M2: Inadequate Supply Chain Security (2024)
OWASP Risk Analysis
Risks from third-party SDKs, malicious dependencies, and compromised build pipelines. Attackers inject code through trusted libraries or tamper with CI/CD systems.
Risk Assessment
Threat Agents
Attackers manipulate mobile app functionality by exploiting supply chain weaknesses: injecting malicious code during development, modifying code during the build to introduce backdoors or spyware, exploiting vulnerabilities in third-party libraries and SDKs, or using hardcoded credentials that ship with the app or its dependencies to gain unauthorized access.
Attack Vectors (Exploitability: AVERAGE)
Multiple exploitation methods exist: an insider or an external attacker can inject malicious code during development; a threat agent who obtains the app signing keys or certificates can sign malicious builds so that they are accepted as trusted; or an attacker can exploit a known vulnerability in a third-party library or component that the app bundles.
Security Weakness (Prevalence: COMMON; Detectability: DIFFICULT)
The weakness results from inadequate secure coding practices, insufficient code review and testing, insecure app signing and distribution processes, vulnerable or unvetted third-party software components and libraries, and insufficient security controls for data encryption, storage, or protection against unauthorized access. Detection is difficult because the malicious or vulnerable code arrives inside components the build already trusts, so reviews that look only at first-party code do not see it.
Technical Impact (SEVERE)
Data breaches in which attackers steal sensitive data, including login credentials, personal information, or financial data; malware infection of user devices; unauthorized access to application servers to modify or delete data; and complete system compromise leading to application shutdown, significant data loss, and long-term reputational damage.
Business Impact (SEVERE)
Financial losses from investigation costs, notification expenses, legal settlements, and lost revenue; reputational damage that reduces customer trust and revenue; legal and regulatory consequences including fines, lawsuits, and government investigations; and supply chain disruption causing operational delays and delivery interruptions.
Am I Vulnerable?
- Lack of Security in Third-Party Components: Third-party components, such as libraries, SDKs, or frameworks, can contain vulnerabilities or deliberately malicious code. If the mobile application developer does not vet third-party components before adopting them, pin the exact versions that were reviewed, and keep them updated when fixes are released, the application inherits whatever weakness the component carries.
- Malicious Insider Threats: Malicious insiders, such as a rogue developer or a supplier, can introduce vulnerabilities into the mobile application intentionally. This can occur if the developer does not implement adequate security controls and monitoring of the supply chain process.
- Inadequate Testing and Validation: If the mobile application developer does not test the application thoroughly, including its third-party components and the build and release pipeline that produces it, vulnerabilities can reach production. The developer may also fail to validate the integrity of the supply chain itself, for example by never checking that the artifacts a build consumes are the ones that were reviewed.
- Lack of Security Awareness: If the mobile application developer does not have adequate security awareness, they may not implement the necessary security controls to prevent supply chain attacks.
How Do I Prevent It?
- Secure Coding Practices: Implement secure coding practices, code review, and testing throughout the mobile app development lifecycle to identify and mitigate vulnerabilities.
- Secure App Signing and Distribution: Protect signing keys and certificates (for example in a hardware-backed key store with access restricted to the release pipeline) and sign only builds produced by the trusted pipeline, so that an attacker cannot sign and distribute malicious code as a legitimate release.
- Trusted Third-Party Components: Use only trusted and validated third-party libraries or components, pin them to the reviewed versions and artifact checksums, and re-review before every version bump, to reduce the risk of vulnerabilities.
- Security Controls for Updates: Establish security controls for app updates, patches, and releases to prevent attackers from exploiting vulnerabilities in the app.
- Supply Chain Monitoring: Monitor and detect supply chain security incidents through security testing, dependency and artifact scanning, and integrity checks in the build pipeline, so that incidents are detected and responded to in a timely manner.
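The following is an added example, not OWASP's or any project's code, showing one concrete form of the "vet and pin third-party components" check from the Am I Vulnerable? section and the "Trusted Third-Party Components" and "Supply Chain Monitoring" controls above. It gates a build on an allowlist of reviewed components: each (name, version) pair is pinned to the SHA-256 of the exact artifact that was reviewed, so both a dependency bumped without review and an approved dependency whose bytes were swapped in a mirror or CI cache are caught before the app is signed. Component names, versions, and artifact bytes are constructed for the example.

```python
"""Build-time integrity gate for third-party mobile app components.

Added example, not OWASP's or any project's code. Component names,
versions, and artifact bytes below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    name: str
    version: str
    data: bytes  # the bytes the build actually fetched


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: every component the security review approved, pinned
# to the SHA-256 of the exact artifact that was reviewed. In a real pipeline
# this file lives in version control next to the app and changes only through
# a reviewed pull request, never from the same download the gate is checking.
VETTED = {
    ("analytics-sdk", "2.4.1"): sha256_hex(b"analytics-sdk-2.4.1.aar contents"),
    ("crash-reporter", "1.9.0"): sha256_hex(b"crash-reporter-1.9.0.aar contents"),
    ("image-loader", "3.2.0"): sha256_hex(b"image-loader-3.2.0.aar contents"),
}


def audit_build(resolved, vetted):
    """Return [(artifact, reason)] for every resolved component that must not ship.

    reason is "unvetted" when (name, version) is not in the allowlist (a new
    dependency, or a version bump that bypassed review), and "tampered" when
    the pair is allowlisted but the fetched bytes hash to a different value
    than the reviewed artifact (substitution in a mirror, CDN, or CI cache).
    """
    findings = []
    for art in resolved:
        expected = vetted.get((art.name, art.version))
        if expected is None:
            findings.append((art, "unvetted"))
        elif sha256_hex(art.data) != expected:
            findings.append((art, "tampered"))
    return findings


def release_allowed(resolved, vetted=VETTED):
    """The gate a CI job calls before signing: True only when every component is clean."""
    return not audit_build(resolved, vetted)


# Constructed build: what dependency resolution produced for this release.
RESOLVED = [
    # Unchanged since review: passes.
    Artifact("analytics-sdk", "2.4.1", b"analytics-sdk-2.4.1.aar contents"),
    # Same name and version as the reviewed artifact, but the bytes differ.
    Artifact("crash-reporter", "1.9.0",
             b"crash-reporter-1.9.0.aar contents" + b"\x90\x90"),
    # Version bumped from 3.2.0 to 3.3.0 without a new review.
    Artifact("image-loader", "3.3.0", b"image-loader-3.3.0.aar contents"),
]


if __name__ == "__main__":
    for art, reason in audit_build(RESOLVED, VETTED):
        print(f"BLOCK {art.name} {art.version}: {reason}")
    print("release allowed:", release_allowed(RESOLVED))
```

The important design choice is where the expected hash comes from: it is recorded at review time and committed with the app, not fetched from the same repository that serves the artifact, otherwise a compromised mirror could supply a matching hash for its own tampered file. Build tools offer the same control natively (Gradle's dependency verification metadata, pip's hash-checking mode), and the two failure classes the script distinguishes map to different responses: "unvetted" is a process gap to route back through review, "tampered" is an incident to investigate in the distribution path.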
Example Attack Scenarios
- Malware Injection: An attacker injects malware into a popular mobile app during the development phase. The attacker then signs the app with a valid certificate and distributes it to the app store, bypassing the app store's security checks. Users download and install the infected app, which steals their login credentials and other sensitive data. The attacker then uses the stolen data to commit fraud or identity theft, causing significant financial harm to the victims and reputational damage to the app provider.
Based on OWASP Mobile Top 10 (2024) — the industry standard for mobile app security risks.