Over 50% of US smartphone users are now actively using Android devices and the security aspect of Google’s mobile platform is under constant scrutiny. With new vulnerabilities and hacking POCs making the news on almost a daily basis, safety concerns are rising. So what lies ahead for this customizable and user-friendly, albeit vulnerable, mobile operating system? How can secure Android development minimize the risks? Let’s find out.
Stagefright is basically a set of 7 bugs that were exposed last month and took the world by storm due to their presence in basically all Android smartphones (95% of them to be precise, 2.2 Froyo and above). This vulnerability is located in the Android OS’s media library, which can be exploited by sending a contaminated MMS message to the phone. Once the phone auto-downloads the message, it gets infected.
The vulnerability designations are: CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828 and CVE-2015-3829.
While Google has already patched the issue in its Nexus devices, it still lingers within the vast majority of the Android devices in use today (more than 900 million). Android users are advised not to open MMS messages and also disable the auto-retrieving of MMS messages via the Hangouts app until the leading manufacturers roll out their security updates.
Stagefright Demo by zLabs
Unlike the iOS mobile platform, which runs exclusively on iPhones and iPads manufactured by Apple, Android has serious version fragmentation issues. Android phones are manufactured by dozens of companies worldwide, all running on different software versions. Budget and low-end models are frequently overlooked when it comes to version upgrades.
As evident in the table below, less than half of the Android devices being used today are powered by version 4.4 KitKat and above. This basically means that Android devices running on earlier versions such as Jelly Bean and Ice Cream Sandwich are vulnerable to all kinds of vulnerabilities that have been fixed in later versions, including the risky Stagefright flaw.
To make matters worse, security updates often don’t make their way to the phones due to carrier-specific technicalities and users opting to switch to custom/unofficial ROMs. For example, a Galaxy S6 Android phone sold by Verizon won’t get Samsung-issued security updates directly, but only when approved and pushed by the cellular vendor. There are many times when this doesn’t happen.
Certifi-Gate Vulnerability –Checkpoint’s research team, led by Ohad Bobrov and Avi Bashan, has coined this newly discovered issue Certifi-Gate. This flaw still resides in millions of devices.
The problem lies in the “Remote Support Tool (mRST)” plugin which is installed by most of today’s leading Android phone manufacturers. This plugin has numerous utility benefits, but due to its levels of permissions, manipulating it can have dire consciences. The POC shows how sending a simple text message to the phone can exploit this vulnerable plugin.
Dolphin and Mercury Browser Vulnerabilities – A remote code execution vulnerability was exposed in the Dolphin Android browser’s theme changing feature. Once the browser is exploited, the hacker can gain an arbitrary file write and turn it into code execution within the context of the browser on the user’s smartphone or tablet. Fortunately, a security patch is now available for download.
Another commonly used Android browser, Mercury, was found to be vulnerable. Problems ranged from insecure intent URI scheme implementation to path traversal flaws.
SwiftKey Vulnerability – A POC revealed in early 2015 showed that Samsung’s default keyboard application received language pack updates in plain text, a risky practice.
When on the same unprotected WiFi network, hackers can plant malicious code via these updates and hack away. Samsung acknowledged the issue and released a security patch via its proprietary KNOX client. Unfortunately, many Samsung users don’t even enable KNOX on their phones, leaving millions of phones vulnerable to the issue.
The SwiftKey Hacking. Source: Ryan Welton
Secure Android development should ideally involve the following 5 practices:
1 – Watch the Permissions
Vulnerable applications typically require a large (many of them not really needed) amount of permissions prior to installation, a situation often overlooked by the user/victim. These scenarios can be minimized with secure Android development, which involves minimizing the amount of permissions requested and using measures like <permissions> to protect sensitive Inter-Process Communication (IPC).
2 – Handle Input Validation Properly
With more and more applications relying on input from the user’s device, it’s extremely important to make sure that the input is validated properly. The Android platform offers countermeasures and tools to minimize input validation issues, something you should not neglect. Using type-safe languages is also a safe way to go about things and minimize vulnerabilities.
Things can get complicated while using native code. Any data read from files, received over the network or via an IPC can potentially introduce security threats. Buffer overflows, use after free and off-by-one errors are common problems faced in such instances. Careful handling of pointers and optimal management of buffers can help eliminate potential issues.
3 – Boost your Cryptography
Android offers developers a wide range of algorithms for safeguarding sensitive information with the help of cryptography. It’s recommended to use these existing cryptographic algorithms (like the ones used while implementing AES/RSA provided in the Cipher class) and not privately created ones. KeyStore can be used for long term storage and retrieval of keys in a secure manner.
4 – Prioritize the Use of Internal Storage over External Storage
Files created on internal storage are accessible only to the app by default in Android, making it a safe way to go. MODE_WORLD_WRITABLE and MODE_WORLD_READABLE modes for IPC files should be avoided as they don’t offer any control over data format. Sensitive data can be further protected by encrypting local files with a key that is not directly accessible to the application.
Developers should make a habit of not letting sensitive data files be stored on external storage, since this can potentially be removed physically or accessed/modified by other applications. But if the need to perform this can’t be avoided, developers should make sure the files are signed and cryptographically verified before being dynamically loaded.
5 – Don’t Load Code Dynamically
Loading code dynamically from outside the application APK can prove to be costly due to the various code injection and code tampering techniques used by hackers today. Once all modules are located within the application APK, they can’t be tampered with. Code should not be loaded from the network over unencrypted protocols or from external storages.
While these 5 Android development tips are important, there are many more practices and techniques that should be used to ensure the development of robust and secure applications. Besides raising the application security awareness, its also important to improve code integrity by using Static Code Analysis (SCA), a security solution that helps optimize secure Android development.
With the Android platform facing version fragmentation issues and pirate ROM distribution, only robust applications can keep the hackers away. Secure Android development is the call of the hour.
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.