The sub-techniques beta is now live! Read the release blog post for more info.

Application Developer Guidance

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

ID: M1013
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1078 Valid Accounts

Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).

Mobile T1517 Access Notifications

Application developers could be encouraged to avoid placing sensitive data in notification text.

Mobile T1413 Access Sensitive Data in Device Logs

Application developers should be discouraged from writing sensitive data to the system log in production apps.

Mobile T1513 Screen Capture

Application developers can apply FLAG_SECURE to sensitive screens within their apps to make it more difficult for the screen contents to be captured.