Despite the popularity of mobile devices and the ever-increasing number of vulnerabilities found in their applications, the focus on mobile app security is still overshadowed by other security topics such as web applications. It can be tricky to stay informed on new risks in mobile application development specifically.
Many mobile security issues stem from back-end service flaws rather than client-side mobile app vulnerabilities. Back-end issues fall within web application territory; client-side mobile app vulnerabilities, however, require a different approach to identification and reporting. Although each mobile application is a unique implementation, developers keep making the same mistakes, so it is worth staying up to date on these vulnerabilities.
The Common Vulnerabilities and Exposures (CVE) system is the most widely used reference for publicly known software vulnerabilities and is accessible through the U.S. Government's National Vulnerability Database (NVD). Though the database can be searched with keywords such as "Android" and "iOS" to spot some mobile app entries, such a search returns unwanted results such as platform (operating system) vulnerabilities and misses many mobile app CVEs.
Fortunately, the Common Platform Enumeration (CPE) 2.3 formatted string that NVD attaches to a CVE's "configurations" carries a target_sw component naming the operating system the affected software runs on. Mobile app CVEs such as CVE-2019-1948, for example, have either "android" or "iphone_os" (NVD's label for iOS) in that position, towards the end of the CPE string. Even so, spotting mobile app CVEs such as the one shown in Image 1: Example Mobile App CVE is not as simple as browsing through a list of mobile apps on the NVD website.
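The filtering the paragraph above describes can be automated by parsing each CPE 2.3 string in a CVE's configurations and keeping only application entries (part "a") whose target_sw is a mobile OS. The following script is an added example, not code from the original article. It assumes the NVD API 2.0 JSON layout (a "vulnerabilities" list whose "cve" objects carry "configurations" -> "nodes" -> "cpeMatch" -> "criteria"); the older 1.1 JSON feeds use different key names. The sample records, vendor and product names, and CVE identifiers of the form CVE-0000-0000N are constructed for the demonstration.

```python
"""Pick mobile-app CVEs out of NVD JSON by reading the CPE 2.3 target_sw component.

Added example for this article; the input schema assumed is NVD API 2.0 and the
sample records below are constructed, not real NVD data.
"""
import json

# Labels NVD uses in target_sw for the two mobile platforms named in the article.
MOBILE_TARGET_SW = {"android", "iphone_os"}


def split_cpe23(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string into its 13 components.

    Component order: cpe, 2.3, part, vendor, product, version, update, edition,
    language, sw_edition, target_sw, target_hw, other. A literal colon inside a
    component is escaped as '\\:', so a naive str.split(':') would mis-align fields.
    """
    parts, buf, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            buf.append(cpe[i:i + 2])  # keep the escape sequence intact
            i += 2
            continue
        if ch == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return parts


def is_mobile_app_cpe(cpe: str) -> bool:
    """True for an application (part 'a') whose target_sw is a mobile OS.

    OS-level entries such as cpe:2.3:o:google:android:... have part 'o' and are
    exactly the 'platform vulnerability' noise a keyword search would return.
    """
    parts = split_cpe23(cpe)
    return parts[2] == "a" and parts[10] in MOBILE_TARGET_SW


def mobile_app_cves(nvd_json: dict) -> dict[str, list[str]]:
    """Map CVE id -> list of vulnerable mobile-app CPEs, for CVEs that have at least one."""
    results: dict[str, list[str]] = {}
    for item in nvd_json.get("vulnerabilities", []):
        cve = item["cve"]
        hits = []
        for config in cve.get("configurations", []):
            for node in config.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if match.get("vulnerable", False) and is_mobile_app_cpe(match["criteria"]):
                        hits.append(match["criteria"])
        if hits:
            results[cve["id"]] = hits
    return results


def _node(*criteria: str) -> dict:
    return {"operator": "OR", "negate": False,
            "cpeMatch": [{"vulnerable": True, "criteria": c} for c in criteria]}


# Constructed sample in NVD API 2.0 shape: one Android app, one iOS app,
# one Android platform (OS) bug, and one server-side web app.
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001", "configurations": [{"nodes": [
        _node("cpe:2.3:a:example_vendor:example_app:*:*:*:*:*:android:*:*")]}]}},
    {"cve": {"id": "CVE-0000-00002", "configurations": [{"nodes": [
        _node("cpe:2.3:a:example_vendor:example_app:*:*:*:*:*:iphone_os:*:*",
              "cpe:2.3:a:example_vendor:example_app:*:*:*:*:*:android:*:*")]}]}},
    {"cve": {"id": "CVE-0000-00003", "configurations": [{"nodes": [
        _node("cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*")]}]}},
    {"cve": {"id": "CVE-0000-00004", "configurations": [{"nodes": [
        _node("cpe:2.3:a:example_vendor:example_webapp:2.1:*:*:*:*:*:*:*")]}]}},
]}


if __name__ == "__main__":
    # Against live data you would load the response of the NVD API 2.0 cves endpoint
    # into nvd_json with json.load(); here the constructed sample stands in for it.
    print(json.dumps(mobile_app_cves(SAMPLE_NVD), indent=2))
```

Run against a real NVD API 2.0 response, the script keeps only CVE-0000-00001 and CVE-0000-00002 from the sample: the Android OS entry is dropped because its part is "o", and the web app is dropped because its target_sw is "*". Add further target_sw labels to MOBILE_TARGET_SW if you want to cover other mobile platforms NVD labels.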