View: Weaknesses in Mobile Applications
Incomplete
Type: Implicit
Objective
CWE entries in this view (slice) are often seen in mobile applications.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | This weakness occurs when an application unintentionally reveals sensitive data to someone who shouldn't have access to it. |
| CWE-250 | Execution with Unnecessary Privileges | This vulnerability occurs when software runs with higher permissions than it actually needs to perform its tasks. This excessive privilege creates security risks by opening doors to new attacks or making existing weaknesses more dangerous. |
| CWE-295 | Improper Certificate Validation | This vulnerability occurs when an application fails to properly verify the authenticity of a digital certificate, or performs the verification incorrectly, allowing untrusted connections to appear legitimate. |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | This vulnerability occurs when an application accepts a valid SSL/TLS certificate without properly verifying that it actually belongs to the specific host it's connecting to. Even a correctly signed certificate from a trusted authority can be misused if the hostname check is missing or flawed. |
| CWE-312 | Cleartext Storage of Sensitive Information | This vulnerability occurs when an application stores sensitive data like passwords, credit card numbers, or personal information in plain text, without any encryption. This unsecured data is kept in files, databases, caches, or logs that could be accessed by unauthorized users or systems. |
| CWE-319 | Cleartext Transmission of Sensitive Information | This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection without using encryption. Attackers can easily intercept and read this unprotected data as it travels. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | This vulnerability occurs when an application fails to adequately protect sensitive personal data, allowing access to individuals who either lack proper authorization or haven't provided necessary consent for its use. |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | A race condition occurs when multiple processes or threads access a shared resource simultaneously without proper coordination, creating a timing window where the resource's state can be unexpectedly altered, leading to unpredictable behavior or security vulnerabilities. |
| CWE-511 | Logic/Time Bomb | A logic or time bomb is malicious code intentionally placed within software to trigger harmful actions when a specific condition is met or a predetermined time is reached. |
| CWE-602 | Client-Side Enforcement of Server-Side Security | This vulnerability occurs when a server incorrectly trusts the client to enforce critical security rules, such as input validation or access controls, instead of performing these checks itself. |
| CWE-672 | Operation on a Resource after Expiration or Release | This vulnerability occurs when a program continues to use a resource—like memory, a file handle, or a network connection—after it has been freed, closed, or is no longer valid. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | This vulnerability occurs when a program fails to properly release a system resource—like memory, file handles, or network sockets—after it is no longer needed. This leads to a gradual accumulation of unused resources, known as a resource leak. |
| CWE-798 | Use of Hard-coded Credentials | This vulnerability occurs when software contains built-in, unchangeable authentication secrets like passwords or encryption keys within its source code or configuration files. |
| CWE-920 | Improper Restriction of Power Consumption | This vulnerability occurs when software running on a power-constrained device, like a battery-powered mobile or embedded system, fails to actively manage and limit its own energy usage. |
| CWE-921 | Storage of Sensitive Data in a Mechanism without Access Control | This vulnerability occurs when an application saves sensitive information to a storage location that lacks proper access restrictions, allowing unauthorized users or applications to view or modify the data. |
| CWE-925 | Improper Verification of Intent by Broadcast Receiver | This vulnerability occurs when an Android app's Broadcast Receiver accepts an Intent without confirming it originated from a trusted, authorized source, such as the operating system. |
| CWE-926 | Improper Export of Android Application Components | This vulnerability occurs when an Android app makes a component (like an Activity, Service, or Content Provider) available to other apps without enforcing proper security checks. This allows unintended or malicious applications to interact with the component, potentially leading to data theft, unauthorized actions, or application compromise. |
| CWE-927 | Use of Implicit Intent for Sensitive Communication | This vulnerability occurs when an Android app uses an implicit intent to send sensitive data, allowing any other app on the device to potentially intercept and read that information. |
| CWE-939 | Improper Authorization in Handler for Custom URL Scheme | This vulnerability occurs when an app implements a custom URL scheme handler but fails to properly verify which other apps or sources are allowed to trigger it. |
| CWE-940 | Improper Verification of Source of a Communication Channel | This vulnerability occurs when an application accepts incoming communication requests without properly checking where they originate from, allowing potentially malicious sources to establish a connection. |
| CWE-941 | Incorrectly Specified Destination in a Communication Channel | This vulnerability occurs when an application establishes an outgoing communication channel but fails to correctly define or enforce the intended recipient. This misdirection can allow data to be sent to an untrusted or malicious destination. |
Mapping Notes
Usage: Prohibited
Reasons: View
Rationale:
This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.
Comment:
Use this View or other Views to search and navigate for the appropriate weakness.