Avoid stepping on the pit: Easy shield security old driver from the bottom of Android nine loopholes, with the resolution of recommendations

Source: Internet
Author: User
Tags ssl certificate

Android applications encounter a variety of vulnerabilities, how to understand the details of various security risks, and actively take appropriate defense measures become particularly important. In order to let everyone on the Android vulnerability has a very comprehensive understanding, NetEase Cloud Yi Shield Senior security engineer Xu Congxiang for everyone to understand the common nine big Android vulnerability, for you to learn the reference. (if the following dry content does not allow you to enjoy, welcome to the official website to apply for related products trial, face-to-face communication, to ensure that your security problems solved.

?

First major Category: Androidmanifest configuration-related risks or vulnerabilities

Program can be arbitrarily debugged

Risk Details: Android App apk config file Android manifest.xml in Android:debuggable=true, debug switch is turned on.

Hazard situation: app can be debugged.

Fix suggestion: Turn off the debug switch property in the Androidmanifest.xml configuration file, that is, set android:debugable= "false".

Any backup of program data

Risk Details: Android app apk profile Androidmanifest.xml android:allowbackup=true, data backup switch is turned on.

Hazard situation: App data can be backed up and exported.

Fix suggestion: Turn off the Androidmanifest.xml profile backup switch, that is, set android:allowbackup= "false".

Component exposure: It is recommended to verify the call source using android:protectionlevel= "signature".

Activity component Exposure

?

Risk Details: The activity component's property exported is set to TRUE or exported value is not set but Intentfilter is not empty, activity is considered to be exported, and activity can be aroused by setting the appropriate intent.

Hazard situation: Hackers may construct malicious data to carry out ultra vires attacks on exported activity components.

Fix recommendation: If the component does not need to share data or interaction with other apps, set the component to exported = "False" in the Androidmanifest.xml profile. If your component needs to share data or interaction with other apps, do permission control and parameter checking on the component.

Service component Exposure

Risk Details: The service component's attribute exported is set to TRUE or the exported value is not set but Intentfilter is not empty, the service is considered to be exported, and the service can be aroused by setting the appropriate intent.

Hazard situation: Hackers may construct malicious data to implement ultra vires attacks on exported service components.

Fix recommendation: If the component does not need to share data or interaction with other apps, set the component to exported = "False" in the Androidmanifest.xml profile. If your component needs to share data or interaction with other apps, do permission control and parameter checking on the component.

ContentProvider Component Exposure

?

Risk Details: The Content provider is considered to be exported when the ContentProvider component's properties exported set to True or Android api<=16.

Harm situation: Hackers may access data or files that the app itself does not want to share.

Fix recommendation: If the component does not need to share data or interaction with other apps, set the component to exported = "False" in the Androidmanifest.xml profile. If your component needs to share data or interaction with other apps, do permission control and parameter checking on the component.

Broadcastreceiver Component Exposure

Risk Details: The Broadcastreceiver component's properties exported is set to TRUE or the exported value is not set but Intentfilter is not empty, broadcastreceiver is considered to be exported.

Hazard situation: Exported broadcasts can result in data leaks or are ultra vires.

Fix recommendation: If the component does not need to share data or interaction with other apps, set the component to exported = "False" in the Androidmanifest.xml profile. If your component needs to share data or interaction with other apps, do permission control and parameter checking on the component.

?

Intent Schemeurls attack

Risk details: After Androidmanifast.xml set the scheme protocol, the corresponding activity can be opened via the browser.

Hazard situation: The attacker constructs the intent syntax by accessing the browser to evoke the appropriate components of the app, causing a denial-of-service, or perhaps evolving an ultra-vires call to the app or even upgrading to a power-up vulnerability.

Fix suggestion: The app checks the external call process and transmits data, configures the category filter, adds the Android.intent.category.BROWSABLE way to evade the risk

The second Category: WebView components and risks or vulnerabilities associated with server communications

WebView Native Java interface exists

Risk Details: The Android WebView component has a very special interface function Addjavascriptinterface, which enables native Java to interact with JS.

Hazard situation: at targetsdkversion less than 17 o'clock, an attacker can execute arbitrary code remotely using a function added by the Addjavascriptinterface interface.

Fix recommendations: Developers are advised not to use Addjavascriptinterface, using an alternative to injecting JavaScript and third-party protocols.

WebView Component Remote Code Execution (call getClassLoader)

Risk Details: Use targetsdkversion below 17 and bind the This object with Addjavascriptinterface in the context subclass.

Hazard situation: By calling getClassLoader, you can bypass Google's underlying restrictions on the GetClass method.

Fix recommendation: Targetsdkversion use a version greater than 17.

?

WebView Ignoring SSL certificate errors

Risk details: When WebView calls the Onreceivedsslerror method, it executes handler.proceed () directly to ignore the certificate error.

Hazard situation: Ignoring SSL certificate errors can cause a man-in-the-middle attack.

Fix suggestions: Do not rewrite the Onreceivedsslerror method, or the SSL certificate error problem according to the business scenario, to avoid the transmission of data plaintext.

WebView enabling access to file data

Risk details: Using setallowfileaccess (True) in WebView, the app can access file data in the private directory via WebView.

Hazard situation: In Android, Mwebview.setallowfileaccess (True) is the default setting. When Setallowfileaccess (true), under the file domain, arbitrary javascript code can be executed, and if a private directory file is bypassed by bypassing the same-origin policy, the user's privacy is compromised.

Fix recommendations: Use Webview.getsettings (). Setallowfileaccess (false) to prohibit access to private file data.

?

SSL Communication Service-side detection trusts any certificate

Risk Details: Custom SSLx509 TrustManager, overriding the Checkservertrusted method, do not do any server-side certificate validation within the method.

Hazard scenario: Hackers can use man-in-the-middle attacks to get encrypted content.

Fix suggestion: Strictly judge the service side and client certificate check, prohibit return null or NULL for exception event.

HTTPS Shutdown host name verification

Risk details: When you construct httpclient, the Hostnameverifier parameter is set with Allow_all_hostname_verifier or empty hostnameverifier.

Hazard situation: Shutting down the host school test can lead to hackers using man-in-the-middle attacks to obtain encrypted content.

Fix suggestion: The app does not verify the certificate's hostname when using SSL, trusts the legitimate certificate under any host name, causes the encrypted communication to be restored to plaintext communication, and the encrypted transmission is compromised.

?

SSL Communication Client detection trusts any certificate

Risk Details: Custom SSLx509 TrustManager, overriding the Checkclienttrusted method, do not do any server-side certificate validation within the method.

Hazard scenario: Hackers can use man-in-the-middle attacks to get encrypted content.

Fix suggestion: Strictly judge the service side and client certificate check, prohibit return null or NULL for exception event.

Open socket Port

Risk Details: The app-bound port listens for data that is sent externally after the connection is established.

Hazard scenario: An attacker could construct malicious data to test a port and launch a remote attack on an app that is bound to an IP 0.0.0.0.

Fix suggestion: If not necessary, only bind the ip127.0.0.1, and filter and verify the received data.

The third big category: Data security risks

Data storage:

SD card data is accessed by third party programs

Vulnerability Description: Discovery call getExternalStorageDirectory, storage content to SD card can be accessed by any program, there is a security risk.

Security advice: It is recommended to store sensitive information in the program's private directory and encrypt sensitive data.

Global file read-write Vulnerability-openfileoutput

Risk Details: Openfileoutput (Stringname,int mode) method when you create an internal file, the file is set to the global readable permission mode_world_readable.

Hazard situation: The attacker maliciously reads the contents of the file and obtains sensitive information.

Fix suggestions: Ask the developer to confirm that the file stores sensitive data, such as the existence of relevant data, please remove the file global readable properties.

Global file writable

?

Risk Details: Openfileoutput (Stringname,int mode) method when you create an internal file, the file is set to the global writable permission mode_world_writeable.

Harm situation: The attacker maliciously writes the contents of the file to destroy the integrity of the app.

Fix suggestions: Ask the developer to confirm that the file stores sensitive data, such as the presence of relevant data, remove the file global writable property.

Global files are readable and writable

Risk Details: Openfileoutput (Stringname,int mode) method when you create an internal file, the file is set to the global read-write permission.

Harm situation: The attacker maliciously writes the contents of the file or destroys the integrity of the app, or the attacker maliciously reads the contents of the file for sensitive information.

Fix the suggestion: Ask the developer to confirm whether the file stores sensitive data, such as the existence of relevant data, please remove the file global writable, write properties.

Private file leakage risk-getsharedpreferences:

Configuration file readable

Risk Details: The second parameter is set to Mode_world_readable when opening a file with Getsharedpreferences.

Hazard situation: Files can be read by other applications leading to information leaks.

Fix recommendations: If you must set the global readable mode for use by other programs, ensure that the stored data is not private data or stored after encryption.

Configuration file is writable

Risk Details: The second parameter is set to Mode_world_writeable when opening a file with Getsharedpreferences.

Hazard situation: Files can be written by other applications causing the file content to be tampered with, which could result in an impact on the application's normal operation or more serious problems.

Fix recommendations: The second parameter is set to Mode_private when using Getsharedpreferences.

Configuration file readable and writable

Risk details: When opening a file with Getsharedpreferences, set the second parameter to mode_world_readable or mode_world_writeable.

Hazard situation: The current file can be read and written by other applications, resulting in information leaks, tampering with the contents of the file, affecting the normal operation of the application or more serious problems.

Fix Recommendation: The second parameter is set to Mode_private when using Getsharedpreferences. Prohibit use of Mode_world_readable | mode_world_writeable mode.

Data encryption:

PlainText Digital Certificate Vulnerability

The digital certificate used by the APK can be used to verify the legal identity of the server and to encrypt and decrypt the transmitted data during communication with the server to ensure the confidentiality and integrity of the transmitted data.

If the digital certificate stored in plaintext is tampered with, the client may connect to the fake server, causing the user name, password and other information to be stolen, and if the plaintext certificate is stolen, it may cause the transmission data to be intercepted and decrypted, the user information is compromised, or the client will be sent a request Tampering with user data in the server or causing the server to respond unexpectedly.

AES Weak encryption

Risk details: The "aes/ecb/nopadding" or "aes/ecb/pkcs5padding" mode is used in AES encryption.

Hazard situation: ECB is the file block after the same encryption of file blocks, crack encryption only need to decrypt a file block, reducing the difficulty of cracking and file security.

Fix recommendations: Prohibit the use of AES-encrypted ECB mode, explicitly specifying the encryption algorithm: CBC or CFB mode, can be filled with pkcs5padding. The AES key length is at least 128 bits and 256 bits are recommended.

?

Unsafe use of random numbers

Risk Details: Call the Setseed method in the SecureRandom class.

Hazard situation: The generated random number is deterministic, there is the possibility of being cracked.

Fix suggestions: Initialize pseudo-random number generators with/dev/urandom or/dev/random.

Aes/des hard-coded keys

Risk details: When using AES or des plus decryption, the key is hardcoded in the program.

Hazard situation: You can easily decrypt the app communication data by getting the key through decompile.

Fix recommendations: Encrypt the key after storage or deformation for encryption and decryption operations, do not hard-coded into the code.

Data transfer: With the above duplication, you can also put the WebView series of loopholes in this small category.

Fourth class: File directory Traversal class vulnerability

Provider file directory Traversal

Risk Details: When provider is exported and the OpenFile method is covered, the content Query URI is not effectively judged or filtered.

Hazard scenario: An attacker could use the OpenFile () interface for file directory traversal to achieve the purpose of accessing any readable file.

Fix suggestions: Generally there is no need to overwrite the OpenFile method, if necessary, to the submitted parameters ". /"Directory jump character or other security check.

Unzip decompression Vulnerability

Risk details: Unzip the zip file and use GetName () to get the compressed file name without verifying it.

Hazard situation: The attacker can construct a malicious zip file, the extracted files will be extracted directory jump to other directories, overwriting the corresponding file resulting in arbitrary code execution.

Fix suggestions: When extracting files, determine if there is a file name. /special characters.

Category five: File format Parsing vulnerability

?

FFmpeg file Read

Risk Details: Video decoding is performed using the lower version of the FFmpeg library.

Hazard situation: There may be a local file read vulnerability in some versions of FFmpeg, which can be used to obtain local file content by constructing a malicious file.

Fix suggestions: Upgrade the FFmpeg library to the latest version.

Android "Janus" vulnerability

Vulnerability Details: Add an attack Classes.dex file (a file) to the front of the original appapk, and the Android system calculates the hash value of a file at the time of verification and saves it with the "Classes.dex" string as key. Then Android calculates the original Classes.dex file (B), and again with the "Classes.dex" string as the key to save, this save will overwrite the hash value of a file, causing the Android system to think that the APK has not been modified to complete the installation, the APK program runs, The system takes precedence over the a file found first, ignoring B, which causes the vulnerability to occur.

Hazard scenario: This vulnerability could allow an attacker to bypass the signature scheme V1 signature mechanism of the Android system and then tamper directly with the app. And because other security mechanisms on Android are based on signature and checksum, the vulnerability is equivalent to bypassing the entire security mechanism of the Android system.

Fix suggestion: It is forbidden to install multiple APK files with the same name ZipEntry.

?

Category six: Memory Stack class vulnerability

No compiler stack protection technology is used

Risk details: In order to detect overflow in the stack, a stack canaries vulnerability mitigation technique is introduced. When all function calls occur, an additional random number called Canary is pressed into the stack frame, and when an overflow occurs in the stack, the canary is overwritten first and then the EBP and return address. Before the function returns, the system performs an additional security verification operation that compares the values of the canary and. Data copies stored in the stack frame, and if the two do not match, a stack overflow has occurred.

Hazard situation: Without the use of Stackcanaries stack protection technology, the system does not protect the program when a stack overflow occurs.

Fix suggestion: When compiling so with NDK, add: local_cflags: =-wall-o2-u_fortify_source-fstack-protector-all in the android.mk file

Non-use of address space randomization technology

Risk Details: Pie Full Name position independent executables, is an address space randomization technique. When so is loaded, the address in memory is randomly assigned.

Hazard situation: Do not use pie, will make the implementation of shellcode less difficult, attack success rate increased.

Fix suggestion: When the NDK compiles so, add local_cflags: =-fpie-pie to open support for pie.

LIBUPNP Stack Overflow Vulnerability

Risk Details: A LIBUPNP library file with a version below 1.6.18 is used.

Hazard situation: Constructing a malicious packet can cause a buffer overflow, resulting in code execution.

Fix suggestions: Upgrade LIBUPNP library to 1.6.18 or above.

Seventh Category: Dynamic class vulnerability

Dex File Dynamic Loading

Risk details: Using Dexclassloader to load an external apk, jar, or Dex file, when the source of the external file cannot be controlled or tampered with, there is no guarantee that the file being loaded is secure.

Hazard situation: Loading a malicious DEX file will result in arbitrary command execution.

Fix recommendation: Before loading an external file, you must confirm the security of the external file by using a checksum signature or MD5.

Dynamic registration of Broadcasts

Risk Details: Broadcasts that are dynamically registered with Registerreceiver are exported by default during the lifetime of the component.

Hazard situation: Exported broadcasts can result in denial of service, data leakage, or unauthorized invocation.

Fix recommendation: Use the Registerreceiver API with permission validation for dynamic broadcast registration.

Eighth Category: Risk or vulnerability caused by lax calibration or qualification

Fragment Injection

Risk Details: The extra value of the intent is not handled correctly by the Preferenceactivity subclass of the exported.

Hazard scenario: An attacker can bypass restricting access to an unauthorized interface.

Fix recommendation: When TARGETSDK is greater than or equal to 19 o'clock, the Isvalidfragment method is enforced, less than 19 o'clock, Isvalidfragment is added to the preferenceactivity subclass, In both cases, the legitimacy of the fragment name is verified in the Isvalidfragment method.

Implicitly intended invocation

Risk details: Implicit settings are used when encapsulating intent, only action is set, no specific receive object is qualified, and intent can be fetched and read by other applications.

Hazard situation: Intent the intent of an implicit invocation can be hijacked by a third party, resulting in the disclosure of internal privacy data.

Fix suggestion: You can change an implicit call to an explicit call.

Nineth class: Command-line invoke class-related risks or vulnerabilities

The dynamic link library contains the Execute command function

Risk details: In the native program, it is sometimes necessary to execute a system command that does not filter or test when the command is received by an externally passed parameter.

Hazard situation: An attacker may pass in arbitrary commands, leading to the execution of a malicious command.

Fix recommendations: Strict filtering of incoming parameters.

Avoid stepping on the pit: Easy shield security old driver from the bottom of Android nine loopholes, with the resolution of recommendations

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.