With more and more private information being utilized by web applications, information security has become a critical issue. Incidents involving the harvesting of sensitive data take place on a constant basis all over the world. This stealing and manipulating of private information by malicious attackers is commonly known as privacy violation.
Passwords, certificates, credit card details, social security numbers, addresses, mobile numbers and email IDs are usually targeted in these malicious attacks. Despite security regulations (OWASP Top-10, PCI DSS, HIPPA, MISRA, etc) that are being enforced in the various industrial sectors today, privacy violation is still a common occurrence.
Most of today’s web and mobile applications require the use of private data to provide their users with added functionality. But low security-awareness amongst developers can cause improper handling of this sensitive data. Privacy violation takes place when sensitive information enters the program server/database and is illegally accessed by malicious attackers.
There are three common occurrences of Privacy Violation:
Unprotected storage of user data.
Most privacy violation occurs when passwords, login details and personal information used by the application are stored in plain-text format. This insecure way of programming eventually puts the application user’s private information at risk.
Misplaced trust and unsafe handling of sensitive information.
This aspect is often overseen by application developers, who often trust the operating environment in which the program runs. Even restricted areas such as file systems and registries are not safe as authorized users cannot be trusted unconditionally.
Display of sensitive data on end-devices.
Sensitive information is displayed on end-devices such as mobile phone screens and computer monitors, enabling malicious attackers to harvest the information with the help of various screen-capture tools and internet sniffers.
The following code has a statement that writes the user’s password to the application’s log file in a vulnerable plain text format:
pass = getPassword(); dbmsLog.println(id+":"+pass+":"+type+":"+tstamp);
Many developers trust file-systems as secure storage locations for sensitive information, but this is improper from the security standpoint as unauthorized users can gain access to the file-systems and harvest this private information.
A most effective solution involves proper encryption and masking of the sensitive data before it’s stored on the file system or the server/database.
Let’s assume a mobile application offering some geo functionality is required to determine the user’s current US state location. This application declares its interest in the ACCESS_FINE_LOCATION permission in the application’s manifest.xml:
The getLastLocation() then returns a location based on the application’s location permissions. The permission mentioned above is the most accurate one possible:
locationClient = new LocationClient(this, this, this); locationClient.connect(); Location userCurrLocation; userCurrLocation = locationClient.getLastLocation(); deriveStateFromCoords(userCurrLocation);
This use of escalated privilege is unnecessary and violates the user’s privacy as the US state can be determined with the less intrusive ACCESS_COARSE_LOCATION permission. The use of the ACCESS_FINE_LOCATION permission discloses the user’s exact location, sensitive information that can be redistributed without their prior knowledge or harvested by malicious hackers.
- Identity theft (passwords, login details, etc).
- Personal data leakage (location, health information, etc).
- Harvesting of sensitive data saved in plain-text via data queries and statistics.
- Information exposure through error messages – self-generated, externally-generated and server error generated.
Due to the dynamic nature of this vulnerability, most security tools and solutions don’t have the ability to recognize sensitive unprotected fields of information. CxSAST offers customized queries that can identify vulnerable elements in the application code and detect events of privacy violation. The following security standards are supported by Checkmarx’s security solution:
This commonly-acknowledged security standard is published by The Open Web Application Security Project (OWASP), the world’s largest application security non-profit organization. More and more companies from various industrial sectors are embracing this list, which consistently encompasses today’s most critical web application security flaws.
The PCI-DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express and is now the benchmark of application security in the financial sector. CxSAST helps secure financial applications by locating credit card numbers; social security numbers or emails lurking around in the code thanks to its customizable open query engine.
The HIPPA standard defines how electronic (online) financial and administrative transactions should be executed by companies providing health plans and other health care provisions. Checkmarx’s solution includes the set of queries that scan your application’s source code and identify sections that are non-compliant with HIPAA.
SANS Institute, a cooperative research and educational organization, offers resources that have been used by over 165,000 InfoSec professionals worldwide. CxSAST fully complies with the SANS 25 standard. This includes the 25 most dangerous software security errors that exist today – including insecure interaction between components and risky resource management.