Improper Platform Usage

Overview

The Improper Platform Usage vulnerability refers to the misuse or failure to use platform security controls in a mobile application. This includes misusing platform features such as Android intents, platform permissions, and TouchID. The vulnerability can be exploited through exposed API calls, leading to severe technical and business impacts.

Description

The defining characteristic of the Improper Platform Usage vulnerability is the failure to utilize platform capabilities or the incorrect use of these capabilities. This vulnerability is not solely the app developer's issue, as it involves the misalignment between the app and the platform's best practices and guidelines. Violating published guidelines, conventions, or unintentional misuse can expose the app to this risk. It is essential to follow secure coding practices and configuration guidelines to prevent this vulnerability.

How to Prevent ?

To prevent the Improper Platform Usage vulnerability, developers must adhere to secure coding and configuration practices on the server-side of the mobile application. It is crucial to refer to the OWASP Web Top Ten or Cloud Top Ten projects for specific vulnerability information. Following the manufacturer's guidelines and best practices, such as utilizing the iOS Keychain for secure storage and properly configuring permissions, can help mitigate this risk.

Example Attack Scenarios:

• App Local Storage Instead of Keychain:  One example attack scenario involves storing sensitive data in app local storage instead of using the iOS Keychain. App local storage is accessible in unencrypted iTunes backups, which can lead to unauthorized access if the backup is compromised. Developers should use the iOS Keychain to securely store session keys, passwords, and other sensitive data to mitigate this risk.