Threat Category: Authentication: User or Device to Remote Service
ID: AUT-11
Threat Description: Vulnerabilities in applications may allow attackers to steal credentials from a device either remotely or with physical access.
Threat Origin
Mobile Top 10 2016 [1]
Exploit Examples
Serious OS X and iOS Flaws Let Hackers Steal Keychain, 1Password Contents [2]
CVE Examples
Not Applicable
Possible Countermeasures
When creating files, named sockets, or similar resources whose names are statically defined (i.e., predictable by an attacker), verify that the resource does not already exist. If it does, cease execution and exit the app with an error that prompts the user to take action.
Enterprise: Use app-vetting tools or services to identify malicious apps that exploit cross-application resource attacks.
References
[1] OWASP, Mobile Top 10 2016, Mar. 2016; www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 [accessed 8/23/2016]
[2] D. Goodin, “Serious OS X and iOS Flaws Let Hackers Steal Keychain, 1Password Contents”, Ars Technica, 17 June 2015; http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ [accessed 8/25/2016]