M10: Extraneous Functionality

Extraneous functionality in a mobile app can expose backend operations and enable unauthorized actions, leading to data breaches and reputational damage. Learn prevention methods here.

Overview

Extraneous functionality refers to hidden or unused code within a mobile app that provides unauthorized access to backend systems. Attackers can exploit this functionality to gain sensitive information or execute unauthorized actions. Detecting and preventing extraneous functionality is crucial to maintain the security and reputation of the app.


Description

Extraneous functionality in a mobile app can reveal how backend systems work or enable unauthorized high-privileged actions. The technical impact ranges from exposure of backend details to data breaches; the business impact includes unauthorized access to sensitive functionality, reputational damage, and intellectual property theft.


How to Prevent?

To prevent extraneous functionality, it is recommended to perform a manual secure code review. This review should include examining the app's configuration settings to discover hidden switches, verifying that test code is not included in the final production build, checking API endpoints for proper documentation and accessibility, and reviewing log statements to ensure sensitive backend information is not being logged.
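The four review items above can be partly automated as a pre-release build check. The script below is an added example, not code from the original page or from Cloud Defense: it walks a mapping of build-artifact paths to their contents (a constructed sample is embedded) and flags debug/test switches left enabled in configuration files, test or mock sources shipped in the production build, log statements that mention sensitive backend terms, and hardcoded URLs that are not on the documented-endpoint list. The path layout, file names and the `documented` set are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Heuristics for each of the four manual-review items (assumed patterns, tune per project).
SWITCH_RE = re.compile(
    r'^\s*([\w.]*(debug|test|staging|mock|admin|hidden)[\w.]*)\s*[=:]\s*(true|1|on)\s*$',
    re.I | re.M)
TEST_PATH_RE = re.compile(r'(^|/)(test|tests|androidTest|mock)s?/', re.I)
LOG_RE = re.compile(r'\b(Log\.[vdiwe]|NSLog|print|console\.log)\s*\((.*)\)', re.I)
SENSITIVE_RE = re.compile(r'password|token|secret|authorization|session|sql|stack', re.I)
URL_RE = re.compile(r'https?://[^\s"\']+')

@dataclass
class Finding:
    path: str
    kind: str
    detail: str

def audit_build(files: dict, documented: set) -> list:
    """Return findings for hidden switches, shipped test code, leaky logs, undocumented endpoints."""
    findings = []
    for path, text in files.items():
        if TEST_PATH_RE.search(path):
            findings.append(Finding(path, "test-code", "test/mock source present in production build"))
        for m in SWITCH_RE.finditer(text):
            findings.append(Finding(path, "hidden-switch", f"{m.group(1)}={m.group(3)}"))
        for m in LOG_RE.finditer(text):
            if SENSITIVE_RE.search(m.group(2)):   # only logs that expose backend secrets/state
                findings.append(Finding(path, "sensitive-log", m.group(0).strip()))
        for url in URL_RE.findall(text):
            if not any(url.startswith(d) for d in documented):
                findings.append(Finding(path, "undocumented-endpoint", url))
    return findings

# Constructed sample build: one config file, two production sources, one test source.
SAMPLE_BUILD = {
    "assets/config.properties": "api.base=https://api.example.test/v1\ndebug=true\nfeature.adminPanel=on\n",
    "src/main/java/app/AdminDashboard.kt":
        'val ADMIN_URL = "https://api.example.test/internal/admin"\nLog.d("auth", "token=$token")\n',
    "src/test/java/app/FakeBackend.kt": "class FakeBackend\n",
    "src/main/java/app/Login.kt": 'Log.i("ui", "login screen shown")\n',
}
DOCUMENTED = {"https://api.example.test/v1"}   # assumed list of reviewed, documented API roots

if __name__ == "__main__":
    for f in audit_build(SAMPLE_BUILD, DOCUMENTED):
        print(f"{f.kind:22} {f.path}: {f.detail}")
```

Run in CI against the unpacked release build; any finding should block the release until a reviewer confirms the switch, file, log line or endpoint is intended and documented.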


Example Attack Scenarios:

  • Administrative Endpoint Exposed: Developers included a hidden administrative dashboard within the mobile app that accessed admin information via the backend API. While the production version of the app didn't display the dashboard, the underlying code was present. An attacker analyzed the app's binary and discovered the URL to the administrative endpoint, allowing them to execute backend administrative functionality.

  • Debug Flag in Configuration File: An attacker manually added the 'debug=true' flag to a configuration file in a local app. This activated debug mode, causing the app to output log files with descriptive backend information. The attacker used this information to identify vulnerabilities in the backend system.
