How to use this tool to detect whether there is an Android-DirtyStream vulnerability

[0nlyuAarOn]

Hello, may I ask how to use this tool to detect whether there is an Android-DirtyStream vulnerability, or whether the tool can detect an Android-DirtyStream vulnerability?

[iammyr]

Hi 0nlyuAarOn, the Android-DirtyStream attack leverages one main vulnerability in some Play 3rd-party apps (unverified untrusted input as filename and file path) and a series of "features" that just so happened to play in its favour (the substitution of \<sharedprefefs filename>.bak with \<shareprefs filename> for recovery reasons, the loading of app modules and native libraries). AOSP changes are ongoing to reduce the impact of the latter (features facilitating attacks like this one). Also the following linters are either published or under way to cover this attack:

• 2 published linters on misconfigured FileProvider
• 5 work-in-progress linters to more thoroughly warn against bad practices that lead to path traversal and other control bypasses related to FileProvider and ContentResolver
• 1 work-in-progress linter to discourage the use of sharedPreferences (in favour of DataStore) and another one to recommend to ensure only read-only files are under /verified-split/ .