Android Development Tools Riddled with Nasty Vulnerabilities

Java/Android developers are exposed to vulnerabilities affecting the development tools, both downloadable and cloud based, used in the Android application ecosystem, Check Point warns.
Check Point security researchers have discovered several vulnerabilities impacting the most common Android Integrated Development Environments (IDEs), namely Google’s Android Studio, JetBrains’ IntelliJ IDEA, and Eclipse, along with major reverse engineering tools for Android applications, including APKTool, the Cuckoo-Droid service, and more.
The bugs were reported to the impacted IDE companies in May 2017 and have already been resolved in Google and JetBrains tools.
According to Check Point, their research focused on APKTool (Android Application Package Tool), which emerges as the most popular tool for reverse engineering third party Android apps, and which allows developers to decompile and build APK files.
Both of the tool’s features, however, are plagued by vulnerabilities, the researchers argue. The program’s source code revealed an XML External Entity (XXE) vulnerability in a function called “loadDocument,” which is being used in both core functionalities.
Because of this vulnerability, the entire OS file system of APKTool’s user is exposed, which allows an attacker exploiting the vulnerability to “potentially retrieve any file on the victim’s PC.” For that, a malicious “AndroidManifest.xml” file that exploits the issue is needed.
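The researchers also analyzed the XML parser called “DocumentBuilderFactory” that is used in the APKTool project and discovered multiple vulnerable implementations of the XML parser within other projects. This also led to the discovery that IDEs such as IntelliJ, Eclipse, and Android Studio are affected as well.
The domestic information security outsourcing industry is relatively underdeveloped. On the surface this may appear to be caused by the business environment, such as trust issues, which can be resolved through legal contracts. In reality, what matters is that people do not understand security services well enough and assume that network security means configuring systems and devices, whereas we are gradually coming to understand that operations and maintenance is the main work.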
“By simply loading the malicious ‘AndroidManifest.xml’ file as part of any Android project, the IDEs start spitting out any file configured by the attacker,” the security researchers explain.
The researchers uploaded a malicious project library to GitHub and cloned it to an Android Studio project, which demonstrated that an attack abusing this vulnerability is successful. Other attack vectors were discovered as well, such as injecting a malicious AAR (Android Archive Library) containing the XXE payload into repositories.
“It is possible, for example, to upload an infected AAR to a public repository such as the central Maven repository. Cloning the infected AAR from the repository by the victim would allow the attacker to steal sensitive files such as configuration files, source code, company digital proprietary and much more from the OS file system,” Check Point says.
Next, the researchers discovered a vulnerability in APKTool that could allow an attacker to execute commands on the victim’s PC.
The issue was discovered in the configuration file “APKTOOL.YML,” which is employed for the advanced use of the tool, and which contains a section called “unknownFiles” that “allows users to include a non-standard file location that will be placed correctly on the rebuild process of an APK.”
The selected files are saved in an ‘Unknown’ folder, and modifying the path in the “unknownFiles” section can result in arbitrary files being injected anywhere on the file system, because APKTool “does not validate the path of which the unknown files will be extracted from the packed APK.”
Injecting arbitrary files in the filesystem can lead to remote code execution, and any APKTool user/service is vulnerable when attempting to decode a crafted malicious APK.
“It is impossible to estimate the number of users of this well-known open source project. Yet, knowing that among them are some large services and companies, we contacted APKTool developer and IDE companies and are pleased to report that they all fixed the security issues and released updated and improved versions of their products,” Check Point concludes.