Mobile App Security

All You Need to Know About Android App Vulnerability: Improper Platform Usage

Updated on: March 29, 2020

All You Need to Know About Android App Vulnerability: Improper Platform Usage

The Android App Vulnerability “Improper Platform Usage” is listed on the Owasp List of top 10 mobile vulnerabilities. It refers to misuse of a platform’s feature or failure to use platform security controls. It includes Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system.

The vulnerability in this category arises when an app on any platform (iOS, Android, Windows Phone, etc.) fails to use or incorrectly uses a feature or capability. However, this risk differs from the rest as the design and implementation is not the app developer’s issue. Here, any exposed API call can serve as an attack vector.

This risk is commonly prevalent in mobile applications. The vulnerability stems when an organization exposes a web service or API call which is then consumed by the mobile app. Use of insecure coding techniques leads to the web service of API being exposed as vulnerable to improper platform usage. Through the mobile interface, a rival is able to feed malicious inputs or unexpected sequences of events to exploit the vulnerability.

Ways to exploit Improper Platform Usage

All You Need to Know About Android App Vulnerability: Improper Platform Usage
  1. Violation of published guidelines: Each platform (Android, iOS) is expected to adhere to development guidelines stated for their security. If an application fails to follow these guidelines, it is exposed to this risk. For example, the iOS Keychain feature comes with a set of guidelines on how to be used. Apps not following these guidelines would experience this vulnerability.
  2. Violation of common practice: The manufacturer guidance doesn’t codify all best practices. Sometimes, there are best practices that are common in mobile applications.
  3. Unintentional misuse: As part of a system or human error, some apps unintentionally get some part of their implementation wrong. This varies from a bug to setting the wrong flag on an API call, or even a slight misunderstanding of the working behind the protections.

At Astra, we have a team of security experts who can help you to detect vulnerabilities in your mobile app and fix them.

Vulnerability Impact

While OWASP describes this vulnerability as commonly prevalent and easily exploitable, but the actual severity of the impact depends mostly on the type of exploit and the extent to which the hacker managed to gain control.

The technical impact of this vulnerability is severe, as an adversary can misuse any application using the mobile device. To exemplify,  an improper platform usage risk can give rise to exploitation of a Cross-Site Scripting (XSS) vulnerability via the mobile device. Leading to further loss of information important to the user.

How to prevent Improper Platform Usage?

The commonly exploited attack vector here is any exposed API. Prevention of the risks associated with improper platform usage requires secure coding and configuration practices on the server-side of the mobile application. The key is to follow the recommended best practices when developing your API.

Worried that your phone might be vulnerable to such threats? Protect your mobile now with Astra’s Complete Security Suite for Android and iOS apps

Was this post helpful?

Tags: , , , , ,

Bhagyeshwari Chauhan

An engineering grad and a technical writer, Bhagyeshwari blogs about web security, futuristic tech and space science.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Point Gadget
Point Gadget
2 years ago

Recently Google removed millions of apps from app store for various reasons. Is there any vulnerability reasons behind it?

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA/ France India Germany