Annual review: the top ten high-risk mobile app vulnerabilities of 2017, and how to defend against them in 2018
From a large wave of Android banking Trojan attacks in January to the disclosure of citizen information leaks at the 3.15 gala; from the WannaCry ransomware variant in May to attacks on mobile devices; and, by November, mobile phones being turned into cryptomining machines: in 2017, mobile internet security incidents continued to surge and hacking methods kept evolving, triggering a series of new security threats and challenges.
Faced with ever-evolving threats, more mobile app development enterprises are becoming aware that the security of a mobile app cannot rely solely on mobile security vendors; the vulnerabilities in the app itself must also receive attention.
To help mobile app developers and mobile Internet enterprises better understand mobile app vulnerabilities, the mobile security lab of pay-as-you-go security has summarized and analyzed the mobile app vulnerability data of 2017 collected by its omni-channel application monitoring platform, and publishes the following conclusions for reference by users, developers and enterprises:
In 2017, the total number of mobile applications across the entire network exceeded 5.6 million (versions not accumulated), an increase of 4.30% over 2016. Of these, more than 0.85 million applications contained high-risk vulnerabilities, amounting to more than 8.4 million high-risk vulnerabilities in total; on average, each mobile app contains at least 1.5 high-risk vulnerabilities.
In addition, based on the omni-channel application monitoring platform, the lab analyzed the vulnerabilities that cause the greatest harm to users and presents the top 10 high-risk mobile application vulnerabilities of 2017 (ranked by severity):
Top 10 high-risk vulnerabilities in mobile apps, 2017
1. WebView Remote Code Execution Vulnerability
Security experts pointed out that all Android versions up to and including API level 16 are exposed to a remote code execution vulnerability. Many popular Android apps have been exposed to this high-risk Trojan vulnerability: when the user clicks a message or a URL shared in WeChat Moments, the phone automatically executes the Trojan's code, as a result of which malicious fee-deducting software is installed, fraudulent text messages are sent to the user's friends, the address book and text messages are stolen, and remote control is established. A large number of top applications, such as QQ, quickplay and Baidu Browser, were affected to varying degrees.
2. Interface hijacking
Security experts said that such vulnerabilities can steal key user information such as accounts, passwords and bank card details. Users may unknowingly enter their account and password into a counterfeit interface, and the malicious program then sends the data back to its server to complete the phishing attack. On June 25, November 2017, a vulnerability was found in the Android MediaProjection service that allows a malicious program to capture the user's screen content and record audio without the user's knowledge; more than 78% of Android devices are affected by this vulnerability.
3. Permission Vulnerability
Security experts note that this type of vulnerability allows attackers to maliciously read file contents, obtain sensitive information and undermine integrity. Alternatively, attackers can abuse sensitive permissions declared in the manifest file, resulting in leakage of the user's private data and phishing or fraudulent charges. From October 30 to November 5, 2017, the national Internet Emergency Response Center detected, through independent monitoring and sample exchange, 73 malicious program variants that steal users' personal information by exploiting this vulnerability, infecting 29,243 users; this poses a serious threat to user information security.
4. Tampering and secondary packaging vulnerabilities
Vulnerabilities of this type include adding or modifying code in the client program, modifying client resources such as images, configuration information and icons, inserting advertisements or promoted products, and rebuilding a new client program from the result, which leads to a large number of pirated applications eating into the original developers' revenue. In addition, malicious secondary packaging that injects malicious code can turn the app into a phishing tool: login account passwords and payment passwords are stolen, SMS verification codes are intercepted, and the account and amount of a transfer are modified. A modified APK package therefore not only seriously harms the developer's copyright and economic interests, but also exposes the app's users to malicious attacks.
5. SharedPref read/write Security Vulnerability
Security experts explain that a mobile application with the SharedPref read/write vulnerability creates its data file in the shared_prefs directory as globally readable or writable, so that any third-party application can read or write the file, increasing the risk of sensitive information leakage. In mid-June, users of Amazon and xiaohongshu suffered an information leakage crisis caused by such a vulnerability. The large amount of leaked personal information led to a sharp rise in telephone fraud: one user was defrauded of 0.43 million, and more than 50 xiaohongshu users lost more than 0.8 million in total.
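The weak file mode described above next to the corrected one, together with a self-check that lists preference files readable or writable by other UIDs. This is an added example, not code from the original article; the class, file and key names are assumptions.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.system.StructStat;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/* Added example, not from the original article. */
public final class PrefsHardening {
    private static final String PREFS = "session";      // assumed file name
    private static final String KEY_TOKEN = "auth_token"; // assumed key

    // VULNERABLE: shared_prefs/session.xml becomes readable by every app on the
    // device, so any installed app can read the session token.
    // (Android 7.0 and later throw SecurityException for the world-readable/writeable modes.)
    @SuppressWarnings("deprecation")
    public static void saveTokenInsecure(Context ctx, String token) {
        SharedPreferences sp = ctx.getSharedPreferences(PREFS, Context.MODE_WORLD_READABLE);
        sp.edit().putString(KEY_TOKEN, token).apply();
    }

    // FIXED: MODE_PRIVATE keeps the file accessible to this app's UID only.
    public static void saveToken(Context ctx, String token) {
        SharedPreferences sp = ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        sp.edit().putString(KEY_TOKEN, token).apply();
    }

    // Audit: stat every file under shared_prefs and report those with the
    // "other" read or write bit set, which is exactly what the weak modes produce.
    public static List<String> findWorldAccessiblePrefs(Context ctx) throws ErrnoException {
        File dir = new File(ctx.getApplicationInfo().dataDir, "shared_prefs");
        List<String> exposed = new ArrayList<>();
        File[] files = dir.listFiles();
        if (files == null) return exposed;
        for (File f : files) {
            StructStat st = Os.stat(f.getAbsolutePath());
            if ((st.st_mode & (OsConstants.S_IROTH | OsConstants.S_IWOTH)) != 0) {
                exposed.add(f.getName());
            }
        }
        return exposed;
    }
}
```

The audit can be run from a debug build or an instrumentation test; on production devices it is also a cheap sanity check after upgrading legacy code that still used the world-readable modes.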
6. WebView component ignores SSL certificate verification errors
Security experts explain that when the Android WebView component loads a web page and certificate verification fails, the system calls the WebViewClient.onReceivedSslError method. If that method calls handler.proceed(), the invalid certificate is accepted and the connection is exposed to man-in-the-middle attacks, resulting in privacy leakage. The monitoring platform shows that in 2017 up to 17.59% of mobile apps had this type of vulnerability, with countless affected users.
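The following added example (not code from the original article) hardens a WebView against both vulnerability 1 (the JavaScript bridge on API level 16 and below) and vulnerability 6 (accepting an invalid certificate). The bridge only exposes @JavascriptInterface-annotated methods and is registered only on API 17 and above, and onReceivedSslError cancels the load instead of calling proceed(). Class, bridge and interface names are assumptions.

```java
import android.annotation.SuppressLint;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/* Added example, not from the original article. */
public final class HardenedWebView {
    // Bridge object: from API 17 onwards only methods annotated with
    // @JavascriptInterface are reachable from page JavaScript.
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void configure(WebView wv, boolean needsBridge) {
        wv.getSettings().setJavaScriptEnabled(needsBridge); // off unless the bridge is needed
        wv.getSettings().setAllowFileAccess(false);          // no file:// loads from the page

        // On API 16 and below addJavascriptInterface exposes every public method of the
        // object (including getClass()) to the page, so refuse to register the bridge there.
        if (needsBridge && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            wv.addJavascriptInterface(new Bridge(), "AppBridge");
        }
        // Remove bridges the platform itself registered on older versions.
        wv.removeJavascriptInterface("searchBoxJavaBridge_");
        wv.removeJavascriptInterface("accessibility");
        wv.removeJavascriptInterface("accessibilityTraversal");

        wv.setWebViewClient(new WebViewClient() {
            // VULNERABLE pattern seen in the field: handler.proceed() on every error.
            // FIXED: cancel the load so a forged or expired certificate is never accepted.
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel();
            }
        });
    }
}
```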
7. Fixed port listening risk
According to security experts, 15.24% of mobile apps currently have fixed-port listening vulnerabilities: after opening a socket service these apps keep receiving data, but neither the authenticity of the data source nor the content is verified.
8. Weak data encryption Vulnerability
According to analysis by security experts, developers do not check sensitive data sufficiently during application development and pass it directly to embedded third-party libraries, which can lead to leakage, theft and monitoring of sensitive data. News of leaked personal data of citizens emerged one after another in 2017. In November, the million-record leak of student data from qudian was reported: the amounts of student loans and late payments, as well as private information such as the parents' phone numbers, the phone numbers of male and female contacts, and the password of the student's credit account were exposed.
9. Risk of exposed dynamically registered broadcast receivers
Android allows a receiver to be declared in the manifest or registered dynamically at runtime in order to receive broadcasts. An attacker can impersonate the app, construct a broadcast and send it to the exposed receiver, causing the target app to perform sensitive actions or return sensitive information. If the receiver accepts harmful data or commands, it may leak data or suffer a denial of service, leading to information leakage and even property loss.
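An added example (not code from the original article) showing an exposed dynamic registration beside a protected one: the receiver is guarded by a signature-level permission, marked not exported on API 33+, broadcasts are addressed to the app's own package, and the receiver validates its input instead of crashing on malformed extras. The action name, permission name and class names are assumptions; the permission must be declared in the manifest with protectionLevel="signature".

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;

/* Added example, not from the original article. */
public final class SafeReceiverRegistration {
    static final String ACTION_SYNC = "com.example.app.action.SYNC";        // assumed
    static final String PERM_INTERNAL = "com.example.app.permission.INTERNAL"; // assumed

    // VULNERABLE: a dynamically registered receiver without a permission is
    // reachable by any app that knows the action string.
    public static void registerExposed(Context ctx, BroadcastReceiver r) {
        ctx.registerReceiver(r, new IntentFilter(ACTION_SYNC));
    }

    // FIXED: only senders holding the signature-level permission reach onReceive,
    // and on API 33+ the receiver is additionally marked not exported.
    public static void registerProtected(Context ctx, BroadcastReceiver r) {
        IntentFilter filter = new IntentFilter(ACTION_SYNC);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            ctx.registerReceiver(r, filter, PERM_INTERNAL, null, Context.RECEIVER_NOT_EXPORTED);
        } else {
            ctx.registerReceiver(r, filter, PERM_INTERNAL, null);
        }
    }

    // Sender side: restrict the broadcast to our own package and require the
    // same permission of the receiver, so a spoofed receiver cannot catch it.
    public static void sendInternal(Context ctx, int jobId) {
        Intent i = new Intent(ACTION_SYNC)
                .setPackage(ctx.getPackageName())
                .putExtra("job_id", jobId);
        ctx.sendBroadcast(i, PERM_INTERNAL);
    }

    public static final class SyncReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            if (!ACTION_SYNC.equals(intent.getAction())) return;
            int jobId = intent.getIntExtra("job_id", -1);
            if (jobId < 0) return; // reject malformed input instead of failing later
            // ... start the sync for jobId (application-specific work) ...
        }
    }
}
```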
10. Business logic vulnerabilities
Security experts note that business logic vulnerabilities can expose users to brute-force guessing of verification codes or passwords, replay attacks and spam messages, and can even expose sensitive information such as passwords or credit card data. In March 2017, the mobike app suffered a business logic vulnerability worth RMB 110: some netizens exploited it to recharge their accounts repeatedly, obtaining 1500 yuan of fare credit while actually paying only 15 yuan. In 2017, the ofo (small yellow bicycle) client overlooked this type of vulnerability, leading to losses of tens of millions in China and Japan during the "red packet war" between shared-bicycle companies.
In addition, mobile app development involves many third-party SDKs, including payment, statistics, advertising, social networking, push notification and map SDKs. Beyond the top ten high-risk vulnerabilities, security vulnerabilities in the third-party SDKs used by mobile apps had a huge impact on users in 2017.
Once an SDK vulnerability is exploited, attackers can use the SDK's own functions to launch malicious attacks: for example, silently opening the camera, intercepting a two-factor authentication token sent by text message, or turning the device into part of a botnet.
With the continuing disclosure of system vulnerabilities and the serious fragmentation of the Android system, mobile application vulnerabilities will deepen and evolve further. The publication of the top ten high-risk mobile app vulnerabilities is intended to draw the attention of users and mobile Internet companies to mobile app vulnerabilities.