Finding Description
ASLR/PIC protection is not implemented for certain components of the binary package.
ASLR (Address Space Layout Randomization) is a security feature introduced in Android that randomizes how an app is loaded and maintained in memory.
ASLR/PIC randomizes the address space used by the application, making it difficult to execute malicious code without first causing the application to crash.
It also complicates the process of dumping the application's allocated memory.
This is a best practice: it is free, does not impact the functionality of the app, and hardens the app from a security perspective.
Buffer overflow exploits have led to severe vulnerabilities such as the major WhatsApp remote takeover vulnerability in 2019.
Evaluation Criteria
This is a warning because some of the components listed in the context table below may be third-party or otherwise unable to be remediated.
The table should be checked and a determination made as to whether remediation is possible for the affected components.
Steps to Reproduce
This test examines the individual components of the compiled binary to see if they were compiled using Position Independent Code (PIC).
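As an added illustration of that check (example code, not NowSecure's own test), the script below inspects native ELF components, such as the .so files unpacked from an APK's lib/ directory, and reports whether each one is position independent. It uses two observable properties of the binary: the ELF file type (ET_DYN for a shared object or PIE, ET_EXEC for a fixed-address executable) and the presence of text relocations (a DT_TEXTREL entry or the DF_TEXTREL bit in DT_FLAGS), which is what non-PIC code leaves behind in a shared library. The build_sample_elf helper constructs minimal synthetic ELF64 blobs for self-contained testing; the file paths and the helper names are assumptions, not from the page.

```python
"""Report whether ELF components were built with Position Independent Code.

Verdict: ET_DYN file type and no text relocations (DT_TEXTREL tag or
DF_TEXTREL flag). Parsing uses only the ELF header, program headers and
the PT_DYNAMIC segment, so no external tooling (readelf) is required.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def _read_header(data):
    """Return (is64, endian, e_type, e_phoff, e_phentsize, e_phnum)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    if is64:
        fields = struct.unpack(endian + "HHIQQQIHHHHHH", data[16:64])
    else:
        fields = struct.unpack(endian + "HHIIIIIHHHHHH", data[16:52])
    e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags, _ehsize, e_phentsize, e_phnum = fields[:10]
    return is64, endian, e_type, e_phoff, e_phentsize, e_phnum


def _dynamic_entries(data, is64, endian, e_phoff, e_phentsize, e_phnum):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment, if present."""
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:  # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _pf, p_offset, _va, _pa, p_filesz = struct.unpack(endian + "IIQQQQ", data[off:off + 40])
        else:     # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_offset, _va, _pa, p_filesz = struct.unpack(endian + "IIIII", data[off:off + 20])
        if p_type != PT_DYNAMIC:
            continue
        fmt, size = (endian + "qQ", 16) if is64 else (endian + "iI", 8)
        pos, end = p_offset, p_offset + p_filesz
        while pos + size <= end:
            tag, val = struct.unpack(fmt, data[pos:pos + size])
            if tag == DT_NULL:
                return
            yield tag, val
            pos += size


def check_pic(data):
    """Classify one ELF blob; returns the verdict with its evidence."""
    is64, endian, e_type, phoff, phentsize, phnum = _read_header(data)
    textrel = False
    for tag, val in _dynamic_entries(data, is64, endian, phoff, phentsize, phnum):
        if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
            textrel = True
    return {
        "type": {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}.get(e_type, hex(e_type)),
        "textrel": textrel,
        # PIC/PIE holds only for a position-independent file with no text relocations
        "pic": e_type == ET_DYN and not textrel,
    }


def build_sample_elf(e_type, dyn_flags=0, add_textrel_tag=False):
    """Constructed sample: a minimal little-endian ELF64 (AArch64) that has
    only a PT_DYNAMIC segment. Enough for the checker, not a loadable library."""
    dyn = [(DT_FLAGS, dyn_flags)]
    if add_textrel_tag:
        dyn.append((DT_TEXTREL, 0))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    dyn_off = 64 + 56  # header (64) + one program header (56)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       e_type, 0xB7, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, dyn_off, 0, 0,
                       len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + phdr + dyn_bytes


if __name__ == "__main__":
    # Usage (assumed paths): python check_pic.py lib/arm64-v8a/*.so
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_pic(fh.read()))
```

Any component reported with "pic": False is a candidate for the context table: an ET_EXEC binary was linked without PIE, and an ET_DYN library with text relocations contains code that was not compiled with -fpic/-fPIC.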
Business Impact
Libraries in this app do not protect against a specific type of attack that can allow an attacker to execute unintended actions.
These custom actions could potentially give them access to sensitive information from the app or the device.
Remediation Resources
Because the Android NDK handles this automatically, it may be worthwhile to switch over to using that capability to manage native libraries.
More information can be found at https://developer.android.com/ndk.
If using the provided NDK is not an option, then the issue is likely in the compiler settings used to build the native libraries.
Make sure that the -fstack-protector-all and -fpic flags are set in the build.gradle file (typically in the cmake/cppFlags).
The third possibility is that there is a third party library causing this problem.
As an example the hybrid framework Flutter will not compile using stack canaries because of the way Dart mitigates buffer overflows.
The libraries and their mitigations should be evaluated and handled according to the company's security standards.
Risk and Regulatory Information
Severity: low CVSS: 1.6
Application
See more detail in the NowSecure Report