SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
OWASP vulnerabilities plague mobile apps: Data leakage a major concern
Wed, 9th May 2018
FYI, this story is more than a year old

Mobile apps may provide useful functionality but they also pose significant vulnerabilities, particularly when developers are pushing out apps at a rapid pace.

Research from security firm Pradeo says that mobile apps can contain unwanted behaviours such as useless background activities, and they can also contain vulnerabilities that enable easier system attacks.

Across two million applications analysed by Pradeo's security engine, almost one third of applications contained an OWASP vulnerability.

OWASP (Open Web Application Security Project) is an organisation that provides a security knowledge framework for building and verifying secure software.

Pradeo found that vulnerabilities can lead to four major risks: These vulnerabilities can lead to four major risks: Data leakage, Man-in-the-Middle attacks (MITM), denial of service, and poor encryption.

Data leakage affected 47.6% of tested applications. According to Roxane Suau, it is one of the main threats companies now face.

According to Suau, data leakage vulnerabilities include:

- Broadcast-Activity: This vulnerability manifests when the application's ‘Activity' component hasn't a high enough protection level. It allows the third-party app to avoid some security measures to access sensitive data.

- Broadcast-Service: This vulnerability manifest when the application's ‘Service' component hasn't a high enough protection level. It allows the third-party app to launch or to link itself to the service.

- Implicit-Intent: Every data broadcasted through this method is prone to be caught by a third-party app.

Man-in-the-Middle attacks affected 4.6% of mobile applications. These attacks happen when an attacker intercepts communications between two parties. This could leave victims exposes to data theft or funds theft.

Examples include:

- 509TrustManager: This vulnerability manifest when the interface X.509TrustManager is implemented in an unsafe way, which ignores all SSL certificate validation errors when it connects in HTTPS to a remote host.

- HandleSslError: Every validation error message from the SSL certificate is ignored, which authorizes invalid certificate.

- PotentiallyByPassSslConnection: This vulnerability corresponds of the unsafe implementation, which ignores all SSL certificate validation errors when it connects in HTTPS to a remote host.

Denial of Service attacks affected 3% of applications. These attacks usually involve requests from an attacker to a network to authenticate requests with invalid return addresses.

Vulnerabilities include:

- URLCanonicalisation: Depending on the ‘ContentProvider' utilization, this method use can lead to a directory crossing vulnerability.

- MaliciousIntents: A third-party malicious app can send an ‘intent' to an app component that shouldn't be allowed to receive it.

Finally, poor encryption affected 1.5% of devices. Poor encryption can lead to breaches of sensitive data.

Vulnerabilities include:

- AES: Encryption method AES doesn't ensure data confidentiality, integrity and authenticity.

- ECB: The app uses the ECB mode in its encryption algorithm. The ECB mode is known for being weak, because it uses the same encoded text for identical plain texts blocs.