Full support for "application cloning" risk detection, Haiyunan launched repair suggestions

On January 9, 2018, the disclosure of the latest attack model, "App Cloning", drew widespread attention and alarmed many internet users. At the start of the new year, network security has once again become a topic of public concern.

Vulnerability description

The "application cloning" crisis refers to the cross-domain access vulnerability (CNVD-2017-36682) in Android WebView. By exploiting it, an attacker can remotely obtain users' private data (including application data, photos, documents and other sensitive information on the phone) and can also steal their login credentials, gaining complete control over the user's APP account without the victim noticing. This is equivalent to remotely "cloning" the user account, and enables theft of private information, accounts and funds.

WebView is the Android control used to display web pages; it is based on the WebKit engine. In addition to the properties and settings of a general View, the WebView control can handle URL requests, page loading, rendering and page interaction.

Because this component is widely used on the Android platform, a large number of APPs are affected, posing a serious threat. Research shows that among more than 200 common Android applications on the market, 27 can be attacked in this way, more than 10%.

Vulnerability principle

The Same-Origin Policy is a browser security policy that forbids JavaScript from making cross-site accesses; it is one of the constraints imposed by the browser sandbox. The loose term "same host" has been used so far, but strictly speaking "same origin" requires all of the following conditions to be met:

  • The host of the URL (FQDN, fully qualified domain name) is the same

  • The scheme (protocol) is the same

  • The port number is the same

The root cause is that, in the Android application, WebView enables file-domain access, allows the file domain to access the http domain, and does not strictly restrict the file-domain path. An attacker can remotely make the app open and load a malicious HTML file through a URL scheme, and then remotely obtain all local sensitive data in the APP, including the user's login credentials.

The preconditions for triggering this vulnerability are as follows:

1. setAllowFileAccessFromFileURLs or setAllowUniversalAccessFromFileURLs in WebView is configured to true (the default is true when minSdk <= 4.1 and false when minSdk > 4.1);

2. The WebView can be invoked directly from outside the app and can load externally controllable HTML files.

Risk level

High risk

Vulnerability Scope

The vulnerability affects Android applications that use the WebView control, enable file-domain access and were not developed in accordance with the security policy.

Vulnerability Protection Solution

1. Vulnerability scanning and detection

1.1 During code development and audit, use Haiyun'an's SCAP for source-code security auditing

With SCAP, this vulnerability can be discovered promptly during the development phase and its risk avoided.

1.2 Before the APP is packaged and released, use Haiyun'an's MARS for black-box testing and self-inspection.

Haiyun'an's MARS can locate the security problems detected in an APP down to the granularity of specific code classes, methods, called functions and calling patterns, with high detection accuracy.

2. Protective measures in development coding

Since Google has not yet released a corresponding fix, the temporary solution is as follows:

1. When file-domain access is not functionally required, explicitly set the two APIs setAllowFileAccessFromFileURLs and setAllowUniversalAccessFromFileURLs to false. (Before Android 4.1 these two APIs defaulted to true and must be set to false explicitly.)

2. If file-domain access is required, set a whitelist of file paths to strictly limit the access scope of the file domain, as follows:

(1) Fixed HTML files can be placed in the assets or res directory; file:///android_asset and file:///android_res can be accessed without enabling the above APIs;

(2) HTML files that may be updated are placed in the /data/data/(app) directory, so that they cannot be replaced or modified by third parties;

(3) When whitelisting file-domain requests, the special case of "../../" (path traversal) must be handled so that the whitelist cannot be bypassed.

3. Prevent the WebView inside the App from being invoked by untrusted third parties: check whether the activities containing the built-in WebView are exported, and whether any activity that must be exported passes parameters on to the built-in WebView.

4. It is recommended to further protect the sensitive data in the APP directory. The client APP can use device-related information (such as IMEI, IMSI, Android_id, etc.) as a key to encrypt sensitive data, making it difficult for an attacker who exploits related vulnerabilities to obtain sensitive information.
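As an added illustration of steps 1 to 3 above (example code, not from the article or from Haiyun'an), a hypothetical `FileDomainGuard` WebViewClient that sets both file-domain APIs to false and whitelists file: URLs only after canonicalizing their path, so "../../" and percent-encoded traversal are caught. The `html` subdirectory under the app's private files directory is an assumed location for updatable pages.

```java
import android.content.Context;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
// Hypothetical helper, not from the article: hardens WebSettings and confines file://
// loads to android_asset, android_res and one app-private HTML directory.
public final class FileDomainGuard extends WebViewClient {
    private final String allowedDir; // canonical path of the app-private HTML directory
    public FileDomainGuard(Context ctx) throws IOException {
        // Assumed layout: updatable pages live under <app-private files dir>/html; canonicalizing
        // the base once makes symlinked aliases of the app directory compare equal later.
        allowedDir = new File(ctx.getFilesDir(), "html").getCanonicalPath();
    }
    // Step 1: set both APIs to false explicitly rather than relying on SDK-level defaults.
    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
    }
    // Step 2 (3): whitelist check that survives "../../" and percent-encoded traversal.
    public boolean isPermitted(String url) {
        Uri uri = Uri.parse(url);
        if (!"file".equals(uri.getScheme())) return true; // only file: URLs are constrained here
        String path = uri.getPath();                      // percent-decoded: %2e%2e becomes ".."
        if (path == null) return false;
        try {
            // getCanonicalPath collapses "." and ".." and resolves symlinks, so the prefix
            // test runs against the path WebView would actually read from disk.
            String canonical = new File(path).getCanonicalPath();
            return canonical.startsWith("/android_asset/")
                || canonical.startsWith("/android_res/")
                || canonical.startsWith(allowedDir + File.separator);
        } catch (IOException e) {
            return false; // unresolvable path: fail closed
        }
    }
    @Override // returning true cancels the navigation
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isPermitted(url);
    }
    @Override // blocks disallowed file: subresources; null lets WebView load the request itself
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        if (isPermitted(request.getUrl().toString())) return null;
        return new WebResourceResponse("text/plain", "utf-8", new ByteArrayInputStream(new byte[0]));
    }
}
```

Call `FileDomainGuard.harden(webView)` and `webView.setWebViewClient(new FileDomainGuard(context))` before loading any content; the exported-activity check from step 3 is a manifest review and is not covered by this code.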

For more information, please visit the Haiyun'an website for further details and consultation.
