Meghana Dixit

Reputation: 57

Security in the android application

I recently developed an application, which was a financial app, and it underwent security vulnerability testing.

One of the points identified in the testing was "Account Takeover Through Insecure Direct Object Reference". The comment provided was as below: During the security assessment, it was found that insecure authorization controls in the Android application allow an attacker to make requests on behalf of different users. It allows an attacker to take over any user's account. The application completely lacks authorization controls, which allows an attacker to make requests on behalf of any user.

The remedy provided was: To prevent this, ensure the user's access rights are restricted to the correct privilege level and not just by the pages available to the user in the interface of the application.

Does this mean a role-based system? My app does not need multiple user roles. There is only a single role, "End User", who will be using the app.

Can someone provide insight?

Upvotes: 3

Views: 158
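The finding quoted in the question is a missing server-side, per-object ownership check: the API trusts whatever account id the client sends. As an added example (not the asker's code or the assessed app), the constructed Python below puts the vulnerable lookup beside one that checks ownership against the authenticated session; the Account model and the ACCOUNTS store are assumptions standing in for the real backend.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    owner_id: int
    balance: int


class Forbidden(Exception):
    """Authenticated caller is not allowed to act on the requested object."""


# Constructed sample data (not from the original post): two end users,
# same role, each owning exactly one account.
ACCOUNTS = {
    101: Account(account_id=101, owner_id=1, balance=5000),
    102: Account(account_id=102, owner_id=2, balance=250),
}


def get_account_vulnerable(session_user_id: int, account_id: int) -> Account:
    """Authentication only: any logged-in user can read any account id.
    This is the IDOR pattern the assessment describes."""
    return ACCOUNTS[account_id]


def get_account_hardened(session_user_id: int, account_id: int) -> Account:
    """Object-level authorization: the account must belong to the session
    user. Missing and foreign ids get the same error so the endpoint does
    not reveal which ids exist. No roles are involved."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not access account {account_id}")
    return account


def can_access(session_user_id: int, account_id: int) -> bool:
    """True/False form of the ownership check, convenient for tests."""
    try:
        get_account_hardened(session_user_id, account_id)
        return True
    except Forbidden:
        return False


def transfer_hardened(session_user_id: int, src_id: int, dst_id: int, amount: int) -> int:
    """Debit only an account the caller owns; the destination may be anyone's.
    Returns the new source balance."""
    src = get_account_hardened(session_user_id, src_id)  # ownership enforced here
    dst = ACCOUNTS.get(dst_id)
    if dst is None or amount <= 0 or amount > src.balance:
        raise ValueError("invalid transfer")
    ACCOUNTS[src_id] = Account(src_id, src.owner_id, src.balance - amount)
    ACCOUNTS[dst_id] = Account(dst_id, dst.owner_id, dst.balance + amount)
    return ACCOUNTS[src_id].balance
```

The same check belongs on every endpoint that takes an object id (statements, cards, beneficiaries), and it must live on the server; hiding the other user's pages in the Android UI does not satisfy the finding.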

Answers (3)

MRazian

Reputation: 88

Each system has at least two roles: admin (privileged user) and (unprivileged) user. However, in real systems there exist several roles like editor, finance manager, HR manager, etc. So, you need to provide these users with different levels of access to the resources.

Upvotes: 0

Subin Babu

Reputation: 1545

You need to consider the following:

  1. Use authentication methods for the web APIs such as basic auth, OAuth 2.0, or OAuth 1.0.
  2. Use a session manager for the user, even if there is only one user.
  3. Use Gradle to save data such as URL, token, token secret, etc.
  4. Use minimal 3rd-party libraries.
  5. Use ProGuard.
  6. Hide all logs.
  7. Change the Debug variant to the Release variant before release or test.

Upvotes: 2

Koustuv Ganguly

Reputation: 899

Implement OAuth session management with access token renewal.

Upvotes: 0
