
M9: Improper Session Handling

Learn how improper session handling in mobile apps can lead to fraud and impersonation. Ensure secure session token management to prevent unauthorized access.

Overview

The OWASP M9: Improper Session Handling vulnerability refers to the improper management of session tokens in mobile app development. This vulnerability occurs when session tokens are unintentionally shared with adversaries during transactions between mobile apps and backend servers. Adversaries who gain access to session tokens can impersonate users and perform unauthorized actions. This vulnerability can lead to severe technical and business impacts such as fraud, information theft, and business interruption.


Description

Mobile apps use session tokens to maintain state between users and backend servers. After successful authentication, the server issues a session cookie to the mobile app, which is used for future service transactions. Improper session handling occurs when session tokens are unknowingly shared with adversaries during subsequent transactions. This vulnerability allows adversaries to impersonate users and perform unauthorized actions.


How to Prevent?

To prevent M9: Improper Session Handling, mobile app developers should address the failure modes listed in the scenarios below.


Example Attack Scenarios:

  • Failure to Invalidate Sessions on the Backend: Many developers invalidate sessions on the mobile app and not on the server side, leaving a window of opportunity for attackers. Sessions should be properly invalidated on the server side to prevent attacks.

  • Lack of Adequate Timeout Protection: Mobile apps should have adequate timeout protection on backend components to prevent unauthorized access to existing sessions. Timeout periods should be determined based on the app's security level.

  • Failure to Properly Rotate Cookies: Session management implementations should reset cookies during authentication state changes to ensure that previous sessions are no longer accepted. This prevents unauthorized access.

  • Insecure Token Creation: Tokens used for session management should be properly generated using industry-standard methods. They should be long, complex, and resistant to guessing attacks.
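The four scenarios above map onto four properties of a server-side session store. The following is an added example, not code from Cloud Defense or OWASP: a minimal backend session table that invalidates on the server, enforces idle and absolute timeouts, rotates the token on an authentication state change, and generates tokens from the OS CSPRNG. The timeout values and the `SessionStore` API are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # assumed policy: inactivity limit in seconds
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed policy: hard cap on session lifetime


class SessionStore:
    """Server-side session table. The app only holds an opaque token; every
    validity decision is made here, so logout and timeouts are enforced even
    if the app keeps (or leaks) an old token."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> {"user", "created", "last_seen"}
        self._clock = clock  # injectable for testing

    def _new_token(self):
        # 256 bits from the OS CSPRNG; no user or time data embedded.
        return secrets.token_urlsafe(32)

    def create(self, user):
        now = self._clock()
        token = self._new_token()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live session, else None. Expired entries are
        deleted so they cannot be resurrected by a later request."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, token):
        """On an authentication state change, retire the old token and issue a
        fresh one, so a token captured before the change is useless after it."""
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[token]
        return self.create(user)

    def invalidate(self, token):
        """Server-side logout: removing the record is what ends the session."""
        return self._sessions.pop(token, None) is not None
```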
