
M7: Client Side Injection

Learn about the risks of client side injection on mobile devices and the preventive measures that guard against the resulting fraud and privacy violations.

Overview

This page covers the threat agent, attack vectors, security weakness, technical impacts, business impacts, prevention, and example attack scenarios for client side injection.


Description

Client side injection is the execution of attacker-controlled code on a mobile device through a mobile app. The payload arrives as data input supplied by a threat agent (a server response, an intent from another app, a modified local HTML file) and is processed by the app's underlying frameworks, such as its local database, its web views, or the platform's messaging system, as code rather than as data. That code runs with the same permissions as the user, or with privileged permissions, and can lead to fraud or privacy violations.


How to Prevent?

To prevent client side injection, validate all user-supplied and application-supplied data before it reaches a framework that can interpret it. Concretely: use parameterized queries for local database access instead of building SQL by string concatenation; disable JavaScript and plugin support in web views that do not need them; and validate the action and data of every Intent delivered to an Activity, as declared by its Intent Filter. Note that an Intent Filter only describes what an Activity accepts; an explicit intent that names the component is delivered regardless, so the Activity itself must still check what it receives. Beyond these three measures, follow the secure coding practices specific to iOS and Android.


Example Attack Scenarios:

  • SQL Injection:  Data retrieved from a mobile app's server contains malformed values that, once spliced into a query against the device's local databases, result in a local SQL injection. This can lead to local malware injection, information theft, and more.

  • Cross-Application Scripting Attacks:  Malicious intents fed from one Android application to another may result in buffer overflows that allow for malicious code execution.

  • Cross-Site Script Attacks:  Local HTML modifications via malware or other apps result in the execution of malicious JavaScript in the presentation layer of the app, potentially leading to information theft.
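The following Android Activity is an added example, not code from the original page, that applies the three preventive measures from the prevention section and contrasts them with the local SQL injection and cross-site scripting scenarios above. The package, class, table, action and extra names are assumptions chosen for illustration; the Activity is assumed to be exported with an <intent-filter> for ACTION_SHOW_NOTE in AndroidManifest.xml.

```java
// Added example (not from the original page): one Android Activity applying the
// three measures above. Package, class, table, action and extra names are assumed.
package com.example.clientinjection;

import android.app.Activity;
import android.content.Intent;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.os.Bundle;
import android.text.Html;
import android.webkit.WebSettings;
import android.webkit.WebView;

public class NotesActivity extends Activity {
    // Action declared in this Activity's <intent-filter> in AndroidManifest.xml (assumed name).
    static final String ACTION_SHOW_NOTE = "com.example.clientinjection.SHOW_NOTE";
    static final String EXTRA_NOTE_ID = "note_id";

    private SQLiteDatabase db;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        db = openOrCreateDatabase("notes.db", MODE_PRIVATE, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)");

        // Measure 3: validate the action and data of the incoming Intent before acting on it.
        // An exported Activity can be started by any app, and an explicit intent is delivered
        // without consulting the manifest filter, so extras are untrusted until checked here.
        Intent intent = getIntent();
        if (intent == null || !ACTION_SHOW_NOTE.equals(intent.getAction())) {
            finish();
            return;
        }
        long noteId = intent.getLongExtra(EXTRA_NOTE_ID, -1L);
        if (noteId < 0) {
            finish();
            return;
        }

        // Measure 1: a bound parameter instead of string concatenation for the local query.
        String body = null;
        try (Cursor c = db.rawQuery("SELECT body FROM notes WHERE id = ?",
                                    new String[] {Long.toString(noteId)})) {
            if (c.moveToFirst()) body = c.getString(0);
        }
        if (body == null) {
            finish();
            return;
        }

        // Measure 2: a hardened WebView, plus HTML-escaping of the note so that a body that
        // contains <script> is shown as text instead of running in the app's presentation layer.
        WebView view = new WebView(this);
        hardenWebView(view);
        setContentView(view);
        view.loadDataWithBaseURL(null, "<pre>" + Html.escapeHtml(body) + "</pre>",
                                 "text/html", "UTF-8", null);
    }

    // Disable JavaScript and local resource access for a WebView that only renders static
    // content. Plugin support no longer exists in WebView (setPluginState is deprecated),
    // so JavaScript is the remaining execution surface to switch off.
    static void hardenWebView(WebView view) {
        WebSettings s = view.getSettings();
        s.setJavaScriptEnabled(false);                  // the default, but state it explicitly
        s.setAllowFileAccess(false);                    // no file:// reads of app-private data
        s.setAllowContentAccess(false);                 // no content:// provider access
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
    }

    // Vulnerable pattern, for contrast: the owner name came from the server's JSON response
    // and is spliced into the SQL text. A value such as  x' OR '1'='1  makes the WHERE clause
    // always true and returns every note in the local database, not just this owner's.
    Cursor unsafeNotesFor(String ownerFromServer) {
        return db.rawQuery("SELECT body FROM notes WHERE owner = '" + ownerFromServer + "'", null);
    }

    // The same query with a bound parameter: SQLite treats the value as a single string
    // literal, so the quote and OR inside it are just characters of the owner name.
    Cursor notesFor(String ownerFromServer) {
        return db.rawQuery("SELECT body FROM notes WHERE owner = ?", new String[] {ownerFromServer});
    }
}
```

The two query methods at the end are the core of the SQL injection scenario: the app trusts a value that merely came from its own server, and the difference between `unsafeNotesFor` and `notesFor` is only whether that value is concatenated into the statement text or bound as a parameter. The intent checks in `onCreate` are what the Intent Filter alone does not guarantee, and `hardenWebView` together with `Html.escapeHtml` is the defence for the cross-site scripting scenario.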
