Session management in mobile applications

Hello everyone,

I have some doubts about session management in mobile applications. I’m testing an app in which:

  1. There is no logout functionality
  2. The session token doesn’t expire

Since the token doesn’t expire, I was wondering whether “FIN.S.0068. unsafe downtime” would apply in this case, and whether we can talk about “FIN.S.0076. insecure session handling” when there is no logout functionality in a mobile app combined with a session token that doesn’t expire.

Thanks.

Yes, you should report those two findings in that case. Even if it were a web application you should do that, because it doesn’t matter whether it is web or mobile: a logout function and correct session expiry are a must.
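To make the two findings concrete, here is an added example (my own code, not from either poster or from the app under test) of what "correct session expiry" and "logout" mean on the server side: a session store that keys opaque random tokens by their SHA-256 hash, enforces both an idle timeout and an absolute lifetime, and revokes a session on logout so a copied token stops working immediately. The timeout values (15 minutes idle, 8 hours absolute), the user names, and the injectable clock are assumptions for the demo, not values from the original post.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed policy values for the example; pick them per application risk.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime, regardless of activity


def _key(token: str) -> str:
    # Store only a hash of the token: a dumped session table then does not
    # hand an attacker a list of live bearer tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session store; the client only ever holds the opaque token."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT,
                 absolute_timeout: int = ABSOLUTE_TIMEOUT,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG entropy
        now = self.clock()
        self._sessions[_key(token)] = Session(user_id, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, or None (dropping dead ones)."""
        key = _key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self.clock()
        expired = (now - sess.created_at > self.absolute_timeout
                   or now - sess.last_seen > self.idle_timeout)
        if expired:
            del self._sessions[key]           # do not let it linger as "valid"
            return None
        sess.last_seen = now                  # activity extends the idle window only
        return sess.user_id

    def logout(self, token: str) -> bool:
        """Revoke server-side: the token is dead even if the client kept a copy."""
        return self._sessions.pop(_key(token), None) is not None


class FakeClock:
    """Controllable clock so the expiry rules can be exercised deterministically."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(idle_timeout=900, absolute_timeout=3600, clock=clock)
    results = {}

    # Idle timeout: inactivity kills the session even though its lifetime is not over.
    tok = store.create("alice")
    results["fresh"] = store.validate(tok)                 # "alice"
    clock.advance(800)
    results["active_before_idle"] = store.validate(tok)   # "alice", last_seen refreshed
    clock.advance(901)
    results["after_idle"] = store.validate(tok)           # None

    # Logout: the finding "no logout" means this revocation path does not exist.
    tok2 = store.create("bob")
    results["logout_ok"] = store.logout(tok2)             # True
    results["after_logout"] = store.validate(tok2)        # None
    results["logout_twice"] = store.logout(tok2)          # False, already gone

    # Absolute lifetime: constant activity cannot keep a session alive forever.
    tok3 = store.create("carol")
    for _ in range(4):
        clock.advance(800)
        store.validate(tok3)                              # each call is within idle window
    results["kept_alive_at_3200s"] = store.validate(tok3)  # "carol" (3200 < 3600)
    clock.advance(800)
    results["after_absolute"] = store.validate(tok3)      # None (4000 > 3600)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The app in the question fails both checks at once: with no expiry, a token captured from a lost device, a proxy log or a backup is usable indefinitely, and with no logout the user has no way to revoke it. Note that expiry enforced only by the client (e.g. the app deleting its stored token) does not count; the server must refuse the token, as `validate` does here.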