IMCAFS

Home

mobile security application vulnerability analysis report

Posted by tzul at 2020-04-17
all

Preface

With the development of mobile Internet and the popularization of smart phones, all kinds of apps based on Android system have explosive growth, but at the same time, a problem that can not be ignored is becoming more and more important: security.

The vulnerability scanning mode is mainly divided into static and dynamic. The vulnerability types of static scanning mainly include SQL injection risk, WebView series, file mode configuration error, HTTPS non verification certificate, database configuration error, etc. The vulnerability types of dynamic scanning mainly include denial of service attack, file directory traversal vulnerability, file cross domain access, etc.

This report selects the same number of popular apps in 11 categories of Android apps, whose active users can cover 83% of mobile Internet users. According to the vulnerability detection of these apps by Alibaba mobile security center, the following conclusions are drawn:

Nearly 97% of Android apps tested have vulnerability problems, and the average number of vulnerabilities is as high as 40.

Security app has the most vulnerabilities, with 499 vulnerabilities, accounting for 21% of the total.

News and tourism apps are relatively the most insecure, with a total of 240 vulnerabilities, of which 30% are high-risk.

Game apps are relatively the safest, with a total of 57 vulnerabilities, of which high-risk vulnerabilities account for about 2%.

From the test results, the security problems of android app are not optimistic. The existence of vulnerabilities, especially high-risk vulnerabilities, will have a great impact on app developers and even users. How to discover potential risks in advance and protect the interests of developers and users is the responsibility of Alibaba mobile security team.

1、 Android App vulnerability status

To understand the overall status of android app, the report classifies app into 11 categories: health, entertainment, safety, education, news, tourism, games, social networking, shopping, finance and reading. Select the same number of popular apps in 11 types of apps, and use Alibaba Ju security's vulnerability scanning products for static and dynamic detection. The scanning results are as follows:

From the perspective of vulnerability category, the first one in android app vulnerability is SQL injection vulnerability, accounting for 38.2%, followed by WebView vulnerability, accounting for 35.4%, as shown in the left figure.

From the perspective of vulnerability risk level, high-risk vulnerabilities account for 20.7% and low-risk vulnerabilities account for 79.3% in android app, among which high-risk vulnerabilities are mainly concentrated in WebView series and HTTPS certificate not verified.

SQL injection type vulnerability accounts for 38.2%, mainly due to unfiltered user input in the code, so attackers can commit malicious SQL query statements to achieve their evil purposes. Although most of SQL injection belongs to low and medium risk vulnerabilities, it can still cause sensitive data, the highest authority of the system to be stolen and other problems.

Some high-risk vulnerabilities of WebView are mainly caused by the use of dangerous functions such as addjavascriptinterface and the use of non verification certificates in the code. These vulnerabilities can execute code remotely and install malware remotely to users.

HTTPS related high-risk vulnerabilities are mainly caused by HTTPS's use of the parameter verification certificate such as allow ﹣ all ﹣ hostname ﹣ verifier, which does not verify the host and other information. These vulnerabilities can cause the attacker to easily hijack the HTTPS session, sniff the user password and other sensitive information.

There are huge security problems in high-risk vulnerabilities, but from the test results, many Android apps have high-risk vulnerabilities, and its security is worrying.

2、 Analysis of Android App vulnerability

This chapter will further analyze the vulnerability scanning results of app. First, it will analyze the static and dynamic detection results of the vulnerability, and then summarize the causes of the vulnerability.

2.1 vulnerability analysis of various types of apps

2.1.1. Analysis of static scanning results of vulnerabilities

Using Alibaba Ju security's vulnerability scanning product, static scanning is performed on 11 popular apps with the same number of categories. The security situation of all kinds of apps is different:

Nearly 97% of the tested apps have security vulnerabilities, and the average number of vulnerabilities is 40.

The security class app has the most vulnerabilities.

Among all the detected vulnerabilities, the total number of security app vulnerabilities is up to 499 (about 21%), of which high-risk vulnerabilities account for about 2%. As a whole, even security app has many security problems.

News and tourism apps are the most insecure

The total number of vulnerabilities in news and tourism apps is more than 230 (about 10% of the total), and the high-risk vulnerabilities account for as much as 30%, which is relatively the most insecure of all apps.

Game apps are relatively safest

No matter the total number of vulnerabilities or the proportion of high-risk vulnerabilities in game apps, they are relatively the safest among all apps.

2.1.2 analysis of dynamic scanning results of vulnerabilities

Using Alibaba Ju security's vulnerability scanning product, we dynamically scan 11 popular apps of the same number in 11 categories. The scanning results are almost denial of service attack vulnerabilities, and no vulnerabilities such as file directory traversal and file cross domain access are found.

As can be seen from the following data figure, there are more or less denial of service vulnerabilities in all kinds of apps, especially in the financial category (37), entertainment category (35), shopping category (32), security category (28), while the total number of denial of service vulnerabilities in the game category is relatively the least (3).

Denial of service vulnerability is actually a component exposure problem. Once a component is exposed, specific malicious data can be written to the component, resulting in the collapse of the app, resulting in a denial of service, thus affecting the interests of app developers and users.

2.1.3 summary

The above analysis data shows that the security problem of android app is not optimistic. We need to further explore the causes and solutions of the vulnerability to avoid the vulnerability and make up for the impact of the security problem.

2.2 cause analysis of APP vulnerability

There are many types of vulnerabilities in android app, such as SQL injection, WebView series vulnerabilities, file mode configuration errors, HTTPS does not verify certificates, denial of service attacks, etc. the causes of the vulnerabilities can be summarized into the following two categories:

2.2.1App problems of developers themselves

a) Irregular coding

Many companies have no requirements for coding specifications, or app developers do not code according to the coding specifications, which is easy to cause sensitive information disclosure, such as log printing problems, not turning off the log printing function in the release version, etc.

b) Insufficient safety awareness

Many parameters of Android functions need to be used with caution, such as the common function openfileoutput. If the mode parameter is set to context.mode'world'readable or context.mode'world'writeable, it is easy to disclose the data of android app. In addition, the interface processing needs to be more rigorous. For example, an interface is exposed to allow users to run the input information. If the information is not processed, it is easy to cause denial of service attacks and other security issues.

2.2.2 discovery of 0day on Android

The discovery of 0day on Android can lead to the insecure function of Android App before. When there is no patch on Android system, it is necessary to patch android app in time. However, due to the fact that many android app developers are not sensitive to vulnerability information and other reasons, it is not timely patched, which leads to the existence of vulnerability.

In a word, the security problem of Android App may be a low-level mistake made by developers to a large extent. The more effective solution is to be able to use SDL coding process in the process of code writing, at the same time use vulnerability scanning products to detect the app, and constantly repair the security problems of its own app. Security is no small matter, all app developers should pay attention to it.

Three, summary

This test uses the same number of popular apps in 11 categories, and scans nearly 2500 vulnerabilities in total. On average, each android app has 40 security vulnerabilities, and about 97% of the test apps have more or less security vulnerabilities. These data reflect the severity of Android App vulnerability. In the app market, many Android apps have potential security risks. Once used, it will have a great impact on users and developers.

From the result of vulnerability detection, the vulnerability of android app is not optimistic. Can these problems be avoided? Is there an automated vulnerability scanning product for app developers? Can we reduce the degree of damage to the interests of developers and users? The answer is yes. In addition to enhancing the security awareness of app developers, using security products to scan and detect vulnerabilities before app release can find hidden security issues as early as possible, protect the interests of developers and users.

How to discover potential risks in advance and protect the interests of developers and users is the responsibility of Alibaba mobile security team. The product will be officially released on October 22, 2014. Please look forward to more developments. Please pay attention to the official Weibo of Alibaba mobile security team