AUT-11 · Mobile Threat Catalogue


Authentication credentials (e.g. token or private key) stolen from device


Threat Category: Authentication: User or Device to Remote Service

ID: AUT-11

Threat Description:

Threat Origin

Mobile Top 10 2016 [1]

Exploit Examples

Serious OS X and iOS Flaws Let Hackers Steal Keychain, 1Password Contents [2]

CVE Examples

Not Applicable

Possible Countermeasures

Mobile App Developer

When creating files, named sockets, or similar resources whose names are statically defined (and therefore predictable by an attacker), verify that the resource does not already exist before using it. If it does, stop and exit the app with an error that prompts the user to take action. Where the platform supports it, make the existence check and the creation a single atomic operation (for example, an exclusive-create flag) rather than a separate check followed by a create, so that a malicious app cannot claim the name in between the two steps.
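The following POSIX C program is an added example of this countermeasure; it is not code from the Mobile Threat Catalogue or from any referenced vendor. It creates a statically named file with O_CREAT|O_EXCL and binds a UNIX-domain socket at a fixed path, both of which fail atomically when another process has already claimed the name, and it includes small self-check routines that simulate a squatting app. The function names (create_file_exclusive, bind_socket_exclusive, the demo_* helpers), the RES_* result codes, and the scratch paths under TMPDIR are all assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Result codes for the exclusive-create helpers (hypothetical names). */
enum { RES_HIJACKED = -2, RES_ERROR = -1 };

/* Create a file at a statically named path, refusing if anything is there.
 * O_CREAT|O_EXCL makes the kernel perform "does not exist" and "create" as
 * one atomic step, so a malicious app cannot pre-create the name (or drop a
 * symlink there; O_EXCL rejects symlinks too) between a separate check and
 * the create. Returns an fd, RES_HIJACKED if the name was already taken, or
 * RES_ERROR for any other failure. */
int create_file_exclusive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return errno == EEXIST ? RES_HIJACKED : RES_ERROR;
    return fd;
}

/* Bind a UNIX-domain socket at a static path. bind() fails with EADDRINUSE
 * when any file already occupies the path, which is the signal that another
 * app squatted on this app's well-known socket name. */
int bind_socket_exclusive(const char *path) {
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    if (strlen(path) >= sizeof addr.sun_path)
        return RES_ERROR;
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return RES_ERROR;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        int saved = errno;
        close(fd);
        return saved == EADDRINUSE ? RES_HIJACKED : RES_ERROR;
    }
    return fd;
}

/* Build a per-process scratch path under TMPDIR (or /tmp) for the demos. */
static void demo_path(char *buf, size_t n, const char *suffix) {
    const char *dir = getenv("TMPDIR");
    if (!dir || !*dir) dir = "/tmp";
    snprintf(buf, n, "%s/aut11_%ld_%s", dir, (long)getpid(), suffix);
}

/* Simulated attack (constructed): a hostile app pre-creates the app's static
 * file name. Returns 1 if the victim's exclusive create correctly refuses. */
int demo_file_hijack_detected(void) {
    char path[256];
    demo_path(path, sizeof path, "token");
    unlink(path);
    int squatter = open(path, O_WRONLY | O_CREAT, 0666);   /* attacker's file */
    if (squatter < 0) return 0;
    close(squatter);
    int rc = create_file_exclusive(path);                    /* victim's attempt */
    if (rc >= 0) close(rc);
    unlink(path);
    return rc == RES_HIJACKED;
}

/* Simulated attack on a static socket path; returns 1 if bind refuses. */
int demo_socket_hijack_detected(void) {
    char path[256];
    demo_path(path, sizeof path, "sock");
    unlink(path);
    int squatter = bind_socket_exclusive(path);              /* attacker binds first */
    if (squatter < 0) return 0;
    int rc = bind_socket_exclusive(path);                    /* victim tries same name */
    if (rc >= 0) close(rc);
    close(squatter);
    unlink(path);
    return rc == RES_HIJACKED;
}

/* Control case: with nobody squatting, the exclusive create succeeds. */
int demo_fresh_create_succeeds(void) {
    char path[256];
    demo_path(path, sizeof path, "fresh");
    unlink(path);
    int fd = create_file_exclusive(path);
    if (fd >= 0) close(fd);
    unlink(path);
    return fd >= 0;
}

int main(void) {
    printf("file hijack detected:   %d\n", demo_file_hijack_detected());
    printf("socket hijack detected: %d\n", demo_socket_hijack_detected());
    printf("fresh create succeeds:  %d\n", demo_fresh_create_succeeds());
    return 0;
}
```

On a RES_HIJACKED result the app should not fall back to the existing resource or pick a different name silently; as the countermeasure says, it should stop and surface an error to the user, because the resource it expected to own may now be readable or writable by another app.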

Enterprise

Use app-vetting tools or services to identify malicious apps that exploit cross-application resource attacks (the class of attack described in reference 2), such as apps that pre-create or squat on files, sockets, or keychain entries belonging to other apps.

References

  1. OWASP, “Mobile Top 10 2016”, Mar. 2016; www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 [accessed 8/23/2016]

  2. D. Goodin, “Serious OS X and iOS Flaws Let Hackers Steal Keychain, 1Password Contents”, Ars Technica, 17 June 2015; http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/ [accessed 8/25/2016]