Hypori Mobile Mitigates OWASP Mobile Risk

Abstract

Improper credential usage is a significant security risk in mobile applications, commonly leading to data leakage, account compromise, and unauthorized access. The OWASP Mobile Top 10 highlights this as a persistent issue. This paper explores how Hypori, the Virtual Mobile Infrastructure (VMI) solution, mitigates this risk through its architecture and security controls, effectively eliminating the local handling of credentials on user devices.

1. Introduction

The OWASP Mobile Top 10 identifies Improper Credential Usage (M1) as a critical security concern in mobile applications [1]. It involves the insecure use, storage, or transmission of credentials (e.g., passwords, tokens, keys) on mobile devices. These flaws expose sensitive data and provide a vector for attackers to gain unauthorized access. This paper describes how Hypori's design addresses and mitigates the threat of improper credential usage.

2. Understanding OWASP M1: Improper Credential Usage

The OWASP Mobile Top 10 security risk covering Improper Credential Usage, includes four fundamental areas: Hardcoded Credentials, Insecure Storage, Insecure Transmission and Weak Authentication [2]. When looking at ways to empower a mobile workforce, companies need to understand the components of this risk. Whatever means they use to gain access to corporate resources or environments, company IT and Security Teams must ensure that those capabilities do not use hardcoded credentials. Embedding sensitive information like passwords or API keys directly into the application's code or configuration files makes it easy for attackers to find and exploit. Additionally, by storing credentials locally on the device without proper encryption or protection those credentials are vulnerable to theft and unauthorized use if the device is compromised. In the authentication process the application must transmit credentials over encrypted channels to prevent interception or man in the middle attacks. And finally, the authentication mechanism must be robust enough to prevent unauthorized access such as certificate or multi-factor based authentication.

3. Hypori Architecture Overview

Hypori is the market leader in virtual mobile infrastructure (VMI). The Hypori platform delivers secure mobile access to enterprise apps and data from any mobile device without processing, storing, or transmitting data on the device, and without compromising user privacy. Built on a zero-trust architecture and designed to meet the highest security standards, Hypori eliminates the need for traditional mobile device or app management.  

4. Hypori's Mitigation Strategies for Improper Credential Usage

• Credential Management: No pre-configured credentials are configured within the client app on the user’s device.  During device enrollment, the Hypori authentication service provides the Hypori Client a certificate which going forward is then used to create a mutually authenticated TLS tunnel (mTLS) between the Hypori client app on the end user device and its respective Virtual Workspace.  
• Secure Storage: The Hypori client app relies on minimal services within the host device to function and retains no data on the end user device. This includes no buffering or persisting of display frames in memory or anywhere in the physical device. The device authentication certificate is stored in the protected keystore (iOS or Android) on the device.  Furthermore, the Hypori Client app is Common Criteria-certified by National Institute of Standards and Technology (NIST) and NSA’s National Information Assurance Partnership (NIAP). NIAP ensures that all certified products “demonstrate exact compliance to the applicable technology protection profile.” This certification validates the cryptographic elements used to protect the communication with the Hypori Service, that no data is at rest on the user device, and no personally identifiable information (PII) is transmitted or stored on the device.  
• Secure Transmission and Authentication Set-up: During the provisioning process, the Hypori Client App receives a certificate which is used in all future authentication operations. This credential is stored in the device OS protected keystore. When the Hypori Client App begins its connection to the Hypori service, it first conducts a series of device attestation checks to determine whether the end user device is jailbroken or rooted. If the Hypori Client App determines that the device is compromised, it will not attempt to connect to the Hypori service and provide the end user with an error message. If the Hypori Client App determines it is safe to transmit, it will initiate a connection to the appropriate TLS Proxy within the Hypori infrastructure using the client certificate using encryption over port 443. The TLS tunnel is encrypted in accordance with NIST Federal Information Processing Standards (FIPS) and validated through NIAP.  The TLS Proxy and Hypori Client App mutually validate each other’s certificates using trust stores. The TLS Proxy and Hypori Client App then use Online Certificate Status Protocol (OCSP) / Certificate Revocation List (CRL) for Android or OCSP Stapling for iOS to check if the certificate has been revoked. If the certificate is valid, the TLS Proxy will connect to the Hypori authentication service within its Control Plane to forward the authentication request.  These components also validate each other’s certificates. The Hypori Client App certificate is also used to identify the authentication domain and location of the end user Virtual Workspace.  Once the validation is completed, the authentication service returns a challenge to the TLS Proxy for secondary authentication, and the TLS Proxy returns the challenge to the Hypori Client App. The Hypori App prompts the user for a multi-factor authentication mechanism (biometrics, PIN,  or OTP) and the challenge is signed as a Cryptographic Message Syntax (CMS) Message and sends the signed challenge message to the TLS Proxy. The TLS Proxy then forwards the signed challenge message to the authentication service. The authentication service validates the signed challenge, extracts user information from the certificate and validates it against the user directory entry. After successfully authenticating the user, the authentication service returns the Auth token to the TLS Proxy. The TLS Proxy server forwards the Auth Token to the Hypori Client App. The Hypori Client App uses the Auth token to identify its virtual device and initiates a connection to it via the TLS Proxy and completes the connection process. The entire process is conducted within a HTTPS/ 443 channel and ends with the mutually authenticated TLS tunnel (mTLS) in place.
• Robust Authentication: As shown above, Hypori uses layers of authentication to ensure non-repudiation and authorized access to its environment and customer resources. Primary authentication to gain access to a Hypori Virtual Workspace is provided using certificate-based authentication. During the onboarding process, the end user device is provisioned with a private key which is contained within the protected keystore on their device. The key is further protected by device attestation, root/jailbreak detection and code obfuscation to maximize key protection.  If any of these conditions are detected, the device will not connect, the device credential will be revoked, and the end user will receive a message to contact their system administrator.  In order to validate a secure connection with the Hypori SaaS infrastructure, the Authentication service ensures that the certificate has not expired and is valid and the key usage properties are correct.  Once the certificate is validated, we validate that the identity associated with the certificate is a valid entity in the identity system (today LDAP, future OIDC Identity provider). If valid, the secondary auth process starts. The end user must authenticate that they are the valid device owner through a secondary authentication mechanism. This can be biometrics, a PIN, or token generators. OIDC is a future capability on the Hypori Roadmap. This secondary authentication provides the end user access to their virtual workspace and the application within. The final layer of authentication is provided by the customer and their integration into their enterprise resources and services. For example, if a customer uses Okta Verify to access their online resources through SSO, then that would be the mechanism for the customers user community to access those resources.  This could occur within the Hypori virtual workspace with no more integration than any other end user device, with the benefit of not extending the attack surface beyond the secure enclave. All communication between the Hypori Virtual Workspace and the enterprise would take advantage of any protected communications resources using TLS, VPNs or capabilities such as Zscaler.

5. Conclusion

Hypori’s Virtual Mobile Infrastructure removes concerns around the OWASP Mobile Risk of Improper Credential Usage through its secure and robust authentication architecture. This enables organizations to secure mobile access even in high-risk BYOD scenarios, aligning with zero trust principles and modern cybersecurity frameworks. Hypori also reduces risks to Improper Credential Usage within the Virtual Workspace. Apps running with the Virtual Workspace are shielded from any security or configuration issues on the end user device. The Virtual Workspace operates within a highly secure environment that can easily integrate with enterprise certificate validation processes. All certificates and private keys are stored within the Android SE protected keystore and further safeguarded using a cloud provided key management service and further backed by FIPS 140-3 validated Hardware Security Module. Hypori’s infrastructure has been tested numerous times by Third Party Assessment Organizations (3PAO) and numerous Red Teams from commercial and government organizations without significant findings or compromise which has earned the NIAP Common Criteria, FedRAMP High, DoD CC SRG Impact Level 5 and SOC2, Type II authorizations and certifications.

‍

‍

References

1. OWASP Mobile Top 10 2024 (https://owasp.org/www-project-mobile-top-10/)

2. OWASP Mobile Top 10 2024 Improper Credential Usage (https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage.html)

3. NIST SP 800-63 – Digital Identity Guidelines

‍