Flaws in Development Tools Expose Android App Makers to Attacks

Millions of computers and servers that are used to develop, test and analyze Android applications were put at risk by vulnerabilities in widely used development tools.

The flaws were discovered by researchers from Check Point Software Technologies and allow injecting or extracting arbitrary files to and from affected systems, leading to exposure of sensitive data or a complete compromise.

The Check Point researchers initially found an XML External Entity (XXE) vulnerability in Apktool, a popular application that’s used to decompile and build APK (Android Application Package) files. The flaw was located in the tool’s XML parser, which wasn’t properly restricted and exposed the entire filesystem.

An attacker could exploit the flaw by including a malformed AndroidManifest.xml file in an APK that would then be processed by the tool. The exploit could grab any file from the victim’s system and send it to a remote server.

The Check Point researchers later realized that the vulnerable “DocumentBuilderFactory” XML parser used by Apktool was also used by integrated development environments (IDEs) popular in the Android development community. These included Google’s Android Studio, JetBrains’ IntelliJ IDEA and Eclipse.

“By simply loading the malicious ‘AndroidManifest.xml’ file as part of any Android project, the IDEs start spitting out any file configured by the attacker,” the Check Point researchers said in a blog post.

The flaw can also be exploited by including the XXE payload into an Android Archive Library (AAR) hosted on any public or official repository like Maven and which would then be imported by developers into their IDEs.

“Cloning the infected AAR from the repository by the victim would allow the attacker to steal sensitive files such as configuration files, source code, company digital proprietary and much more from the OS file system,” the researchers said.

Upon further analysis of Apktool, the researchers also found a separate path traversal vulnerability that could have allowed a malicious APK to write files to any location on the file system. The researchers built a proof-of-concept exploit that could install a backdoor on any web-based APK analysis service using Apktool on the back end.

The same technique can be used to attack a developer’s computer and can be used to plant malicious files in sensitive locations where they would be executed. As such, the flaw can lead to remote code execution.

“All the attacks methods demonstrated above are cross-platform and generic and, as the APKTool is designed to work on top of several operating systems, it is also possible to attack any system on which it operates without restriction or limitation,” the researchers said.

The flaws were reported to all affected IDEs in May and their developers have since released fixes. So, if you’re an Android developer, or you import Android application files and code into your development environment, make sure you update Apktool and your IDE.

These flaws are the perfect example of how developers can be compromised through the software supply chain. It’s a well-known fact that very few companies maintain an inventory of all the components and libraries that their developers use, not to mention track vulnerabilities in them.

Attackers can exploit flaws in third-party components to compromise development systems and then inject malicious code into the applications developed on those systems in order to compromise their end users.

There have been several supply-chain attacks this year, including the CCleaner one that affected 2 million users, where attackers compromised developers in order to inject malware into their projects. These are powerful and hard to detect attacks that pose a new challenge to companies, whether they’re developing or consuming applications, or both.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 58 posts and counting.See all posts by lucian-constantin