Mobile Threat Catalogue

Remove App From App Store

Threat Category: Mobile Application Store

ID: ECO-18

Threat Description: An app developer's credentials typically have permission to push app updates to the respective app store. If an attacker obtains these credentials, the attacker could remove any applications that the developer has published.

Threat Origin

Keep out hijackers: Secure your app store dev account 1

Exploit Examples

Major security hole allows Apple passwords to be reset with only email address, date of birth (update) 2

CVE Examples

Not Applicable

Possible Countermeasures

Mobile App Developer

To reduce the potential for an attacker to impersonate you to official app stores, follow best practices to protect your developer accounts, such as using multi-factor authentication. 3 4

References

  1. G. Gruman, “Keep out hijackers: Secure your app store dev account,” InfoWorld, 5 Dec. 2014; www.infoworld.com/article/2854963/mobile-development/how-to-keep-your-app-store-dev-account-from-being-hijacked.html 

  2. C. Welch, “Major security hole allows Apple passwords to be reset with only email address, date of birth (update),” The Verge, 22 Mar. 2013; www.theverge.com/2013/3/22/4136242/major-security-hole-allows-apple-id-passwords-reset-with-email-date-of-birth 

  3. Protect your developer account, Google, 2016, https://support.google.com/googleplay/android-developer/answer/2543765?hl=en [accessed 8/25/16] 

  4. Security and your Apple ID, Apple, 2016, https://support.apple.com/en-us/HT201303 [accessed 8/25/16]