Application Developer Guidance
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1564 | .009 | Hide Artifacts: Resource Forking |
Configure applications to use the application bundle structure which leverages the |
| Enterprise | T1574 | Hijack Execution Flow |
When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.[2] |
|
| .002 | DLL Side-Loading |
When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.[2] |
||
| Enterprise | T1559 | Inter-Process Communication |
Enable the Hardened Runtime capability when developing applications. Do not include the |
|
| .003 | XPC Services |
Enable the Hardened Runtime capability when developing applications. Do not include the |
||
| Enterprise | T1647 | Plist File Modification |
Ensure applications are using Apple's developer guidance which enables hardened runtime.[3] |
|
| Enterprise | T1593 | Search Open Websites/Domains |
Application developers uploading to public code repositories should be careful to avoid publishing sensitive information such as credentials and API keys. |
|
| .003 | Code Repositories |
Application developers uploading to public code repositories should be careful to avoid publishing sensitive information such as credentials and API keys. |
||
| Enterprise | T1078 | Valid Accounts |
Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). |
|
| Mobile | T1626 | Abuse Elevation Control Mechanism |
Applications very rarely require administrator permission. Developers should be cautioned against using this higher degree of access to avoid being flagged as a potentially malicious application. |
|
| Mobile | T1517 | Access Notifications |
Application developers could be encouraged to avoid placing sensitive data in notification text. |
|
| Mobile | T1513 | Screen Capture |
Application developers can apply the |
|
| Mobile | T1635 | Steal Application Access Token |
Developers should use Android App Links[5] and iOS Universal Links[6] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE[7] should be used to prevent use of stolen authorization codes. |
|
| .001 | URI Hijacking |
Developers should use Android App Links[5] and iOS Universal Links[6] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE[7] should be used to prevent use of stolen authorization codes. |
||
| Mobile | T1474 | Supply Chain Compromise |
Application developers should be cautious when selecting third-party libraries to integrate into their application. |
|
| .001 | Compromise Software Dependencies and Development Tools |
Application developers should be cautious when selecting third-party libraries to integrate into their application. |
||
References
- Apple Inc. (2021, February 18). App security overview. Retrieved October 12, 2021.
- Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.
- Apple Inc.. (2021, January 1). Hardened Runtime: Manage security protections and resource access for your macOS apps.. Retrieved March 24, 2021.
- Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). Retrieved November 5, 2019.
- Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.
- Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.
- N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.