Application Developer Guidance

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

ID: M1013

Version: 1.0

Created: 25 October 2017

Last Modified: 17 October 2018

Version Permalink

Live Version

Techniques Addressed by Mitigation

Domain	ID	Name	Use
Enterprise	T1078	Valid Accounts	Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).
Mobile	T1517	Access Notifications	Application developers could be encouraged to avoid placing sensitive data in notification text.
Mobile	T1413	Access Sensitive Data in Device Logs	Application developers should be discouraged from writing sensitive data to the system log in production apps.
Mobile	T1513	Screen Capture	Application developers can apply `FLAG_SECURE` to sensitive screens within their apps to make it more difficult for the screen contents to be captured.^[1]
Mobile	T1416	URI Hijacking	Developers should use Android App Links^[2] and iOS Universal Links^[3] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE^[4] should be used to prevent use of stolen authorization codes.

References

Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). Retrieved November 5, 2019.
Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.