Link to this headingAndroid_Checklist.md

Link to this headingAndroid Insecure Sockets

Link to this headingOverview

All

Link to this headingRemediation Procedure

Link to this headingBlackbox

Link to this headingWhitebox

Check for the HttpURLConnection class

URL url = new URL("http://www.android.com/"); HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection(); try { InputStream in = new BufferedInputStream(urlConnection.getInputStream()); readStream(in); } finally { urlConnection.disconnect(); }

Check for the Socket Class

public void listenSocket(){ //Create socket connection try{ socket = new Socket("kq6py", 4321); out = new PrintWriter(socket.getOutputStream(), true); in = new BufferedReader(new InputStreamReader( socket.getInputStream())); } catch (UnknownHostException e) { System.out.println("Unknown host: kq6py"); System.exit(1); } catch (IOException e) { System.out.println("No I/O"); System.exit(1); } }

Link to this headingCertificate Pinning

Link to this headingOverview

Link to this headingRemediation Procedure

If you are using a new version of Android (API 24) then you can use the Network Security Configuration.
Add a similar configuration to your AndroidManifest.xml or the res/xml/network_security_config.xml file. For more information see the Official Android Documentation

<?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config> <domain includeSubdomains="true">appmattus.com</domain> <pin-set> <pin digest="SHA-256">4hw5tz+scE+TW+mlai5YipDfFWn1dqvfLG+nU7tq1V8=</pin> <pin digest="SHA-256">YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=</pin> </pin-set> </domain-config> </network-security-config>

Using OKHTTP framework. Use newer versions of the framework as older versions are vulnerable to a Public Vulnerability

CertificatePinner certPinner = new CertificatePinner.Builder() .add("appmattus.com", "sha256/4hw5tz+scE+TW+mlai5YipDfFWn1dqvfLG+nU7tq1V8=") .build(); OkHttpClient okHttpClient = new OkHttpClient.Builder() .certificatePinner(certPinner) .build();

Set a single Certificate Authority

// Load CAs from an InputStream // (could be from a resource or ByteArrayInputStream or ...) CertificateFactory cf = CertificateFactory.getInstance("X.509"); // From https://www.washington.edu/itconnect/security/ca/load-der.crt InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt")); Certificate ca; try { ca = cf.generateCertificate(caInput); System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN()); } finally { caInput.close(); } // Create a KeyStore containing our trusted CAs String keyStoreType = KeyStore.getDefaultType(); KeyStore keyStore = KeyStore.getInstance(keyStoreType); keyStore.load(null, null); keyStore.setCertificateEntry("ca", ca); // Create a TrustManager that trusts the CAs in our KeyStore String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); // Create an SSLContext that uses our TrustManager SSLContext context = SSLContext.getInstance("TLS"); context.init(null, tmf.getTrustManagers(), null); // Tell the URLConnection to use a SocketFactory from our SSLContext URL url = new URL("https://certs.cac.washington.edu/CAtest/"); HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection(); urlConnection.setSSLSocketFactory(context.getSocketFactory()); InputStream in = urlConnection.getInputStream(); copyInputStreamToOutputStream(in, System.out);

Link to this headingBlackbox

Install Certificate and set up proxy.
Verify that no traffic is intercepted.

Link to this headingWhitebox

Do a Check for Key classes like the ones below

  • SSLContext
  • CertificateFactory
  • X509Certificate
  • KeyStore

Link to this headingSQL Injection Android

Link to this headingOverview

Without proper access control, an attacker can obtain data from a SQLite databases using SQL Injection.

Link to this headingRemediation Procedure

Use SQL Parameterized Queries and validate ids using a valid access control.

... id = this.getIntent().getExtras().getInt("id"); cursor = db.query(Uri.parse(invoices), columns, "id = ? ", {id}, null, null, null); ...

Link to this headingBlackbox

Link to this headingWhitebox

Link to this headingAndroid Messaging

Link to this headingOverview

The program performs SMS operations without verifying the phone number.

Link to this headingRemediation Procedure

SMS operations must not be performed without cause or consideration. Malicious software exploits these APIs to steal money and data from unwary users.

Link to this headingBlackbox

Link to this headingWhitebox

Look for the sendTextMessage function

sms.sendTextMessage(recipient, null, message, PendingIntent.getBroadcast(SmsMessaging.this, 0, new Intent(ACTION_SMS_SENT), 0), null);

Link to this headingAndroid Application has debugable set

Link to this headingOverview

When debugging is enabled
Debugging messages help attackers learn about the system and plan a form of attack.

Link to this headingRemediation Procedure

Make sure that debug flags are not set in production applications.

Link to this headingBlackbox

Link to this headingWhitebox

Look for the debuggable=true flag in the AndroidManifest.xml. It should be an element in the application tag.

Link to this headingAndroid Application has backup set

Link to this headingOverview

The program uses Android’s backup service to save persistent application data to a remote cloud storage or locally depending on the backup Agent.

Android applications can be configured with this backup service by setting the allowBackup attribute to true (the default value) and defining the backupAgent attribute on the <application> tag.

Android however, does not guarantee the security of your data while using backup, as the cloud storage and transport vary from device to device.

Link to this headingRemediation Procedure

Make sure that backup flags are not set in production applications.

Link to this headingBlackbox

Link to this headingWhitebox

Look for the allowbackup=true flag in the AndroidManifest.xml. It should be an element in the application tag.

Link to this headingAndroid Application stores data in the external storage

Link to this headingOverview

The program requests permission to write data to Android’s external storage and stores sensitive data to the external storage.

Link to this headingRemediation Procedure

Files written to external storage are readable and writeable by arbitrary programs and users. Programs must never write sensitive information, for instance personally identifiable information, to external storage. When you connect the Android device via USB to a PC or other device it enables USB mass storage mode. Any file written to external storage can be read and modified in this mode. In addition, files in external storage will remain there even after the application that wrote them is uninstalled, further increasing the risk that any sensitive information stored in them will be compromised.

Link to this headingBlackbox

Link to this headingWhitebox

Check for this line in the AndroidManifest.xml file.

<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>

Check for Mentions of getExternalStorageDirectory

private void WriteToFile(String what_to_write) { try{ File root = Environment.getExternalStorageDirectory(); if(root.canWrite()) { File dir = new File(root + "write_to_the_SDcard"); File datafile = new File(dir, number + ".extension"); FileWriter datawriter = new FileWriter(datafile); BufferedWriter out = new BufferedWriter(datawriter); out.write(what_to_write); out.close(); } } }

Link to this headingInsecure SSL

Link to this headingOverview

The application implements a custom SSL interface.

When making a custom SSL interface there are many things to consider and implementing it without a library will introduce flaws into the application.
When applications that use custom SSL implementations applications may be vulnerable to vulnerable to a man-in-the-middle attack or other SSL vulnerabilities.

Android Hostname Verification Disabled

The use of AllowAllHostnameVerifier() or SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER turns off hostname verification when using SSL connections. This prevent SSLExceptions from triggering and could allow man-in-the-middle attacks.

Link to this headingRemediation Procedure

Link to this headingBlackbox

Link to this headingWhitebox

Example 1: The application sets the hostname verifier as below.

SSLSocketFactory sf = new CustomSSLSocketFactory(trustStore); sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); //sf.AllowAllHostnameVerifier()

When Android calls createSocket() make sure that there is a hostname verification of the SSL Certificate.

Look for Calls to getInsecure(). This disables all SSL Certificate Checks

Link to this headingAndroid Insecure use of Shared Preferences

Link to this headingOverview

Saving private information, such as customer passwords, secret keys, and session tokens in to the Android Shared Preferences is insecure.

By default the Android Shared Preferences can only be accessed by the same application or an application in the same user group. The file itself is an unencrypted file in the Application directory and could be accessed if an attacker has physical access to the device.

Many developers trust the file system as a safe storage location for data, but it should not be trusted implicitly, particularly when privacy is a concern.

Link to this headingRemediation Procedure

Link to this headingBlackbox

Link to this headingWhitebox

Example 1: The following code stores user preferences using Android’s SharedPreferences class. Among other values that are stored, the user supplied password is stored on the device in plain text.

SharedPreferences userPreferences = this.getSharedPreferences("userPreferences", MODE_WORLD_READABLE); SharedPreferences.Editor editor = userPreferences.editor(); editor.putString("username", userName); editor.putString("password", password); ... editor.language("language", language); ...

Link to this headingAndroid Exported Activity

Link to this headingOverview

By default the value of Activity, Receiver or a Service that contains a intent-filter is exported. When the explored flag is enabled the specified component is accessible to other applications on the Android device.

<activity android:name=".AndroidActivity"/> <intent-filter android:label="activityName"/> <action android:name=".androidAction"/> </intent-filter> ... </activity>

If target API is set to 16 or lower then the default exported activity is set to true

<provider android:name=".AndroidProvider"/>

Receiver without broadcastPermission:

When a receiver is registered in code without a broadcast Permission all broadcast will be captured by the receiver.

The code below shows an registerReceiver without the broadcastPermission.

... context.registerReceiver(broadcastReceiver, intentFilter); ...

Broadcast without receiverPermission:

When a Broadcast is sent without a receiver Permission it can be intercepted by a malicious application.

The code below shows an registerReceiver without the receiverPermission.

... context.sendBroadcast(intent); ...

Sticky Broadcast:

A Sticky Broadcast can not have a permission to specify with it and will always

Link to this headingRemediation Procedure

Use the registerReceiver function with a broadcastPermission.

registerReceiver(BroadcastReceiver receiver, IntentFilter filter, String broadcastPermission, Handler scheduler)

Use the sendBroadcast function with a receiverPermission.

sendBroadcastAsUser(Intent intent, UserHandle user, String receiverPermission)

Link to this headingBlackbox

Link to this headingWhitebox

Link to this headingPermission Protection level set to Normal

Link to this headingOverview

When declaring a custom permission, there are four protection Levels normal, dangerous, signature, and signature or system.

  • Normal permissions are granted to any application that requests them. (Depending on API level only after user confirmation)
  • Signature permissions are granted only to applications signed by the same developer key as the package that defines the permission.
  • Signature or system permissions are similar to signature permissions, but are also granted to packages in the Android system image.

Example 1: Below is an example of a custom permission declared with the normal protection level.

<permission android:name="custom.PERMISSION" android:label="@string/label_permission" android:description="@string/desc_permission" android:protectionLevel="normal"> </permission>

Link to this headingRemediation Procedure

Set protectionLevel to “signature” or “signature or system” depending on the needs of the application

Link to this headingBlackbox

Link to this headingWhitebox