Continuing our series on the OWASP Top 10 Project, today we see the next most exploited mobile threat called Security Decisions via Untrusted Inputs.
What does Security Decisions Via Untrusted Inputs mean?
Developers generally use hidden fields and values or any hidden functionality to distinguish higher level users from lower level users. An attacker can intercept the calls (IPC or web service calls) and temper with such sensitive parameters. Weak implementation of such functionalities leads to improper behavior of an app and even granting higher level permissions to an attacker. This can be easily exploited using something called as hooking.
Here is a nice presentation to help you understand more about the Android permissions model and the basis for this threat to be exploited.
Are you vulnerable to this threat?
Your mobile application can accept data from all kinds of sources. In most cases this will be an Inter Process Communication (IPC) mechanism.
[ What is IPC? – In computer science, inter-process communication (IPC) is the activity of sharing data across multiple and commonly specialized processes using communication protocols. Typically, applications using IPC are categorized as clients and servers, where the client requests data and the server responds to client requests. ]
In general try and adhere to the following IPC design patterns:
- When there is a business requirement for IPC communication, the mobile application should restricted access to only a set of white-listed trusted applications.
- Sensitive actions which are triggered through IPC entry points should require user interaction before performing the action
- All input received from IPC entry points must undergo stringent input validation in order to prevent input driven attacks
- Do not pass any sensitive information through IPC mechanisms, as it may be susceptible to being read by third party applications under certain scenarios
What are the impacts of Security Decisions Via Untrusted Inputs?
Technical Impact: This vulnerability may lead to privilege escalation providing access of higher authorities and functionalities to an attacker. It can even bypass security mechanisms implemented by the app leading to loss of confidentiality and integrity.
Business Impact: This vulnerability leads to loss of reputation.
At the same time, impacting and harming the integrity and confidentiality.
How can this be prevented?
iOS Specific Examples:
- Do not use the deprecated handleOpenURL method to handle URL Scheme calls. This method does not contain an argument containing the BundleID of the source application.
- Instead use the openURL:sourceApplication:annotation method and validation the sourceApplication argument against a white-list of trusted applications
- Do not use the iOS Pasteboard for IPC communications, as it is susceptible to being set or read by all third party apps on the device.