Mobile Top 10 2014-M4



Unintended data leakage (formerly side-channel data leakage) is a branch of Insecure Data Storage. It covers every kind of vulnerability that can be introduced by the OS, frameworks, compiler environment, new hardware, etc., all without the developer's knowledge: the developer never wrote the sensitive data out explicitly, but the platform did.

In the mobile development world this is most often seen in undocumented (or under-documented) internal processes such as:


 * The way the OS caches data, images, key-presses, logging, and buffers.
 * The way the development framework caches data, images, key-presses, logging, and buffers.
 * The way in which, and how much, ad, analytics, social, or enablement frameworks cache data, images, key-presses, logging, and buffers.

It is important to threat model your OS, platforms, and frameworks to see how they handle the following types of features:


 * URL Caching (Both request and response)
 * Keyboard Press Caching
 * Copy/Paste buffer Caching
 * Application backgrounding
 * Logging
 * HTML5 data storage
 * Browser cookie objects
 * Analytics data sent to 3rd parties

It is especially important to discern what a given OS or framework does by default, because the leak happens on the default path, not in code you wrote. By identifying those defaults and applying mitigating controls, you can avoid unintended data leakage. Specific examples to follow.
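The following is an added illustration, not code from the OWASP page, showing on Android what "applying mitigating controls" looks like for the feature list above. It is a single login Activity that turns off the leaking platform defaults for application backgrounding, keyboard caching, WebView URL/HTML5/cookie storage, logging, and the clipboard. The package name, class name, layout and view ids (`R.layout.activity_login`, `R.id.password`, `R.id.web`) are hypothetical; the Android framework calls themselves are real.

```java
// Added example (not part of the OWASP Mobile Top 10 page). Package, class and
// resource ids are hypothetical; the framework calls are real Android SDK APIs.
package com.example.leak;

import android.app.Activity;
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Bundle;
import android.text.InputType;
import android.util.Log;
import android.view.WindowManager;
import android.webkit.CookieManager;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.widget.EditText;

public class LoginActivity extends Activity {
    private static final String TAG = "LoginActivity";
    private EditText password;
    private WebView web;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);          // hypothetical layout
        password = (EditText) findViewById(R.id.password); // hypothetical id
        web = (WebView) findViewById(R.id.web);            // hypothetical id

        // Application backgrounding: by default the OS snapshots the window when
        // the app goes to the background and keeps the image for the task switcher.
        // FLAG_SECURE blanks that snapshot (and blocks screenshots) for this window.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        // Keyboard press caching: a plain text field feeds the keyboard's
        // autocomplete dictionary. A password input type keeps typed values out
        // of it; TYPE_TEXT_FLAG_NO_SUGGESTIONS does the same for other sensitive
        // non-password fields.
        password.setInputType(InputType.TYPE_CLASS_TEXT
                | InputType.TYPE_TEXT_VARIATION_PASSWORD);

        // URL caching, HTML5 data storage and browser cookies inside a WebView:
        // the defaults keep an HTTP cache, DOM/Web SQL storage, form data and
        // cookies on disk across runs. Switch each of them off.
        WebSettings settings = web.getSettings();
        settings.setCacheMode(WebSettings.LOAD_NO_CACHE);
        settings.setDomStorageEnabled(false);
        settings.setDatabaseEnabled(false);
        settings.setSaveFormData(false);
        CookieManager.getInstance().setAcceptCookie(false);
    }

    // Logging: the weak default is to log whatever is convenient. Everything
    // passed to Log lands in logcat, which is captured in bug reports and, on
    // older Android releases, readable by any app holding READ_LOGS.
    void onLogin(String user, String secret) {
        // Log.d(TAG, "login " + user + " password=" + secret);   // leaks the secret
        Log.d(TAG, "login attempt, user id hash " + user.hashCode()); // no secret logged
        authenticate(user, secret);
    }

    private void authenticate(String user, String secret) {
        // Hypothetical: the real implementation would call the backend here.
    }

    // Copy/paste buffer: if the app has had to place something sensitive on the
    // clipboard, clear it when the Activity leaves the foreground rather than
    // leaving it readable by every other app. Also drop the WebView cache.
    @Override
    protected void onPause() {
        super.onPause();
        ClipboardManager cm =
                (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE);
        cm.setPrimaryClip(ClipData.newPlainText("", ""));
        web.clearCache(true);
    }
}
```

The point of the example is the direction of each call: every line in `onCreate` and `onPause` exists only to undo something the platform does on its own. When you threat model a framework, the same exercise applies: list what it persists by default (screenshots, keyboard dictionary, HTTP cache, DOM storage, cookies, log lines, clipboard) and find the switch for each one, then verify on a device by pulling the app's data directory and reading logcat after exercising the screen.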

OS: iOS

 * URL Caching (Both request and response)
 * Keyboard Press Caching
 * Copy/Paste buffer Caching
 * Application backgrounding
 * Logging
 * HTML5 data storage
 * Browser cookie objects
 * Analytics data sent to 3rd parties

OS: Android

 * URL Caching (Both request and response)
 * Keyboard Press Caching
 * Copy/Paste buffer Caching
 * Application backgrounding
 * Logging
 * HTML5 data storage
 * Browser cookie objects
 * Analytics data sent to 3rd parties
