Detailed Security Risk Assessment Report
Group 3 was contracted to perform a risk assessment of the SplitPay system and its various components.
- Anurodh Acharya
- Gautam Kumar
- Krishna Paudel
Executive Summary
CSS 517 Group 3 was contracted to perform a risk assessment of the SplitPay system and its various components. The primary objective of the assessment was to determine the potential vulnerabilities and exploits associated with the technologies used.
The assessment was conducted according to standard penetration testing practices, including but not limited to the NIST 800-300 guidelines and the OWASP DevSecOps guidelines.
From the assessments performed, we have identified the SplitPay system as susceptible to high-risk vulnerabilities, including unsecured HTTP usage, SQL injection, and service unavailability. If an attacker exploits one or more of the vulnerabilities that currently exist in the SplitPay system, complete compromise of the system is possible.
We recommend SplitPay remediate its system by changing the app to use the HTTPS protocol, performing input sanitization or validation, updating its application libraries with the latest patch, and having a disaster recovery plan.
DETAILED ASSESSMENT
1. Introduction
1.1 Purpose
The purpose of the risk assessment is to identify threats and vulnerabilities associated with the SplitPay system. The risk assessment results will be used to identify risk mitigation strategies for the identified threats.
1.2 Scope of this risk assessment
The SplitPay system uses a client-server architecture: apps installed on Android devices act as clients, and a server is hosted in the cloud. The client app is built with the Android SDK in Java, while the server-side web service is written in PHP. The client app lets users enter free text, email addresses, phone numbers, etc., which are sent to the server's MySQL database. The app also integrates with PayPal and can access the user's geolocation and camera.
The scope of this risk assessment includes the components described above except the PayPal integration. PayPal is a third-party payment gateway/service used by the application, and according to the SRS document, payment security is handled entirely by PayPal. Thus, in this assessment we review only the client-side Android application, its features, and the server-side implementation of SplitPay.
2. Risk Assessment Approach
2.1 Participants
Role | Participant |
---|---|
System Owner | John Doe |
System Custodian | John Doe |
Security Administrator | John Doe |
Database Administrator | John Doe |
Network Manager | John Doe |
Risk Assessment Team | Anurodh Acharya, Krishna Paudel, Gautam Kumar |
2.2 Techniques Used
Technique | Description |
---|---|
Review of SRS Documentation | The assessment team reviewed the provided SRS document, which included information such as the software used, security requirements, etc. |
2.3 Risk Model
According to NIST, risk is a function of the likelihood of a threat event's occurrence and the potential adverse impact should the event occur.
Risk = Threat Likelihood × Magnitude of Impact
Threat Likelihood
Likelihood | Definition |
---|---|
High (1.0) | The threat source is highly likely to exploit the vulnerability exposed by the system. |
Medium (0.5) | The vulnerability is likely to be exploited, but the system might have enough controls to prevent it. |
Low (0.1) | Threat actors are unlikely to attack, or the controls can successfully prevent the attack. |
Magnitude of Impact
Impact | Definition |
---|---|
High (100) | The attack can cause catastrophic damage to the system including the breach of CIA (Confidentiality, Integrity, Availability). |
Medium (50) | The attack can cause significant damage to the system but the impact can be reduced. |
Low (10) | The attack can cause minor damage to the system through which the organization can recover easily. |
Risk Matrix
Likelihood \ Impact | Impact Low (10) | Impact Medium (50) | Impact High (100) |
---|---|---|---|
Likelihood High (1.0) | Low Risk (10) | Medium Risk (50) | High Risk (100) |
Likelihood Medium (0.5) | Low Risk (5) | Medium Risk (25) | Medium Risk (50) |
Likelihood Low (0.1) | Low Risk (1) | Low Risk (5) | Low Risk (10) |
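The risk model above is small enough to encode directly. The following is an added example (not part of the original report) that implements Risk = Threat Likelihood × Magnitude of Impact with the report's weights, derives the Low/Medium/High bands from the matrix, and ranks a list of findings. The likelihood and impact ratings assigned to the sample findings are constructed for illustration; the report itself does not assign per-finding ratings.

```python
"""Risk scoring per section 2.3: Risk = Threat Likelihood x Magnitude of Impact.

Added worked example for the report's risk model; the per-finding ratings in
SAMPLE_FINDINGS are constructed for illustration and are not from the report.
"""
from dataclasses import dataclass

# Numeric weights exactly as defined in the Threat Likelihood and Magnitude of Impact tables.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Product of the two weights, rounded so 0.1 * 100 compares cleanly to 10."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 1)


def risk_level(score: float) -> str:
    """Bands read off the report's matrix: 100 is High, 25 and 50 are Medium,
    everything at or below 10 is Low."""
    if score >= 100:
        return "High"
    if score >= 25:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Rebuild the 3x3 matrix as {(likelihood, impact): (score, level)}."""
    return {
        (lik, imp): (risk_score(lik, imp), risk_level(risk_score(lik, imp)))
        for lik in LIKELIHOOD
        for imp in IMPACT
    }


@dataclass
class Finding:
    name: str
    likelihood: str
    impact: str

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


# Constructed ratings (assumption, not from the report) for the findings in section 4.
SAMPLE_FINDINGS = [
    Finding("HTTP (Unsecured Protocol)", "High", "High"),
    Finding("SQL Injection", "High", "High"),
    Finding("Impersonation", "Medium", "Medium"),
    Finding("Service Availability", "Medium", "High"),
    Finding("Disaster Recovery", "Low", "High"),
]


def rank_findings(findings: list[Finding]) -> list[Finding]:
    """Highest risk first, so remediation order follows the model."""
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for (lik, imp), (score, level) in sorted(risk_matrix().items()):
        print(f"likelihood={lik:6} impact={imp:6} -> {score:>5} {level}")
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f.score:>5} {f.level:6} {f.name}")
```

Running the block prints the nine matrix cells and the constructed findings in descending risk order; the banding function is the only place a judgement is encoded, so changing the report's thresholds means changing one function.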
3. System Characterization
3.1 Technology components
Component | Description |
---|---|
Applications | SplitPay Android Application (Android SDK) / Java |
Databases | MySQL |
Operating Systems | Android OS, Linux CentOS |
Networks | Hosted by GoDaddy.com |
Interconnections | Integration to PayPal |
Protocols | TCP/IP and HTTP |
3.2 Physical Location(s)
Location | Description |
---|---|
User base | USA, UK |
Server Side | Hosted in GoDaddy.com, Tempe, AZ |
3.3 Data Used By System
Data Type | Description |
---|---|
Personally Identifiable Information (PII) | 1. Name; 2. Phone Number; 3. Geolocation |
Financial Information | 1. Transaction Details; 2. PayPal Account Details; 3. Debit/Credit card details from the receipt |
File System | 1. Access to Camera and images |
3.4 Users
Users | Description |
---|---|
Android App Users | SplitPay users who use the application to track their bills/expenses and share with each other. They can even be part of a group sharing the expenses. |
4. Vulnerability Statement
The following potential vulnerabilities were identified:
Vulnerability | Description |
---|---|
HTTP (Unsecured Protocol) | The application transfers data over unencrypted HTTP, which allows an attacker on the network path to intercept packets and read their contents. No data passed to or from the server is encrypted. |
SQL Injection | The application does not sanitize or validate user input. Attackers might inject SQL statements through input fields to gain access to the SplitPay backend database. |
Impersonation | Since the application does not require a password for identity verification, anyone who gets hold of the device can use the app and view bills, group members, transactions, etc. |
Unchecked User Input | The app performs no integrity check on user-supplied input. Unchecked input text could lead to vulnerabilities such as XSS and Remote File Inclusion. |
Service Availability | The application is hosted on an external hosting service. Any downtime of the hosting service will cause the application to stop working properly, with a chance of data loss. |
Unpatched Software | The application uses the Android SDK, PHP, and MySQL, which need continuous patching as updates become available. The SRS document gives no indication that this software is patched. Unpatched software can carry major vulnerabilities, including zero-days. |
Disaster Recovery | Disaster recovery is not set up or documented, which leaves the system vulnerable to environmental disasters. This could cause significant outages and, in extreme circumstances, loss of data. |
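The SQL Injection and Unchecked User Input findings share one root cause: user text reaches the database and other sinks without validation or parameter binding. The block below is an added example, not code from SplitPay or this report; it contrasts a query built by string concatenation with a parameterized one, and adds allow-list validation for the email and phone fields the app collects. SplitPay's server is PHP/MySQL, so this stand-alone demo uses Python's sqlite3 only so that it runs offline; the table, sample rows and inputs are constructed. The same fix in the real stack is a PDO prepared statement with bound parameters.

```python
"""Added example: unsanitized input vs. bound parameters, plus allow-list validation.

Stand-alone demo with sqlite3 standing in for SplitPay's MySQL backend; all data
below is constructed for illustration.
"""
import re
import sqlite3

# Constructed sample rows standing in for SplitPay's user records.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "+14155550100"),
    ("bob", "bob@example.com", "+442071234567"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Defect as described in the report: the user's text is spliced into the SQL
    string, so a quote character lets it change the query's WHERE clause."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Remediation: the value travels as a bound parameter and is never parsed
    as SQL, so the same input simply matches no row."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list patterns for the two structured fields the app collects.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")  # digits only, optional leading +


def validate_contact(email: str, phone: str) -> list[str]:
    """Return the names of fields that fail validation; empty list means accept.
    Validation runs before the value reaches the database or any page."""
    errors = []
    if not EMAIL_RE.fullmatch(email):
        errors.append("email")
    if not PHONE_RE.fullmatch(phone):
        errors.append("phone")
    return errors


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote: it widens the concatenated query to
    # every row, while the parameterized query returns nothing.
    crafted = "x' OR '1'='1"
    print("concatenated:", find_user_vulnerable(db, crafted))
    print("parameterized:", find_user_safe(db, crafted))
    print("validation errors:", validate_contact("not-an-email", "555-0100"))
```

Binding parameters removes the injection class regardless of what the input contains; validation is a second, independent layer that also keeps malformed emails and phone numbers out of the data set and out of any page that later renders them.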
5. Threat Statement
The team identified the following potential threat sources and associated threat actions applicable to SplitPay:
Threat-Source | Threat Actions |
---|---|
Adversarial | Individual; Group; Organization |
Accidental | User; Privileged User/Administrator |
Structural | Information Technology (IT) Equipment; Environmental Controls; Software |
Environmental | Natural or man-made disaster; Unusual Natural Event (e.g., sunspots); Infrastructure Failure/Outage |
End of SplitPay Risk Assessment.