What makes Android apps vulnerable to cyberattacks?
An Android app is software that runs on devices powered by the Android operating system. Android apps are commonly written in the Java programming language and compiled to bytecode. They are packaged as Android Package Kits (APK files), which enable the distribution and installation of Android applications, much as .exe files do on Windows. The second quarter of 2020 registered 2.96 million Android apps in total, compared to 2.6 million in 2018 (on Google Play). And in 2018, high-risk vulnerabilities were found in 43% of Android applications.
An APK file contains the following components:
Unlike Windows, Android runs each of its applications in a sandbox. Application sandboxing, or containerization, limits the environment in which code can execute and is intended to stop the app from interacting with external malicious elements.
The Android operating system is built on the Linux kernel. Unlike a conventional Linux system, however, each Android application is assigned its own unique user ID. The system then sets permissions for that user ID, permitting that app alone to access certain features.
Typically, all Android apps have to request permission to access sensitive data such as contacts, SMS messages, and the camera. Access to these system features is restricted through the Permissions API, and an application may use them only if the user grants access.
Although Android applications are written in Java, the class files containing Java virtual machine instructions (Java bytecode) are converted, before installation, into Dalvik executable files (.dex files) that contain Dalvik bytecode.
The kernel used by Android OS manages the execution of each application on the device, and the Dalvik virtual machine runs each application as an independent process under its own user ID.
Unlike Android apps, web applications can interact with other applications through universal links.
Android app-to-app communication is limited; it is nevertheless achieved through the following methods:
An intent is a request for an action from another application component. It coordinates the activities carried out by different applications; for example, selecting a photo from your gallery to set your WhatsApp display picture.
Deeplinks are links that take you to a specific destination inside an application. Deeplinks are what make it possible for users to share the link to a Medium article on Twitter.
Binder is the kernel-level inter-process communication (IPC) mechanism on Android; it allows processes to manage shared data. Object Linking and Embedding (OLE) by Microsoft is another example of an IPC mechanism.
Content providers manage access to a central repository of data and make it available to external applications. For instance, content providers grant applications access to the contacts and SMS messages on a device.
Even though Android applications are typically sandboxed and isolated, limiting app-to-app communication, they can still be abused.
App misconfiguration or a developer's bad coding practices make Android applications vulnerable to cyber attacks. Listed below are the most common Android application security issues that developers and users come across.
Hardcoded credentials are plain-text passwords, API keys, tokens, and similar secrets embedded in the source code. Although it is quite common for Android applications to integrate third-party APIs, the credentials involved are not necessarily meant for client-side API calls. When such credentials are exposed in plain text, they become easy targets for password-guessing exploits.
Recently, the CSC BHIM app suffered a data breach, exposing 70 lakh user records, due to an unsecured AWS database; developers had allegedly coded AWS credentials into the app itself. In such cases, static code analysis can inspect the source code before the program is executed and expose vulnerabilities within it. This process can also be automated, although it can produce too many false positives.
Broken cryptography in Android applications means using weak algorithms for encryption and decryption, or implementing a strong algorithm in an insecure way.
The widely used cryptographic hash function MD5 has been found to be vulnerable. The stream cipher RC4 is known for its simplicity, yet it too was discovered to have multiple vulnerabilities.
Finding weak or vulnerable cryptography can be automated through static analysis.
Java decompilers turn Java bytecode back into Java source code. Using such tools, we convert the APK into source code. Even though the result may not be the exact code the developer wrote, the classes, methods, and logic are the same, which reveals hardcoded credentials or other flaws the developer may have introduced.
The most common bad coding practice is custom cryptography, which can be broken quite easily.
Transport security is needed when communicating with the server; it is enforced through HTTPS, which uses Transport Layer Security (TLS) to encrypt the data. However, several developers inadvertently invalidate this protection: many apps trust any certificate presented without verifying the trust chain. Such code makes it through to production when developers test the app in a local environment that uses self-signed certificates and intentionally bypass the SSL checks.
SSL verification can be disabled in code, for example by establishing a non-validating connection through a custom SSLSocketFactory, which turns off all SSL validation.
These bypasses can easily be detected through static analysis.
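As an added illustration of the static checks described above for hardcoded credentials, weak algorithms such as MD5 and RC4, and TLS bypasses (example code written for this article's topic, not CloudSEK's scanner or any project's code), the following Python scans a constructed fragment of decompiled Java. The class and field names, the dummy secret value, and the entropy threshold are assumptions.

```python
import math
import re
from collections import Counter

# Constructed stand-in for jadx/JD-GUI output; the secret value is a dummy, not a real key
DECOMPILED = r'''
public class ApiClient {
    static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String LOG_TAG = "ApiClient";
    MessageDigest md = MessageDigest.getInstance("MD5");
    Cipher c = Cipher.getInstance("RC4");
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    HostnameVerifier hv = new HostnameVerifier() { public boolean verify(String h, SSLSession s) { return true; } };
}
'''
# String literals of 16+ chars assigned to a field whose name hints at a secret
STRING_ASSIGN = re.compile(r'String\s+(\w+)\s*=\s*"([^"]{16,})"')
SECRET_NAME = re.compile(r'secret|key|token|password|passwd|pwd', re.I)
WEAK_CRYPTO = {
    'md5': re.compile(r'MessageDigest\.getInstance\(\s*"MD5"'),
    'rc4': re.compile(r'Cipher\.getInstance\(\s*"(RC4|ARCFOUR)'),
}
TLS_BYPASS = {
    # TrustManager whose checkServerTrusted body is empty: accepts any certificate chain
    'empty-trust-manager': re.compile(r'checkServerTrusted\([^)]*\)\s*(throws[^{]*)?\{\s*\}'),
    # HostnameVerifier that unconditionally returns true
    'accept-all-hostnames': re.compile(r'verify\([^)]*\)\s*\{\s*return\s+true\s*;'),
    # Custom SSLSocketFactory subclass: flagged for manual review, as the text above suggests
    'custom-ssl-socket-factory': re.compile(r'extends\s+SSLSocketFactory\b'),
}

def shannon_entropy(s):
    # Bits per character: random keys score high, tags and labels score low
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_hardcoded_credentials(src, min_entropy=3.5):
    # The entropy threshold trims the false positives that keyword matching alone produces
    return [name for name, value in STRING_ASSIGN.findall(src)
            if SECRET_NAME.search(name) and shannon_entropy(value) >= min_entropy]

def find_weak_crypto(src):
    return sorted(k for k, rx in WEAK_CRYPTO.items() if rx.search(src))

def find_tls_bypasses(src):
    return sorted(k for k, rx in TLS_BYPASS.items() if rx.search(src))

if __name__ == '__main__':
    for check in (find_hardcoded_credentials, find_weak_crypto, find_tls_bypasses):
        print(check.__name__, check(DECOMPILED))
```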
WebView is a component powered by a browser engine that lets Android applications open web pages inside the application itself. As browsers are exposed to attacks through intents and deeplinks, it is not safe to open untrusted web pages within the application.
For instance, a Twitter user found a WebView bug in ArogyaSetu that exposed internal files in the local database. The WebView was callable by intent, so any app installed on the phone could load a URL in it. An attacker who controls the WebView decides which web page is opened and, if JavaScript is enabled, can execute JavaScript code inside the app to perform malicious activities.
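The WebView in that case was reachable because its component could be called by intent. As an added example (not code from the article or from CloudSEK), this Python script parses a constructed AndroidManifest.xml and lists the components other apps can reach, flagging those that also accept browsable deeplinks; the package and component names are made up.

```python
import xml.etree.ElementTree as ET
ANDROID = '{http://schemas.android.com/apk/res/android}'
COMPONENT_TAGS = ('activity', 'activity-alias', 'service', 'receiver', 'provider')
# Constructed manifest: package name and components are made up for this example
MANIFEST = '''<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".WebViewActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity" android:exported="false"/>
    <provider android:name=".ContactsProvider" android:exported="true"
              android:authorities="com.example.demo.contacts"/>
  </application>
</manifest>'''

def is_exported(component):
    explicit = component.get(ANDROID + 'exported')
    if explicit is None:  # before Android 12, an intent-filter implied exported=true
        return component.find('intent-filter') is not None
    return explicit.lower() == 'true'

def has_browsable_deeplink(component):
    # VIEW + BROWSABLE + <data> is the filter shape a browser or another app can fire
    for f in component.findall('intent-filter'):
        actions = {a.get(ANDROID + 'name') for a in f.findall('action')}
        categories = {c.get(ANDROID + 'name') for c in f.findall('category')}
        if ('android.intent.action.VIEW' in actions
                and 'android.intent.category.BROWSABLE' in categories
                and f.find('data') is not None):
            return True
    return False

def find_exposed_components(manifest_xml):
    # Returns (tag, name, reason) for every component that other apps can reach
    findings = []
    for comp in ET.fromstring(manifest_xml).iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        reason = ('explicitly exported' if comp.get(ANDROID + 'exported')
                  else 'implicitly exported by intent-filter')
        if has_browsable_deeplink(comp):
            reason += ', reachable by deeplink (VIEW + BROWSABLE)'
        findings.append((comp.tag, comp.get(ANDROID + 'name'), reason))
    return findings
```

Calling find_exposed_components(MANIFEST) on the constructed manifest reports the deeplink-reachable WebViewActivity and the exported ContactsProvider, while the non-exported MainActivity is skipped.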
Creating files outside the Android sandbox allows other users to view or alter their contents, which can be a major security concern. Attackers exploit sensitive data or app configuration data stored outside the app sandbox in a format that is readable and writable by any user.
Android's core security features, such as the application sandbox, reduce security issues to a significant extent. But the flaws discussed above show that good coding practices are also essential to the security of Android apps. Also: