Open ivyv19 opened 1 month ago
Update: This finding has been dismissed by Ivy Valenzuela with reason "false positive" and note "dismiss". No additional action is required.
Powered by NowSecure Platform
Update: This finding has been marked as no longer dismissed by Ivy Valenzuela. Additional action is required.
Update: This finding has been marked as resolved by Ivy Valenzuela. No additional action is required.
Update: This finding has been marked as no longer resolved by Ivy Valenzuela. Additional action is required.
Finding Description
The app is vulnerable to the Janus exploit.
Janus (CVE-2017-13156) exposes a critical flaw in Android's APK validation process when using the V1 signature scheme. It allows an attacker to modify an Android APK, and potentially insert malicious code, without altering its digital signature. The tampered app therefore appears legitimate and unchanged to Android's APK signature verification process, which allows the compromised app to be installed on vulnerable Android devices.
Determining whether an app is vulnerable to Janus depends on the combination of the app's signing scheme and its minimum API level:
Steps to Reproduce
This test statically analyzes the app, looking for combinations of app signing scheme and minimum API level required for the app to run that make the app vulnerable to the Janus exploit.
Business Impact
By exploiting the Janus vulnerability, malicious actors can inject malicious code into apps, making them function as Trojans that appear legitimate to both the user and the system. This can lead to unauthorized access to sensitive user information, data theft, and the spread of malware. For businesses, this can result in significant reputational damage, potential legal liability, and a loss of customer trust that is critical to retaining users and revenue.
Remediation Resources
To mitigate the risks associated with the Janus vulnerability, developers and security teams should take the following steps:
For more details on implementing these signature schemes, developers should consult this resource.
Risk and Regulatory Information
Severity: high
CVSS: 6.7
Policy Category: Needs Remediation
Application
See more detail in the NowSecure Report
Evidence
| minSdkVersion |
|---|
| 23 |