First, the main question "Android App" security vulnerability, speaking of Android application security vulnerabilities, if the system design problems, the main reason is the development process of omission caused. But in fact, it is not possible to blame all these responsibilities on the program ape head. So this answer will also be on the Android system design and ecological environment to do some elaboration. (If you want to learn about Android malware, you need to open a different topic.) )
1. Applying anti-compilation
Vulnerability: APK package is very easy to decompile into a readable file and can be re-packaged into a new apk with a little modification.
Use: Software hack, intra-purchase hack, software logic modification, insert malicious code, replace advertiser ID.
Recommended: Using tools such as Proguard to confuse code, important logic is implemented with the NDK.
Example: Anti-compilation re-packaging Flappybird, The Advertiser ID Exchange, the game to add a piece of malicious code and so on.
2. Storage and transmission of data
Vulnerability: Files on external storage (SD card) do not have rights management, and all applications are readable and writable. The developer puts the sensitive information in plaintext on the SD card, or the dynamically loaded payload is placed on the SD card.
takes advantage of the : Steal sensitive information, tamper with configuration files, modify payload logic, and repackage.
suggests : Do not put sensitive information on top of external storage; Verify file integrity when loading external resources dynamically.
Vulnerability : Use global read/write (Mode_world_readable,mode_ world_writeable) internal storage, or plaintext storage of sensitive information (user account password, etc.).
takes advantage of the : Global read-write sensitive information, or root reads plaintext information.
recommended : Not applicable to the global read-write internal storage method, the user account password is not stored in plaintext.
3. Password Disclosure
Vulnerability : Password plaintext storage Transmission.
Take advantage of :
The internal storage can be read and written after the
- root. The
- SD card is globally readable and writable.
- public WiFi capture to get the account password.
recommendations : A practical and proven encryption scheme. Do not store the password in plaintext on the SD card.
4. Component Exposure (Activity, Service, broadcast Receiver, Content Provider)
Vulnerability Span style= "FONT-SIZE:13PX;LINE-HEIGHT:22.1PX;" >:
- The component was not validated when it was called.
- No validation was made when other components were called.
use :
The
- invokes the exposed component, achieves an effect, obtains some information, constructs some data. (for example, to call exposed components to send text messages, tweets, etc.). The
- listens for exposed components and reads data.
suggestions : Validating input information, validating component calls, and so on. The android:exported is set to false. Verify the call source using android:protectionlevel= "signature".
5. WebView
Vulnerability :
The
- malicious App can inject JavaScript code into a Web page in WebView, which is not validated.
- Malicious Web pages can execute JavaScript, which in turn invokes methods registered in the APP, or use resources.
using
The
- malicious program embeds the Web App and then steals the user information. The
- Malicious Web page invokes the APP code remotely. What's more, calling Runtime from Java Reflection executes arbitrary code.
suggestions : Setjavascriptenabled (true) in WebView is not used, or the input is validated when used.
6. Other Vulnerabilities
- After the ROOT of the mobile phone can modify the app in the purchase, or install plug-in app and so on.
- Logcat leaks user-sensitive information.
- A malicious ad package.
- Use next Intent.
7. Summary
Most of the vulnerabilities in Android applications are due to the fact that developers do not validate input information, and because Intent is a special mechanism that needs to filter out all kinds of malicious behavior outside. Coupled with the market turmoil in Android apps, the level of developers is uneven. So now the vulnerabilities of Android applications, malware, fishing and so on are still increasing.
plus root for App sandbox damage, Android upgrade restrictions. The domestic Android environment is chaotic and miserable. So, if you want to make sure your app doesn't have a security hole, remember: Never trust the outside world.
last recommended: Love encryption Vulnerability Detection (http://safe.ijiami.cn/) service can be a key to identify the app potential vulnerabilities and malware virus; for applications hijacked, Love encryption provides a variety of encryption items and encryption methods, Resolves the risk of hijacking that may exist during process and data transfer.
Share: What are the common and often exploited security vulnerabilities in Android apps?