Mobile Threat Catalogue

Untrusted Input to Sensitive Operations


Threat Category: Vulnerable Applications

ID: APP-11

Threat Description: Applications often need to dynamically incorporate input into sensitive operations such as access control decisions (e.g. authentication) or database operations. However, if a sensitive operation acts on untrusted and unsafe input, it may not function as intended. An attacker with control over such input can potentially craft it to control application or system behavior. Prime examples of exploits include buffer overflow and code injection attacks. Therefore, it is important to evaluate untrusted input for safety in the context in which it will be processed prior to accepting it.

Threat Origin

Not Applicable, See Exploit or CVE Examples

Exploit Examples

Team Joch vs. Android [1]

CVE Examples

Possible Countermeasures

Mobile App Developer

When input should match one of a set of known and comparable options, use whitelisting to ensure the input is safe before applying it to security logic.

When whitelisting is not possible, use vetted data sanitization libraries to verify the input appears syntactically safe prior to applying it to security logic.

Always use fail-safe security logic in apps; if input cannot be verified to be safe (versus not identified as unsafe), reject the input and do not perform the security action.
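The three developer countermeasures above applied together, as an added example that is not part of the catalogue entry: an allow-list check feeding an access control decision, a syntactic check standing in for a vetted sanitization library, fail-safe rejection whenever the input cannot be positively verified, and, for the database case, the vulnerable string-spliced query beside its parameterized form. The role set, the username syntax, the table layout and all function names are assumptions made for this illustration.

```python
import re
import sqlite3
from typing import Optional

# Added example (not the catalogue's code). Role names, username syntax and the
# sample table are constructed for this illustration.

# Countermeasure 1: an allow-list (whitelist) of the only role values the app
# will ever compare against. Matching is exact, with no normalisation, so
# "Admin", "admin " and "admin' --" are rejected rather than coerced.
ALLOWED_ROLES = frozenset({"viewer", "editor", "admin"})

# Countermeasure 2: when a value is free-form and cannot be allow-listed, check
# that it is syntactically what the operation expects. A vetted library would
# normally supply this check; a strict anchored regex stands in for it here.
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")


def resolve_role(untrusted: str) -> Optional[str]:
    """Return the canonical role if the input is on the allow-list, else None."""
    return untrusted if untrusted in ALLOWED_ROLES else None


def validate_username(untrusted: str) -> Optional[str]:
    """Return the username if it is syntactically safe, else None."""
    return untrusted if USERNAME_RE.fullmatch(untrusted) else None


def can_delete_record(requested_role: str) -> bool:
    """Countermeasure 3, fail-safe: deny unless the input is positively
    verified AND the verified value grants the permission. Input that merely
    was not identified as unsafe is never passed through."""
    role = resolve_role(requested_role)
    if role is None:
        return False  # could not verify -> reject and perform no action
    return role == "admin"


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "viewer")])
    return conn


def lookup_roles_unsafe(conn: sqlite3.Connection, untrusted_name: str) -> list:
    """The vulnerable pattern: untrusted input spliced straight into SQL, so
    attacker-controlled input changes the statement instead of just the value."""
    sql = "SELECT role FROM users WHERE name = '" + untrusted_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_roles_safe(conn: sqlite3.Connection,
                      untrusted_name: str) -> Optional[list]:
    """Hardened form: validate first and return None on failure without
    touching the database (fail-safe), then bind the value as a parameter so
    it can never be interpreted as SQL. An empty list means a valid name that
    simply matched no row."""
    name = validate_username(untrusted_name)
    if name is None:
        return None
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_demo_db()
    hostile = "' OR '1'='1"  # classic injection string, constructed for the demo
    print("unsafe lookup, hostile input ->", lookup_roles_unsafe(db, hostile))
    print("safe lookup,   hostile input ->", lookup_roles_safe(db, hostile))
    print("safe lookup,   'alice'       ->", lookup_roles_safe(db, "alice"))
    print("can_delete_record('admin')   ->", can_delete_record("admin"))
    print("can_delete_record('Admin')   ->", can_delete_record("Admin"))
```

Running the block prints every stored role for the unsafe lookup given the hostile string, while the safe lookup returns None for the same input because validation fails before any query runs. The distinction between None (rejected, nothing performed) and an empty list (verified, no match) is deliberate: callers can tell "could not verify" apart from "verified and absent", which is what the fail-safe countermeasure requires.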

References

  1. J. Oberheide and Z. Lanier, “Team Joch vs. Android”, presented at ShmooCon 2011, 28-30 Jan. 2011, slide 54; https://jon.oberheide.org/files/shmoo11-teamjoch.pdf [accessed 8/25/2016]