Your Android developer tools, both local and cloud-based, could be wide open for exploitation, hacking, or remote code execution (RCE), new research from Check Point revealed.
Android and Java developers who use popular integrated development environments (IDEs) like Google Android Studio, IntelliJ, and Eclipse, as well as those using APK reverse engineering tools like APKTool and Cuckoo-Droid, could have data stolen, machines remotely seized, and malicious code executed on them.
It's a simple trick that can be done as easily as simply tossing a fake AndroidManifest.xml file into a package. Then the attacker can just sit back and wait for the data to come to them.
A serious exploit
Check Point explains that the vulnerability starts in APKTool and similar platforms, which are used to break down APKs for platform compatibility checks and app testing. Many of the popular apps in that category fail to block XML external entity references (XXEs), which allow an attacker to see the entire contents of the victim's computer.
At that point, all an attacker needs to do is create a malicious AndroidManifest.xml that exploits the XXE vulnerability, and data from the victim's machine comes streaming over to the attacker.
SEE: 15 books every programmer should read (free PDF) (TechRepublic)
That malicious XML file, when loaded into one of the affected IDEs as part of an Android project, "start spitting out any file configured by the attacker." Not just files from inside the IDE's scope, either: anything anywhere on an attached drive.
It was also possible, the researchers found, to inject the malicious XML file into Android repositories inside of an Android Archive Library (AAR). Once retrieved from the repository, the AAR and the malicious XML file go to work exploiting the same vulnerability to transmit anything the attacker wants.
Unknown files cause known problems
Lastly, Check Point researchers found another vulnerability in APKTool that allowed RCE (arbitrary code execution) on affected machines.
Advanced APKTool users may be familiar with the UnknownFiles section of APKTOOL.YML. It's a small bit of code that allows users to add code from an atypical location and have it placed in the correct spot when the APK is compiled.
It's also an inroad to remote code execution.
SEE: The Complete Android Developer Course: Beginner to Advanced (TechRepublic Academy)
Manipulation of the UnknownFiles section, according to Check Point, "[means] it is possible to inject arbitrary files anywhere on the file system." That code can then be executed to allow an attacker RCE abilities.
Who does this vulnerability affect? Anyone who unknowingly decodes a malicious APK. So, anyone.
Stick to patched IDEs
Google, Jetbrains, and the team behind APKTools have all told Check Point that they fixed the holes that made them vulnerable. Check Point said "other IDE companies" have patched the vulnerability as well, but without stating who, it's tough to know if you're still at risk.
For now, stick to an IDE and toolset that's fixed the problem. The alternative could be devastating.
- The essential guide to Android happiness begins with Kotlin (TechRepublic)
- Google releases Android 8.1 developer preview with Neural Networks API (ZDNet)
- 5 top takeaways for Android developers from Google I/O 2017 (TechRepublic)
- Android: A development headache you can't ignore (ZDNet)
- Research: DevOps adoption rates, associated hiring and retraining, and outcomes after implementation (Tech Pro Research)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.