Threat Category: Vulnerable Applications
ID: APP-4
Threat Description: Organizations or individual users may develop and rely upon specific apps or devices to complete necessary work. Knowledge of a serious vulnerability affecting such an app or device increases the risk associated with using it to accomplish that work. However, the impact of being unable to complete the work as a result of abstaining from use of the app or device may be unacceptable.
Threat Origin
Not Applicable, See Exploit or CVE Examples
Exploit Examples
Stumping the Mobile Chipset [1]
CVE Examples
Possible Countermeasures
Use iOS and Android runtime permission features to remove risky permissions (e.g. GPS access, contact list access, etc.) from unsupported apps or apps with known vulnerabilities.
Uninstall vulnerable apps from the device. Once a patched version is available for download, redownload and install the app.
Enterprise
Use iOS and Android runtime permission features to remove risky permissions (e.g. GPS access, contact list access, etc.) from unsupported apps or apps with known vulnerabilities.
Use MAM solutions to detect vulnerable apps and prevent access to enterprise resources while the app is installed.
Use MAM solutions to forcefully disable vulnerable apps until a patch is available and installed.
Use MAM solutions to temporarily revoke access to sensitive device sensors or OS-provided services.
References
[1] A. Donenfeld, Stumping the Mobile Chipset, presented at DEFCON 24, 7 Aug. 2016; https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/DEFCON-24-Adam-Donenfeld-Stumping-The-Mobile-Chipset.pdf [accessed 8/25/2016]