OWASP Mobile Top 10 - M2: Inadequate Supply Chain Security

Threat Agents & Attack Vectors:

Attackers can compromise a mobile application at any point in its supply chain: by injecting malicious code into a third-party library or SDK the app depends on, by modifying the app's own code or build tooling during development, by stealing or misusing the app signing keys, or by exploiting known vulnerabilities in outdated components. Because the tampered build or dependency reaches users through normal, trusted channels, the result can be data theft, device compromise, or a breach of the backend servers the app talks to.

Exploitability & Security Weakness:

  • Exploitability: AVERAGE – Attackers can inject malicious code during development, compromise app signing keys, or exploit vulnerable third-party components; each requires some access or a usable flaw, but none requires novel technique.
  • Prevalence: COMMON – Lack of secure coding practices and code review, weak app signing and key handling, and unverified or outdated third-party libraries are all widespread.
  • Detectability: DIFFICULT – Malicious code that arrives inside a validly signed build or a trusted dependency looks legitimate, so it is hard to spot without integrity verification of components and monitoring of the build and release process.

Technical & Business Impacts:

  • Impact: SEVERE
    • Data Breach: Theft of login credentials, financial data, and personal information.
    • Malware Infection: Attackers can introduce malware into apps, causing device compromise.
    • Unauthorized Access: Attackers can modify or delete data, disrupting services.
    • System Compromise: Entire app or backend infrastructure may be taken over.
    • Financial Losses: Costly breach investigations, customer loss, and regulatory fines.
    • Reputational Damage: Loss of trust, brand reputation, and user confidence.
    • Supply Chain Disruption: Delays in service delivery and operational impact.

Am I Vulnerable?

You may be at risk if you:

  • Pull in third-party libraries or SDKs without verifying their source or integrity, or keep shipping outdated components with known vulnerabilities.
  • Do not test and validate the app and its dependencies before release (code review, static analysis, dependency checks).
  • Cannot detect an insider, or an attacker holding a developer's credentials, altering source code, build configuration, or signing keys.

Prevention Measures:

  • Adopt secure coding practices, mandatory code reviews, and rigorous testing of the app and its dependencies.
  • Protect app signing keys (restrict who can sign, keep keys off developer machines and out of CI logs) and distribute only through channels that verify the signature.
  • Use only third-party components from trusted sources, pin and verify their checksums or signatures at build time, and update them promptly when vulnerabilities are disclosed.
  • Sign app updates and patches and have the app or platform verify that signature before anything is installed.
  • Monitor supply chain security continuously: vulnerability advisories for your dependencies, unexpected changes in build inputs, and misuse of signing or distribution accounts.
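The following is an added example, not OWASP's or any project's code, showing how the "use only trusted third-party components" and "am I using unverified libraries" points above can be enforced mechanically. It reads a pin list in the layout Gradle uses for dependency verification (verification-metadata.xml, where each component lists its artifacts and their sha256 values) and checks every resolved library against it. The artifact bytes, the metadata file, and the com.example component names are constructed sample data; a real build would read the downloaded .aar/.jar files.

```python
"""Dependency checksum verification for a mobile build (added example).

Not OWASP's code or any project's code. Every resolved library is compared
against a pinned SHA-256 in Gradle's verification-metadata.xml layout; a
tampered artifact or one with no pin at all fails the build. All artifact
bytes and the metadata document below are constructed sample data.
"""
import hashlib
import xml.etree.ElementTree as ET

# Gradle's dependency-verification namespace (elements are in this default namespace).
GRADLE_NS = {"v": "https://schema.gradle.org/dependency-verification"}

# Constructed stand-ins for library binaries.
GOOD_SDK = b"PK\x03\x04 constructed analytics-sdk 2.4.1 archive bytes"
TAMPERED_SDK = GOOD_SDK + b"\n<injected payload>"   # same file name, altered content
UNPINNED_SDK = b"PK\x03\x04 constructed ads-sdk 1.0.0 archive bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed verification metadata that pins only the analytics SDK.
VERIFICATION_METADATA = f"""<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <components>
    <component group="com.example" name="analytics-sdk" version="2.4.1">
      <artifact name="analytics-sdk-2.4.1.aar">
        <sha256 value="{sha256_hex(GOOD_SDK)}"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""


def load_pins(metadata_xml: str) -> dict:
    """Return {artifact file name: expected sha256 hex} from the metadata document."""
    root = ET.fromstring(metadata_xml)
    pins = {}
    for component in root.iterfind(".//v:component", GRADLE_NS):
        for artifact in component.iterfind("v:artifact", GRADLE_NS):
            digest = artifact.find("v:sha256", GRADLE_NS)
            if digest is None:
                continue  # artifact listed without a sha256 pin: treated as unpinned
            pins[artifact.get("name")] = digest.get("value").lower()
    return pins


def audit(metadata_xml: str, resolved: dict) -> dict:
    """Classify each resolved artifact ({file name: bytes}) as ok, checksum-mismatch, or unpinned."""
    pins = load_pins(metadata_xml)
    results = {}
    for file_name, content in resolved.items():
        expected = pins.get(file_name)
        if expected is None:
            results[file_name] = "unpinned"          # nobody vetted this component
        elif sha256_hex(content) != expected:
            results[file_name] = "checksum-mismatch" # content differs from what was vetted
        else:
            results[file_name] = "ok"
    return results


def build_allowed(results: dict) -> bool:
    """Fail closed: any unpinned or mismatching component blocks the build."""
    return all(status == "ok" for status in results.values())


# Two constructed dependency sets: a clean build and one with a tampered SDK plus an unpinned one.
RESOLVED_CLEAN = {"analytics-sdk-2.4.1.aar": GOOD_SDK}
RESOLVED_TAMPERED = {
    "analytics-sdk-2.4.1.aar": TAMPERED_SDK,
    "ads-sdk-1.0.0.aar": UNPINNED_SDK,
}

if __name__ == "__main__":
    for label, resolved in (("clean", RESOLVED_CLEAN), ("tampered", RESOLVED_TAMPERED)):
        results = audit(VERIFICATION_METADATA, resolved)
        print(f"{label}: {results} -> build allowed: {build_allowed(results)}")
```

The point of failing closed on "unpinned" rather than only on mismatches is that a substituted or newly added dependency, the typical supply chain injection, would otherwise pass silently. In a real Android project the same effect is obtained with Gradle's built-in dependency verification (the metadata file is generated with `./gradlew --write-verification-metadata sha256 help` and then reviewed and committed), and the signing side of the release can be checked with `apksigner verify --print-certs app.apk`, whose certificate digest should match the key your team actually holds.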

Example Attack Scenario:

An attacker injects malware into a mobile app during development, signs the build with the project's valid certificate, and distributes it through an app store. Because the package carries a legitimate signature, store checks and the device accept it, and users install the infected app without suspecting anything. The malware then harvests sensitive data from the device, leading to identity theft and financial fraud.
