Finding Description
Writable executable files were found within the application, and ZIP files were observed in transit over the network. Together these indicate a high probability of a remote code execution vulnerability: a remote attacker who can intercept and modify the app's insecure communications could replace the archive's contents with code of their choosing, which the app then writes to an executable location and runs. The result is arbitrary code execution in the app's context, leading to data exfiltration or changes to how the app functions. Executable code should be completely controlled and protected, as it is crucial to the app's processes, security and privacy. Once an attacker has RCE, they can leverage the app as a phishing vector, deliver malware, steal confidential data, monitor the user, or display offensive content. The same vector could also be used to bypass controls the app uses to protect intellectual property.
Steps to Reproduce
While the app is running on a physical device, the analysis watches for ZIP files sent over insecure channels and checks for writable executable code (for example .dex, .jar or native binaries with the write bit set). If both are found, the finding is raised because remote code execution is likely. This is a heuristic correlation rather than a demonstrated exploit: confirm it by verifying that the archive fetched over the insecure channel is the one extracted into, or loaded from, the writable executable location, and, on a rooted device, by listing the app's data directory (ls -l) to see the permissions actually set on the executable files.
Business Impact
This app lets code from outside it change how it works. A network attacker positioned to tamper with the insecure download, or other apps on the device that can write to the executable files, could inject code to modify the app's behavior or to gain access to confidential data on the device or network.
Remediation Resources
If possible, do not give the app write access to executable files at all. Apps that download code do need write access briefly, while the file is being written; as soon as the write completes, change the permissions to read-only for scripted or interpreted code such as Dex files or .jar archives, and to read-and-execute (no write) for native binaries, before anything loads or executes the file. Android increasingly enforces this itself: apps targeting Android 10 (API 29) and later cannot exec() binaries from their writable home directory, and apps targeting Android 14 (API 34) and later get an exception from the class loader when a dynamically loaded dex or jar file is still writable. Also avoid transmitting ZIP files over the network insecurely. If they must be fetched, use TLS with proper certificate validation or pinning, disable cleartext traffic in the app's Network Security Config (cleartextTrafficPermitted="false"), and verify the archive's integrity (for example a signature over it) before loading anything from it.
For more detail and an example of this vulnerability, refer to this blog post. Details and code snippets on how to securely handle data on the device can be found at https://developer.android.com/topic/security/data.
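Putting the remediation steps together, as an added example that is not code from this page or from NowSecure: the archive is downloaded over HTTPS with the platform's default chain validation plus a public-key pin, the dex is written into app-private storage, its write bit is dropped before a class loader ever sees it, and native binaries get read-and-execute instead of read-only. The class name PluginLoader, the methods fetchAndLoadPlugin, sealExecutable and spkiPin, and the values of PLUGIN_URL and PIN_SHA256 are all hypothetical.

```java
// Added example (not code from the page or from NowSecure). PluginLoader, fetchAndLoadPlugin,
// sealExecutable, spkiPin, PLUGIN_URL and PIN_SHA256 are hypothetical names and values.
import android.content.Context;
import android.util.Base64;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import javax.net.ssl.HttpsURLConnection;

public final class PluginLoader {
    // Hypothetical update endpoint and pin (base64 SHA-256 of the server's SubjectPublicKeyInfo).
    private static final String PLUGIN_URL = "https://updates.example.com/plugin.zip";
    private static final String PIN_SHA256 = "sha256/REPLACE_WITH_YOUR_SPKI_PIN=";
    private static final String DEX_ENTRY = "classes.dex";

    private PluginLoader() {}

    /** Downloads the archive over TLS, extracts the dex, seals it read-only, then loads it. */
    public static Class<?> fetchAndLoadPlugin(Context ctx, String className) throws Exception {
        // https:// only; a plain http:// URL here is exactly the insecure channel the finding describes.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(PLUGIN_URL).openConnection();
        // App-private storage, not external storage that other apps can write to.
        File dex = new File(ctx.getDir("plugins", Context.MODE_PRIVATE), "plugin.dex");
        try {
            conn.connect(); // default chain validation against the device trust store happens here
            // Pin the leaf certificate's public key on top of chain validation.
            String seen = spkiPin(conn.getServerCertificates()[0]);
            if (!PIN_SHA256.equals(seen)) {
                throw new SecurityException("certificate pin mismatch: " + seen);
            }
            boolean found = false;
            try (ZipInputStream zin = new ZipInputStream(conn.getInputStream())) {
                for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                    if (!DEX_ENTRY.equals(e.getName())) continue; // ignore every other entry
                    // The only moment the file is writable: while we are writing it.
                    try (OutputStream out = new FileOutputStream(dex)) { copy(zin, out); }
                    found = true;
                    break;
                }
            }
            if (!found) throw new IOException("archive has no " + DEX_ENTRY);
        } finally {
            conn.disconnect();
        }
        // Drop the write bit before the file is ever handed to a class loader.
        sealExecutable(dex, false);
        // optimizedDirectory is ignored since API 26, but the constructor still takes it.
        ClassLoader loader = new DexClassLoader(dex.getAbsolutePath(),
                ctx.getCodeCacheDir().getAbsolutePath(), null, ctx.getClassLoader());
        return loader.loadClass(className);
    }

    /**
     * Applies the permission rule from the remediation: read-only for interpreted code
     * (.dex/.jar), read+execute with no write for native binaries. Throws if any bit
     * cannot be changed or the file is still writable afterwards.
     */
    public static void sealExecutable(File f, boolean nativeBinary) throws IOException {
        boolean ok = f.setWritable(false, false);   // clear write for owner and others
        ok &= f.setReadable(true, true);            // readable by the owner (the app) only
        ok &= nativeBinary ? f.setExecutable(true, true) : f.setExecutable(false, false);
        if (!ok || f.canWrite()) throw new IOException("could not seal " + f);
    }

    /** HPKP-style pin: "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)) of the certificate. */
    static String spkiPin(Certificate leaf) throws Exception {
        byte[] spki = leaf.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    private static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
    }
}
```

Two practical notes. Pin a backup key as well as the current one, or key rotation will lock the app out of its own update server; and pair the code with a network_security_config.xml that sets cleartextTrafficPermitted="false" so an accidental http:// URL elsewhere in the app cannot reintroduce the insecure channel. TLS and pinning protect the transport only; a signature over the archive, checked before sealExecutable and the class loader run, is what protects against a compromised or misconfigured update server.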
Risk and Regulatory Information
Severity: Critical; CVSS: 9.8
Application
See more detail in the NowSecure Report