Story image

OWASP vulnerabilities plague mobile apps: Data leakage a major concern

09 May 18

Mobile apps may provide useful functionality but they also pose significant vulnerabilities, particularly when developers are pushing out apps at a rapid pace.

Research from security firm Pradeo says that mobile apps can contain unwanted behaviours such as useless background activities, and they can also contain vulnerabilities that enable easier system attacks.

Across two million applications analysed by Pradeo’s security engine, almost one third of applications contained an OWASP vulnerability.

OWASP (Open Web Application Security Project) is an organisation that provides a security knowledge framework for building and verifying secure software.

Pradeo found that vulnerabilities can lead to four major risks: These vulnerabilities can lead to four major risks: Data leakage, Man-in-the-Middle attacks (MITM), denial of service, and poor encryption.

Data leakage affected 47.6% of tested applications. According to Roxane Suau, it is one of the main threats companies now face.

According to Suau, data leakage vulnerabilities include:

- Broadcast-Activity: This vulnerability manifests when the application’s ‘Activity’ component hasn’t a high enough protection level. It allows the third-party app to avoid some security measures to access sensitive data.

- Broadcast-Service: This vulnerability manifest when the application’s ‘Service’ component hasn’t a high enough protection level. It allows the third-party app to launch or to link itself to the service.

- Implicit-Intent: Every data broadcasted through this method is prone to be caught by a third-party app.

Man-in-the-Middle attacks affected 4.6% of mobile applications. These attacks happen when an attacker intercepts communications between two parties. This could leave victims exposes to data theft or funds theft.

Examples include:

- 509TrustManager: This vulnerability manifest when the interface X.509TrustManager is implemented in an unsafe way, which ignores all SSL certificate validation errors when it connects in HTTPS to a remote host.

- HandleSslError: Every validation error message from the SSL certificate is ignored, which authorizes invalid certificate.

- PotentiallyByPassSslConnection: This vulnerability corresponds of the unsafe implementation, which ignores all SSL certificate validation errors when it connects in HTTPS to a remote host.

Denial of Service attacks affected 3% of applications. These attacks usually involve requests from an attacker to a network to authenticate requests with invalid return addresses.

Vulnerabilities include:

- URLCanonicalisation: Depending on the ‘ContentProvider’ utilization, this method use can lead to a directory crossing vulnerability.

- MaliciousIntents: A third-party malicious app can send an ‘intent’ to an app component that shouldn’t be allowed to receive it.

Finally, poor encryption affected 1.5% of devices. Poor encryption can lead to breaches of sensitive data.

Vulnerabilities include:

- AES: Encryption method AES doesn’t ensure data confidentiality, integrity and authenticity.

- ECB: The app uses the ECB mode in its encryption algorithm. The ECB mode is known for being weak, because it uses the same encoded text for identical plain texts blocs.

What MSPs can learn from Datto’s Channel Ransomware Report
While there have been less high profile attacks making the headlines, the frequency of attacks is, in fact, increasing.
Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why Australian enterprises are prime targets for malware attacks
"Only 14% of Australian organisations are continuously training employees to spot cyber attacks."
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
Bitdefender announces security integration with Kaseya
The new partnership will allow VSA by Kaseya’s cloud and on-premises users to deploy and manage security with Bitdefender Cloud Security for MSPs.
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.