M2: Inadequate Supply Chain Security
Mobile apps depend on package repositories, third-party SDKs, advertising libraries, CI/CD services, and device-side frameworks. Inadequate supply chain security means those dependencies are integrated without sufficient validation, which exposes the app to tampered binaries, malicious updates, or compromised engineering tooling. Attackers routinely hijack developer accounts, poison update feeds, or distribute trojanised SDKs that collect data or inject code at runtime, and the resulting malicious code ships inside the signed app, where platform protections treat it as part of the application itself.
Typical Weakness Patterns
- Using third-party SDKs without reviewing their security posture, update cadence, or data access requirements.
- Accepting unsigned or improperly signed artefacts from build servers, package registries, or OTA update channels.
- Allowing CI/CD runners with broad credentials to build release binaries without isolation or attestation.
- Failing to pin dependency versions and verify checksums, or resolving internal package names against public registries, which enables dependency confusion and typosquatting attacks.
Detection Cues
- SBOM generation that highlights unknown or unapproved libraries embedded in the mobile binary.
- Monitoring vendor advisories, Git commits, and supply-chain telemetry for unexpected changes in bundled SDK behaviour.
- Build pipeline logging that flags unsigned artefacts, missing reproducible build evidence, or untracked updates.
Mitigation
- Maintain an approved component list and require security review for every new SDK or service dependency.
- Enforce code signing, checksum verification, and provenance attestation (e.g., SLSA, Sigstore) on all build outputs.
- Segregate CI/CD credentials, enable MFA for developer accounts, and use ephemeral build agents with minimal privileges.
- Continuously generate and review SBOMs, and perform rapid patch management when upstream components disclose vulnerabilities.
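The approved component list, checksum verification and SBOM review described under Mitigation (and the SBOM cue under Detection Cues) can be wired into a build as a single policy gate. The following Python is an added example, not code from this page or from any OWASP project: it checks a fetched SDK archive against its pinned SHA-256 and audits a CycloneDX-style SBOM against the allowlist, flagging components that were never approved, that drifted from the pinned version, or that carry the right version but the wrong digest (the trojanised-rebuild case). The allowlist, SBOM, component names and digests are all constructed for illustration; only the two digests used for the archive check are real SHA-256 values of the constructed bytes.

```python
"""Supply-chain policy gate (added example): pinned-digest check for a fetched
SDK archive plus an SBOM audit against an approved component list.
All component names, versions and the SBOM itself are constructed."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed approved component list: "group:name" -> pinned version and the
# SHA-256 the vendor published for that release. The first two digests are the
# real SHA-256 of b"abc" and b"" so the archive check below can be exercised.
APPROVED_COMPONENTS: Dict[str, Dict[str, str]] = {
    "com.example:analytics-sdk": {
        "version": "4.2.1",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
    "com.example:crash-reporter": {
        "version": "2.0.0",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    },
    "com.example:push-sdk": {
        "version": "1.3.0",
        "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
    },
}

# Constructed CycloneDX-style SBOM, as a build plugin would emit it for the
# app binary. Only the fields this audit needs are present.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        # Approved, pinned version, matching digest: should pass.
        {"type": "library", "group": "com.example", "name": "analytics-sdk",
         "version": "4.2.1",
         "hashes": [{"alg": "SHA-256",
                     "content": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}]},
        # Approved name, but the version drifted from the pinned 2.0.0.
        {"type": "library", "group": "com.example", "name": "crash-reporter",
         "version": "2.1.0"},
        # Approved name and version, but a different artifact digest:
        # the "same version, tampered archive" pattern. Digest is a placeholder.
        {"type": "library", "group": "com.example", "name": "push-sdk",
         "version": "1.3.0",
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},
        # Never reviewed, not on the approved list at all.
        {"type": "library", "group": "net.adnetwork", "name": "ads-sdk",
         "version": "9.9.9"},
    ],
})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Reject an SDK archive whose digest does not match the pinned value."""
    return sha256_hex(data) == expected_sha256.lower()


def component_key(component: dict) -> str:
    group = component.get("group", "")
    return f"{group}:{component['name']}" if group else component["name"]


def sbom_sha256(component: dict) -> Optional[str]:
    """Return the SHA-256 recorded for a component, if the SBOM has one."""
    for entry in component.get("hashes", []):
        if entry.get("alg", "").upper() == "SHA-256":
            return entry["content"].lower()
    return None


def audit_sbom(sbom_json: str, allowlist: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (component, reason) for every SBOM entry that fails policy."""
    findings: List[Tuple[str, str]] = []
    for comp in json.loads(sbom_json).get("components", []):
        key = component_key(comp)
        approved = allowlist.get(key)
        if approved is None:
            findings.append((key, "not on the approved component list"))
            continue
        if comp.get("version") != approved["version"]:
            findings.append((key, f"version {comp.get('version')} differs from pinned {approved['version']}"))
            continue
        digest = sbom_sha256(comp)
        if digest is None:
            findings.append((key, "no SHA-256 recorded; integrity cannot be verified"))
        elif digest != approved["sha256"]:
            findings.append((key, "SHA-256 does not match the pinned artifact digest"))
    return findings


if __name__ == "__main__":
    # Constructed stand-in for a downloaded SDK archive; b"abc" hashes to the
    # pinned analytics-sdk digest, b"abd" does not.
    print("archive ok:", verify_artifact(b"abc", APPROVED_COMPONENTS["com.example:analytics-sdk"]["sha256"]))
    print("tampered ok:", verify_artifact(b"abd", APPROVED_COMPONENTS["com.example:analytics-sdk"]["sha256"]))
    for key, reason in audit_sbom(SBOM_JSON, APPROVED_COMPONENTS):
        print(f"FAIL {key}: {reason}")
```

In a pipeline the gate runs after the SBOM is generated and before signing, and a non-empty findings list fails the build; the version check runs before the digest check so that a drifted version is reported as drift rather than as a hash mismatch, and a component with no recorded hash is reported separately, since an absent digest is a gap in the SBOM rather than evidence of tampering.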