Attackers Can Encrypt Information Stored in SAP Mobile, Reveals Onapsis Security Advisories

By CIOReview | Friday, August 21, 2015

FREMONT, CA: Onapsis, a provider of business-critical application security, has disclosed three high-risk vulnerabilities that could be used to gain access to sensitive business information within organizations that rely on SAP Mobile.

The three high-risk vulnerabilities in SAP Mobile Platform are:

Predictable Encryption Passwords for Configuration Values:

With access to a vulnerable mobile device, attackers will be able to decrypt and modify sensitive configuration values used by SAP business applications.

Predictable Encryption Passwords for Secure Storage:

An attacker with access to a vulnerable mobile device will be able to read sensitive information, including encrypted login credentials, to access or modify business information.

Keystream Recovery:

This vulnerability allows an attacker to access a vulnerable mobile device, decrypt credentials and other sensitive information stored within it, and connect the device to other business systems to access additional data.

SAP Mobile Platform is a mobile application development platform for building and deploying mobile apps that allow users to access SAP business-critical applications via the major mobile vendors, including Apple, Samsung, Google, and Microsoft. It solves mobility challenges, supports mobile apps that fit business-to-enterprise (B2E) or business-to-consumer (B2C) use cases, and helps balance device user requirements with enterprise requirements.

Based on the report by Onapsis, SAP has recently worked towards fixing the vulnerabilities.

“Nation states and organized crime syndicates are targeting SAP business applications because they hold the most sensitive data within a company. This makes it extremely critical for organizations to take proactive measures to protect SAP systems. In a recent study that our research labs put together, we found that over 95 percent of SAP systems assessed were exposed to vulnerabilities that could lead to full compromise of the company’s business processes and information. We are now seeing SAP security breaches escalating in the news headlines, so it is imperative that SAP security teams work closely with information security teams to solve this mounting problem,” said Ezequiel Gutesman, Director of Research, Onapsis.