Authentication vulnerabilities described by OWASP (Open Web Application Security Project)
| Name | Category | Description |
|---|---|---|
| Improper certificate validation | Insecure Communication | A mobile app is potentially vulnerable if the Authentication Server accepts the user auth request even if the communication with the client is not established over an SSL/TSL secure channel. |
| Insufficient session expiration | Insecure Communication | A mobile app is potentially vulnerable if the auth token is not refreshed or destroyed after a long user´s inactivity time |
| Session fixation | Insecure Communication | A mobile app is potentially vulnerable if the auth token is not destroyed after the user has signed out. |
| Missing Encryption of Sensitive Data | Insecure Communication | A mobile application is potentially vulnerable if the auth server accepts the user auth request even if the communication with the client is not established through an HTTPS-CC protocol |
| Auth bypass using an alternate path or channel | Insecure Authentication/Authorization | A mobile application is potentially vulnerable if it does not limit the access to functionalities and screens, collecting sensible data, for only auth users |
See also session hijacking