Introduction

Improper platform usage, that name sounds as confusing as saying that rat's don't like cheese. In reality, this vulnerability entails a lot of issues:

• Misuse of Android intents
• Misuse of platform permissions
• Misuse of touchID
• Misuse of the keychain (iOS)
• Misuse of any other security mechanism that the phone has, for example keeping the screen unlocked for longer than the timeout timer due to background processes.

It's also important to understand this defect type is regarding the communication between the app and the API/webservice that that API consumes. Often the app will get a response from the server as to what security mechanisms need to be in place and even if that is not the case, we should ensure that the server refuses any calls that do not meet the standards.

M1.2016: Improper Platform Usage

Attack vector

The attack vector will be the same as for the OWASP top 10 and API top 10, due to the nature of mobile apps, they communicate with an API just like an other desktop application or website or even iOT device. These API entry points are going to be our entry point and that's why we need to intercept our traffic with burp suite. This will allow us to intercept the traffic from the mobile application to the API which we can later analyse.

Security Weakness

We have to meet a couple of requirements for this defect to be effective.

• There is an API/web service is exposed to the mobile app
• The API/web service has been insecurely implemented
• Through the mobile endpoints we are able to enter a sequence of invalid characters that produce unexpected results

If any of the above requirements is not met, we can't speak of platform misuse according to OWASP mobile top 10

Impact

This depends on what vulnerability is found as a result of this defect and how the impact of the defect can be demonstrated. For example an XSS might seem a direct critical defect but if the XSS can't execute any code, steal any cookies or steal any data, the XSS is going to be a lot less harmful.