Description

Insecure connections from servers to the database. Encryption does not address all communications with the database, including transmissions from clients and transmissions from middle tiers.

Impact

- Data can be modified, replayed and no longer confidential. Also, lost packets can be detected. - Intercept sensitive information that travels over an intranet.

Recommendation

- Set up encrypted communications channels. Enable Oracle Database encryption for data that is sent over a network. - Ensure that connections only come from a physically secure terminal, or from an application web server with a known IP address. - In the case of a sensitive database, ensure that connections only come from certain points in the network.

Threat

Anonymous attacker from adjacent network.

Expected Remediation Time

⏱️ 60 minutes.

Details

https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05j-testing-resiliency-against-reverse-engineering#owasp-masvs

Requirements

Fixes