Sensitive Information Data Type Declaration missing

Sensitive Information Data Type Declaration missing

Risk: medium

Description

This vulnerability arises when the declared data type for sensitive information does not align with how it is used, potentially allowing unauthorized access or exposure of the sensitive data.

Recommendation

To mitigate the vulnerability of checks if the sensitive information data type declaration matches usage, developers should regularly review and update the data type declarations to ensure they accurately reflect how the sensitive information is being used in the code. Additionally, implementing strict access controls and encryption techniques can help protect sensitive data from unauthorized access or misuse. Regular security audits and testing can also help identify and address any potential vulnerabilities in the code.

Links

• Android Privacy Guidelines
• Privacy Policies for Mobile Apps
• Apple Privacy Manifest
• CWE-359: Exposure of Private Information ("Privacy Violation")

Standards

• OWASP_MASVS_L1:
• OWASP_MASVS_L2:
• OWASP_MASVS_RESILIENCE:
• CWE_TOP_25:
• GDPR:
  • ART_5
  • ART_6
  • ART_7
  • ART_9
  • ART_11
  • ART_13
  • ART_15
  • ART_16
  • ART_17
  • ART_32
• CCPA:
  • CCPA_1798_100
  • CCPA_1798_105
  • CCPA_1798_110
  • CCPA_1798_115
  • CCPA_1798_120
  • CCPA_1798_125
  • CCPA_1798_130
  • CCPA_1798_135
  • CCPA_1798_140
  • CCPA_1798_150
• PCI_STANDARDS:
• OWASP_MASVS_v2_1:
  • MASVS_PRIVACY_1
  • MASVS_PRIVACY_2
  • MASVS_PRIVACY_3
  • MASVS_PRIVACY_4
• OWASP_ASVS_L1:
• OWASP_ASVS_L2:
• OWASP_ASVS_L3:
• SOC2_CONTROLS:
  • CC_2_3
  • CC_5_3