Insufficient validation and sanitisation of data from external sources, such as user inputs or network data, can lead to severe security vulnerabilities in mobile applications. Failing to properly validate and sanitise such data exposes the application to attacks specific to mobile environments, including SQL injection, command injection, and cross-site scripting (XSS). These vulnerabilities can result in unauthorised access to sensitive data, manipulation of app functionality, or even complete system compromise.

Remediation

• Enforce strict validation on all user inputs, ensuring they conform to expected formats, data types, and length. Reject or sanitise any unexpected data.
• Encode data before rendering it to the user interface, especially in dynamic web views or app components, to prevent XSS and similar attacks.
• Restrict access to sensitive operations or data to only what is absolutely necessary, and validate all requests thoroughly.
• Avoid logging raw user inputs or unvalidated external data to prevent leakage of sensitive information.