Look at exploits in Android, and how they are achieved. Look at two apps which are good examples of why it's important to think about security.
- There are three key points to keep in mind when developing an Android App. You need to design and code your application securely based on the best guidance available. As with any operating system, weaknesses in Android are discovered and exploited, and these form the basis of a growing set of guidelines produced by the Android community on how to keep your Android device and applications secure. You need to maintain knowledge of exploits as they are made public to understand new weaknesses that exist and to trigger new updates to your apps, if they include these weaknesses.
Finally, you need to verify the security of your app by testing it, and we've just covered the tools and techniques you need to do that. A good repository for maintaining awareness of exploits is exploit-db.com. This website contains an up-to-date database of known exploits together with categorization of targets and their severity. This includes general operating system vulnerabilities, specific vendor implementations, and applications. Let's do a search for Android exploits.
Here we can see ten 2017 vulnerabilities, all relevant to the generic Google Android operating system. If we scroll down, we can see earlier vulnerabilities, including those targeting specific handsets and applications. One of the better known exploits in the Android world is the Stagefright exploit. Let's take a deeper look at how this exploit works. The Stagefright attack was detected in 2015, and news headlines declared that a billion Android handsets could be taken over without their owner's knowledge.
The attacker sends a video via MMS text message to an app such as Google Hangouts. The app automatically plays the video, which contains a malicious change to the video content so that the video rendering process within Android is compromised and a backdoor can be inserted. The technical details of the attack are that two of the basic constructs of the video stream, called tx3g atoms, are modified so that when added together, they trigger an integer overflow.
This causes a buffer to be created which is too small, which in turn leads to what is known as a heap overflow. By carefully crafting the video stream, the attacker can take advantage of this to insert a malicious payload. By the time the exploit had been detected, Google's continuous security improvement program had introduced the address space randomization feature, which indirectly defeated the attack. This meant that 95% of the handsets were in fact protected. However, Google did correct the flaw which led to the exploit.
As developers, we can't do much to protect against operating system flaws. However, there's another class of weaknesses that we can protect against. Let's revisit the Vodafone Australia SMS mailer app. This allows a Vodafone service user to send a text message through to email. I've got the background email sender open, and if we look down towards the bottom of the code, we can see there's a hard-coded set of credentials to an email account. It's not so much that the password is a bad password, it's that it's there at all. These credentials provide access to the email account to which the SMS is sent and then forwarded.
This is a standard Gmail account, and it retains copies of sent email, so if we were to use these credentials to access the account, we'd find any SMS messages that have been processed through this app. This could be a significant privacy breach for users who've sent messages. Another app which demonstrates a limited focus on security is the Revenssis app for doing online penetration testing. Here we can see the com.Revenssis folder in the top level app. If we open it, we can see the extensive list of source files which make up the app.
If we open up the resources folder, we can dive down through assets, purchase, and CSS to a number of PHP scripts. One of these, activate.php, is checking an activation code and removing it from one file and adding it to another. Check status.php is validating the payment status. Further down we can see there's a file called unassigned activation codes.php.
If we open this, we can see that it provides a complete list of currently unused activation codes which we can choose from to activate the product, thereby bypassing the requirement to purchase a code. I'll also revisit the LingXi.apk we saw earlier. In the China Mobile source code, in the routine called D, we again see another example of sensitive information in the source code. This time, it's a crypto key. These apps are good examples of the kind of issues we want to avoid in a secure Android app.
The fact that we have a number of examples perhaps suggests this is not an uncommon issue.
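The integer-overflow-to-undersized-buffer pattern behind Stagefright, shown as an added example that is not Android's code or the course's own: two atom sizes summed into a 32-bit total, first unchecked (the sum wraps and the allocation is far too small for the data copied in), then with the overflow check a parser should apply before allocating. The function names and the sample sizes are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Android's code: models the tx3g size-summation bug.
 * Two chunk sizes are added into a 32-bit total; the unchecked sum wraps,
 * so the buffer allocated from it is smaller than the data copied into it. */

/* Vulnerable pattern: the wrapped sum is silently used as the buffer size. */
uint32_t tx3g_total_unchecked(uint32_t first, uint32_t second) {
    return first + second;          /* 0xFFFFFFF0 + 0x20 wraps to 0x10 */
}

/* Hardened pattern: refuse any pair of sizes whose sum does not fit in 32 bits. */
int tx3g_total_checked(uint32_t first, uint32_t second, uint32_t *total) {
    if (first > UINT32_MAX - second)
        return -1;                  /* would overflow: reject the stream */
    *total = first + second;
    return 0;
}

/* Concatenate two atom payloads into one buffer sized by the checked sum.
 * Returns NULL, copying nothing, when the declared sizes are inconsistent. */
uint8_t *tx3g_concat(const uint8_t *a, uint32_t a_len,
                     const uint8_t *b, uint32_t b_len, uint32_t *out_len) {
    uint32_t total;
    if (tx3g_total_checked(a_len, b_len, &total) != 0)
        return NULL;
    uint8_t *buf = malloc(total ? total : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, a, a_len);
    memcpy(buf + a_len, b, b_len);
    *out_len = total;
    return buf;
}

int main(void) {
    /* Constructed sizes from a hostile stream: the wrapped sum is 16 bytes. */
    uint32_t bad = tx3g_total_unchecked(0xFFFFFFF0u, 0x20u);
    uint32_t ok;
    printf("unchecked total: 0x%x (buffer far too small)\n", bad);
    printf("checked total: %s\n",
           tx3g_total_checked(0xFFFFFFF0u, 0x20u, &ok) ? "rejected" : "accepted");
    return 0;
}
```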
- Understanding Android OS, app, and hardware security components
- Using the Trusted Execution Environment
- Developing Android apps with security in mind
- Analyzing existing applications
- Understanding Android vulnerabilities
- Securing Android apps
- Developing secure enterprise apps