- Type: Task
- Resolution: Done
- Priority: Medium
- Affects Version/s: None
- Sprint: FLW Sprint 37, FLW Sprint 38, FLW Sprint 39
- FLW Mobile App
- All
The application does not detect or block execution on rooted/jailbroken devices.
Impact:
On a rooted device the OS sandbox no longer protects the app: any process running as root can read the app's private storage, attach to or hook its process at runtime, and patch its code. Sensitive data and application logic can therefore be tampered with or extracted.
| Vulnerability Name | Vulnerable URL | CVE/CWE | CVSS Score | Overall Risk (Severity) |
|---|---|---|---|---|
| Android Application | APP runs on Rooted Device | CWE-250 | 3.4 | Low |

Observation / Description:
Rooting grants user-level processes full access to the system partition and to every app's private data directory. Files the OS normally protects can be read, modified or deleted, and the security restrictions Android puts in place (the per-app sandbox and permission model) are circumvented. A rooted device is therefore easier to compromise with trojan- or malware-infected apps (if not protected by anti-virus software), and root-level tooling can read or patch this application's storage and running process.

Impact:
Though rooting can be done by an informed user for advanced app-related code manipulation, attackers tend to exploit it by injecting malware into the device, and malware with root access is not contained by the app sandbox.

Recommendation:
The following options are the most appropriate, based on the assessed sensitivity of the application and the issues explained above:
1. Implement full root detection across Android and prevent use on devices where it is detected, accepting the risk of blocking legitimate users on false positives.
2. Implement full root detection on Android but only show a warning/disclaimer where it fires, which avoids the false-positive risk of blocking.
3. Just provide a warning/disclaimer on all devices.
Whichever option is chosen, note that client-side checks can be bypassed by a user who controls the device; where the app's sensitivity justifies it, pair them with a server-verified device attestation.

Reference:
https://owasp.org/www-project-mobile-top-10/2014-risks/m10-lack-of-binary-protections

Steps to reproduce:
Step 1: During the security assessment it was identified that the application does not implement root detection mechanisms, allowing it to run on rooted devices.
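The following is an added example of the detection logic behind recommendation options 1 and 2; it is illustrative code written for this ticket, not code from the FLW Mobile App. The package name, class name and the list of su paths and root-manager packages are assumptions chosen for the example. It combines the common heuristics (build tags, well-known su binary paths, `su` resolvable on PATH, root-manager apps installed) and returns the list of indicators that fired, so the caller can decide whether to block (option 1) or warn (option 2).

```java
// Added example, not FLW project code. Package/class names are hypothetical.
// All checks below run on the client and can be bypassed by a user who controls
// the device (Magisk/Zygisk deny lists, Frida hooks), so treat a non-empty result
// as a risk signal, not as proof, and back it with a server-verified attestation.
package com.example.rootcheck;

import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;

import java.io.BufferedReader;
import java.io.File;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;

public final class RootDetector {

    // Locations where su binaries and common rooting/hooking tools leave traces.
    // This list is an assumption for the example and must be kept current.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/system/app/Superuser.apk", "/data/adb/magisk", "/data/local/tmp/frida-server"
    };

    // Root-management and hooking apps frequently present on rooted devices.
    private static final String[] ROOT_PACKAGES = {
        "com.topjohnwu.magisk", "eu.chainfire.supersu", "com.koushikdutta.superuser",
        "com.noshufou.android.su", "de.robv.android.xposed.installer"
    };

    private RootDetector() {}

    /** Runs every heuristic and returns the indicators that fired; empty means none. */
    public static List<String> indicators(Context context) {
        List<String> hits = new ArrayList<>();
        if (hasTestKeys()) hits.add("build-tags:test-keys");
        for (String p : SU_PATHS) {
            if (new File(p).exists()) hits.add("path:" + p);
        }
        if (suOnPath()) hits.add("which-su");
        for (String pkg : ROOT_PACKAGES) {
            if (isInstalled(context, pkg)) hits.add("package:" + pkg);
        }
        return hits;
    }

    /** OEM release builds are signed with "release-keys"; custom ROMs usually carry "test-keys". */
    static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** Asks the shell whether "su" resolves anywhere on PATH. */
    static boolean suOnPath() {
        Process proc = null;
        try {
            proc = Runtime.getRuntime().exec(new String[] {"which", "su"});
            try (BufferedReader in =
                         new BufferedReader(new InputStreamReader(proc.getInputStream()))) {
                return in.readLine() != null;   // "which" prints a path only when found
            }
        } catch (Exception e) {
            return false;   // "which" missing or exec blocked: no evidence either way
        } finally {
            if (proc != null) proc.destroy();
        }
    }

    /** True if the package is installed and visible to this app. */
    static boolean isInstalled(Context context, String pkg) {
        try {
            context.getPackageManager().getPackageInfo(pkg, 0);
            return true;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}
```

Usage from an Activity is `List<String> hits = RootDetector.indicators(this);` followed by either `finishAffinity()` when `hits` is non-empty (option 1) or a warning dialog that lets the user continue (option 2); logging the specific indicators helps triage false positives. Two caveats apply: on Android 11 and later, `getPackageInfo` on other apps is subject to package visibility filtering, so each package in `ROOT_PACKAGES` must be declared in a `<queries>` element of the manifest or the check silently returns false; and because the whole routine runs inside the app process, a rooted user can hook or patch it, which is why a server-verified attestation such as Google's Play Integrity API is the stronger control when the app's sensitivity justifies it.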