Mobile Application as a Critical Infrastructure Cyberattack Surface

Mykhaylova, O and Fedynyshyn, T and Datsiuk, A and Fihol, B and Hulak, Hennadii (2023) Mobile Application as a Critical Infrastructure Cyberattack Surface. Cybersecurity Providing in Information and Telecommunication Systems II 2023, 3050, pp. 29-43. ISSN 1613-0073

Text: O_Mykhaylova_T_Fedynyshyn_A_Datsiuk, B_Fihol_H_Hulak_CPITS-II-2023_3050.pdf
Download (896kB)
Official link: https://ceur-ws.org/Vol-3550/

Abstract

Mobile applications are becoming increasingly crucial for critical infrastructure, ensuring effective management and reliable communication in today's world. Postal services play a key role in logistics and in serving citizens: they connect people, move goods, and even deliver payments to socially vulnerable groups in remote regions. Mobile apps are increasingly an integral part of postal services, offering convenience, speed, and ease of use, as well as additional features such as scanning package barcodes and receiving shipment status notifications. This article is dedicated to the security assessment of the mobile application of one of Ukraine's postal operators, which undeniably constitutes an element of the state's critical infrastructure. The research aims to evaluate the security of this app, considering the threats and vulnerabilities that might arise during its operation. The study includes an analysis of the recommendations of two widely used security standards, ISO/IEC 27001:2022 and NIST Special Publication 800-163, and the application of static and dynamic analysis techniques to verify the security requirements established by the OWASP Mobile Application Security Verification Standard (MASVS). The primary tool selected for this research is MobSF (Mobile Security Framework), an automated, all-in-one framework for penetration testing, malware analysis, and security assessment of mobile apps (Android/iOS). The attack and the exploitation scenario for the identified vulnerabilities were verified in real time in an emulated environment. This article presents the vulnerabilities discovered in the mobile application.
Our findings indicate the absence of a confirmation step and improper authorization for critically important functions, which allows a malicious actor to remotely access a user's personal information, including name, contacts, and address, knowing only the user's system identifier. We further propose countermeasures to protect the infrastructure and to prevent adversaries from conducting reconnaissance and launching remote attacks from compromised accounts. The authors urge that the DevSecOps methodology be considered when developing applications for critical infrastructure information systems.
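The flaw class the abstract describes, a lookup that returns another user's personal data to anyone who supplies that user's system identifier, is an object-level authorization failure. The following is an added example written for this page; it is not code from the paper, from MobSF, or from the assessed application. The profile records, the "customer"/"support" roles, the enumeration threshold and the function names are all constructed for illustration. It places the vulnerable lookup beside a hardened one that binds the identifier to the authenticated session, and adds a small detector for the identifier-enumeration pattern that reconnaissance against such an endpoint produces.

```python
"""Added illustration (not code from the paper or the assessed app) of an
authorization flaw of the kind the abstract describes: a profile lookup that
trusts the user identifier in the request, beside a hardened lookup that binds
the identifier to the authenticated session, plus a detector for identifier
enumeration. All records, roles and thresholds are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, field


# Constructed sample records; none of this is real customer data.
PROFILES = {
    1001: {"name": "Alice", "phone": "+380000000001", "address": "Kyiv, Example St 1"},
    1002: {"name": "Bohdan", "phone": "+380000000002", "address": "Lviv, Example St 2"},
    1003: {"name": "Chrystyna", "phone": "+380000000003", "address": "Odesa, Example St 3"},
}

# Denied requests are appended here so they can feed an audit log or a SIEM.
DENIED_LOG = []


@dataclass
class Session:
    """Authenticated session; the role names are an assumption of this example."""
    user_id: int
    role: str = "customer"  # "customer" or "support"


def get_profile_vulnerable(session, requested_id):
    """Insecure direct object reference: authentication is checked, authorization is not.
    Any logged-in caller who guesses or harvests a system identifier gets that user's data."""
    if session is None:
        raise PermissionError("login required")
    return PROFILES.get(requested_id)


def get_profile_hardened(session, requested_id):
    """Object-level authorization: a customer may read only the record bound to the
    session; a support role may read others; every denial is recorded for audit."""
    if session is None:
        raise PermissionError("login required")
    if session.role != "support" and session.user_id != requested_id:
        DENIED_LOG.append((session.user_id, requested_id))
        raise PermissionError("not authorized for this resource")
    return PROFILES.get(requested_id)


@dataclass
class EnumerationDetector:
    """Flags a session that requests many distinct identifiers, the reconnaissance
    pattern that precedes bulk harvesting of personal data. The threshold is arbitrary."""
    threshold: int = 5
    seen: dict = field(default_factory=lambda: defaultdict(set))

    def record(self, session_user_id, requested_id):
        """Return True once the session has touched `threshold` distinct identifiers."""
        ids = self.seen[session_user_id]
        ids.add(requested_id)
        return len(ids) >= self.threshold


def simulate_harvest(lookup, attacker_session, id_range):
    """Enumerate id_range through `lookup`; return (records obtained, detector flagged)."""
    detector = EnumerationDetector(threshold=5)
    obtained = {}
    flagged = False
    for uid in id_range:
        flagged = detector.record(attacker_session.user_id, uid) or flagged
        try:
            record = lookup(attacker_session, uid)
        except PermissionError:
            continue
        if record is not None:
            obtained[uid] = record
    return obtained, flagged


if __name__ == "__main__":
    attacker = Session(user_id=1001)  # an ordinary customer account
    got, flagged = simulate_harvest(get_profile_vulnerable, attacker, range(1000, 1010))
    print("vulnerable endpoint leaked", len(got), "records; detector flagged:", flagged)
    got, flagged = simulate_harvest(get_profile_hardened, attacker, range(1000, 1010))
    print("hardened endpoint leaked", len(got), "records; detector flagged:", flagged)
```

The hardening is a server-side decision taken from the session, not from anything the client sends; the detector is complementary, because even a correctly authorized endpoint still reveals through its denial log which account is probing the identifier space.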

Item type: Article
Keywords: Mobile application security, OWASP, MASVS, critical infrastructure, NIST, NIST SP 800-163, risk management, risk tolerance.
Typology: Archived subject area of Borys Grinchenko Kyiv University > Articles in scientometric databases > Scopus
Divisions: Archived divisions of Borys Grinchenko Kyiv University > Faculty of Information Technology and Mathematics > Department of Information and Cyber Security named after Professor Volodymyr Buriachok
Depositing user: Pavlo Mykolaiovych Skladannyi
Date deposited: 11 Dec 2023 11:05
Last modified: 11 Dec 2023 11:05
URI: https://elibrary.kubg.edu.ua/id/eprint/47127
