OWASP Mobile Top 10 Part 1: Improper Platform Usage

The improper platform usage vulnerability is the first vulnerability in the OWASP Mobile Top 10. This blog will provide some insight into what it is and how it’s actually exploited in the wild while also telling you how to protect your own mobile applications.

What is Improper Platform Usage?

Improper platform usage covers vulnerabilities that stem from an application misusing the platform it runs on. In other words, this category covers the misuse of a platform feature or the failure to use a security control the platform provides, for example misusing TouchID or another platform security control. In general, an improper platform usage vulnerability might appear insignificant at first, but in the hands of an attacker it can certainly serve as the entry point for an attack of a much bigger scale.

How Dangerous is the Improper Platform Usage Vulnerability?

As you have probably already gathered, such a vulnerability arises when the developers of a mobile application fail to follow secure coding practices. All mobile applications should use certain security controls, and failing to use them can introduce this vulnerability into the application in question. According to OWASP, the threat agents for this vulnerability are application-specific, and any exposed API call can become a potential attack vector for a nefarious party. For this vulnerability to be exploitable, the mobile app must have an exposed service or API call that is implemented using insecure coding techniques.

Improper Platform Usage Vulnerabilities in the Real World

As far as the real world is concerned, improper platform usage vulnerabilities usually stem from exposed services or API calls that are secured improperly. When exploiting these kinds of vulnerabilities, the attacker is usually able to send an unexpected sequence of events and/or malicious input to a vulnerable endpoint, that is, to a service or an API. The service or the API then processes the input and, depending on the vulnerability being exploited (the attacker could potentially exploit any vulnerability outlined in the OWASP Top 10), this may grant the attacker access to confidential information.

Protecting Your Application Against Improper Platform Usage Vulnerabilities

To protect your mobile applications from improper platform usage vulnerabilities, limit the applications that are allowed to communicate with your application, familiarize yourself with the OWASP Mobile Top 10 and general security best practices, do not violate the security guidelines of the platform you are developing for, and avoid unintentional misuse: if you are implementing services or APIs that communicate with your application, be sure to implement them properly. If you are developing for iOS, for example, use the iOS Keychain instead of local storage, because data stored in local storage is available in unencrypted iTunes backups. If your API or service communicates with a web server, be sure to harden that server as well: test it, avoid the OWASP Top 10 vulnerabilities prevalent in web applications, consider putting a firewall in front of it, invest in an intrusion detection system, and so on.
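The iOS Keychain advice above, as an added example that is not part of the original post: a small Swift wrapper that stores a secret as a Keychain item marked "this device only", so it is neither readable while the device is locked nor migrated out through a backup. The service name and the secret are constructed placeholders.

```swift
import Foundation
import Security

// Weak alternative this replaces (data lands in an unencrypted backup):
//   UserDefaults.standard.set(token, forKey: "apiToken")

let serviceName = "com.example.app.tokens"   // hypothetical service tag for this app

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Store `secret` under `account` in the app's own Keychain.
/// kSecAttrAccessibleWhenUnlockedThisDeviceOnly: readable only while the
/// device is unlocked, and never migrated to another device via backup.
func storeSecret(_ secret: Data, account: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: serviceName,
        kSecAttrAccount as String: account,
    ]
    // Drop any previous item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(query as CFDictionary)

    var attributes = query
    attributes[kSecValueData as String] = secret
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Read the secret back; nil means no item is stored for this account.
func loadSecret(account: String) throws -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: serviceName,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound: return nil
    default: throw KeychainError.unexpectedStatus(status)
    }
}

// Constructed usage: persist an API token and read it back.
try storeSecret(Data("constructed-token-value".utf8), account: "apiToken")
let restored = try loadSecret(account: "apiToken")
```

The accessibility attribute is set at write time and cannot be changed on an existing item, so delete and re-add an item if you need to tighten it later.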

Summary

The first vulnerability in the OWASP Mobile Top 10 is related to the use of an insecurely configured service or an API – a vulnerable endpoint – that usually interacts with another application. To avoid such a vulnerability being introduced into your mobile applications, limit the applications that are allowed to communicate with your application, familiarize yourself with the OWASP Mobile Top 10 and general security best practices, do not violate the security guidelines of the platform you are developing in, avoid unintentional misuse of the platform or security features and you should be well on your way to more secure mobile applications.

However, if your mobile application does get compromised, be sure to run a check through the data breaches available in BreachDirectory to see if you are at risk of identity theft and secure yourself.