This is a new one, in this specific form, and refers to vulnerabilities where an app does not adequately protect sensitive personal information, or PII. The impact of this can be far reaching, potentially leading to unauthorised access, data breaches and identity theft.
Threat Agents: Application Specific

Protection of Personally Identifiable Information (PII) is critical. This includes all personal information: name, address, credit card details, email, IP addresses, health data, religion, sexuality, political opinions and, in some jurisdictions, device IDs. The value of this information lies in the assistance it gives attackers to:
– impersonate the victim to commit fraud
– use payment data to make purchases
– blackmail the victim
– cause other harm by manipulating this data

PII can be:
– Leaked, violating confidentiality
– Manipulated, violating integrity
– Destroyed, violating availability

Attack Vectors: Exploitability AVERAGE

Stores of PII are usually well protected, as the value of this data is understood, and in some cases protection is legislated. However, some are less well protected, such as clipboard contents and query parameters. Accessing PII therefore usually follows a primary breach in another area.

Security Weakness: Prevalence COMMON, Detectability EASY

Many apps capture and process PII, often more than they need to fulfil their function. Careless handling of PII by developers increases risks. It must always be handled on the assumption that communication and storage have been compromised.

Technical Impacts: Impact LOW

Direct technical impact is considered low, unless manipulation of the data impacts functionality, in which case it could leave an app inoperable for the victim.

Business Impacts: Impact SEVERE

Depending on the data and the number of impacted users, a breach here could represent an existential threat to a business:
– Regulatory: this data is tightly regulated, including GDPR (Europe), PDPA (Singapore), CCPA (CA, US), PIPEDA (Canada), Data Protection Act 2018 (UK), PDPL (China) and POPIA (South Africa). Sanctions apply for those in breach.
– Financial: litigation from impacted users can have a significant impact.
– Reputational: a significant breach will likely garner media attention, adversely impacting business.
– Misuse of Data: stolen data could be used to impersonate users and attempt further attacks on the app publisher.
Causes

Apps are only vulnerable to this if they process PII, although this is almost always the case. This data can be considered a special case of general data, and as such is vulnerable to exposure through:
– Insecure data storage and communication (M5, M9)
– Data access with insecure authentication and authorisation (M3, M1)
– Insider attacks on the app’s sandbox (M2, M4, M8)
Prevention

The safest and most comprehensive solution is not to capture or process any PII. Achieving this requires an excellent awareness of what constitutes PII and the associated risks. Ask these questions:
– Is all PII usage really necessary?
– Can some be replaced by less critical data (for example, reduced accuracy of location tracking)?
– Can use be reduced (for example, reduced frequency of location tracking)?
– Can some or all of the PII be anonymised?
– Can PII be securely deleted after an expiration period?
– Can users be prompted to consent to optional PII storage?
– Can storage of remaining PII be prevented or reduced?
– Can transmission of remaining PII be stopped or reduced?
– Is PII included in any logging or analytics? If so, can it be removed or is it absolutely necessary? Are those logs and analytics handled securely?
– Is a third party involved?
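Three of the questions above (reduced location accuracy, anonymisation, and keeping PII out of logs and analytics) can be turned into small, reusable helpers. The following Kotlin is an added example written for this article, not code from the original post or from any vendor library; the regular expressions, the 2-decimal-place coarsening and the per-install salt are illustrative choices, and the log line at the bottom is constructed.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import kotlin.math.pow
import kotlin.math.roundToInt

// Constructed patterns for three of the PII types the article lists. They are
// deliberately coarse (the card pattern matches any 13-19 digit run) because
// over-redacting a log line is cheap and under-redacting it is a breach.
private val EMAIL = Regex("[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}")
private val CARD = Regex("\\b(?:\\d[ -]?){13,19}\\b")
private val IPV4 = Regex("\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b")

/** Masks PII patterns so a log or analytics line can be shipped without carrying the value. */
fun redactForLogging(line: String): String =
    line.replace(EMAIL, "[email]")
        .replace(CARD, "[card]")
        .replace(IPV4, "[ip]")

/**
 * Pseudonymises a user identifier for analytics: SHA-256 over a per-install
 * random salt plus the id. Without the salt (which must stay on the device)
 * the output cannot be joined back to the real user or across installs.
 */
fun pseudonymise(userId: String, installSalt: ByteArray): String {
    val md = MessageDigest.getInstance("SHA-256")
    md.update(installSalt)
    val digest = md.digest(userId.toByteArray(Charsets.UTF_8))
    return digest.joinToString("") { "%02x".format(it) }
}

/** Rounds coordinates to [decimals] places (2 places is roughly 1 km) so only region-level data is kept. */
fun coarsen(lat: Double, lon: Double, decimals: Int = 2): Pair<Double, Double> {
    val factor = 10.0.pow(decimals)
    return Pair((lat * factor).roundToInt() / factor, (lon * factor).roundToInt() / factor)
}

fun main() {
    // Constructed sample: a debug line that a careless handler might write to analytics.
    val raw = "checkout ok user=alice@example.com card=4111 1111 1111 1111 from=203.0.113.7"
    println(redactForLogging(raw))
    // checkout ok user=[email] card=[card] from=[ip]

    // The salt is generated once per install and stored only on the device (assumption: your own storage).
    val installSalt = ByteArray(16).also { SecureRandom().nextBytes(it) }
    println(pseudonymise("alice@example.com", installSalt))

    // Precise position in, coarse region out: the precise value is never persisted.
    println(coarsen(51.50735, -0.12776))   // (51.51, -0.13)
}
```

Apply `redactForLogging` at the single point where log lines leave the process (the logger sink or analytics adapter), not at each call site, so a new debug statement cannot bypass it; the pseudonym, not the raw id, is what reaches the analytics provider or any third party.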
iOS Best Practice
Ensure that any PII which remains after addressing the above questions is stored securely, and entirely within the app’s sandbox, ensuring simple removal on uninstallation and exclusion from backups.
Android Best Practice
Ensure that any PII which remains after the above questions have been addressed is also stored securely, and entirely within the app’s sandbox. Specifically, be very careful of setting hasFragileUserData to true, causing the app to preserve its data after uninstallation. An attacker with access to the device at a later date could install a malicious app with the same package ID and retrieve all the data.
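The storage side of the Android advice (PII kept encrypted, inside the sandbox, and deleted after an expiry period) can look like the following. This is an added example written for this article, not the original author's code; the key alias, file name and 12-byte IV/128-bit tag layout are assumptions, and the Android Keystore and `javax.crypto` calls are the platform's standard APIs.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.io.File
import java.nio.ByteBuffer
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "pii_store_key"   // assumed alias; pick your own
private const val FILE_NAME = "pii.bin"         // assumed file name inside filesDir
private const val IV_BYTES = 12                 // Keystore AES-GCM generates a 12-byte IV
private const val GCM_TAG_BITS = 128

/** Returns the Keystore-backed AES-256-GCM key, generating it on first use. Key material never leaves the Keystore. */
private fun piiKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }
        .generateKey()
}

/** Encrypts [pii] and writes it to the app's private filesDir with an absolute expiry time prefixed. */
fun storePii(context: Context, pii: ByteArray, expiresAtEpochMs: Long) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, piiKey())   // Keystore picks a fresh random IV per call
    val ciphertext = cipher.doFinal(pii)
    val record = ByteBuffer.allocate(Long.SIZE_BYTES + IV_BYTES + ciphertext.size)
        .putLong(expiresAtEpochMs)
        .put(cipher.iv)
        .put(ciphertext)
        .array()
    // filesDir is inside the sandbox, so the file is removed when the app is uninstalled.
    File(context.filesDir, FILE_NAME).writeBytes(record)
}

/** Returns the stored PII, or null if nothing is stored or it has expired (the expired file is deleted). */
fun loadPii(context: Context, nowEpochMs: Long = System.currentTimeMillis()): ByteArray? {
    val file = File(context.filesDir, FILE_NAME)
    if (!file.exists()) return null
    val buf = ByteBuffer.wrap(file.readBytes())
    val expiresAt = buf.long
    if (nowEpochMs >= expiresAt) {          // expiry policy from the prevention checklist
        file.delete()
        return null
    }
    val iv = ByteArray(IV_BYTES).also { buf.get(it) }
    val ciphertext = ByteArray(buf.remaining()).also { buf.get(it) }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, piiKey(), GCMParameterSpec(GCM_TAG_BITS, iv))
    return cipher.doFinal(ciphertext)       // throws AEADBadTagException if the file was altered
}
```

Two manifest settings complete the picture and are not covered by the code itself: leave `android:hasFragileUserData` at its default of false on the `<application>` element, so the file above really is removed on uninstall, and exclude the file from backups with `android:fullBackupContent` (or `android:dataExtractionRules` on Android 12 and later), since a Keystore key does not travel with a backup and the ciphertext would be useless on any other device anyway.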
If you want to chat to us more about any of this, or to discuss any mobile app requirements or questions you may have, then get in touch.