Data Leakage
- Local file sensitive data cannot be stored in plaintext, not pseudo-encrypted (Base64, custom algorithm, etc.)
- Android:allowbackup=false. Prevent ADB backup from exporting data
- Data leakage from Activity intent. For example, through Getrecenttask and then find the corresponding intent to get the data.
- Broadcast Intent, the use of locabroadcast in their own applications, to avoid being received by other applications, or setpackage do limit.
- Clipborad data leaks.
- WebView settings Setsavepassword (false) This will save the password in plaintext.
- Log to close to prevent important data leaks. Use the Boolean constant switch or Proguard direct optimization.
- Read prevention of keyboard events,/dev/input/event can read to keys and touch screen. The keyboard recommends random layout customization.
- For screenshots android5.0 and later Window.setflag (layoutparam.flag_secure) no recording screen.
attack surface exposed by client
- The use of external data is not verified, such as app upgrade, plug-in installation, etc., need to verify the legitimacy of these data.
- Zip unzip the directory to cover the risk. Allow in Zip: /.. /file such a path. If you unzip to the current directory, it is possible to overwrite the files in the parent directory.
- Android components improper exposure, do not need to export the need exported = False.
- Local port open issue, Socket server. Try not to open this interface. If you want to, also just bind to 127.0.0.1, do not expose to the LAN, avoid malicious code scanning port inside the LAN. In addition, the app can see which app is connecting to the port by reading the proc via the port. (The SELinux limit is collected). The other is to use this method to not implement some particularly sensitive functions.
- Dos attacks on open components. The Open Activity Service receiver needs to verify the legitimacy of the incoming intent, as well as the related type conversion protection. Prevent malicious code attacks.
- Pendingintent, do not send pendingintent to third-party apps. Prevent data from being modified.
the hijacking of the interface
- The Rogue hover box, which covers a hover box on top of our app, misleads the user into clicking on an unreasonable button. This time you need to set setfiltertoucheswhenobscured to False, the other window is overwritten, do not accept the button.
- Fishing window, when the user opens our interface, the malicious program also opens a similar fishing interface. We need to do the necessary checks when the key interface is onpause, such as to see if the top of the stack is its own interface. (Restricted after 5.0?) )
- ContentProvider SQL injection. The parameter contains a malicious sql;–. The simplest is to do the SQL parameter check.
- ContentProvider openFile Convenient catalogue risk.
WebView Remote Method Invocation Vulnerability
- 4.2 The following phone addjavascriptinterface can cause a vulnerability. JS Gets the Java class after getclass, and then calls the related function. The system itself takes a searchbox_xxx and needs to remove itself.
Unsecured network communication
- Man-in-the-middle attack
- Sensitive data is not transmitted in plaintext.
- Malicious wifi can be easily created by Kali Linux. Go fishing at the mall.
- Encryption algorithm
- RC4 is obsolete and not recommended for use.
- SHA256 best, not recommended MD5 SHA1
- RSA to 2048 bit, to padding.
- The symmetric encryption key is not placed in the code. Can be negotiated after saving on local encrypted storage.
- AES does not use the ECB mode, initialization vectors do not use fixed constants.
- Securerandome do not use Setseed () and do not pass in fixed values
- HTTPS man-in-the-middle attack
- The cookie is set to secure flag, or the cookie is transmitted in an HTTP session.
- Do not use SSLV3 and lower versions
- Do not handle certificate-related checks yourself in the program.
- SSL Certificate Verification
- WebView Onreceivedsslerror do not do what you do after the treatment.
- There are times when some mobile certificates are incomplete in the Android system, but you cannot ignore the certificate errors.
- Do not overwrite TrustManager. checkservertrusted do not rewrite.
- Hostnameverifier do not rewrite. Do not check the hostname.
- How to deal with it?
- Import the certificate through Trustmanagerfactory.
- Certificate bindings. Is that I only recognize this certificate. Do Veriry yourself. Lowest cost. The certificate can be self-signed. # Binary Attack #
- Various black Production QQ Group forum, see Snow Forum.
- RePack, insert malicious code
- Reverse analysis
- Run-time debug, modify data, etc.
- Tools
- Apktool,dex2jar, JEB.
- IDA Pro (view so code, F5 Assembly to C code)
- Xposed,cydia Substrate Injection Frame
- Protection
- Theoretically there is no 100% effective method for geo-binary attacks.
- But why do we have to do this? Raise the threshold, raise the cost, and raise the cost of his interest (he can go and find some soft persimmon to make money in this time)
- Proguard do confuse
- Security check
- Check if APK has been modified
- Check the signature (not reliable, here the code can be modified). But there is no stronger than none. Black production are some batch automation, can prevent some.
- Increased difficulty
- Put it in the native code.
- Multi-point Check
- Check the code do not put in the exit point, placed in a relatively hidden place. And then exit the program from somewhere else.
- and the network request, pass parameters to server,server return illegal data and so on.
- Anti-debug, anti-injection
- Debuggable = False
- debug.isdebuggerconnected for inspection.
- Monitor JDWP thread (hook socket for data filtering)
- Multi-process Ptrace protection. A process can only be ptrace once. (Multiple processes require pipe communication to monitor whether the ptrace process exits, listens, and the main program exits)
- Check Tracerpid, after trace is not 0 (can also be bypassed)
- Check if GDB android_server gdbserver is on the phone (can be renamed)
- Check to see if the xposed framework is running.
- Check if Hook (java,got, inline)
- Check whether the device is rooted or running on emulator.
- Check Jailbreak (IOS)
- String obfuscation encryption
- The strings in Java native are to be confused. The code is placed on the native layer.
- Hide the function name of the native layer, Dlsym
- OBFUSCATOR-LLVM confuses the natived code. Supports several modes such as SUB FLA BCF.
- Other native protection
- Check signature in So
- JNI Function Name Confusion
- Delete all symbols that do not require export. Set in the compilation options.
- Elf tricks, set some data to make the tool crash.
- So overall encryption. Add shell. Open-source UPX.
- Specific function encryption.
- Application Hardening
- Non-customized scheme, no confusion, no string encryption.
- Hook system code, etc., there is a relatively large compatibility issues.
- Affects the startup speed.
- No so layer protection.
Automated Scanning Tools
- 360 Catch the Worm Hunter
App Auto Check escalation mechanism
- A malicious attack is detected and escalated to the server to understand the risk side.
Overview of Android App Security
