Abstract
The global sales market is currently led by devices running the Android operating system. In 2015, more than 1 billion smartphones were sold, of which 81.5% ran the Android platform. In 2017, it is estimated that 267.78 billion applications will be downloaded from Google Play. According to Qian, 90% of applications are vulnerable, despite the recommendations of rules and standards for secure software development. This study presents a classification of vulnerabilities, indicating for each one the vulnerability itself, the security aspect defined by the Brazilian Association of Technical Standards (Associação Brasileira de Normas Técnicas - ABNT) norm NBR ISO/IEC 27002 that is violated, which lines of code generate the vulnerability and what should be done to avoid it, and the threat agent that exploits it. This classification allows possible points of vulnerability to be identified, so that the developer can correct the identified gaps.
Highlights
Android is currently the most used mobile platform in the world
This study presents a vulnerability classification based on the vulnerabilities identified by the Open Web Application Security Project (OWASP) Mobile Security Project; it classifies them according to the ABNT NBR ISO/IEC 27002 security aspects that may be violated and the types of Android code that generate each vulnerability, indicating whether the risk should warn or stop the mobile application development process
To avoid this type of attack, OWASP recommends that: authentication requests be performed on the server whenever possible; weak passwords or the device ID not be accepted by the system for authentication; and user credentials not be stored on the device or, if they must be, that they be encrypted
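The three OWASP recommendations above, shown as the Android code pattern that violates them next to a hardened form. This is an added example, not code from the study or from OWASP; `AuthApi` is a hypothetical server interface, and the hardened form assumes the androidx `security-crypto` library for `EncryptedSharedPreferences`.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.provider.Settings;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class CredentialStorageExample {

    // WEAK: the lines OWASP warns about. The password is checked locally with
    // a weak rule, the device id (ANDROID_ID) is accepted as a credential, and
    // the user's password is written in clear text to a plain preferences file.
    static boolean weakLogin(Context ctx, String user, String password) {
        SharedPreferences prefs = ctx.getSharedPreferences("auth", Context.MODE_PRIVATE);
        String deviceId = Settings.Secure.getString(
                ctx.getContentResolver(), Settings.Secure.ANDROID_ID);
        boolean ok = password.length() >= 4
                || deviceId.equals(prefs.getString("trusted_device", ""));
        if (ok) {
            prefs.edit().putString("user", user).putString("password", password).apply();
        }
        return ok;
    }

    // HARDENED: credentials are never compared or persisted on the device.
    // They go to the server (hypothetical AuthApi), which enforces the password
    // policy; only the session token it returns is kept, in an encrypted file.
    static boolean hardenedLogin(Context ctx, AuthApi api, String user, String password)
            throws GeneralSecurityException, IOException {
        String token = api.login(user, password);
        if (token == null) {
            return false;  // server rejected the credentials
        }
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        SharedPreferences prefs = EncryptedSharedPreferences.create(
                ctx, "auth_secure", masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        prefs.edit().putString("session_token", token).apply();
        return true;
    }

    // Hypothetical server interface: returns a session token, or null on failure.
    interface AuthApi {
        String login(String user, String password) throws IOException;
    }
}
```

In the study's terms, the `putString("password", ...)` and `ANDROID_ID` lines in `weakLogin` are the kind of code that should stop the development process until replaced by the server-side flow.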