Weaknesses in Mobile Applications
A view in the Common Weakness Enumeration published by The MITRE Corporation.
Views in the Common Weakness Enumeration (CWE) represent one perspective with which to consider a set of weaknesses.
CWE entries in this view (slice) are often seen in mobile applications.
The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a ...
The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of o...
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the...
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
The software uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
The software does not validate, or incorrectly validates, a certificate.
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the dat...
The software operates in an environment in which power is a limited resource that cannot be automatically replenished, but the software does not properly restrict the ...
The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.
The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.
The software establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is...
The software creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.
The software contains code that is designed to disrupt the legitimate operation of the software (or its environment) when a certain time passes, or when a certain logi...
The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
The software stores sensitive information in a file system or device that does not have built-in access control.
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exte...
The Android application uses an implicit intent for transmitting sensitive data to other applications.