With all the recent talk of the Samsung Galaxy Note 7 catching fire, safety has become a concern when choosing a phone. It is not that frightening: once personal safety is assured, most users still choose Android phones for their good quality and low price. But because of Android's open-source character, the uncertainties and system vulnerabilities encountered in daily use can lead to privacy leaks, financial loss, disclosure of sensitive information and other security problems for Android users. That is why phone security incidents appear in the news so often.

So why is Android so insecure?

Because Android is open source, anyone can download and study the source code, which makes it easier to find bugs in the system. The open platform also lets any vendor build Android devices, and hardware vendors and third-party ROM developers vary widely in skill, so the systems they ship often carry additional bugs of their own.

When an Android application is installed it requests a variety of permissions, and this is the step ordinary users most often ignore. Many applications request permissions they never need for their actual functionality, and every unneeded permission is a potential problem later.

Android applications can request the right to read, send and receive text messages, make calls, read and modify contacts, and other sensitive capabilities. Without root they can replace the SMS app, contacts app, camera, input method and other system functions. This lets third-party developers build more flexible applications, but it also gives viruses and malware an opening: privacy leaks, SMS interception (account theft and online payment security problems), malicious fee deduction, automatically sending virus links to everyone in the address book, and so on.

Handset makers are also slow to ship security patches. After a vulnerability is discovered Google updates the system promptly, but it can be more than six months before each vendor delivers the update to its users. Some manufacturers provide no updates at all once a phone has shipped, leaving users permanently exposed to known system vulnerabilities.

The domestic third-party ROM market currently lacks oversight, and its security is hard to guarantee. Many phone manufacturers bundle assorted applications for their own commercial reasons; many users dislike the stock system or the bundled apps, so they root the phone and flash a third-party ROM, which has created a thriving third-party ROM market. But the technical level of third-party ROMs is uneven, the industry is unregulated, and system security is hard to ensure. Once a phone is rooted, a virus or malicious application can obtain the highest privileges and perform a great many operations, causing far greater harm.

Android application developers, not just ordinary users, also need to pay attention to the security of the Android system. As described above, the system has many causes of security problems, and on a rooted or infected phone an ordinary app has no "privacy" at all: all of its private data is fully exposed. Developers therefore need to plan for the possibility that the phone's private data is exposed after rooting, and still keep the data secure without leaking the user's important data and private information. Because phone manufacturers are slow to fix system vulnerabilities, developers cannot rely on system updates once a bug appears; more often they must find their own way to avoid losses to users from the bug. In addition, Android is highly fragmented, with many system versions each holding a share of the installed base, and phones on lower versions carry the greater security risk. Although Google strengthens security measures in each new release, lower-version systems remain exposed to known vulnerabilities in many cases.

Android application vulnerability distribution

A total of 180 Top10 applications from 18 industries were downloaded from third-party application markets for vulnerability analysis. 97% of the applications had vulnerabilities; the total number of vulnerabilities was 15,159, an average of 87 per application, and 23% of the Top10 applications had high-risk vulnerabilities. (Data from Alibaba)

The Top10 Android apps in the gaming category have 788 vulnerabilities in total, an average of 79 per app. Of these, 29% are high-risk WebView remote code execution vulnerabilities, and about 19% are high-risk vulnerabilities. Game applications update and iterate frequently and handle large amounts of money and downloads, so the risk from these vulnerabilities cannot be ignored.

The Top10 Android apps in the financial category have 669 vulnerabilities, an average of 67 per app, of which 22% are high-risk WebView remote code execution vulnerabilities. About 34% are high-risk vulnerabilities, the highest proportion among the 18 industries.

The Top10 e-commerce applications have 851 vulnerabilities in total, an average of 85 per app. About 27% of them are high-risk WebView remote code execution vulnerabilities, which can lead to serious consequences such as malicious applications being planted, contacts and SMS being stolen, and the phone being remotely controlled. About 27% are high-risk vulnerabilities.

What exactly are these vulnerabilities, and how dangerous are they?

Sensitive information leakage vulnerability

Sensitive information falls into two categories: product sensitive information and user sensitive information.

Product sensitive information: its leakage directly causes heavy losses to enterprise security, or gives attackers internal knowledge of the enterprise that helps them try more attack paths. Examples: login passwords, back-office login and database addresses, absolute paths of server deployments, internal IP addresses and address allocation rules, network topology, and information left in page comments (developer names or IDs, program source code), etc.

User sensitive information: the protection of user privacy mainly concerns data that identifies a natural person, either directly or when combined with other information. Once such data leaks, malicious actors can use it for improper gain.

Based on this standard, we recommend that the following fields be protected both in database storage and in transmission: password, mobile phone number, quick-payment mobile phone number, email, ID card number, bank card number, CVV code and expiry date. Two practitioner caveats: passwords should be stored as salted, iterated hashes rather than reversibly encrypted, and the CVV code should not be stored at all after a payment is authorised (card-scheme rules forbid it).

Sensitive information leaks when sensitive data is stored in plaintext in code, databases and configuration files, when it is printed to logs, and when it is transmitted in plaintext over the network.

Once product sensitive information leaks, the server is in danger and may be intruded upon and attacked. Disclosure of personal sensitive information leads to account theft and online banking theft, causing financial loss to ordinary users.

Related case: King’s Guard computer hacked for extortion or disclosure of sensitive private information

WebView remote code execution vulnerability

The addJavascriptInterface method of the WebView component exposes a native Java object to page JavaScript so the two can interact. On Android versions before 4.2 (API 17) this interface places no restriction on which methods may be called: page script can use reflection on the exposed object to reach any Java class, so JavaScript on a web page can run arbitrary commands on the device. The vulnerability is used for drive-by downloads (web page "trojan hanging"), infecting the phone with malware.

Related case: About Android Webview security vulnerability remote command execution
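The following is an added example, not code from the original page: a hypothetical bridge class showing the vulnerable way to expose a Java object to a WebView beside a hardened version. The hardened setup relies on the @JavascriptInterface annotation, which only restricts calls on API 17 and later (and only when the app's targetSdkVersion is at least 17), so it refuses to expose a bridge at all on older OS builds and also removes the bridge objects some system WebViews inject on their own. The class and method names are assumptions for the example.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

// Hypothetical bridge object handed to page JavaScript as window.bridge (example only).
public class SafeBridge {
    private final WebView webView;

    public SafeBridge(WebView webView) {
        this.webView = webView;
    }

    // VULNERABLE: on Android < 4.2 every public method of the object is reachable
    // from page script, including getClass(). A hostile page can walk from
    // bridge.getClass() through reflection to java.lang.Runtime and execute a
    // shell command with the app's permissions.
    public void vulnerableSetup() {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(this, "bridge");
    }

    // HARDENED: no bridge on OS versions that cannot restrict it, only annotated
    // methods reachable on API 17+, and the hidden system-injected bridges removed
    // (removeJavascriptInterface on a name that is absent is harmless).
    public void hardenedSetup() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Pre-4.2 WebView cannot limit which methods JavaScript may call.
            return;
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(this, "bridge");
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");
    }

    // The only method page script can call on API 17+ with targetSdkVersion >= 17.
    // Keep such methods narrow: return a value, never take a path or command.
    @JavascriptInterface
    public String getAppVersion() {
        return "1.0";
    }
}
```

Even with the hardened setup, only load content you control over HTTPS into a WebView that has a bridge; an exposed method is an attack surface for any page that reaches it.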

Arbitrary debugging vulnerability

When the android:debuggable attribute in AndroidManifest.xml is set to true (the default is false), anyone can attach a debugger to the application. The app can then be dynamically debugged, which increases the risk of the APK being cracked and analysed. Build tools set this flag automatically for debug builds, so the check that matters is that release builds ship with it false.

HTTPS man-in-the-middle hijack vulnerability

In a man-in-the-middle attack, the attacker sets up independent connections with each end of a communication and relays the data between them, so that both ends believe they are talking directly to each other over a private connection while the whole conversation is in fact controlled by the attacker. The attacker can both read the traffic and insert new content into it.

Through a man-in-the-middle attack the attacker can steal sensitive information sent in plaintext, such as account passwords, chat content, mailing addresses, telephone numbers and credit card payment details, or even replace the original content with malicious links or malicious code, achieving remote control and malicious fee deduction.

Related cases: the vulnerability platforms carry a large number of reports of HTTPS certificate non-verification. For example: the vast majority of domestic Android apps have a "trust all certificates" vulnerability; Amazon's latest official Android version has a "trust all certificates" vulnerability; Yahoo's domestic access is open to SSL man-in-the-middle attack; and Ctrip's latest Android client fails to verify HTTPS certificates, so its HTTPS traffic can be fully captured.

Encryption algorithm vulnerability

If AES/DES/DESede is used in ECB mode, identical plaintext blocks produce identical ciphertext blocks, so the ciphertext leaks structure and is open to attack, resulting in information leakage (and single DES, with its 56-bit key, is breakable by brute force in any mode). A key hard-coded in plaintext in the code can be extracted from the APK, so the encryption is easy to crack. Protecting information with a weak hash algorithm (MD5 or SHA-1) is easy to crack; note these are hashes, not encryption, and an unsalted MD5 of a password is reversed with a lookup table. Random numbers from a deterministic generator (java.util.Random with a predictable seed) can be predicted and the values that depend on them cracked.

Cracking encrypted information leads to information disclosure. If the encrypted data is account numbers, passwords, bank card or ID card information, the cracked data can be used for fraud, account theft, fraudulent charges and so on.
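The weak choices listed above beside their replacements, covering both the storage advice in the sensitive-information section (which fields to protect, and that passwords are hashed rather than encrypted) and the algorithm section. This is an added example, not code from the original page. It shows AES/ECB with a hard-coded key and a method that demonstrates the block-pattern leak, then AES-GCM with a per-message random IV, and PBKDF2 for passwords. The key passed to the GCM methods is assumed to come from the caller; on Android it should be generated in the AndroidKeyStore rather than written into the code. GCMParameterSpec needs API 19+, and the PBKDF2WithHmacSHA256 algorithm name is available on Android API 26+ (use PBKDF2WithHmacSHA1 on older versions).

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoExamples {

    // VULNERABLE: a key anyone can read out of the APK, and ECB mode, which maps
    // equal 16-byte plaintext blocks to equal ciphertext blocks.
    private static final byte[] HARDCODED_KEY =
        "0123456789abcdef".getBytes(StandardCharsets.UTF_8);

    public static byte[] encryptWeak(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // Demonstrates the ECB leak on constructed input: 32 zero bytes are two equal
    // blocks, and the two ciphertext blocks come out identical (returns true).
    public static boolean ecbLeaksPattern() throws Exception {
        byte[] ct = encryptWeak(new byte[32]);
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    // SAFER: AES-GCM with a fresh 96-bit IV from SecureRandom for every message.
    // Output layout is iv || ciphertext || 128-bit tag.
    public static byte[] encryptGcm(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);   // never java.util.Random for IVs, salts or tokens
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        if (aad != null) c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Decryption fails with AEADBadTagException if the blob or the AAD was tampered with.
    public static byte[] decryptGcm(SecretKey key, byte[] blob, byte[] aad) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Arrays.copyOfRange(blob, 0, 12)));
        if (aad != null) c.updateAAD(aad);
        return c.doFinal(blob, 12, blob.length - 12);
    }

    // Passwords: salted, iterated hash instead of MD5/SHA-1 or reversible encryption.
    // Store salt || hash; verify by recomputing with the stored salt.
    public static byte[] hashPassword(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }
}
```

A quick audit of an APK for the weak patterns is to decompile it and search for the strings "AES/ECB", "DES", "MD5", "getInstance(\"SHA-1\")" and "new Random(" near anything that handles credentials or payment data.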

Besides client-side vulnerabilities, security vulnerabilities on the server side cannot be ignored either. A large number of services have now extended from the traditional PC to mobile, and running the business logic on the server is a relatively safe and low-cost way to do this. But because the business logic is processed on the server side, if the client, as the entry point, is not strictly and effectively validated, hackers can easily use the client as a breach to dig for business-risk vulnerabilities on the server side. In principle, every security problem of a web server can also appear on the server side of an app, and web security has matured over a long period, with many established techniques among researchers and hackers, so such vulnerabilities are easier for hackers to find.

SQL injection Vulnerability

SQL injection is one of the common methods hackers use to attack databases. It arises because the application does not validate user input, which leaves it with a latent security risk: a user can submit a fragment of database query code and, from the results the program returns, obtain data he wants. The vulnerability leads to disclosure of user information, which criminals then use for fraud and sell on.

Related cases: Multiple SQL injection vulnerabilities in Daiqile system can affect a large number of P2P lending sites
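The injection described above in a server-side login lookup, with the string-spliced query beside a parameterised one, as an added example that is not from the original page or the system in the related case. The table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Hypothetical data-access class for a login endpoint (example only).
public class LoginDao {
    private final Connection conn;

    public LoginDao(Connection conn) {
        this.conn = conn;
    }

    // VULNERABLE: user input becomes part of the SQL text. A username of
    //   admin'--
    // yields  ... WHERE username = 'admin'--' AND password_hash = '...'
    // so the password clause is commented out and the query matches admin.
    public boolean loginVulnerable(String username, String passwordHash) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = '" + username
                   + "' AND password_hash = '" + passwordHash + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // SAFE: the SQL text is fixed and the value travels as a bound parameter,
    // so a quote in the input is data, never syntax. Fetch the stored hash and
    // verify the password in code, which also stops timing differences between
    // "no such user" and "wrong password" leaking through the query.
    public String findPasswordHashSafe(String username) throws SQLException {
        String sql = "SELECT password_hash FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("password_hash") : null;
            }
        }
    }
}
```

The same rule holds for the SQLite database inside the app: SQLiteDatabase.rawQuery and query take a selectionArgs array for exactly this purpose, and string-concatenating a content provider's selection parameter is the mobile-side version of the same bug.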

Unauthorized access vulnerability

A normal user A should only be able to add, delete, modify and query his own information, but through the programmer's negligence the code does not check, when performing these operations, whether the record being operated on belongs to the requesting user, so user A can operate on other people's information. The vulnerability lets hackers view and modify other users' information, causing information disclosure and more.

Related cases:

The bug allows hackers to access Uber driver and passenger information

Unrestricted interfaces lead to credential stuffing vulnerabilities

Credential stuffing ("database collision") works like this: hackers collect leaked usernames and passwords from the Internet and build a dictionary from them. Many users reuse the same account and password on different websites, so with accounts obtained from website A a hacker can try to log in to website B; that is a credential stuffing attack. It readily causes account theft, information leakage and other serious problems, and a login interface with no rate limit or lockout lets the attack run at full speed.

Related cases:

12306 data leak cause exposed: a mobile app vulnerability enabled "credential stuffing"
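One server-side control for the unrestricted interface above, as an added example not taken from the original page or the 12306 incident: a login throttle that counts failed attempts per account and per source address over a sliding window. The main method walks through constructed timestamps and a documentation-range IP address to show why the per-address limit matters: a stuffing run spreads one failure across many accounts, so a per-account lockout alone never fires.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Hypothetical in-memory login throttle (example only; a real deployment would
// keep these counters in a shared store such as Redis across servers).
public class LoginThrottle {
    private final int maxFailuresPerAccount;
    private final int maxFailuresPerIp;
    private final long windowMillis;
    private final Map<String, Deque<Long>> byAccount = new HashMap<>();
    private final Map<String, Deque<Long>> byIp = new HashMap<>();

    public LoginThrottle(int maxFailuresPerAccount, int maxFailuresPerIp, long windowMillis) {
        this.maxFailuresPerAccount = maxFailuresPerAccount;
        this.maxFailuresPerIp = maxFailuresPerIp;
        this.windowMillis = windowMillis;
    }

    // Call before checking the password; refuse the attempt when either limit is reached.
    public boolean allowAttempt(String account, String ip, long now) {
        return count(byAccount, account, now) < maxFailuresPerAccount
            && count(byIp, ip, now) < maxFailuresPerIp;
    }

    public void recordFailure(String account, String ip, long now) {
        bucket(byAccount, account).addLast(now);
        bucket(byIp, ip).addLast(now);
    }

    // A correct login clears the account's failures; the IP counter is left alone so a
    // stuffing run that guesses one password right does not unlock the whole address.
    public void recordSuccess(String account) {
        byAccount.remove(account);
    }

    // Drops failures older than the window, then returns how many remain.
    private int count(Map<String, Deque<Long>> m, String key, long now) {
        Deque<Long> d = bucket(m, key);
        while (!d.isEmpty() && d.peekFirst() <= now - windowMillis) {
            d.pollFirst();
        }
        return d.size();
    }

    private Deque<Long> bucket(Map<String, Deque<Long>> m, String key) {
        return m.computeIfAbsent(key, k -> new ArrayDeque<>());
    }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle(5, 20, 10 * 60 * 1000L);
        String ip = "203.0.113.7";   // constructed address from the documentation range
        long now = 0;
        // One address tries a leaked password against 20 different accounts, one second apart.
        for (int i = 0; i < 20; i++) {
            String account = "user" + i + "@example.com";
            if (t.allowAttempt(account, ip, now)) {
                t.recordFailure(account, ip, now);
            }
            now += 1000;
        }
        // Each account has a single failure, yet the address is now blocked.
        System.out.println(t.allowAttempt("user99@example.com", ip, now)); // false
    }
}
```

A per-address limit is only one layer: attackers rotate through proxies, so pair it with a CAPTCHA or step-up challenge once the global failure rate climbs, and check new passwords against published breach lists so reused credentials are rejected at signup.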

XSS vulnerabilities

Cross-site scripting is abbreviated XSS so as not to be confused with the acronym for Cascading Style Sheets (CSS). A malicious attacker inserts malicious script code into a web page; when a user browses the page, the embedded script executes in the user's browser, letting the attacker steal the user's information or otherwise attack the user.

Related case: an XSS in an app, dismissed as invalid, that indirectly affects 180,000 local wealthy owners (including certified Tesla/Rolls-Royce/Ferrari owners, etc.)

Business logic vulnerability

A business logic vulnerability is one where, because the program logic is not rigorous or is too complex, some logic branches are not handled correctly or error cases are mishandled. Common examples are arbitrary password change (no verification of the old password), password recovery flaws and tampering with business data. These vulnerabilities readily cause serious problems such as account theft, free purchases, cash-out abuse and game currency farming.

Related case: a loophole in a business logic of Youlou.com leads to unlimited red envelopes (red envelopes can be used for investment)
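The two server-side checks from the unauthorized-access section and the business-logic section above, as an added example that is not from the original page or Youlou.com: an order lookup that trusts the id in the request beside one scoped to the caller, and a password change without the old password beside one that requires it. The service, record types and the idea of comparing opaque stored hashes are assumptions for the example; hashing itself is the caller's job.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Hypothetical order and account service (example only).
public class OrderService {
    static class Order {
        final long id;
        final long ownerId;
        String address;
        Order(long id, long ownerId, String address) {
            this.id = id; this.ownerId = ownerId; this.address = address;
        }
    }

    static class User {
        final long id;
        String passwordHash;   // opaque salted hash produced elsewhere
        User(long id, String passwordHash) { this.id = id; this.passwordHash = passwordHash; }
    }

    private final Map<Long, Order> orders = new HashMap<>();
    private final Map<Long, User> users = new HashMap<>();

    public void addOrder(Order o) { orders.put(o.id, o); }
    public void addUser(User u) { users.put(u.id, u); }

    // VULNERABLE (unauthorized access): orderId comes straight from the request and is
    // never tied to the authenticated caller, so changing the number in the URL returns
    // someone else's order.
    public Order getOrderVulnerable(long callerId, long orderId) {
        return orders.get(orderId);
    }

    // SAFE: the record must belong to the caller; a foreign id looks exactly like a
    // missing one (the HTTP layer can answer 404 either way).
    public Order getOrder(long callerId, long orderId) {
        Order o = orders.get(orderId);
        if (o == null || o.ownerId != callerId) {
            return null;
        }
        return o;
    }

    // VULNERABLE (business logic): the new password is accepted with no proof of the old
    // one, so a stolen session cookie or a CSRF page is enough to lock the owner out.
    public void changePasswordVulnerable(long callerId, String newPasswordHash) {
        users.get(callerId).passwordHash = newPasswordHash;
    }

    // SAFE: require the current password, compared in constant time, before accepting
    // the new one; returns false without revealing which check failed.
    public boolean changePassword(long callerId, String oldPasswordHash, String newPasswordHash) {
        User u = users.get(callerId);
        if (u == null) {
            return false;
        }
        byte[] stored = u.passwordHash.getBytes(StandardCharsets.UTF_8);
        byte[] given = oldPasswordHash.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(stored, given)) {
            return false;
        }
        u.passwordHash = newPasswordHash;
        return true;
    }
}
```

The same ownership test belongs on every add, delete, modify and query path the section lists, not only on reads; a common way to guarantee that is to make the repository methods take the caller's id as a mandatory argument so a query without it cannot be written.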

How to avoid these vulnerabilities as far as possible

At present the test teams of most applications lack awareness of and ability in security testing; security testing is highly specialised, spans a wide range of skills, and talent is scarce. The cost of building a security team is too high, so security testing is hard to do.

Dandelion expert testing has also noticed the problem above. In keeping with its original aim of serving developers better, its new security testing product is in the final stage of polishing and will be launched in the near future; for information, visit the Dandelion expert testing consulting service, and we can also refine the product in its final stages according to your requirements.