Application Developer Guidance
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1078 | Valid Accounts | Ensure that applications do not store sensitive data or credentials insecurely (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). |
| Mobile | T1517 | Access Notifications | Application developers could be encouraged to avoid placing sensitive data in notification text. |
| Mobile | T1413 | Access Sensitive Data in Device Logs | Application developers should be discouraged from writing sensitive data to the system log in production apps. |
| Mobile | T1513 | Screen Capture | Application developers can apply |
| Mobile | T1416 | URI Hijacking | Developers should use Android App Links[2] and iOS Universal Links[3] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE[4] should be used to prevent use of stolen authorization codes. |
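The T1078 and T1413 rows above both come down to the same developer habit: secrets must not sit in source, and they must not be written to logs. The following is an added example (not code from the ATT&CK page) showing one hypothetical pattern set used two ways: as a pre-commit style scan over source lines, and as a logging filter that scrubs the same secret shapes before a record reaches any handler. The rule names, the three regexes, and the sample source lines are all constructed for illustration; a real scanner carries a far larger catalogue.

```python
import io
import logging
import re

# Hypothetical rule set (assumption: three illustrative secret shapes).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*"),
    # key = "value" / key: 'value' for the usual credential key names
    "credential_assignment": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api_key|apikey)\b\s*[:=]\s*[\'\"]([^\'\"]{4,})[\'\"]"
    ),
}


def scan_source(lines):
    """Return (line_number, rule_name) for every line that looks like it embeds a credential."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, name))
    return findings


def redact(text):
    """Mask every secret-shaped substring but keep the surrounding context readable."""
    text = SECRET_PATTERNS["aws_access_key_id"].sub("AKIA[REDACTED]", text)
    text = SECRET_PATTERNS["bearer_token"].sub("Bearer [REDACTED]", text)
    text = SECRET_PATTERNS["credential_assignment"].sub(
        lambda m: m.group(0).replace(m.group(2), "[REDACTED]"), text
    )
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message of each record before a handler emits it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevent a second % formatting pass
        return True


def build_logger(stream):
    """Logger whose single handler scrubs secrets; the filter sits on the handler so nothing bypasses it."""
    logger = logging.getLogger("app.redacted")
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def emit(message, *args):
    """Log one record through the redacting pipeline and return exactly what was written."""
    buffer = io.StringIO()
    build_logger(buffer).info(message, *args)
    return buffer.getvalue()


# Constructed sample source, of the kind a pre-commit hook would scan.
CONSTRUCTED_SOURCE = [
    "import requests",
    'API_KEY = "sk_live_0123456789abcdef"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"}',
    "timeout = 30",
]

if __name__ == "__main__":
    for number, rule in scan_source(CONSTRUCTED_SOURCE):
        print(f"line {number}: {rule}")
    print(emit("login for %s with password='%s'", "alice", "hunter22"), end="")
```

The redaction happens on the formatted message rather than on individual arguments, so a secret concatenated into the format string by a careless caller is caught as well. On Android the equivalent is a wrapper around `android.util.Log` that applies the same scrub, or simply stripping the log calls from release builds.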
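For the T1416 row, the reason PKCE defeats a hijacked redirect is that the authorization code is bound at `/authorize` to a challenge derived from a verifier that never leaves the legitimate app, so a malicious app that registers the same custom URI scheme receives the code but cannot redeem it. The following added example (not code from the ATT&CK page or any OAuth library) walks through that binding with a hypothetical in-memory authorization server; the `CLIENT_ID` and `REDIRECT_URI` values are assumed, and the RFC 7636 S256 transform is implemented directly from its definition.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes give 43 unreserved characters, inside RFC 7636's 43..128 range."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical minimal AS that binds each code to the challenge shown at /authorize."""

    def __init__(self):
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method="S256"):
        if code_challenge_method != "S256":
            raise ValueError("only S256 accepted; 'plain' sends the verifier itself in the request")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code, client_id, redirect_uri, code_verifier):
        # Any attempt consumes the code: a wrong verifier must not leave it replayable.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        bound_client, bound_uri, bound_challenge = entry
        if bound_client != client_id or bound_uri != redirect_uri:
            return None
        if not hmac.compare_digest(make_challenge(code_verifier), bound_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


CLIENT_ID = "com.example.mobileapp"                    # assumed identifiers
REDIRECT_URI = "com.example.mobileapp://oauth2/callback"


def run_flow(code_intercepted: bool):
    """Return the token response obtained by whoever holds the authorization code.

    code_intercepted=False: the legitimate app completes the exchange with its verifier.
    code_intercepted=True: a hijacking app caught the redirect and holds the code, but the
    verifier never left the legitimate app's memory, so the attacker can only guess one.
    """
    server = AuthorizationServer()
    verifier = make_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, make_challenge(verifier))
    presented = make_verifier() if code_intercepted else verifier
    return server.token(code, CLIENT_ID, REDIRECT_URI, presented)


def replay_is_rejected() -> bool:
    """A code that has been redeemed once must be refused the second time."""
    server = AuthorizationServer()
    verifier = make_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, make_challenge(verifier))
    first = server.token(code, CLIENT_ID, REDIRECT_URI, verifier)
    second = server.token(code, CLIENT_ID, REDIRECT_URI, verifier)
    return first is not None and second is None


if __name__ == "__main__":
    print("legitimate app:", run_flow(code_intercepted=False))
    print("hijacking app: ", run_flow(code_intercepted=True))
    print("replay rejected:", replay_is_rejected())
```

PKCE covers the stolen-code case only; it does not stop the malicious app from presenting its own login UI in place of the redirect, which is why the page pairs it with App Links and Universal Links, where the OS verifies the domain binding before delivering the redirect to an app.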