The Android app vulnerability “Improper Platform Usage” is listed on the OWASP list of the top 10 mobile vulnerabilities. It refers to misuse of a platform feature or failure to use a platform security control. It includes Android intents, platform permissions, misuse of TouchID, the Keychain, or any other security control that is part of the mobile operating system.
A vulnerability in this category arises when an app on any platform (iOS, Android, Windows Phone, etc.) fails to use, or incorrectly uses, a feature or capability. This risk differs from the rest in that the platform feature’s own design and implementation are not the app developer’s responsibility; the app’s misuse of it is. Here, any exposed API call can serve as an attack vector.
This risk is commonly prevalent in mobile applications. The vulnerability stems from an organization exposing a web service or API call that is then consumed by the mobile app. Use of insecure coding techniques leaves that web service or API vulnerable to improper platform usage. Through the mobile interface, an adversary is able to feed malicious inputs or unexpected sequences of events to exploit the vulnerability.
Ways to exploit Improper Platform Usage
- Violation of published guidelines: Each platform (Android, iOS) publishes development guidelines for its security features, and apps are expected to adhere to them. If an application fails to follow these guidelines, it is exposed to this risk. For example, the iOS Keychain feature comes with a set of guidelines on how it should be used. Apps not following these guidelines would be affected by this vulnerability.
- Violation of common practice: The manufacturer’s guidance doesn’t codify all best practices. Some best practices are simply common convention in mobile applications, and departing from them creates the same exposure.
- Unintentional misuse: Through system or human error, some apps unintentionally get part of their implementation wrong. This ranges from a bug to setting the wrong flag on an API call, or even a slight misunderstanding of how the protections work.
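The Android intent and permission misuse named above usually shows up in the app manifest: a component is exported (explicitly with android:exported="true", or implicitly by declaring an intent-filter without the attribute on older target SDK levels) and is not guarded by a permission. The following is an added example, not code from the original article or from Astra; it is a small manifest checker that flags such components, exempting the launcher activity, which has to be reachable. The manifest it parses is constructed for the example and does not describe any real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from any real app). It contains:
#  - an activity exported with no permission guard (finding),
#  - a receiver with an intent-filter and no explicit android:exported,
#    which is implicitly exported when targetSdk < 31 (finding),
#  - a service exported but guarded by a signature-level permission (ok),
#  - the launcher activity, which must be exported (ok).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <permission android:name="com.example.sample.INTERNAL"
              android:protectionLevel="signature"/>
  <application>
    <activity android:name=".AccountActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.sample.SYNC"/>
      </intent-filter>
    </receiver>
    <service android:name=".ExportService" android:exported="true"
             android:permission="com.example.sample.INTERNAL"/>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    # Android attributes live in the android: namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_launcher(comp):
    # A MAIN/LAUNCHER intent-filter marks the app entry point; it is
    # expected to be exported and is not reported.
    for flt in comp.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        cats = {_attr(c, "name") for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False


def find_exposed_components(manifest_xml):
    """Return components reachable by other apps that carry no permission guard."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true":
                reason = "android:exported=\"true\""
            elif exported is None and has_filter:
                reason = "intent-filter without explicit android:exported"
            else:
                continue  # explicitly private, or no filter: not reachable
            if _attr(comp, "permission") or _is_launcher(comp):
                continue  # guarded by a permission, or the launcher entry point
            findings.append({"component": tag,
                             "name": _attr(comp, "name"),
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_exposed_components(SAMPLE_MANIFEST):
        print(f"{f['component']} {f['name']}: {f['reason']}")
```

Each finding is fixed in the manifest itself, either by setting android:exported="false" on components that only the app uses, or by adding an android:permission guard (a signature-level permission, as on ExportService in the sample) on components that other apps legitimately call. The check reads only the manifest, so it says nothing about how a component validates the intent extras it receives; that still has to be reviewed in code.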
At Astra, we have a team of security experts who can help you to detect vulnerabilities in your mobile app and fix them.
Vulnerability Impact
While OWASP describes this vulnerability as commonly prevalent and easily exploitable, the actual severity of the impact depends mostly on the type of exploit and the extent to which the attacker manages to gain control.
The technical impact of this vulnerability is severe, as an adversary can misuse any application on the mobile device. For example, an improper platform usage risk can enable exploitation of a Cross-Site Scripting (XSS) vulnerability via the mobile device, leading to further loss of information important to the user.
How to prevent Improper Platform Usage?
The commonly exploited attack vector here is any exposed API. Preventing the risks associated with improper platform usage requires secure coding and configuration practices on the server side of the mobile application as well as correct use of the platform controls on the device. The key is to follow the recommended best practices when developing your API.
Worried that your phone might be vulnerable to such threats? Protect your mobile now with Astra’s Complete Security Suite for Android and iOS apps
Recently Google removed millions of apps from the app store for various reasons. Are there any vulnerability reasons behind it?