Weaknesses in Mobile Applications
A view in the Common Weakness Enumeration published by The MITRE Corporation.
Each view in the Common Weakness Enumeration (CWE) represents one perspective from which to consider a set of weaknesses.
CWE entries in this view (slice) are often seen in mobile applications.
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a ...
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of ot...
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the...
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
The product does not validate, or incorrectly validates, a certificate.
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the dat...
The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the am...
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.
The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is ...
The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.
The product contains code that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logica...
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
The product stores sensitive information in a file system or device that does not have built-in access control.
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exter...
The Android application uses an implicit intent for transmitting sensitive data to other applications.