NowSecure static analysis: APK Vulnerable to the Janus Exploit

[ivyv19]

Finding Description

The app is vulnerable to the Janus exploit.

Janus (CVE-2017-13156) exposes a critical flaw in Android's APK validation process when using the V1 signature scheme. It allows an attacker to modify an Android APK, and potentially insert malicious code, without altering its digital signature. This means that the tampered app will appear legitimate and unchanged to Android's APK signature verification process which will allow the installation of the compromised app in the vulnerable Android devices.

Determining whether an app is vulnerable to Janus depends on the combination of the app's signing scheme and its minimum API level:

• Apps with minimum API levels of 21-23 (Android 5 to Android 6) are vulnerable, as they only support the V1 signing scheme.
• Apps with minimum API levels 24-26 (Android 7 to Android 8.0) are vulnerable if they are signed only with the V1 scheme. Apps using the V2 signing scheme or later are not affected by this vulnerability.

Steps to Reproduce

This test statically analyzes the app looking for the combinations of app signing schemes and minimum API level required for the app to run that make the app be vulnerable to the Janus exploit.

Business Impact

By exploiting the Janus vulnerability, malicious actors can inject malicious code into apps, making them function as Trojans that appear legitimate to both the user and the system. This can lead to unauthorized access to sensitive user information, data theft, and the spread of malware. For businesses, this can result in significant reputational damage, potential legal liability, and a loss of customer trust that is critical to retaining users and revenue.

Remediation Resources

To mitigate the risks associated with the Janus vulnerability, developers and security teams should take the following steps:

• Increase the Minimum API Level: Ensure that your app targets at least API level 24 or higher, as these levels include enhancements that prevent the Janus vulnerability. Using a higher API level will ensure that your app benefits from the enhanced security features and patches provided by Android.
• Use up-to-date signing schemes: Use APK Signature Scheme v2 or later, which covers the entire APK file and detects any modifications:
• API Level 24 (Android 7.0) adds support for APK Signature Scheme v2.
• API Level 28 (Android 9) adds support for APK Signature Scheme v3.

For more details on implementing these signature schemes, developers should consult this resource.

Risk and Regulatory Information

Severity: high

CVSS: 6.7

Policy Category: Needs Remediation

• CWE: 310, 326
• NIAP: FPT_TUD_EXT.1.6, FCS_COP.1.1(3)
• FISMA LOW: SC-13 CRYPTOGRAPHIC PROTECTION
• FISMA MED: SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
• Risk OWASP: MSTG-CODE-1 (OWASP MASVS v1.5.0), MASVS-RESILIENCE-2 (OWASP MASVS v2.1.0)
• GDPR: Risks violating Article 25, Risks violating Article 32
• FFIEC: May violate D3.PC.Se.Int.3
• PCI: May violate requirement 3.6.1
• HIPAA: May violate §164.312(a)(1): Standard: Access control.
• CCPA: Risks violating CCPA: exfiltration, theft, or disclosure of PII
• CWE Top 25: 2021 CWE Top 25 Most Dangerous Software Errors

Application

• Platform: android
• Package: com.abclocal.wtvd.news

See more detail in the NowSecure Report

Evidence

| minSdkVersion | |---| | 23 |

[ivyv19]

Update: This finding has been dismissed by Ivy Valenzuela with reason "false positive" and note "dismiss". No additional action is required.

Powered by NowSecure Platform

[ivyv19]

Update: This finding has been marked as no longer dismissed by Ivy Valenzuela. Additional action is required.

Powered by NowSecure Platform

[ivyv19]

Update: This finding has been marked as resolved by Ivy Valenzuela. No additional action is required.

Powered by NowSecure Platform

[ivyv19]

Update: This finding has been marked as no longer resolved by Ivy Valenzuela. Additional action is required.

Powered by NowSecure Platform