Skip to main content

Unauthorized access to files - Debug APK

Description

The debug APK is available to anyone on the Internet.

Impact

  • Host an APK in AWS.
  • Download the debug APK without any authentication, being able to analyze the application and find vulnerabilities easily.

Recommendation

Protect the APK behind some kind of authentication.

Threat

Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: X
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.1
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

Sensitive resources are restricted to be read only by authorized users

BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: APK-BUCKET
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- "s3:Download"
Effect: Deny

Non compliant code

An S3 AWS service allows the source code to be downloaded by anyone

BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: APK-BUCKET
PolicyDocument:
Version: 2012-10-17
Statement:
- Action:
- "s3:Download"
Effect: Allow
Restriction: None

Requirements