How to Solve Application Authorization Issues with Tech Due Diligence

7 min read
Published June 19, 2025

Proper user authentication and authorization are more than just security best practices – they are essential pillars of trust, compliance, and user protection. Especially for apps handling sensitive data or communication services, weak access control can lead to serious vulnerabilities like data breaches, account hijacking, and regulatory violations. Ensuring that only the right users can access the right features at the right time is critical to an app’s long-term success and reputation.

When conducting a comprehensive tech audit for one of our clients struggling with its product launch, Axon revealed critical user authorization and authentication issues in their app. We created this article to share with our blog readers what issues we uncovered, how they impacted the product, and what we recommended to eliminate the associated risks and help the client launch the app.

Who Is the Client?

Our client created a mobile solution that enables users to stay globally connected with global phone numbers and eSIM data plans. Thus, frequent travelers, digital nomads, international students, or global business professionals can purchase and manage multiple mobile, landline, or toll-free phone numbers from different countries in a single app. The product leverages embedded eSIM technology that instantly activates virtual phone numbers and data plans, providing uninterrupted and affordable connectivity anywhere in the world without roaming fees and surprise bills.

What Was the Challenge?

The client contacted the Axon team at the active development stage of their mobile app with bugs in the system, poor user experience, and problems with payment implementation. All this prevented the company from launching its app to production. Our development experts offered to conduct a comprehensive project audit that would reveal the root cause of the observed problems and potentially provide answers to what could be done to solve them.

Our tech audit of the application included the following components:

  • General project infrastructure setup and configuration
  • Product architecture
  • Code review
  • Data model review
  • UI review

What Did the Audit Reveal?

The application is a cross-platform Flutter mobile app. The Node.js back end relies on AWS cloud infrastructure and services, implementing a serverless architecture with Lambda functions and multiple third-party service integrations. The data layer uses a MySQL relational database and AWS S3 buckets for file storage.

The tech audit uncovered some coding flaws and deviations from software development standards that had a considerable impact on project delivery as well as the overall system functionality and performance, for instance:

  • Missing CI/CD pipeline and Continuous Integration or Continuous Deployment tools. This led to slower development cycles and increased risk of bugs and errors. Also, the lack of automation forced the development team to semi-manually manage and coordinate integrations, testing, and deployment of new code changes, increasing their workload.
  • Missing relevant documentation, such as a cloud topology diagram (showing the infrastructure components), a solution component diagram (reflecting all microservices and integrations), deployment documentation (describing the application’s setup and run in different environments), and physical data model documentation (showing the internal schema of the database).
  • Coding flaws like the absence of code formatting and static code analyzer configurations, lack of type annotations, improper naming conventions, lack of strict equality/inequality operators, and undocumented scripts that reduced code readability and increased the chance of bugs.
  • Security weaknesses, like absent data validation in HTTP requests and hard-coded secrets that affected data integrity and system security.
  • Coding and data model issues, such as back-to-back `awaits`, an outdated runtime version, unused or empty tables and columns, remnants of previous versions and obsolete functionality in the data schema, a lack of database normalization, defined relations, and references, and an outdated database management system, all of which hindered application performance and data manipulation.

We provided recommendations for CI/CD Configuration on the AWS Platform as well as guidelines on proper coding and data management practices, for example:

  • Introducing CI/CD tools (e.g., AWS CodePipeline).
  • Using tools that help standardize code formatting and enforce coding conventions (e.g., Prettier and ESLint).
  • Introducing TypeScript support for strong static typing.
  • Integrating a schema-validation library (e.g., Zod or Yup).
  • Using AWS Systems Manager (SSM) Parameter Store for configuration data storage instead of hard-coded values.
  • Removing unnecessary database columns, tables, default values, duplicated data, etc.
  • Utilizing database constraints to enforce specific rules for data manipulation.
  • Introducing a database change management solution (such as Liquibase) and using it in conjunction with the CI/CD pipeline.

However, a major challenge was the REST API implementation, which faced critical issues due to the absence of both authentication and authorization measures. Let’s discuss this in more detail.

Authentication and Authorization Issues

Authentication is the process of verifying the identity of a user, and authorization determines what that verified user is allowed to do. Given the application’s role in handling real phone numbers, personal communications, and global connectivity, robust user authentication and authorization mechanisms are a must-have for this type of application.

For instance, authentication ensures that only legitimate users can access their accounts and use sensitive services like eSIM activation, phone number management, or global messaging. Without strong authentication, user accounts could be vulnerable to takeover, risking privacy breaches, fraudulent number usage, or unauthorized data plan purchases.

Meanwhile, authorization governs what authenticated users can do: purchase new numbers, view billing information, or manage eSIM profiles. Separating permissions for such actions prevents the misuse of privileges. This is especially important in scenarios where users manage multiple identities or interact with business-class features. Misconfigurations may result in unauthorized access to private communication records or abuse of toll-free numbers.

Risks of insecure authentication and authorization: unauthorized access to user accounts, compromised user information, privacy breaches, fraudulent number usage, unauthorized data plan purchases, and misuse of privileges.

In our case, the application sent one-time passwords to users and validated them through a dedicated endpoint, but that endpoint only returned user information for the app to display. It did not issue any JSON Web Tokens or session tokens to establish an ongoing user session or enforce access controls. Moreover, the other endpoints did not require authentication at all, practically allowing anyone – logged in or not – to access the application. This automatically implied no authorization either, leaving the system vulnerable and enabling malicious actors with access to the API to compromise user information and abuse the existing system.

We recommended that the client put resolving these issues as the top priority to prevent user data exposure and other unauthorized access to resources. 

Learn more about implementing user authorization and authentication from our blog articles:

SAML Authentication & SSO Explained: Integration and How It Works

How To Implement SSO (Single Sign-on) in Your Application?

How to implement OAuth 2.0 with Passport.js

Our Authorization and Authentication Recommendations

For an app that deals with sensitive telecommunications data, personal identifiers (e.g., phone numbers, SIM/eSIM profiles), global reach, and potential financial transactions, strong authentication and authorization practices are critical for security, regulatory compliance, and user trust. Here are our recommendations.

Authentication Best Practices

Industry-Standard Authentication Protocols

We suggested that, first and foremost, the client should implement OAuth 2.0 or OpenID Connect for secure and extensible login flows. These protocols support social logins (via Google, Apple, and other trusted identity providers) and passwordless logins (using one-time codes that the client wanted to keep).

Multi-Factor Authentication (MFA)

This authentication method is one of the most secure options for quick and user-friendly login. Thus, it is strongly recommended for actions like number purchase, SIM activation, or billing updates. It supports SMS-based one-time passwords and time-based one-time password generation apps (such as Google Authenticator) or even biometrics for ultimate security.

Phone Number Verification

This authentication method requires verifying, with a one-time password sent via SMS, any number linked to a user’s identity or used for login. Users should also re-verify the number periodically and during high-risk actions like eSIM activation or a device change.

Session Management & Token Security

One of the key security practices enforced by the OAuth 2.0 and OpenID Connect protocols is the use of short-lived access tokens and refresh tokens. Another important aspect is secure token storage. Also, proper session management practices ensure logout from all devices and session revocation in case of system compromise.

Secure Password Handling

If the authentication mechanism relies on passwords, they should be stored as hashes produced by a password hashing function such as bcrypt or Argon2, and never in plain text. It is highly recommended to design a UI that enforces common password strength rules.

Device Binding and Fingerprinting

In order to avoid unauthorized third-party access, we recommend tracking and logging device sessions to detect unfamiliar devices and using secure device identifiers to reduce fraud (especially common with eSIM provisioning).

Authorization Best Practices

Role-Based Access Control (RBAC)

Assigning roles within the system determines which actions (e.g., view call logs, modify billing, manage multiple numbers) each category of user, such as user, admin, support, or enterprise owner, may perform. This prevents ordinary users from accessing data and functions that are critical to the application, and also shrinks the attack surface for malicious actors.

Least Privilege Principle

Users should only be able to access or modify resources they own. For this, API routes must check the ownership of each resource and allow a user to manage only their own numbers.

Scoped Access Tokens

It is necessary to make sure that the front end and back end validate token scopes consistently. Scopes help to limit what each token can do, e.g., read:numbers, write:profile, manage:esim.
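As an added example (not the client's code or Axon's IAM component), the following Node.js sketch makes one authorization decision that applies the three recommendations above in order: the caller's role permissions (RBAC), the scopes carried by the verified token, and ownership of the target resource (least privilege). The role names, the scope strings beyond the three quoted in the text, and the sample data are assumptions.

```javascript
// Which permissions each role grants (assumed role names and permission strings).
const ROLE_PERMISSIONS = {
  user: ["numbers:read", "numbers:manage", "profile:write", "esim:manage"],
  support: ["numbers:read", "billing:read"],
  admin: ["numbers:read", "numbers:manage", "billing:read", "billing:write", "esim:manage"],
};

// Token scope each permission requires (read:numbers, write:profile and manage:esim are from the text).
const REQUIRED_SCOPE = {
  "numbers:read": "read:numbers",
  "numbers:manage": "manage:numbers",
  "profile:write": "write:profile",
  "esim:manage": "manage:esim",
  "billing:read": "read:billing",
  "billing:write": "write:billing",
};

// Constructed sample data: phone numbers and the account that owns each one.
const NUMBERS = new Map([
  ["+15550001111", { ownerId: "u-42" }],
  ["+442070000000", { ownerId: "u-77" }],
]);

// `principal` is the verified token's claims, e.g. { sub: "u-42", role: "user", scope: "read:numbers manage:numbers" }.
function authorize(principal, permission, resource) {
  if (!(ROLE_PERMISSIONS[principal.role] || []).includes(permission)) return { allowed: false, reason: "role" };
  const scopes = String(principal.scope || "").split(" ");
  if (!scopes.includes(REQUIRED_SCOPE[permission])) return { allowed: false, reason: "scope" };
  // Ownership: staff roles act across accounts; an ordinary user may only touch resources they own.
  if (principal.role === "user" && resource && resource.ownerId !== principal.sub) {
    return { allowed: false, reason: "ownership" };
  }
  return { allowed: true };
}

// Route handler: look the resource up server-side, then decide; never trust a client-supplied owner id.
function handleManageNumber(principal, phone) {
  const number = NUMBERS.get(phone);
  if (!number) return { status: 404 };
  const decision = authorize(principal, "numbers:manage", number);
  return decision.allowed ? { status: 200 } : { status: 403, reason: decision.reason };
}
```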

Rate Limiting and Abuse Prevention

For sensitive endpoints, like login, OTP, or eSIM provisioning, IP- or user-based rate limits must be implemented. Rate limiting helps protect the infrastructure against DDoS attacks and other suspicious activity. Different rate limits can be applied at different levels, for example, at the server level or the user level. Monitoring for abuse patterns like SIM swapping, call spamming, or toll fraud is also a good practice.
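As an added example (not the client's code or Axon's IAM component), this Node.js sketch is a sliding-window limiter with separate budgets for the sensitive endpoints named above, keyed per account when the caller is authenticated and per source IP otherwise. The route names and limits are assumed values; on Lambda the counters must live in a shared store (for example DynamoDB or Redis) rather than in process memory as here.

```javascript
// Per-route budgets (assumed values): how many requests one subject may make inside the window.
const LIMITS = {
  "POST /auth/otp": { max: 5, windowMs: 10 * 60 * 1000 },        // 5 OTP requests per 10 min
  "POST /auth/login": { max: 10, windowMs: 60 * 1000 },           // 10 login attempts per minute
  "POST /esim/provision": { max: 3, windowMs: 60 * 60 * 1000 },   // 3 provisioning calls per hour
};

const hits = new Map(); // "route|subject" -> timestamps of requests still inside the window

// Authenticated callers are limited per account; anonymous ones (login, OTP) per source IP.
function subjectFor(req) {
  return req.userId ? `user:${req.userId}` : `ip:${req.ip}`;
}

function rateLimit(route, req, nowMs = Date.now()) {
  const limit = LIMITS[route];
  if (!limit) return { allowed: true };                      // no budget configured for this route
  const key = `${route}|${subjectFor(req)}`;
  const recent = (hits.get(key) || []).filter((t) => nowMs - t < limit.windowMs);
  if (recent.length >= limit.max) {
    hits.set(key, recent);
    return { allowed: false, retryAfterMs: limit.windowMs - (nowMs - recent[0]) };
  }
  recent.push(nowMs);
  hits.set(key, recent);
  return { allowed: true, remaining: limit.max - recent.length };
}

// Simulate `count` back-to-back calls (1 ms apart) from one caller and report how many got through.
function burst(route, req, count, nowMs) {
  let allowed = 0;
  for (let i = 0; i < count; i++) if (rateLimit(route, req, nowMs + i).allowed) allowed++;
  return allowed;
}
```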

Audit Logging and Monitoring

Tracking auth-related actions like logins, failed logins, and MFA changes, and logging sensitive operations such as number purchases and eSIM activations help reveal system errors and unusual activity in a timely manner.

Consent and User Transparency

User consent lies at the core of the authorization mechanism. Therefore, all auth flows must be transparent to users (for example, by showing a message such as "This device will be able to manage your eSIM"), and users should be able to see and revoke third-party app access at any time.

Project Outcomes

  1. We moved the project to the AWS CodePipeline service, which is a fully managed continuous delivery service that helps automate release pipelines for quick and reliable application and infrastructure updates. We also worked on developing the missing project documentation needed for clear and organized development.
  2. We eliminated the found coding and data model flaws, improving the overall code quality, optimizing application performance, and refining data management.
  3. We set up a proper authorization and authentication flow following the industry-standard protocol, implementing the best security practices and recommendations.

How Axon helped: the project transitioned to the AWS CodePipeline service, coding and data model flaws were eliminated, and proper user authorization and authentication were set up.

Engineers at Axon have extensive knowledge in implementing user authorization, authentication, and other identity management features in various application types and taking into account diverse product and industry requirements. To streamline project development for our clients, we created a ready-to-use IAM component that can be easily and quickly integrated into any application to develop a custom solution. Feel free to get in touch with our experts and let us know your product needs!
