M3: Insecure Authentication/Authorization
Insecure authentication and authorization flaws let an attacker bypass the login flow, act as another user, escalate privileges, or hijack an existing session. On mobile the failures usually come from one of three places: biometric or PIN prompts that only gate client-side UI, so the backend never learns whether the check ran or which fallback was used; access controls enforced in the app but not consistently on the backend APIs it calls; and OAuth/OpenID Connect flows implemented inside the app with insecure redirect URI or token handling.
Typical Weakness Patterns
- Custom authentication stacks that skip server-side validation and trust assertions supplied by the client (a user ID, a role, an "authenticated" or "biometric passed" flag) that anyone with an intercepting proxy can rewrite.
- Token issuance flows that do not bind the token to a key held on the device, so a bearer token extracted from a rooted or emulated device, or captured at a proxy, can be replayed from anywhere. Binding to a device identifier instead of a key does not help: identifiers are not secrets and are trivially spoofed on a rooted device.
- Broken session lifecycle management: no invalidation on logout, refresh tokens that are never rotated, long-lived JWTs with no revocation path.
- Weak or missing authorization checks on the backend APIs the mobile client consumes, most often object-level checks that trust an identifier the client sent rather than the subject of the verified token.
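The session lifecycle failures in the list above are clearest next to a store that closes them. The following is an added Go example, not code from this page or from any project it describes: an in-memory session store with short-lived access tokens, single-use refresh tokens rotated within a per-login family, reuse detection that revokes the entire family, and a logout that invalidates every token of the session. The opaque server-side token format, the family model and all names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// One login creates one family; every refresh rotation stays in it, so a replayed refresh token can revoke the whole chain.
type family struct {
	user    string
	revoked bool
}

type tokenRecord struct {
	family string
	exp    time.Time // access tokens only
	used   bool      // refresh tokens only: set once the token has been rotated
}

// sessionStore is an in-memory stand-in for the backend's session database. Tokens are random
// opaque strings looked up server-side (assumption; a JWT plus a consulted revocation list keyed by jti gives the same properties).
type sessionStore struct {
	families  map[string]*family
	access    map[string]tokenRecord
	refresh   map[string]tokenRecord
	accessTTL time.Duration
}

var (
	errInvalidToken = errors.New("invalid, expired or revoked token")
	errReuse        = errors.New("refresh token reuse detected; session family revoked")
)

func newSessionStore(accessTTL time.Duration) *sessionStore {
	return &sessionStore{families: map[string]*family{}, access: map[string]tokenRecord{}, refresh: map[string]tokenRecord{}, accessTTL: accessTTL}
}

func randomID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return hex.EncodeToString(b)
}

// issue mints a short-lived access token and a single-use refresh token for a family.
func (s *sessionStore) issue(fam string, now time.Time) (access, refresh string) {
	access, refresh = randomID(), randomID()
	s.access[access] = tokenRecord{family: fam, exp: now.Add(s.accessTTL)}
	s.refresh[refresh] = tokenRecord{family: fam}
	return access, refresh
}

// login creates a new family and issues its first token pair.
func (s *sessionStore) login(user string, now time.Time) (access, refresh string) {
	fam := randomID()
	s.families[fam] = &family{user: user}
	return s.issue(fam, now)
}

// authenticate accepts an access token only if it exists, is unexpired and
// belongs to a family that has not been revoked by logout or reuse detection.
func (s *sessionStore) authenticate(access string, now time.Time) (string, error) {
	rec, ok := s.access[access]
	fam := s.families[rec.family]
	if !ok || !now.Before(rec.exp) || fam == nil || fam.revoked {
		return "", errInvalidToken
	}
	return fam.user, nil
}

// rotate exchanges a refresh token for a new pair. Refresh tokens are single
// use: presenting one that was already rotated means the legitimate client and
// someone else both hold a copy, so the whole family is revoked.
func (s *sessionStore) rotate(refresh string, now time.Time) (access, next string, err error) {
	rec, ok := s.refresh[refresh]
	fam := s.families[rec.family]
	if !ok || fam == nil || fam.revoked {
		return "", "", errInvalidToken
	}
	if rec.used {
		fam.revoked = true
		return "", "", errReuse
	}
	rec.used = true
	s.refresh[refresh] = rec
	access, next = s.issue(rec.family, now)
	return access, next, nil
}

// logout revokes the family, invalidating every access and refresh token of
// that session, not only the one presented.
func (s *sessionStore) logout(refresh string) error {
	rec, ok := s.refresh[refresh]
	if !ok { return errInvalidToken }
	s.families[rec.family].revoked = true
	return nil
}
```

Rotation with reuse detection is what turns a stolen refresh token into a detectable event: whichever party presents the older token second causes the family to be revoked, so a thief cannot quietly keep a long-lived session alive. A JWT design gets the same properties only if the server keeps a revocation list it actually consults on every request.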
Detection Cues
- Manual testing through an intercepting proxy (Burp Suite, mitmproxy): replay a captured token from a second device or after logout, and swap user or object identifiers in requests to see whether the backend checks ownership.
- Static analysis of the mobile code paths for hardcoded secrets, OAuth redirect URIs that another app could claim, and authentication or authorization decisions made only on the client.
- Backend log analysis for the same token appearing from multiple devices or networks, runs of 403 responses against privileged endpoints, and sensitive operations completed without the step-up authentication event that should precede them.
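The log-analysis cue as an added Go example, not code from this page: a detector over constructed sample access-log lines (key=value fields, with the token field already hashed). It flags any token seen from more than one device and any user with a run of 403 responses against privileged paths. The log format, field names, path prefix and threshold are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of backend access logs (not real data): one request per
// line as key=value fields. token is a hash of the bearer token, never the
// token itself, so the log is safe to retain.
const sampleLog = `
ts=2024-05-01T10:00:01Z user=alice token=t-7f3a device=dev-android-1 ip=203.0.113.5 method=GET path=/api/v1/me status=200
ts=2024-05-01T10:00:09Z user=alice token=t-7f3a device=dev-android-1 ip=203.0.113.5 method=GET path=/api/v1/orders status=200
ts=2024-05-01T10:02:30Z user=alice token=t-7f3a device=dev-emulator-9 ip=198.51.100.77 method=GET path=/api/v1/orders status=200
ts=2024-05-01T10:02:31Z user=alice token=t-7f3a device=dev-emulator-9 ip=198.51.100.77 method=POST path=/api/v1/transfer status=200
ts=2024-05-01T10:03:00Z user=bob token=t-91c0 device=dev-ios-4 ip=192.0.2.10 method=GET path=/api/v1/me status=200
ts=2024-05-01T10:04:10Z user=mallory token=t-aa01 device=dev-android-7 ip=192.0.2.44 method=GET path=/api/v1/admin/users status=403
ts=2024-05-01T10:04:12Z user=mallory token=t-aa01 device=dev-android-7 ip=192.0.2.44 method=POST path=/api/v1/admin/users/alice/role status=403
ts=2024-05-01T10:04:15Z user=mallory token=t-aa01 device=dev-android-7 ip=192.0.2.44 method=GET path=/api/v1/admin/export status=403
ts=2024-05-01T10:05:00Z user=bob token=t-91c0 device=dev-ios-4 ip=192.0.2.10 method=GET path=/api/v1/admin/users status=403
`

type event map[string]string

// parseLog turns the key=value lines into events, skipping anything without a token field.
func parseLog(raw string) []event {
	var out []event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		e := event{}
		for _, kv := range strings.Fields(line) {
			if k, v, ok := strings.Cut(kv, "="); ok {
				e[k] = v
			}
		}
		if e["token"] != "" {
			out = append(out, e)
		}
	}
	return out
}

// tokenReuse returns every token seen from more than one device, with the
// sorted device list. A token bound to one device key should show one device;
// two means the token was extracted and replayed, or binding is missing.
func tokenReuse(events []event) map[string][]string {
	devices := map[string]map[string]bool{}
	for _, e := range events {
		if devices[e["token"]] == nil {
			devices[e["token"]] = map[string]bool{}
		}
		devices[e["token"]][e["device"]] = true
	}
	out := map[string][]string{}
	for tok, set := range devices {
		if len(set) < 2 {
			continue
		}
		for d := range set {
			out[tok] = append(out[tok], d)
		}
		sort.Strings(out[tok])
	}
	return out
}

// escalationAttempts counts 403 responses on privileged paths per user and
// reports users at or above threshold: one 403 is noise, a run is probing.
func escalationAttempts(events []event, privPrefix string, threshold int) map[string]int {
	counts := map[string]int{}
	for _, e := range events {
		if e["status"] == "403" && strings.HasPrefix(e["path"], privPrefix) {
			counts[e["user"]]++
		}
	}
	out := map[string]int{}
	for user, n := range counts {
		if n >= threshold {
			out[user] = n
		}
	}
	return out
}

func main() {
	events := parseLog(sampleLog)
	for tok, devs := range tokenReuse(events) {
		fmt.Printf("token %s used from %d devices: %v\n", tok, len(devs), devs)
	}
	for user, n := range escalationAttempts(events, "/api/v1/admin", 3) {
		fmt.Printf("user %s: %d forbidden requests to admin paths\n", user, n)
	}
}
```

The device column assumes the app reports a stable installation identifier alongside the token; without it, source network or TLS fingerprint is a weaker substitute. The 403 rule is deliberately simple; in production it would be windowed by time so that three failures spread over a month do not alert.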
Mitigation
- Delegate authentication to proven, standards-based mechanisms (OpenID Connect using the authorization code flow with PKCE, FIDO2/WebAuthn) and validate every session on the server; never accept an authentication result the client asserts.
- Bind tokens to a key pair generated in the device keystore (Android Keystore, iOS Secure Enclave) and require proof of possession on each request (DPoP, RFC 9449, or mutual TLS), so a stolen token is useless without the key it was issued to.
- Enforce least-privilege authorization on every backend endpoint, deriving the subject from the verified token rather than from the request, and cover the checks with automated tests that request other users' objects.
- Keep access tokens short-lived, rotate refresh tokens on every use with reuse detection, revoke all of a session's tokens on logout, and gate sensitive scopes on a server-verified device integrity attestation (Play Integrity on Android, App Attest on iOS).
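The authorization mitigation, together with the identifier-swap test from the detection cues above, as an added Go example that is not code from this page: an order-lookup handler that trusts a user_id query parameter beside the hardened version that decides ownership from the server-verified bearer subject. The sample orders, the token-to-user map and the handler names are constructed for illustration, and token validation itself is assumed to have already happened.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

type order struct {
	Owner string
	Total int
}

// Constructed sample data (not real): which user owns each order, and which
// user each already-validated bearer token belongs to. Token validation itself
// is assumed to have happened before these handlers run.
var (
	orders = map[string]order{
		"order-1001": {Owner: "alice", Total: 120},
		"order-1002": {Owner: "bob", Total: 4500},
	}
	validatedTokens = map[string]string{"tok-alice": "alice", "tok-bob": "bob"}
)

var (
	errUnauthenticated = errors.New("401 unauthenticated")
	errNotFound        = errors.New("404 not found")
)

// subjectOf recovers the caller's identity from the verified bearer token.
// This, and only this, decides who the caller is.
func subjectOf(r *http.Request) (string, error) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return "", errUnauthenticated
	}
	user, ok := validatedTokens[strings.TrimPrefix(auth, "Bearer ")]
	if !ok {
		return "", errUnauthenticated
	}
	return user, nil
}

// vulnerableGetOrder authenticates the caller and then trusts the user_id the
// client put in the query string. Changing user_id=alice to user_id=bob in an
// intercepting proxy hands alice bob's order.
func vulnerableGetOrder(r *http.Request) (order, error) {
	if _, err := subjectOf(r); err != nil {
		return order{}, err
	}
	q := r.URL.Query()
	o, ok := orders[q.Get("order_id")]
	if !ok || o.Owner != q.Get("user_id") {
		return order{}, errNotFound
	}
	return o, nil
}

// hardenedGetOrder ignores any caller-supplied identity and checks ownership
// against the server-verified subject. A missing order and another user's
// order get the same answer, so the endpoint cannot be used to enumerate IDs.
func hardenedGetOrder(r *http.Request) (order, error) {
	subject, err := subjectOf(r)
	if err != nil {
		return order{}, err
	}
	o, ok := orders[r.URL.Query().Get("order_id")]
	if !ok || o.Owner != subject {
		return order{}, errNotFound
	}
	return o, nil
}

// newRequest builds the request a mobile client (or a tester's proxy) would
// send: bearer token plus the order and the user it claims to be.
func newRequest(token, orderID, claimedUser string) *http.Request {
	r, _ := http.NewRequest("GET", "/api/v1/orders?order_id="+orderID+"&user_id="+claimedUser, nil)
	if token != "" {
		r.Header.Set("Authorization", "Bearer "+token)
	}
	return r
}
```

A request carrying alice's token with user_id=bob and order_id=order-1002 returns bob's order from the first handler and a 404 from the second; the same 404 comes back for an order that does not exist, so the hardened endpoint does not confirm which IDs are real. The automated test for an endpoint like this is exactly that request, sent with every other user's token.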
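Proof of possession, the fix for the unbound-token pattern above, as an added Go example that is not code from this page or from any DPoP library: a DPoP proof (RFC 9449) signed with an Ed25519 device key, and the resource-server checks for it (typ and alg pinned, signature, htm/htu match, iat freshness, jti replay cache, ath binding to the access token, and the RFC 7638 thumbprint binding to the key the token was issued for). Two simplifications are assumptions: the access-token-to-thumbprint lookup stands in for a cnf.jkt claim inside a JWT access token, and the key is generated in memory rather than in Android Keystore or the Secure Enclave.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE base64url without padding

// jwk, proofHeader and proofClaims are the parts of a DPoP proof JWT (RFC 9449 section 4.2).
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
}
type proofHeader struct {
	Typ string `json:"typ"`
	Alg string `json:"alg"`
	Jwk jwk    `json:"jwk"`
}
type proofClaims struct {
	Jti string `json:"jti"` // unique per proof; the server keeps a replay cache
	Htm string `json:"htm"` // HTTP method of the request the proof covers
	Htu string `json:"htu"` // request URI without query or fragment
	Iat int64  `json:"iat"` // issued-at, checked against a freshness window
	Ath string `json:"ath"` // base64url(SHA-256(access token))
}

func sha256b64(data string) string {
	sum := sha256.Sum256([]byte(data))
	return b64.EncodeToString(sum[:])
}

// thumbprint is the RFC 7638 JWK thumbprint (required members in lexicographic
// order, no whitespace); the access token is bound to this value.
func thumbprint(k jwk) string {
	return sha256b64(`{"crv":"` + k.Crv + `","kty":"` + k.Kty + `","x":"` + k.X + `"}`)
}

// newDeviceKey stands in for a key pair generated inside the platform keystore
// (assumption: kept in memory here so the example runs anywhere).
func newDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pub, priv
}

// makeProof is the app side: one fresh proof per request, signed with the device key.
func makeProof(priv ed25519.PrivateKey, method, htu, accessToken string, now time.Time) string {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil { panic(err) }
	h, _ := json.Marshal(proofHeader{Typ: "dpop+jwt", Alg: "EdDSA", Jwk: jwk{Kty: "OKP", Crv: "Ed25519", X: b64.EncodeToString(priv.Public().(ed25519.PublicKey))}})
	c, _ := json.Marshal(proofClaims{Jti: b64.EncodeToString(jti), Htm: method, Htu: htu, Iat: now.Unix(), Ath: sha256b64(accessToken)})
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// verifier is the resource-server side. boundKey maps an access token to the thumbprint
// it was issued for (the cnf.jkt claim an authorization server would put in the token;
// a plain lookup is an assumption). In production seenJti must expire entries older than maxSkew.
type verifier struct {
	boundKey map[string]string
	seenJti  map[string]bool
	maxSkew  time.Duration
}

func newVerifier(accessToken string, pub ed25519.PublicKey, maxSkew time.Duration) *verifier {
	return &verifier{boundKey: map[string]string{accessToken: thumbprint(jwk{Kty: "OKP", Crv: "Ed25519", X: b64.EncodeToString(pub)})}, seenJti: map[string]bool{}, maxSkew: maxSkew}
}

// verify applies the RFC 9449 section 4.3 checks in order; each if is one check.
func (v *verifier) verify(proof, method, htu, accessToken string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 { return errors.New("malformed proof") }
	var hdr, claims = proofHeader{}, proofClaims{}
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil { return errors.New("malformed proof") }
	// Pin typ, alg and key type: the proof's own header never chooses how it is verified.
	pub, err := b64.DecodeString(hdr.Jwk.X)
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "EdDSA" || hdr.Jwk.Kty != "OKP" || hdr.Jwk.Crv != "Ed25519" || err != nil || len(pub) != ed25519.PublicKeySize { return errors.New("unsupported proof type, algorithm or key") }
	if !ed25519.Verify(ed25519.PublicKey(pub), []byte(parts[0]+"."+parts[1]), sig) { return errors.New("bad signature") }
	if claims.Htm != method || claims.Htu != htu { return errors.New("proof is for a different request") }
	if age := now.Sub(time.Unix(claims.Iat, 0)); age > v.maxSkew || age < -v.maxSkew { return errors.New("proof outside freshness window") }
	if claims.Ath != sha256b64(accessToken) { return errors.New("proof not bound to this access token") }
	if v.boundKey[accessToken] != thumbprint(hdr.Jwk) { return errors.New("access token was issued to a different device key") }
	if v.seenJti[claims.Jti] { return errors.New("replayed proof") }
	v.seenJti[claims.Jti] = true
	return nil
}
```

The checks run in the order listed so that the cheap structural ones reject garbage before any signature verification, and the replay cache is only written for proofs that passed everything else. On a real device the private key is generated non-exportable in the platform keystore, which is what makes a captured access token useless off the device: the attacker can replay the token but cannot produce the next proof.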