M1013 Application Developer Guidance
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.
Item | Value |
---|---|
ID | M1013 |
Version | 1.0 |
Created | 25 October 2017 |
Last Modified | 17 October 2018 |
Techniques Addressed by Mitigation
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.009 | Resource Forking | Configure applications to use the application bundle structure, which places resources in the bundle's /Resources folder rather than in resource forks. [2] |
enterprise | T1574 | Hijack Execution Flow | When possible, include hash values for dependent libraries in the application's manifest files to help prevent side-loading of malicious libraries. [1] |
enterprise | T1574.002 | DLL Side-Loading | When possible, include hash values for dependent libraries in the application's manifest files to help prevent side-loading of malicious libraries. [1] |
enterprise | T1559 | Inter-Process Communication | Enable the Hardened Runtime capability when developing applications, and do not ship the com.apple.security.get-task-allow entitlement set to true (however the value is spelled): it lets other processes attach to the app's task and undoes the Hardened Runtime's protection. |
enterprise | T1559.003 | XPC Services | Enable the Hardened Runtime capability when developing applications, and do not ship the com.apple.security.get-task-allow entitlement set to true (however the value is spelled): it lets other processes attach to the app's task and undoes the Hardened Runtime's protection. |
enterprise | T1647 | Plist File Modification | Ensure applications follow Apple's developer guidance and enable the Hardened Runtime. [3] |
enterprise | T1593 | Search Open Websites/Domains | Application developers uploading to public code repositories should be careful to avoid publishing sensitive information such as credentials and API keys. |
enterprise | T1593.003 | Code Repositories | Application developers uploading to public code repositories should be careful to avoid publishing sensitive information such as credentials and API keys. |
enterprise | T1078 | Valid Accounts | Ensure that applications do not store sensitive data or credentials insecurely (for example, plaintext credentials in code, credentials committed to repositories, or credentials in public cloud storage). |
mobile | T1626 | Abuse Elevation Control Mechanism | Applications very rarely require device administrator permission. Developers should be cautioned against requesting this higher degree of access, which also risks the app being flagged as potentially malicious. |
mobile | T1517 | Access Notifications | Application developers should avoid placing sensitive data, such as one-time codes, in notification text. |
mobile | T1513 | Screen Capture | Application developers can set the FLAG_SECURE window flag on sensitive screens within their apps to make it more difficult for the screen contents to be captured. [4] |
mobile | T1635 | Steal Application Access Token | Developers should use Android App Links [6] and iOS Universal Links [5] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE [7] should be used to prevent use of stolen authorization codes. |
mobile | T1635.001 | URI Hijacking | Developers should use Android App Links [6] and iOS Universal Links [5] to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE [7] should be used to prevent use of stolen authorization codes. |
mobile | T1474 | Supply Chain Compromise | Application developers should be cautious when selecting third-party libraries to integrate into their application. |
mobile | T1474.001 | Compromise Software Dependencies and Development Tools | Application developers should be cautious when selecting third-party libraries to integrate into their application. |
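The Hardened Runtime rows above (T1559, T1559.003, T1647) name one entitlement that must not survive into a release build. The following is an added example, not Apple's code or part of the ATT&CK page: it reads an entitlements plist with the standard library and reports com.apple.security.get-task-allow when it is enabled, treating the string spellings some tooling emits the same as a boolean true. The two plists and the short list of other runtime exceptions it also flags are constructed for this example.

```python
"""Audit a macOS entitlements plist for settings that undo the Hardened
Runtime, in particular com.apple.security.get-task-allow.

Added example for this page, not Apple's code. The two plists below are
constructed for the example.
"""
import plistlib

GET_TASK_ALLOW = "com.apple.security.get-task-allow"

# Other Hardened Runtime exceptions a reviewer usually questions in a release
# build; this list is an assumption of the example, not page content.
RISKY_RUNTIME_EXCEPTIONS = (
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.allow-unsigned-executable-memory",
)

# Constructed sample: a debug entitlement left in what should be a release build.
DEBUG_BUILD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: the same app with the debug entitlement removed.
RELEASE_BUILD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""


def is_enabled(value):
    """Treat bool True, non-zero numbers and the strings some tooling emits
    ("true", "YES", "1") as the entitlement being set."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value.strip().lower() in {"true", "yes", "1"}
    return False


def audit_entitlements(plist_bytes):
    """Return the enabled entitlements a release build should not carry,
    get-task-allow first."""
    entitlements = plistlib.loads(plist_bytes)
    findings = []
    if is_enabled(entitlements.get(GET_TASK_ALLOW)):
        findings.append(GET_TASK_ALLOW)
    for key in RISKY_RUNTIME_EXCEPTIONS:
        if is_enabled(entitlements.get(key)):
            findings.append(key)
    return findings


if __name__ == "__main__":
    for name, blob in (("debug build", DEBUG_BUILD), ("release build", RELEASE_BUILD)):
        print(name, "->", audit_entitlements(blob) or "clean")
```

On a built app, `codesign -d --entitlements :- /path/to/App.app` prints the signed entitlements as XML that can be fed to `audit_entitlements`; whether the Hardened Runtime itself is on is a code-signing flag rather than an entitlement, and shows up as `runtime` in the flags line of `codesign -dv /path/to/App.app`.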
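The repository rows above (T1593, T1593.003, T1078) say not to publish credentials but not how a developer catches them before a push. The following is an added example, not code from the ATT&CK page: a small pre-commit style scanner run over constructed file contents. The detection patterns are illustrative and constructed for this example (a real hook would use a maintained ruleset and entropy checks too); the AWS access key ID used in the sample is AWS's documented placeholder, and templated values such as `${DB_PASSWORD}` are deliberately skipped so deploy-time placeholders do not drown out real findings.

```python
"""Scan file contents for credentials before they reach a public repository.

Added example for this page; the patterns and sample files are constructed
for illustration and are not an exhaustive secret-detection ruleset.
"""
import re

# Credential-looking variable names; one alternation reused by two patterns.
KEY_NAMES = r"(?:SECRET|PASSWORD|PASSWD|TOKEN|API[_-]?KEY|ACCESS[_-]?KEY)"

# Checked in order; the first hit on a line wins.
PATTERNS = [
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # quoted literal assigned to a credential-looking name:  TOKEN = "..."
    ("credential_assignment",
     re.compile(r"(?i)\b\w*" + KEY_NAMES + r"\w*\s*[:=]\s*[\"']([^\"'\s]{8,})[\"']")),
    # unquoted .env style line:  AWS_SECRET_ACCESS_KEY=...
    ("credential_assignment",
     re.compile(r"(?i)^\s*\w*" + KEY_NAMES + r"\w*=([^\s\"']{8,})\s*$")),
]

# Values that are filled in at deploy time rather than real secrets.
PLACEHOLDER = re.compile(r"^(\$\{?\w+\}?|<[^>]+>|x{3,}|changeme)$", re.IGNORECASE)

# Constructed sample files: two clean lines, then four things that must be caught.
SAMPLE_FILES = {
    "config.py": (
        "import os\n"
        'API_KEY = os.environ["API_KEY"]            # fine: read from the environment\n'
        'DB_PASSWORD = "${DB_PASSWORD}"             # fine: deployment-time placeholder\n'
        'SLACK_TOKEN = "example-token-0123456789"   # finding: literal secret in code\n'
    ),
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"  # AWS's documented example ID
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedbodynotakey\n",
}


def scan_text(path, text):
    """Return (path, line_number, rule) for each line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            if match.groups() and PLACEHOLDER.match(match.group(1)):
                continue  # templated value, not a credential
            findings.append((path, lineno, rule))
            break
    return findings


def scan_files(files):
    """Scan a mapping of path -> contents, e.g. the staged files of a commit."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, rule in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Wired into a pre-commit hook that feeds it the staged files and exits non-zero on any finding, this blocks the commit before the credential ever leaves the developer's machine, which is cheaper than rotating the key after it has been indexed.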
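The T1635 / T1635.001 rows above recommend PKCE so that an authorization code intercepted through a hijacked redirect URI is useless to the interceptor. The following is an added example, not code from the ATT&CK page or from RFC 7636: it implements the S256 method end to end in Python and models both endpoints of the authorization server as a toy in-memory class (an assumption of the example, not a real server), so the three cases that matter can be run offline: the legitimate app redeeming its code, a malicious app that received the redirect but never saw the verifier, and a replay of an already-used code.

```python
"""Proof Key for Code Exchange (RFC 7636), S256 method, modelled end to end.

Added example, not the page's or the RFC's code. AuthorizationServer is a
toy in-memory stand-in for the authorize and token endpoints.
"""
import base64
import hashlib
import secrets
import string

VERIFIER_CHARS = set(string.ascii_letters + string.digits + "-._~")


def b64url(raw: bytes) -> str:
    """BASE64URL encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """RFC 7636 section 4.1: 43..128 unreserved characters; 32 random bytes
    encode to exactly 43."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """RFC 7636 section 4.2, S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def valid_verifier(verifier: str) -> bool:
    return 43 <= len(verifier) <= 128 and set(verifier) <= VERIFIER_CHARS


class AuthorizationServer:
    """Toy model of the authorize and token endpoints; state is a dict."""

    def __init__(self):
        self._pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Refuse "plain": a challenge equal to the verifier hands an
        # interceptor of the authorization request everything it needs.
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        # Single use: the code is consumed even when verification fails.
        challenge = self._pending.pop(code, None)
        if challenge is None or not valid_verifier(code_verifier):
            return None
        if not secrets.compare_digest(make_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flows():
    """Returns (legit_got_token, hijacker_rejected, replay_rejected)."""
    server = AuthorizationServer()

    # 1. The app that started the flow holds the verifier and redeems the code.
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    legit = server.token(code, verifier)

    # 2. URI hijacking: a malicious app registered for the same redirect URI
    #    receives a fresh code but never saw the verifier in the victim app.
    hijacked_code = server.authorize(make_challenge(make_verifier()))
    hijacked = server.token(hijacked_code, make_verifier())  # attacker's own guess

    # 3. Replaying the code already redeemed in step 1.
    replay = server.token(code, verifier)

    return legit is not None, hijacked is None, replay is None


if __name__ == "__main__":
    print(run_flows())  # (True, True, True)
```

PKCE covers the token exchange only; the interceptor still receives the redirect. Binding the redirect URI to the genuine app with Android App Links or iOS Universal Links, as the table says, is what stops the code from reaching a malicious app in the first place, and the two measures are meant to be used together.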
References
1. Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020.
2. Apple Inc. (2021, February 18). App security overview. Retrieved October 12, 2021.
3. Apple Inc. (2021, January 1). Hardened Runtime: Manage security protections and resource access for your macOS apps. Retrieved March 24, 2021.
4. Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). Retrieved November 5, 2019.
5. Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.
6. Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.
7. N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.