Monday, May 9, 2016

Vulnerabilities tested by Google Play Store scanner

5:26 AM Posted by ASM
In case you haven't read about it yet, Google will start identifying security weaknesses in apps pushed to the Play Store. Non-conforming apps will be rejected until all security issues are fixed.


It is not yet clear which vulnerabilities they are covering, but here are the ones we did figure out and that you can easily check in your app before submitting it:
  • OpenSSL: Google checks for OpenSSL versions prior to 1.0.2f and 1.0.1r to check for the Logjam vulnerability, among others. This will probably change soon and often, as publicly disclosed vulnerabilities in OpenSSL have unfortunately been quite frequent lately. For a complete list of OpenSSL vulnerabilities, check https://www.openssl.org/news/vulnerabilities.html#y2016. As always, make sure you have the latest version installed.
  • SSL/TLS certificate validation: Google checks TLS certificate validation, probably using the open-source tool nogotofail https://github.com/google/nogotofail. The tool uses a probabilistic approach to test server validation. Implementing TLS certificate validation in okhttp is well documented. Using SSL pinning is even better, and in the newer versions it is really simple to do; see https://github.com/square/okhttp/wiki/HTTPS. Generic implementations must ensure that their custom X509TrustManager correctly implements the method public abstract void checkServerTrusted (X509Certificate[] chain, String authType). Some apps implementing SSL pinning will report failed server certificate validation over an insecure SSL connection (no certificate validation). This isn't a security risk but might yield wrong results from Google's scanner.
  • Cordova: Apache Cordova is an open-source framework for writing multi-platform mobile apps in HTML5/CSS3/JavaScript. Google checks for versions prior to 4.1.1, which are vulnerable to CVE-2015-5256.
  • MoPub: MoPub is an advertising solution for mobile. Versions prior to 4.4.0 suffered from insecure default WebView settings and a memory corruption vulnerability.
  • Vitamio: Vitamio is a multimedia framework for both Android and iOS. Versions prior to 5.0 suffered from a vulnerability due to insecure write permissions on library files, which could allow code execution in the context of the vulnerable mobile application.
These are the ones that we have seen so far. We'll keep this post updated with new ones in the future.
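
A pre-submission check for the OpenSSL item above, as an added example that is not part of the original post and is not Google's scanner logic. It assumes the bundled native libraries carry OpenSSL's usual version banner; the function names and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Thresholds stated in the post: releases prior to 1.0.2f and 1.0.1r are flagged.
MIN_FIXED = {(1, 0, 2): "f", (1, 0, 1): "r"}

# OpenSSL builds embed a banner such as b"OpenSSL 1.0.1q 3 Dec 2015";
# vendor builds may append a suffix, e.g. b"OpenSSL 1.0.1e-fips ...".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)[- ]")

def is_flagged(major, minor, fix, letters):
    base = (major, minor, fix)
    if base in MIN_FIXED:
        want = MIN_FIXED[base]
        # Patch letters order as a, b, ..., z, za, zb: compare length first.
        return (len(letters), letters) < (len(want), want)
    # Assumption: branches older than 1.0.1 count as prior to both thresholds.
    return base < (1, 0, 1)

def scan_apk(apk):
    """Return sorted (entry, version, flagged) for each banner found in .so files."""
    findings = set()
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not name.endswith(".so"):
                continue
            for m in BANNER.finditer(zf.read(name)):
                major, minor, fix = (int(g) for g in m.groups()[:3])
                letters = m.group(4).decode()
                version = f"{major}.{minor}.{fix}{letters}"
                findings.add((name, version, is_flagged(major, minor, fix, letters)))
    return sorted(findings)

def build_sample_apk():
    """Constructed sample: a zip with fake .so payloads, not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libcrypto.so", b"\x7fELF\x00OpenSSL 1.0.1q 3 Dec 2015\x00")
        zf.writestr("lib/x86/libssl.so", b"\x7fELF\x00OpenSSL 1.0.2f  28 Jan 2016\x00")
        zf.writestr("classes.dex", b"OpenSSL 1.0.1a 19 Apr 2012")  # not a .so, skipped
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, version, flagged in scan_apk(build_sample_apk()):
        print(f"{name}: OpenSSL {version} -> {'FLAGGED' if flagged else 'ok'}")
```

To check a real build, pass the path of the APK to scan_apk instead of the constructed sample. A library with the banner stripped will not be detected, so an empty result is not proof that no OpenSSL copy is bundled.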
