When it comes to app security vulnerabilities, programmers should be the first to understand them. Setting aside the problems that come from Android being open source, the main cause is negligence during development or code that is not rigorous. But the blame cannot be placed entirely on programmers; sometimes the boss's schedule is very tight, among many other practical reasons. Here the CTO of Love Beta (ineice.com), a national mobile application security testing team, talks to us about the issue in light of the Android system's open-source design and ecosystem.
1. Application decompilation
Vulnerability: An APK package is very easy to decompile into readable files, and with a little modification it can be repackaged into a new APK.
Exploit: Software cracking, in-app purchase cracking, software logic modification, malicious code insertion, advertiser ID replacement.
Recommendation: Use tools such as ProGuard to obfuscate the code, and implement important logic with the NDK.
Example: Decompiling and repackaging Flappy Bird, swapping the advertiser ID, adding a piece of malicious code to the game, and so on.
2. Storage and transmission of data
Vulnerability: Files on external storage (SD card) have no permission management, so every application can read and write them. Developers put sensitive information on the SD card in plaintext, or place dynamically loaded payloads on the SD card.
Exploit: Steal sensitive information, tamper with configuration files, modify payload logic, and repackage.
Recommendation: Do not put sensitive information on external storage, and verify file integrity when dynamically loading external resources.
Vulnerability: Using globally readable and writable (MODE_WORLD_READABLE, MODE_WORLD_WRITEABLE) internal storage, or storing sensitive information (user account passwords, etc.) in plaintext.
Exploit: Read the sensitive information through global read access, or read the plaintext information after rooting.
Recommendation: Do not use globally readable and writable internal storage modes, and do not store user account passwords in plaintext.
3. Password Disclosure
Vulnerability: Passwords are stored or transmitted in plaintext.
Exploit:
Internal storage can be read and written after rooting.
The SD card is globally readable and writable.
Traffic captured on public WiFi yields the account password.
Recommendation: Use a practical and mature encryption scheme. Do not store the password in plaintext on the SD card.
4. Component Exposure (Activity, Service, Broadcast Receiver, Content Provider)
Vulnerability:
No validation is performed when the component is called.
No validation is performed when the component calls other components.
Exploit:
Call an exposed component to achieve some effect, obtain some information, or construct some data (for example, calling exposed components to send text messages, tweets, etc.).
Listen on exposed components and read data.
Recommendation: Validate input information, validate component calls, and so on. Set android:exported to false. Verify the call source using android:protectionLevel="signature".
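One way to check this recommendation against a decoded AndroidManifest.xml, as an added example rather than code from the original article: the script flags exported components that are not guarded by a signature-level permission. The sample manifest and every name in it are constructed; provider defaults on old target SDKs and platform-defined permissions are not modelled.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest in decoded text form; every name is hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <permission android:name="com.example.demo.INTERNAL" android:protectionLevel="signature"/>
  <permission android:name="com.example.demo.WEAK" android:protectionLevel="normal"/>
  <application>
    <service android:name=".SmsService">
      <intent-filter><action android:name="com.example.demo.SEND_SMS"/></intent-filter>
    </service>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.demo.INTERNAL"/>
    <provider android:name=".NotesProvider" android:exported="true"
              android:permission="com.example.demo.WEAK"/>
    <service android:name=".PrivateService" android:exported="false"/>
  </application>
</manifest>"""

def audit_manifest(manifest_xml):
    """Return (component, reason) for each exported component lacking signature protection."""
    root = ET.fromstring(manifest_xml)
    # Permissions this manifest declares at signature level (flags such as |privileged ignored).
    signature_perms = {
        p.get(ANDROID + "name") for p in root.iter("permission")
        if (p.get(ANDROID + "protectionLevel") or "normal").split("|")[0] == "signature"
    }
    findings = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            name = comp.get(ANDROID + "name")
            exported = comp.get(ANDROID + "exported")
            if exported is None:
                # Legacy default: a component with an intent-filter is exported.
                exported = "true" if comp.find("intent-filter") is not None else "false"
            if exported != "true":
                continue
            perm = comp.get(ANDROID + "permission")
            if perm is None:
                findings.append((name, "exported without a permission"))
            elif perm not in signature_perms:
                findings.append((name, "permission not declared as signature here"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```

A launcher activity has to be exported and will be reported too, so treat the output as a review list rather than a list of confirmed defects.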
5. WebView
Vulnerability:
Malicious apps can inject JavaScript code into WebView pages, and the page does not validate it.
Malicious web pages can in turn execute JavaScript that invokes methods registered by the app, or uses its resources.
Exploit:
Malicious apps embed a web app and then steal user information.
Malicious web pages invoke the app's code remotely. Worse, calling Runtime through Java reflection executes arbitrary code.
Recommendation: Do not use setJavaScriptEnabled(true) in WebView, or validate the input when you do use it.
6. Other Vulnerabilities
After the phone is rooted, in-app purchases can be modified, plug-in apps can be installed, and so on.
Logcat leaks sensitive user information.
Malicious ad packages.
Exploitation of next Intent.
7. Summary
Most app vulnerabilities arise because developers do not validate input information, and because of the special mechanism of Intent, all kinds of malicious behavior from outside have to be filtered out. In addition, the Android application market is chaotic and the skill level of developers is uneven. As a result, Android application vulnerabilities, malware, phishing and so on are still increasing.
Add to this the damage that root does to the app sandbox and the restrictions on Android upgrades, and the domestic Android environment is chaotic and miserable. So, if you want to make sure your app has no security holes, remember: never trust the outside world.
What are the vulnerabilities of apps that are often exploited by hackers?