logo

Call to Non-ubiquitous API

Incomplete Variant
Structure: Simple
Description

This vulnerability occurs when software relies on an operating system function that isn't available on all versions of the target platform. This can cause crashes, unexpected behavior, or security failures when the software runs in an environment where the API is missing.

Extended Description

Operating systems evolve, and security-critical APIs are not universally present. Functions introduced in newer OS versions will be absent in older ones, while deprecated functions may be removed entirely. If your application unconditionally calls these non-ubiquitous APIs, it can lead to portability issues, sudden crashes (denial of service), or inconsistent security enforcement across different user environments. To avoid this, developers should proactively check for API availability at runtime or during compilation, using feature detection or version checks. Alternatively, provide fallback mechanisms or clear minimum system requirements. Relying on deprecated security APIs is especially risky, as they are often phased out due to known weaknesses, leaving your application vulnerable even on platforms where they still exist.
Common Consequences 1
Scope: Other

Impact: Quality Degradation
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 3
Phase: Implementation
Always test your code on any platform on which it is targeted to run on.
Phase: Testing
Test your code on the newest and oldest platform on which it is targeted to run on.
Phase: Testing
Develop a system to test for API functions that are not portable.
Modes of Introduction
Architecture and Design
Implementation
Related Attack Patterns
Related Weaknesses
ChildOf: Use of Function with Inconsistent Implementations (CWE-474)
Taxonomy Mapping
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns