
Nine Android vulnerabilities and how to fix them

2025-02-23 Update From: SLTechnology News&Howtos

Shulou (Shulou.com), 05/31

Many newcomers are unclear about the nine common Android vulnerabilities and how to fix them. The following explains them in detail for anyone who needs it.

Android applications are exposed to many kinds of vulnerabilities, so understanding each security risk in detail and actively taking appropriate defensive measures is particularly important. To give a comprehensive picture of Android vulnerabilities, Xu Congxiang, a senior security engineer at NetEyun Yidun, gives a detailed interpretation of nine common Android vulnerabilities for your reference. If the practical information below is not enough, you are welcome to apply for a trial of the relevant products on the official website and communicate face-to-face to ensure that your security problems are solved.

The first category: risks or vulnerabilities related to AndroidManifest configuration

The application can be debugged arbitrarily

Risk details: android:debuggable="true" is set in the APK's configuration file AndroidManifest.xml, so the debug switch is turned on.

Harm: the app can be debugged.

Fix suggestion: turn off the debug switch in the AndroidManifest.xml configuration file, that is, set android:debuggable="false".

Arbitrary backup of program data

Risk details: android:allowBackup="true" is set in the APK's configuration file AndroidManifest.xml, so the data backup switch is turned on.

Harm: the app's data can be backed up and exported.

Fix suggestion: turn off the backup switch in the AndroidManifest.xml configuration file, that is, set android:allowBackup="false".

Component exposure: it is recommended that you use android:protectionLevel="signature" to verify the source of the call.

Activity component exposure

Risk details: an Activity is considered exported when its exported property is set to true, or when exported is not set but its IntentFilter is not empty. An exported Activity can be called by setting the corresponding Intent.

Harm: attackers may construct malicious data to carry out unauthorized-access attacks against exported Activity components.

Fix suggestion: if the component does not need to share data or interact with other apps, set android:exported="false" on the component in the AndroidManifest.xml configuration file. If the component does need to share data or interact with other apps, apply permission control and parameter validation to the component.

Service component exposure

Risk details: a Service is considered exported when its exported property is set to true, or when exported is not set but its IntentFilter is not empty. An exported Service can be called by setting the corresponding Intent.

Harm: attackers may construct malicious data to carry out unauthorized-access attacks against exported Service components.

Fix suggestion: if the component does not need to share data or interact with other apps, set android:exported="false" on the component in the AndroidManifest.xml configuration file. If the component does need to share data or interact with other apps, apply permission control and parameter validation to the component.
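The checks described above can be automated against a decoded AndroidManifest.xml. The following Python audit is an added example, not part of the original article; the sample manifest, package name and component names are constructed, and treating a component guarded by a signature-level permission as acceptable is an assumption of this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest in decoded text form; not taken from the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <permission android:name="com.example.demo.PRIV" android:protectionLevel="signature"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".PayActivity" android:exported="true"/>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.PRIV"/>
    <service android:name=".UploadService" android:exported="true"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return sorted (check, component) findings for the manifest risks above."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app.get(ANDROID + "debuggable", "false").lower() == "true":
        findings.append(("debuggable", "application"))
    # allowBackup defaults to true when the attribute is absent.
    if app.get(ANDROID + "allowBackup", "true").lower() == "true":
        findings.append(("allowBackup", "application"))
    # Permissions declared with protectionLevel="signature" (same-signer callers only).
    signature_perms = {p.get(ANDROID + "name") for p in root.iter("permission")
                       if "signature" in p.get(ANDROID + "protectionLevel", "").split("|")}
    for tag in ("activity", "service"):
        for comp in app.iter(tag):
            exported = comp.get(ANDROID + "exported")
            if exported is None:
                # Rule from the text: exported unset + non-empty IntentFilter = exported.
                exported = "true" if comp.find("intent-filter") is not None else "false"
            guarded = comp.get(ANDROID + "permission") in signature_perms
            if exported.lower() == "true" and not guarded:
                findings.append(("exported-" + tag, comp.get(ANDROID + "name")))
    return sorted(findings)


if __name__ == "__main__":
    for check, name in audit_manifest(SAMPLE_MANIFEST):
        print(check, name)
```

.SyncService is not reported because it requires a signature-level permission, while .ShareActivity is reported even though it never sets exported, because its IntentFilter is not empty.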

ContentProvider component exposure

Risk details: the property exported of the ContentProvider component is set to true or Android API
