CWE-940
Improper Verification of Source of a Communication Channel
AI Translation Available
The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.
Status
incomplete
Abstraction
base
Affected Platforms
Mobile
Extended Description
AI Translation
When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may be able to gain privileges and access unexpected functionality.
Technical Details
AI Translation
Common Consequences
access control
other
Impacts
gain privileges or assume identity
varies by context
Potential Mitigations
Phases:
architecture and design
Descriptions:
•
Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack.
When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.