M8: Security Misconfiguration (2024)

Debug flags left in production, overly permissive permissions, insecure default settings, and exposed backup data. Often caused by rushing releases.

Risk Assessment

Am I Vulnerable?

• Default Settings Not Reviewed: Using default configurations without reviewing security settings, permissions and default credentials.
• Lack of Secure Communication: Using unencrypted or weakly encrypted communication channels.
• Weak or Absent Access Controls: Allowing unauthorized access to sensitive functionality or data.
• Failure to Update or Patch: Not applying necessary security updates or patches to the app or underlying components.
• Improper Storage of Sensitive Data: Storing sensitive data in plain text or weakly protected formats.
• Insecure File Provider Path Settings: A file content provider that was meant for internal application use is exposed to other apps or users.
• Exported Activities: An activity that is meant for internal application use is exported and/or browsable, which exposes an additional attack surface.

How Do I Prevent It?

• Secure Default Configurations: Ensure that default settings and configurations are properly secured and do not expose sensitive information or provide unnecessary permissions.
• Default Credentials: Refrain from using hardcoded default credentials.
• Insecure Permissions: Avoid storing application files with overly permissive permissions like world-readable and/or world-writable.
• Least Privilege Principle: Request only the permissions necessary for the proper functioning of the application.
• Secure Network Configuration: Disallow cleartext traffic and use certificate pinning when possible.
• Disable Debugging: Disable debugging features in the production version of the app.
• Disable Backup Mode (Android): By disabling backup mode on Android devices, you prevent the inclusion of app data in the device's backup.
• Limit Application Attack Surface: Only export activities, content providers, and services that are necessary to be exported.

Example Attack Scenarios

• Insecure Default Settings: A mobile app is released with default settings that have weak security configurations enabled. This includes using insecure communication protocols, leaving default usernames and passwords unchanged, and not disabling debugging features in release builds. Attackers exploit these misconfigurations to gain unauthorized access to sensitive data or perform malicious actions.
• Insecure File Provider Path Settings: A mobile app exposes its root path in an exported file content provider, allowing other apps to access its resources.
• Overly Permissive Storage Permissions: A mobile app stores application shared preferences with world-readable permissions, allowing other apps to read them.
• Exported Activity: A mobile app exports some activity that is meant for internal use, giving attackers extra attack surface to the application.
• Unnecessary Permissions: A mobile app requests excessive permissions that are not essential for its core functionality. For instance, a simple flashlight app requesting access to the user's contacts, location, and camera. This exposes user data to unnecessary risks, as the app could potentially misuse the granted permissions or unintentionally leak sensitive information.