Android Development Tools Riddled with Nasty Vulnerabilities

Java/Android developers are exposed to vulnerabilities affecting the development tools, both downloadable and cloud based, used in the Android application ecosystem, Check Point warns.

Check Point security researchers have discovered several vulnerabilities impacting the most common Android Integrated Development Environments (IDEs), namely Google’s Android Studio and JetBrains’ IntelliJ IDEA and Eclipse, along with major reverse engineering tools for Android applications, including APKTool, the Cuckoo-Droid service, and more.

The bugs were reported to the impacted IDE companies in May 2017 and have been already resolved in Google and JetBrains tools.

According to Check Point, their research focused on APKTool (Android Application Package Tool), which emerges as the most popular tool for reverse engineering third party Android apps, and which allows developers to decompile and build APK files.

Both of the tool’s features, however, are plagued by vulnerabilities, the researchers argue. The program’s source code revealed an XML External Entity (XXE) vulnerability in a function called “loadDocument,” which is being used in both core functionalities.

Because of this vulnerability, the entire OS file system of APKTool’s user is exposed, which allows an attacker exploiting the vulnerability to “potentially retrieve any file on the victim’s PC.” For that, a malicious “AndroidManifest.xml” file that exploits the issue is needed.

The researchers also analyzed the XML parser called “DocumentBuilderFactory” that is being used in the APKTool project and discovered multiple vulnerable implementations of the XML parser within other projects. It also led to the discovery that IDEs such as Intellij, Eclipse, and Android Studio are affected as well.

“By simply loading the malicious ‘AndroidManifest.xml’ file as part of any Android project, the IDEs start spitting out any file configured by the attacker,” the security researchers explain.

The researchers uploaded a malicious project library to GitHub and cloned it to an Android Studio project, which demonstrated that an attack abusing this vulnerability is successful. Other attack vectors were discovered as well, such as injecting a malicious AAR (Android Archive Library) containing the XXE payload into repositories.

“It is possible, for example, to upload an infected AAR to a public repository such as the central Maven repository. Cloning the infected AAR from the repository by the victim would allow the attacker to steal sensitive files such as configuration files, source code, company digital proprietary and much more from the OS file system,” Check Point says.

Next, the researchers discovered a vulnerability in APKTool that could allow an attacker to execute commands on the victim’s PC.

The issue was discovered in the configuration file “APKTOOL.YML,” which is employed for the advanced use of the tool, and which contains a section called “unknownFiles” that “allows users to include a non-standard file location that will be placed correctly on the rebuild process of an APK.”

The selected files are saved in a ‘Unknown’ folder and modifying the path of the “unknownFiles” section can result in injecting arbitrary files anywhere on the file system, because APKTool “does not validate the path of which the unknown files will be extracted from the packed APK.”

Injecting arbitrary files in the filesystem can lead to remote code execution, and any APKTool user/service is vulnerable when attempting to decode a crafted malicious APK.

“It is impossible to estimate the number of users of this well-known open source project. Yet, knowing that among them are some large services and companies, we contacted APKTool developer and IDE companies and are pleased to report that they all fixed the security issues and released updated and improved versions of their products,” Check Point concludes.

Related: Google to Warn Android Users on Apps Collecting Data

Related: Android’s December 2017 Patches Resolve Critical Flaws

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags: