amitshekhariitbhu / Android-Debug-Database

A library for debugging android databases and shared preferences - Make Debugging Great Again
https://outcomeschool.com
Apache License 2.0

Severe security issues when Android-Debug-Database is running #93

Open jasta opened 6 years ago

jasta commented 6 years ago

This library uses a plain TCP server socket to accept incoming debug requests and provide arbitrary access to database files in the hosting application. This leaves those applications extremely vulnerable to malicious apps being installed which connect to that port and "scrape" the database contents looking for security sensitive information like authentication tokens or privacy sensitive data.

To work around this, use UNIX domain sockets, as Stetho does:
https://github.com/facebook/stetho/blob/master/stetho/src/main/java/com/facebook/stetho/server/LocalSocketServer.java
https://github.com/facebook/stetho/blob/master/stetho/src/main/java/com/facebook/stetho/server/SecureSocketHandler.java

If you're interested, I'd love to talk about expanding Stetho's generalization to actually host your project on top of Stetho so you can remove a bunch of server boilerplate and get a lot of security and features from stetho for free. Stetho currently, for example, already hosts 2 different kinds of services from the same socket (chrome://inspect and also the dumpapp command-line tools). We could easily generalize this to support any arbitrary number of other projects like yours.
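The mitigation proposed above, shown as an added example rather than code from Android-Debug-Database or Stetho: the server listens on an abstract UNIX domain socket (unreachable from the network and from `adb forward tcp:...` unless explicitly mapped) and, before reading a single request byte, checks the kernel-reported peer credentials. The policy mirrors what the linked SecureSocketHandler does: accept the app's own UID, or a peer that holds `android.permission.DUMP`, which adb's shell user and root have but ordinary third-party apps cannot obtain. The class name `LocalDebugServer`, the socket name `my_app_debug` and the echo-style request handler are this example's own assumptions.

```java
// Added example, not Android-Debug-Database or Stetho code: a debug listener on an
// abstract UNIX domain socket that authenticates peers by UID / permission before
// serving anything. SOCKET_NAME and the request handler are placeholders.
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageManager;
import android.net.Credentials;
import android.net.LocalServerSocket;
import android.net.LocalSocket;
import android.os.Process;
import android.util.Log;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

public final class LocalDebugServer implements Runnable {
    private static final String TAG = "LocalDebugServer";
    // Abstract-namespace socket: no file on disk, AF_UNIX only, never bound to an IP port.
    private static final String SOCKET_NAME = "my_app_debug"; // example name, not the library's

    private final Context context;

    public LocalDebugServer(Context context) {
        this.context = context.getApplicationContext();
    }

    /** Starts the listener on a daemon thread and returns immediately. */
    public void start() {
        Thread t = new Thread(this, TAG);
        t.setDaemon(true);
        t.start();
    }

    @Override
    public void run() {
        try (LocalServerSocket server = new LocalServerSocket(SOCKET_NAME)) {
            while (!Thread.currentThread().isInterrupted()) {
                LocalSocket peer = server.accept();
                if (!isAuthorized(context, peer)) {
                    peer.close(); // drop unauthorized peers before parsing any request
                    continue;
                }
                handle(peer);
            }
        } catch (IOException e) {
            Log.w(TAG, "debug server stopped", e);
        }
    }

    /**
     * Allows a peer only if its UID is our own process, or if the peer process holds
     * android.permission.DUMP (adb shell / root). The credentials come from the kernel
     * (SO_PEERCRED), so the connecting process cannot forge them.
     */
    static boolean isAuthorized(Context context, LocalSocket peer) {
        Credentials creds;
        try {
            creds = peer.getPeerCredentials();
        } catch (IOException e) {
            return false;
        }
        int uid = creds.getUid();
        int pid = creds.getPid();
        if (uid == Process.myUid()) {
            return true;
        }
        int result = context.checkPermission(Manifest.permission.DUMP, pid, uid);
        if (result != PackageManager.PERMISSION_GRANTED) {
            Log.w(TAG, "rejected debug client pid=" + pid + " uid=" + uid);
            return false;
        }
        return true;
    }

    /** Placeholder handler: echoes one line; a real server would dispatch debug commands here. */
    private static void handle(LocalSocket peer) {
        try (LocalSocket s = peer;
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
             OutputStream out = s.getOutputStream()) {
            String line = in.readLine();
            if (line != null) {
                out.write(("ok: " + line + "\n").getBytes(StandardCharsets.UTF_8));
                out.flush();
            }
        } catch (IOException e) {
            Log.w(TAG, "client error", e);
        }
    }
}
```

A developer reaches such a socket from the workstation with `adb forward tcp:8080 localabstract:my_app_debug`; the connection then arrives from adbd as the shell UID, which passes the DUMP check, while another app on the device is rejected at `isAuthorized` before any database content is read.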

amitshekhariitbhu commented 6 years ago

Great, we should handle these things. But this library is not meant to ship in production.

amitshekhariitbhu commented 6 years ago

Let's discuss how to implement this.

jasta commented 6 years ago

These security issues expose developers too. An attacker could easily use a malicious app intending specifically to attack developers and extract critical things like OAuth tokens on potentially major services from these developers.

This was a major concern at Facebook since it would be such a valuable target to get a Facebook employee to install something malicious, even if temporarily, that could steal data from our apps that use stetho. Anyway, stetho has a solid solution you can either copy or we can refactor as a standalone piece.

andrevdk commented 6 years ago

Hello, I want to add some information here. I am using a very complex SDK which is not available on the market, just for internal business, and it is very secure. When using this library in my application, the SDK blocks every feature because it detects this security issue generated by this library, so I can't use the library and the SDK at the same time. This is another reason for fixing this issue :).