Knowledge Base - Issues
Our knowledge-base provides a comprehensive collection of information on vulnerabilities related to cyber security.
IPA symbol table (CWE-200) is a type of IT vulnerability that is associated with the usage of platforms such as iOS and mobile apps. This type of vulnerability allows attackers to gain access to sensitive information by using the symbol table of an iOS application. The symbol table contains information...
Abuse of Mobile Network Connection is a configuration management vulnerability, which can occur in Android, iOS, and Mobile App applications. According to the CWE directory, this vulnerability occurs when the application connects to a mobile network to access services, but the data is not properly protected, allowing an attacker to...
AddJavaScriptInterface Remote Code Execution is a vulnerability in Android and mobile applications that allows attackers to execute arbitrary code on the device. It is a type of Input Validation vulnerability, identified by the Common Weakness Enumeration (CWE) directory as CWE-494. It is also included in the OWASP Testing Guide, which...
Address Space Layout Randomization (ASLR) is a computer security technique enforced by the operating system that randomizes the memory layout of a program. It is used to prevent malicious code from exploiting known address locations of a program in order to cause the program to crash or execute arbitrary code....
Android Class Load Hijacking is a vulnerability that enables an attacker to gain control of a mobile application's runtime environment by exploiting the application's class loader. This vulnerability is identified in the Common Weakness Enumeration (CWE) directory as CWE-427 and is also described in the OWASP Testing Guide as a...
Android Class Loading Hijacking (CWE-919) is a vulnerability that affects the authorization process in Android and mobile app development. It is a type of vulnerability in which an attacker is able to exploit an application's class loading procedure to inject malicious code into the application. This malicious code can then...
APK files list is an Information Gathering vulnerability (CWE-200) that occurs in Mobile App and Android. It is a vulnerability that allows an attacker to view the list of installed applications on a user's device. This can be used in a variety of ways to gain further access to the...
Application checks rooted device is an IT vulnerability that allows attackers to root a mobile device and gain access to the device. This vulnerability is classified as CWE-716: Create a User with Unrestricted Privileges. According to the OWASP Testing Guide, this vulnerability can occur in Android, iOS, and Mobile App...
Application implements anti-debug techniques (CWE-16) is a resiliency vulnerability that occurs when an application implements measures to detect when it is being debugged or reverse-engineered. This vulnerability is often found in mobile apps, specifically on iOS devices where the application can detect when a debugger is attached and can take...
Application signed with an expired certificate is an authentication vulnerability that occurs when an application, such as an app on Android, iOS, or a Mobile App, is signed with an expired certificate, allowing users to execute a malicious application. This vulnerability has been identified in the Common Weakness Enumeration (CWE)...
Attribute hasFragileUserData not set is a vulnerability for Mobile App and Android applications found in the Common Weakness Enumeration (CWE) directory. It is categorized as a Platform Usage vulnerability. This vulnerability occurs when an application does not explicitly declare a sensitive user data attribute (e.g. username, password, etc.) so that...
Attribute requestLegacyExternalStorage set is a Configuration Management vulnerability, which usually occurs in Android and mobile applications. It is defined in the Common Weakness Enumeration (CWE) directory as "CWE-732: Incorrect Permission Assignment for Critical Resource". This means that the application does not assign the correct permissions to sensitive or critical resources,...
Attribute usesCleartextTraffic set is a type of IT vulnerability that is classified as a Network Communication vulnerability. This vulnerability is present in both Android and Mobile App systems, as well as in other similar systems. According to the CWE/SANS TOP 25 Most Dangerous Software Errors directory, this vulnerability occurs when...
Automatic Reference Counting (ARC) not enforced is a type of Configuration Management vulnerability (CWE-822) that occurs in mobile applications and iOS. It is an issue where a reference count is not correctly enforced and allows memory to be accessed even when the reference count is 0 or less. This can...
Backup mode disabled is a vulnerability within the Configuration Management category of the Common Weakness Enumeration (CWE-16). It is related to a lack of secure configuration management, where the configuration of a system is not set up correctly. This can lead to the system becoming vulnerable to attack. Specifically, the...
Broadcast receiver dynamic registration is a type of authorization vulnerability that occurs in mobile applications and Android operating systems. This vulnerability occurs when an application registers a broadcast receiver dynamically, and does not properly control the intent filters (CWE-284). This can lead to an attacker sending a malicious intent to...
Call to dynamic code loading API is a type of authorization vulnerability that affects Android, iOS and Mobile Apps. This vulnerability allows attackers to bypass authentication measures, such as user accounts, by loading code into the application dynamically. This type of attack is classified as CWE-285 (Improper Authorization) according to...
Continuous collection of GPS location is a vulnerability affecting mobile app security. It occurs when an app collects user location data over a period of time without user consent or knowledge. This type of data collection can lead to privacy and security risks as it can give an attacker access...
Cordova Cross-site Scripting (XSS) is a type of vulnerability classified by CWE-79, Cross-site Scripting, which occurs in Android, iOS, and Mobile App platforms. XSS vulnerabilities occur when an application or webpage does not sanitize user input properly, allowing malicious code to be executed as part of the application. This type...
Cordova debug mode enabled is an IT vulnerability that is categorized under Resiliency in the Common Weakness Enumeration (CWE) directory. It is a vulnerability that affects Android and Mobile App platforms. This vulnerability occurs when the debug mode for a Cordova application is enabled. This mode allows for the application...
Credentials exposed in logs is a type of Information Leakage vulnerability. This vulnerability occurs when a mobile app, for either iOS or Android, transmits sensitive data such as login credentials in an insecure format, usually in plaintext, over an insecure network. This type of vulnerability is listed in the CWE...
Debug Symbols Present in the Application (CWE-599) is a vulnerability found in iOS and Mobile App software applications. This vulnerability occurs when debug symbols are left in the final application, which can be used by attackers to reverse engineer the application and discover vulnerabilities. As listed in the OWASP Testing...
Dependency Confusion is a type of authorization vulnerability where an attacker can use a form of name confusion to insert malicious code into a system. Dependency Confusion occurs when an application looks for a dependency library with a specific name, and an attacker is able to manipulate the library search...
Facebook SDK debug mode enabled is a configuration management vulnerability (CWE-732) that affects Android, iOS and Mobile App software. This vulnerability occurs when the debug mode of the Facebook SDK is enabled, which allows attackers to bypass security measures, modify data, and take control of the application. Reference to the...
Insecure App Transport Security (ATS) Settings is a vulnerability in the network communication of iOS and Mobile Apps. According to the Common Weakness Enumeration (CWE) directory, this vulnerability is classified as CWE-319. This vulnerability occurs when an application does not properly configure the secure connection between the client and the...
Insecure File Provider Paths Setting is a vulnerability categorized as an Input Validation vulnerability (CWE-20) that occurs in Android and Mobile App ecosystems. This vulnerability can allow attackers to access files on a device through file provider paths that are not properly configured. It can also allow attackers to manipulate...
Insecure Filesystem Access is a type of authorization vulnerability that occurs when an application does not restrict access to the filesystem of a device, such as a computer or mobile phone. This type of vulnerability can be exploited by malicious actors to access files stored on the device, including confidential...
Insecure hostname validation check (CWE-295) is a type of input validation vulnerability that occurs when an application or system does not properly validate the hostname of requests from a client. This vulnerability is common in mobile applications (iOS and Android) and can lead to man-in-the-middle attacks. According to the OWASP...
Insecure password storage is a vulnerability of the Identity Management CWE-257 category, which occurs in Android, iOS and Mobile App. It is defined as the lack of encryption and secure storage of user credentials, such as passwords, on client systems. This can allow attackers to gain access to sensitive user...
Insecure Shared Preferences Permissions is a type of Authorization vulnerability as identified in the Common Weakness Enumeration (CWE) directory that affects Android and Mobile App systems. It occurs when access to shared preferences is misconfigured, allowing malicious actors to access and modify shared preferences without authentication or authorization. This can...
Insecure whitelist is a common configuration management vulnerability, listed as CWE-759, which occurs when an application or system incorrectly implements a whitelisting process. This vulnerability is common in Android, iOS and Mobile App environments and can be used to bypass authentication and authorization controls. According to the OWASP Testing Guide,...
Insecure whitelist configuration is a type of vulnerability in Configuration Management that allows an attacker to access a system by bypassing a whitelist. This vulnerability is registered in the Common Weakness Enumeration (CWE) directory as CWE-639. It is also described in the OWASP Testing Guide. This vulnerability affects Android, iOS,...
iOS URL Scheme Hijacking is a type of input validation vulnerability which occurs in mobile applications on iOS. It is classified in CWE-601 as “URL Redirection to Untrusted Site ('Open Redirect')”. This vulnerability occurs when an application uses URL schemes to pass data to other applications, and is not properly...
iOS URL Scheme Injection is a type of input validation vulnerability that occurs on mobile devices running iOS and in mobile applications. This vulnerability can allow attackers to inject malicious URLs into applications, allowing them to gain access to various data or functions within the application. The Common Weakness Enumeration...
IPA contains only bitcode is an IT vulnerability that affects iOS and Mobile App. It occurs when bitcode is uploaded to an IPA file without the source code. This vulnerability is listed in the CWE directory (CWE-1911) and is described in the OWASP Testing Guide as an insecure direct object...
IPA Frameworks List vulnerability is a type of platform usage vulnerability that affects mobile applications and iOS devices. This vulnerability was first documented in the CWE directory (CWE-921) as a vulnerability that allows an attacker to bypass the application’s security features and gain access to the underlying framework. The OWASP...
IPA Plist files are configuration files used in Apple's iOS and Mobile App platforms. These files are used to control how the application behaves and what features are available. Unfortunately, these files can be manipulated by malicious actors to enable features that can be used to gain access to sensitive...
iTunes UI File Sharing Enabled is an Authorization vulnerability that allows a user to access sensitive data stored in an iOS application or mobile app. This vulnerability is classified as CWE-284 and is described in the OWASP Testing Guide as “insufficient authorization or authentication for an operation involving sensitive data”....
List of calls to dangerous low-level C functions is a vulnerability related to authorization in iOS and Mobile App. It is defined in the Common Weakness Enumeration (CWE) directory as CWE-415: Double Free, which is a type of memory access error where a program attempts to free the same memory...
Mach-O encrypted is a type of IT vulnerability that occurs when an application in the Mobile App platform is not properly secured and can be exploited by malicious actors. This vulnerability is classified as CWE-732 under the Common Weakness Enumeration (CWE) directory and is listed as "Insecure Cryptographic Storage"...
Mach-O Entitlements is a type of IT vulnerability that is classified as an Authorization issue. This vulnerability is present in both iOS and Mobile App operating systems, and it is listed as CWE-269 in the Common Weakness Enumeration directory. According to the OWASP Testing Guide, Mach-O Entitlements is a type...
No Multi-factor authentication (CWE-287) is a vulnerability in authentication protocols that allows an attacker to gain access to systems or applications using only a single set of credentials. This vulnerability can be found in Infrastructure, Mobile App and Web and API. According to the OWASP Testing Guide, this vulnerability is...
No password change functionality is a vulnerability in the identity management of IT infrastructure, mobile apps and web and API applications. It is classified as CWE-257, which is described as "Failure to Change a Password in a timely manner". According to OWASP Testing Guide, this type of vulnerability occurs when...
No sensitive data stored outside App is a vulnerability (CWE-311) that can arise when an application does not properly secure the data that it stores on remote systems or out of its own scope. This can lead to data theft or data leakage to malicious actors. The vulnerability can occur...
Notification spoofing is an authorization vulnerability which occurs when a malicious user impersonates another user or an application and sends an unauthorized notification. This type of attack is usually done by sending a malicious notification to a user or application, often in order to gain access to sensitive data or...
Obfuscated methods is a type of resiliency vulnerability that occurs in mobile applications. It is defined in the CWE directory (CWE-600) as, “The software uses obfuscated methods to protect its code, data, or resources, but the obfuscation is not strong enough to prevent the code, data, or resources from being...
Password hash disclosure is an information leakage vulnerability, listed in CWE-209, which occurs when an application discloses the hashed form of a password, usually in plain text, making it easier for attackers to brute force guess the plain text password. Password hashes can be disclosed through web and API applications,...
Password Hash with Insufficient Computational Effort (CWE-521) is a Cryptography vulnerability related to the use of weak password hashing algorithms. This type of vulnerability occurs in Mobile Apps, Infrastructure, Web and API. It happens when an application does not use a strong enough hashing algorithm for passwords, which can be...
Showing entries 1 to 50 of 72 entries.