- Type: Task
- Resolution: Done
- Priority: Medium
- Affects Version/s: None
- FLW Sprint 37, FLW Sprint 38, FLW Sprint 39
- FLW Mobile App
- All
The app is built with the android:debuggable="true" flag.
Impact:
Allows attackers to hook into the app, modify behavior or extract sensitive data.
| Vulnerability Name | Vulnerable URL | CVE/CWE | CVSS Score | Overall Risk (Severity) | Observation / Description | Impact | Recommendation | Reference | Steps to reproduce |
|---|---|---|---|---|---|---|---|---|---|
| AndroidManifest.xml | Improper Platform Usage - Debuggable | CWE-319 | 5.7 | Medium | "This covers the misuse of platform features and failure to use platform security controls. This includes misuse of Touch ID, the Keychain, Android intents, platform permissions, or other security features that are a part of the mobile operating system." | This can result in data loss, in the best case for one user, and in the worst case for many users. It may also result in the following technical impacts: extraction of the app's sensitive information via mobile malware, modified apps or forensic tools. | Unsafe and unnecessary permissions should not be set. | https://cwe.mitre.org/data/definitions/319.html | Step 1: During the security assessment we observed that the application has set Debuggable to true. |
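The following check is an added example, not code from this ticket or the FLW project. It parses an AndroidManifest.xml and reports whether the `<application>` element carries `android:debuggable="true"`, which is the setting this finding is about. The two embedded manifests are constructed samples (the package name `com.example.flw` is a placeholder): the first shows the weak setting, the second the corrected form, where the attribute is simply omitted because the platform default is `false`.

```python
import xml.etree.ElementTree as ET

# Namespace that all android:* attributes resolve to in the manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: the misconfiguration described in the finding.
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flw">
    <application
        android:label="FLW"
        android:debuggable="true">
    </application>
</manifest>
"""

# Constructed sample: the hardened form. The attribute is removed rather
# than set to "false"; absent means not debuggable.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flw">
    <application
        android:label="FLW">
    </application>
</manifest>
"""


def is_debuggable(manifest_xml: str) -> bool:
    """Return True when the manifest's <application> sets android:debuggable to true."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        # No <application> element: nothing can be marked debuggable.
        return False
    # ElementTree exposes namespaced attributes as "{namespace}localname".
    value = app.get(f"{{{ANDROID_NS}}}debuggable", "false")
    return value.strip().lower() == "true"


def assess(manifest_xml: str) -> dict:
    """Produce a small finding record in the shape of the ticket's table row."""
    debuggable = is_debuggable(manifest_xml)
    return {
        "debuggable": debuggable,
        "severity": "Medium" if debuggable else "None",
        "recommendation": (
            "Remove android:debuggable from the release manifest"
            if debuggable
            else "No change required"
        ),
    }


if __name__ == "__main__":
    for name, manifest in (("vulnerable", VULNERABLE_MANIFEST),
                           ("hardened", HARDENED_MANIFEST)):
        print(name, assess(manifest))
```

Run it against a manifest pulled from a built APK rather than the source tree, since build tooling can set `debuggable` for a debug build type without the attribute ever appearing in the source manifest; the release artifact is what needs to be verified.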