Story image

OWASP vulnerabilities plague mobile apps: Data leakage a major concern

09 May 2018

Mobile apps may provide useful functionality but they also pose significant vulnerabilities, particularly when developers are pushing out apps at a rapid pace.

Research from security firm Pradeo says that mobile apps can contain unwanted behaviours such as useless background activities, and they can also contain vulnerabilities that enable easier system attacks.

Across two million applications analysed by Pradeo’s security engine, almost one third of applications contained an OWASP vulnerability.

OWASP (Open Web Application Security Project) is an organisation that provides a security knowledge framework for building and verifying secure software.

Pradeo found that vulnerabilities can lead to four major risks: These vulnerabilities can lead to four major risks: Data leakage, Man-in-the-Middle attacks (MITM), denial of service, and poor encryption.

Data leakage affected 47.6% of tested applications. According to Roxane Suau, it is one of the main threats companies now face.

According to Suau, data leakage vulnerabilities include:

- Broadcast-Activity: This vulnerability manifests when the application’s ‘Activity’ component hasn’t a high enough protection level. It allows the third-party app to avoid some security measures to access sensitive data.

- Broadcast-Service: This vulnerability manifest when the application’s ‘Service’ component hasn’t a high enough protection level. It allows the third-party app to launch or to link itself to the service.

- Implicit-Intent: Every data broadcasted through this method is prone to be caught by a third-party app.

Man-in-the-Middle attacks affected 4.6% of mobile applications. These attacks happen when an attacker intercepts communications between two parties. This could leave victims exposes to data theft or funds theft.

Examples include:

- 509TrustManager: This vulnerability manifest when the interface X.509TrustManager is implemented in an unsafe way, which ignores all SSL certificate validation errors when it connects in HTTPS to a remote host.

- HandleSslError: Every validation error message from the SSL certificate is ignored, which authorizes invalid certificate.

- PotentiallyByPassSslConnection: This vulnerability corresponds of the unsafe implementation, which ignores all SSL certificate validation errors when it connects in HTTPS to a remote host.

Denial of Service attacks affected 3% of applications. These attacks usually involve requests from an attacker to a network to authenticate requests with invalid return addresses.

Vulnerabilities include:

- URLCanonicalisation: Depending on the ‘ContentProvider’ utilization, this method use can lead to a directory crossing vulnerability.

- MaliciousIntents: A third-party malicious app can send an ‘intent’ to an app component that shouldn’t be allowed to receive it.

Finally, poor encryption affected 1.5% of devices. Poor encryption can lead to breaches of sensitive data.

Vulnerabilities include:

- AES: Encryption method AES doesn’t ensure data confidentiality, integrity and authenticity.

- ECB: The app uses the ECB mode in its encryption algorithm. The ECB mode is known for being weak, because it uses the same encoded text for identical plain texts blocs.

ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Who's watching you? 
With privacy an increasing concern amongst the public, users should be more aware than ever of what personal data companies hold.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.
Managing data to comply with privacy regulations - Micro Focus
It’s crucial for organisations to be able to access, understand, and accurately classify the data they have so they know how to treat it.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.