Story image

OWASP vulnerabilities plague mobile apps: Data leakage a major concern

09 May 18

Mobile apps may provide useful functionality but they also pose significant vulnerabilities, particularly when developers are pushing out apps at a rapid pace.

Research from security firm Pradeo says that mobile apps can contain unwanted behaviours such as useless background activities, and they can also contain vulnerabilities that enable easier system attacks.

Across two million applications analysed by Pradeo’s security engine, almost one third of applications contained an OWASP vulnerability.

OWASP (Open Web Application Security Project) is an organisation that provides a security knowledge framework for building and verifying secure software.

Pradeo found that vulnerabilities can lead to four major risks: These vulnerabilities can lead to four major risks: Data leakage, Man-in-the-Middle attacks (MITM), denial of service, and poor encryption.

Data leakage affected 47.6% of tested applications. According to Roxane Suau, it is one of the main threats companies now face.

According to Suau, data leakage vulnerabilities include:

- Broadcast-Activity: This vulnerability manifests when the application’s ‘Activity’ component hasn’t a high enough protection level. It allows the third-party app to avoid some security measures to access sensitive data.

- Broadcast-Service: This vulnerability manifest when the application’s ‘Service’ component hasn’t a high enough protection level. It allows the third-party app to launch or to link itself to the service.

- Implicit-Intent: Every data broadcasted through this method is prone to be caught by a third-party app.

Man-in-the-Middle attacks affected 4.6% of mobile applications. These attacks happen when an attacker intercepts communications between two parties. This could leave victims exposes to data theft or funds theft.

Examples include:

- 509TrustManager: This vulnerability manifest when the interface X.509TrustManager is implemented in an unsafe way, which ignores all SSL certificate validation errors when it connects in HTTPS to a remote host.

- HandleSslError: Every validation error message from the SSL certificate is ignored, which authorizes invalid certificate.

- PotentiallyByPassSslConnection: This vulnerability corresponds of the unsafe implementation, which ignores all SSL certificate validation errors when it connects in HTTPS to a remote host.

Denial of Service attacks affected 3% of applications. These attacks usually involve requests from an attacker to a network to authenticate requests with invalid return addresses.

Vulnerabilities include:

- URLCanonicalisation: Depending on the ‘ContentProvider’ utilization, this method use can lead to a directory crossing vulnerability.

- MaliciousIntents: A third-party malicious app can send an ‘intent’ to an app component that shouldn’t be allowed to receive it.

Finally, poor encryption affected 1.5% of devices. Poor encryption can lead to breaches of sensitive data.

Vulnerabilities include:

- AES: Encryption method AES doesn’t ensure data confidentiality, integrity and authenticity.

- ECB: The app uses the ECB mode in its encryption algorithm. The ECB mode is known for being weak, because it uses the same encoded text for identical plain texts blocs.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.