While the success of Android as a mobile operating system is undeniable, it comes at the cost of being more vulnerable to threats than ever before. As a developer, then, it becomes even more important for you to be aware of possible vulnerabilities and do the best you can to prepare for them. If you are just starting out, this post will help by outlining five common vulnerabilities in Android that should be at the back of your mind all the time.
As a developer, your biggest enemy is fragmentation. When a security loophole is found in an Android release, it gets fixed either as a system update or in the next release. But what about the devices still stuck with the older versions? Upgrading Android isn’t something people do enthusiastically, after all. This means that if you’re supporting a range of Android versions, you need to be watertight in your assumptions. Never assume that your app is secure just because it’s secure on the few versions of the few devices you tested on.
One of the worst things to hit the Android ecosystem is the Stagefright vulnerability. It relies on a buffer overflow in the underlying Stagefright library and, as security researchers have demonstrated, requires no intervention by the device user. While security patches were promptly released, security research estimates that 50% of devices are still vulnerable to the attack.
Quadrooter is so named because it’s a set of four vulnerabilities that affect Android devices running on Qualcomm chipsets. By leveraging any of these four vulnerabilities, hackers can gain root access to a device. Since Qualcomm chipsets run in almost 65% of the world’s mobile devices, the magnitude of this vulnerability is scary. Patches were quickly rolled out towards the end of 2016, but devices not updated since then are at severe risk of being compromised.
Similar to the Clickjacking exploit on the Web, Tapjacking relies on making the end user tap on a forged overlay that actually connects to the permissions manager. As a result, the attacker is able to gain privileged access to the device. The vulnerability relies on an Android loophole that allows screen overlays to be displayed while permission dialogs are open. While this was officially fixed in Android 7, there’s a large number of devices out there that are still vulnerable.
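The platform fix covers the system permission dialogs, but an app can apply the same defence to its own sensitive controls on any Android version. The following is an added example, not code from the original post: the class name `ObscuredTouchSafeButton` is hypothetical, and it assumes you want taps on a sensitive button (confirm, pay, grant) discarded whenever another window is drawn over yours.

```java
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Hypothetical button for sensitive actions. It drops any tap that was
 * delivered while another window (for example a forged overlay) covered
 * this app's window.
 */
public class ObscuredTouchSafeButton extends Button {

    public ObscuredTouchSafeButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Framework-level filter: the view discards touches whenever the
        // touched location is covered by another visible window.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();

        // Set by the system when the touch passed through another window.
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;

        // From API 29 the system also reports overlays that cover the window
        // anywhere, even if not directly under the finger.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }

        if (obscured) {
            // Returning false tells the framework to drop the event, so the
            // click listener never fires for an overlaid tap.
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

For views you do not subclass, setting `android:filterTouchesWhenObscured="true"` in the layout XML enables the framework filter alone.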
#5 ADB backup vulnerability
If you or your app uses the ADB tool to perform backups, you’re under very serious threat. Since the ADB tool doesn’t verify the contents of the backup, it’s very easy for a malicious person to inject something along with your backups, which will then be retrieved and activated the next time. A chilling demonstration of this vulnerability is on GitHub, and it’s sad to see just how easy it can be.
Those are some of the most popular vulnerabilities in Android that still affect a large number of devices. The situation is even worse when we talk about device-specific and manufacturer-specific vulnerabilities, but that’s a topic for another day.