Story image

OWASP vulnerabilities plague mobile apps: Data leakage a major concern

09 May 2018

Mobile apps may provide useful functionality but they also pose significant vulnerabilities, particularly when developers are pushing out apps at a rapid pace.

Research from security firm Pradeo says that mobile apps can contain unwanted behaviours such as useless background activities, and they can also contain vulnerabilities that enable easier system attacks.

Across two million applications analysed by Pradeo’s security engine, almost one third of applications contained an OWASP vulnerability.

OWASP (Open Web Application Security Project) is an organisation that provides a security knowledge framework for building and verifying secure software.

Pradeo found that vulnerabilities can lead to four major risks: These vulnerabilities can lead to four major risks: Data leakage, Man-in-the-Middle attacks (MITM), denial of service, and poor encryption.

Data leakage affected 47.6% of tested applications. According to Roxane Suau, it is one of the main threats companies now face.

According to Suau, data leakage vulnerabilities include:

- Broadcast-Activity: This vulnerability manifests when the application’s ‘Activity’ component hasn’t a high enough protection level. It allows the third-party app to avoid some security measures to access sensitive data.

- Broadcast-Service: This vulnerability manifest when the application’s ‘Service’ component hasn’t a high enough protection level. It allows the third-party app to launch or to link itself to the service.

- Implicit-Intent: Every data broadcasted through this method is prone to be caught by a third-party app.

Man-in-the-Middle attacks affected 4.6% of mobile applications. These attacks happen when an attacker intercepts communications between two parties. This could leave victims exposes to data theft or funds theft.

Examples include:

- 509TrustManager: This vulnerability manifest when the interface X.509TrustManager is implemented in an unsafe way, which ignores all SSL certificate validation errors when it connects in HTTPS to a remote host.

- HandleSslError: Every validation error message from the SSL certificate is ignored, which authorizes invalid certificate.

- PotentiallyByPassSslConnection: This vulnerability corresponds of the unsafe implementation, which ignores all SSL certificate validation errors when it connects in HTTPS to a remote host.

Denial of Service attacks affected 3% of applications. These attacks usually involve requests from an attacker to a network to authenticate requests with invalid return addresses.

Vulnerabilities include:

- URLCanonicalisation: Depending on the ‘ContentProvider’ utilization, this method use can lead to a directory crossing vulnerability.

- MaliciousIntents: A third-party malicious app can send an ‘intent’ to an app component that shouldn’t be allowed to receive it.

Finally, poor encryption affected 1.5% of devices. Poor encryption can lead to breaches of sensitive data.

Vulnerabilities include:

- AES: Encryption method AES doesn’t ensure data confidentiality, integrity and authenticity.

- ECB: The app uses the ECB mode in its encryption algorithm. The ECB mode is known for being weak, because it uses the same encoded text for identical plain texts blocs.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.