Threat Category: Vulnerable Applications
ID: APP-2
Threat Description: Mobile OS APIs allow apps to share data with other apps, either by exposing specific services to other apps (e.g. Android intents) or by storing it in locations accessible to other apps. Sensitive information stored in commonly accessible files/locations (e.g. the OS-managed contacts list) or openly accessible through intents may be read or potentially modified by apps the developer does not trust, which may lead to a loss of confidentiality, integrity, or availability of that data.
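As an added illustration (not part of the catalogue entry or of any of the cited projects), the following Android snippet shows the developer-side mitigations that correspond to the two exposure paths above: keeping sensitive files and preferences in app-private storage rather than world-readable or external locations, and addressing intents explicitly so that only an intended package can receive them. File, action and package names are constructed for the example.

```java
// Added example, not code from the catalogue entry.
// Shows app-private storage and explicit intents on Android.
// Assumes an ordinary Context (e.g. an Activity); all names are illustrative.
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public final class PrivateStorageExample {

    private static final String TOKEN_FILE = "session_token";   // constructed file name

    /** Stores a secret where only this app's Linux UID can read it. */
    public static void saveTokenPrivately(Context ctx, String token) throws IOException {
        // MODE_PRIVATE places the file under the app's internal files directory with
        // owner-only permissions. MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE were
        // deprecated in API 17 and throw SecurityException on Android 7.0 (API 24)+.
        try (FileOutputStream out = ctx.openFileOutput(TOKEN_FILE, Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Same rule for key-value data: open the preferences file in private mode. */
    public static void savePrefPrivately(Context ctx, String key, String value) {
        SharedPreferences prefs = ctx.getSharedPreferences("app_prefs", Context.MODE_PRIVATE);
        prefs.edit().putString(key, value).apply();
    }

    // Do not write secrets to external/shared storage, e.g.
    //   new File(Environment.getExternalStorageDirectory(), "token.txt")
    // Any app holding the external-storage read permission can read it.

    /**
     * Delivers data to a trusted companion app by explicit intent only.
     * An implicit intent (action string with no target) can be received by any
     * installed app that declares a matching intent-filter, which is the
     * "openly accessible through intents" path described in the threat.
     */
    public static Intent buildExplicitIntent(String payload) {
        Intent i = new Intent("com.example.ACTION_SYNC");     // constructed action name
        i.setPackage("com.example.trustedcompanion");         // constructed package name
        i.putExtra("payload", payload);
        return i;
    }

    // On the receiving side, components that handle sensitive data should be
    // declared with android:exported="false" in AndroidManifest.xml (or be
    // protected by a signature-level permission) so other apps cannot invoke them.
}
```

The two halves map onto the catalogue's two exposure paths: `saveTokenPrivately`/`savePrefPrivately` keep data out of locations other apps can reach, and `buildExplicitIntent` plus the `android:exported="false"` manifest setting keep data out of the inter-app channel unless the counterpart is named explicitly.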
Threat Origin
Not Applicable, See Exploit or CVE Examples
Exploit Examples
CVE Examples
Possible Countermeasures
Use app-vetting tools or services to identify insecure storage of sensitive data.
Consider the use of devices that support Android 7.0 and later, which enables app-level encryption in addition to block-level encryption.
Mobile Device User: Consider the use of devices that support Android 7.0 and later, which enables app-level encryption in addition to block-level encryption.
References
J. Case, “Exclusive: Vulnerability In Skype For Android Is Exposing Your Name, Phone Number, Chat Logs, And A Lot More”, blog, 14 Apr. 2011; www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/# [accessed 8/25/2016]
J. V. Dyke, “World Writable Code Is Bad, MMMMKAY”, blog, 10 Aug. 2015; www.nowsecure.com/blog/2015/08/10/world-writable-code-is-bad-mmmmkay/ [accessed 8/25/2016]
“[Vulnerability Identifier]: LOOK-11-001”, blog, 1 Feb. 2011; https://blog.lookout.com/look-11-001/ [accessed 8/25/2016]