What are the security vulnerabilities of Android applications?

First of all, the subject asked about the security vulnerability of "Android application". Speaking of security vulnerabilities in Android applications, if we put aside the system design problems, the main reason is the omission in the development process. But in fact, we can't blame all these responsibilities on Cheng. So this answer will also explain the Android system design and ecological environment. (If you want to know about Android malware, you need to open another topic. 1. Application decompilation vulnerability: APK packages are very easy to decompile into readable files, and can be repackaged into new APK with minor modifications. Utilization: software cracking, internal purchase cracking, software logic modification, inserting malicious code, replacing advertiser ID. Suggestion: Use tools such as ProGuard to confuse code, and use NDK to realize important logic. For example: decompile and repackage FlappyBird, change advertiser ID, insert malicious code into the game, and so on. 2. Vulnerabilities in data storage and transmission: the files on the external storage (SD card) have no authority to manage, and all applications can read and write. Developers put sensitive information on the SD card in plain text or dynamically load the payload on the SD card. Utilization: stealing sensitive information, tampering with configuration files, modifying payload logic and repackaging. Suggestion: don't put sensitive information on external storage; Verify file integrity when dynamically loading external resources. Vulnerability: Use globally readable internal storage mode (mode _ world _ writable) or store sensitive information (user account password, etc.). ) clear text. Usage: read and write sensitive information globally, or read plaintext information after root. Suggestion: The globally readable internal storage mode is not applicable, and the user account password is not stored in plaintext. 3. Password leakage vulnerability: password plaintext storage and transmission. Purpose: Read and write memory after root. SD card can be read and written globally. Public *** WiFi grabs the package to get the account password. Suggestion: A practical and mature encryption scheme. Do not store the password in plain text on the SD card. 4. Vulnerability of component exposure (activity, service, broadcast receiver, content provider): the component was not verified when it was called. Other components were called without authentication. Use: Call exposed components to achieve some effect, get some information, and construct some data. (For example: calling exposed components to send short messages, Weibo, etc.). ). Monitor exposed components and read data. Suggestions: Verify input information, verify component calls, etc. Android:exported is set to false. Use Android: protectionlevel = "signature" to verify the call source. 5.WebView vulnerability: A malicious App can inject JavaScript code into a webpage in WebView, and the webpage has not been verified. Malicious web pages can execute JavaScript, call methods registered in the App in turn, or use resources. Exploitation: Embedding malicious programs in Web App, and then stealing user information. Malicious web pages call App code remotely. What's more, call the runtime to execute arbitrary code through Java reflection. Suggestion: Do not use setJavaScriptEnabled(true) in WebView, or validate the input when using it. 6. Other mobile phones with vulnerabilities after ROOT can modify in-app purchases or install plug-in applications. Logcat leaked user sensitive information. Malicious advertising package. Use the next intention. 7. To sum up, most of the vulnerabilities in Android applications are caused by developers not verifying the input information. In addition, due to the special mechanism of intention, it is necessary to filter out all kinds of malicious behaviors outside. Coupled with the chaotic Android application market, the level of developers is uneven. So now there are more and more vulnerabilities, malware and phishing in Android applications. Coupled with root's destruction of the App sandbox, Android upgrade restrictions. The domestic Android environment is a mess, which is terrible. So, if you want to make sure that your application has no security holes, remember: never trust the outside world.