When it comes to building secure mobile applications, errors most often occur in session management. By themselves, these mistakes do not present a significant risk, but the more mistakes made, the more vulnerable the application. And therein lies the problem: I often find several of these errors in any given app.
In my upcoming talk at OWASP AppSecUSA 2013, I will detail one example of a vulnerable mobile app, in this case, a popular fantasy football application that when hacked, allowed individuals to change team line-ups and post imposter comments. Users who have not updated their mobile app to the most recent version are at risk of having their line-ups manipulated by other league managers or troublemaking hackers. Of course, this was fun for me, but also enlightening. My ongoing research continues to unearth patterns in session management vulnerabilities.
In the meantime, here is a checklist based on common mistakes that developers and security professionals can use to ensure proper session management of their mobile applications.