Flutter Mobile App Security- Owasp 2: inadequate supply chain security.

The last time we discussed Flutter security, we covered the first OWASP issue: improper platform usage. Today, we continue our exploration with the second OWASP issue: inadequate supply chain security. Let's dive in!

First, let's define inadequate supply chain security. This issue arises when an attacker compromises something our mobile application is built from, such as a third-party library, SDK, template, or the build and distribution process, so that malicious code ships inside the app itself. For instance, if a hacker inserts malicious code into your codebase, the app could perform harmful actions when opened, such as stealing user data (e.g., payment information), spying through the camera, or recording audio.

There are various sources of inadequate supply chain security. During mobile app development, you might need to build a feature. Due to complexity or other reasons, you might search for a third-party solution, SDK, or template. If you don't follow best practices, you might choose a solution that contains malicious code, thus exposing your application to supply chain vulnerabilities.

Now, I believe most of us understand what inadequate supply chain security is. This security problem can arise from different sources, and there's no single fix. However, there are known sources of this problem, as illustrated in the image below:

Now, the question we should ask is: how can we detect this vulnerability? As OWASP states, it's DIFFICULT. This problem doesn't show obvious signs during the development phase, making it critically dangerous. Even if the application doesn’t contain critical user information, it can still be a pathway to the entire device, leading to severe consequences. However, we can protect ourselves by following these practices:

  • Apply secure coding practices
  • Review and test code thoroughly
  • Secure app signing and distribution processes
  • Choose the right third-party software components or libraries
  • Implement sufficient security controls for data
  • Ensure proper encryption and storage (discussed in OWASP M1)
  • Avoid exposing sensitive data to unauthorized access
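As an added example (not code from the original article), here is a small audit for the "choose the right third-party components" and "review code thoroughly" practices: it parses a Flutter pubspec.lock and flags dependencies that come from a git branch rather than a pinned commit, from a registry other than pub.dev, or without a recorded archive hash. The sample lock content, the package names, and the TRUSTED_HOSTS allow-list are constructed assumptions.

```python
# Constructed sample pubspec.lock for a hypothetical Flutter app (not real data).
SAMPLE_LOCK = """\
packages:
  fancy_ui_kit:
    description:
      ref: main
      url: "https://example.invalid/fancy_ui_kit.git"
    source: git
  analytics_sdk:
    description:
      name: analytics_sdk
      url: "https://mirror.example.invalid"
    source: hosted
"""
TRUSTED_HOSTS = {"https://pub.dev"}  # assumption: only the public registry is approved

def parse_lock(text):
    """Parse the 2-space-indented key/value YAML subset that pubspec.lock uses."""
    root, stack = {}, []  # stack: (indent, mapping) for each open nesting level
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    for raw in lines:
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave deeper or sibling levels
            stack.pop()
        parent = stack[-1][1] if stack else root
        value = value.strip().strip('"')
        parent[key] = value or {}
        if not value:  # a bare key opens a nested mapping
            stack.append((indent, parent[key]))
    return root

def audit(lock_text):
    """Map each risky package to its findings; clean packages are omitted."""
    findings = {}
    for name, pkg in parse_lock(lock_text).get("packages", {}).items():
        desc, issues = pkg.get("description", {}), []
        if pkg.get("source") == "git":
            issues.append("git source: not a reviewed registry release")
            if len(desc.get("ref", "")) != 40:  # branch or tag, not a full commit
                issues.append("ref is not pinned to a full commit hash")
        elif pkg.get("source") == "hosted":
            if desc.get("url") not in TRUSTED_HOSTS:
                issues.append("untrusted registry: " + desc.get("url", "?"))
            if not desc.get("sha256"):
                issues.append("no sha256: archive integrity not recorded")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit(open("pubspec.lock").read())` in CI and fail the build when the result is non-empty; a package that passes still deserves a code review before it ships.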

Imagine your mobile application, or one developed for your organization, falls victim to this vulnerability. Ask yourself: WHAT IS THE IMPACT?

The impact can vary from one app or organization to another, but it typically affects both technical and business aspects:

Technical Impacts

Severity: SEVERE

  • Data Breach: Attackers can steal sensitive data like login credentials, personal data, or financial information, leading to identity theft or financial fraud.
  • Malware Infection: Attackers can introduce malware into the app, infecting the user’s device, stealing data, or performing malicious activities. This malware can be hard to detect and remove, causing significant damage.
  • Unauthorized Access: Attackers can gain access to the app’s server or the user’s device and modify or delete data, causing data loss and service disruption.
  • System Compromise: Attackers can compromise the entire system, resulting in a complete loss of control, application shutdown, significant data loss, and long-term reputation damage.

Business Impacts

Severity: SEVERE

  • Financial Losses: Organizations can incur costs from investigating the breach, notifying affected individuals, and legal settlements. Loss of customer trust can also lead to revenue loss.
  • Reputational Damage: The organization’s brand and customer trust can suffer long-term damage, affecting revenue and customer acquisition.
  • Legal and Regulatory Consequences: Organizations can face fines, lawsuits, or government investigations, leading to significant financial and reputational damage.
  • Supply Chain Disruption: The attack can disrupt the supply chain, causing delays or interruptions in goods or services delivery, resulting in financial losses and reputational damage.

(Source: OWASP organization - OWASP Mobile Top 10)

Real-World Examples of Supply Chain Attacks

SolarWinds Orion Attack: In 2023, cybercriminals infiltrated SolarWinds' software development environment and embedded malicious code within the Orion platform updates. Around 18,000 organizations installed backdoors on their systems through these updates, leading to unauthorized access to confidential data from numerous government agencies and private companies worldwide.

NotPetya Ransomware Attack: In 2017, the NotPetya attack targeted Ukrainian accounting software provider MeDoc via a harmful update mechanism. It propagated using the EternalBlue exploit, encrypting files and rendering systems inoperable for many global businesses, causing over $10 billion in financial damage.

CCleaner Malware Incident: In 2017, hackers introduced malware into the CCleaner installer, affecting over 2 million users and granting unauthorized access to their systems.

ASUS Live Update Attack: In 2023, the "Operation ShadowHammer" attack targeted the ASUS Live Update utility. Cybercriminals embedded malicious code into genuine updates, compromising thousands of computers globally. This sophisticated attack went undetected for months.

(Source: Supply Chain Attacks: Impact, Examples, and 6 Preventive Measures)

This topic is extensive, and one article isn't enough to cover everything. However, through research and sharing, we can learn as much as possible.

I hope you enjoyed reading this. Feel free to share your opinions or experiences. Thanks for reading, and stay tuned for the upcoming parts of our Flutter security articles based on OWASP organization guidelines.

Yassyn IDAR

Engineering student at ENSEM (Ecole Nationale Supérieure d'Electricité et de Mécanique) - Automotive Engineering Enthusiast (ADAS Systems, MBD, AutoSAR and SW Architecture, Can Bus and ISO26262 Standard)

Very informative
