NowSecure static analysis: Not Using Built-in Binary Protection (ASLR/PIC) Exposes Components to Memory Corruption Attacks

[lcimeni]

Finding Description

ASLR/PIC protection is not implemented for certain components of the binary package. ASLR (Address space layout randomization) is a security feature introduced in Android that randomizes how an app is loaded and maintained in memory. ASLR/PIC randomizes the address space used in the application, making it difficult to execute malicious code without first causing the application to crash. It also complicates the process of dumping allocated memory of the application. This is a best practice as it is free and does not impact functionality of the app but does harden the app from a security perspective. Buffer overflow exploits have led to severe vulnerabilities such as the major WhatsApp remote takeover vulnerability in 2019

Evaluation Criteria

This is a warning as some of the components listed in the evidence table may be 3rd party or unable to be remediated. The table should be checked and a determination made if remediation is possible for the affected components.

Steps to Reproduce

This test examines the individual components of the compiled binary to see if they were compiled using Position Independent Code (PIC).

Business Impact

Libraries in this app do not protect against a specific type of attack that can allow an attacker to execute unintended actions. These custom actions could potentially give them access to sensitive information from the app or the device.

Remediation Resources

Because the Android NDK handles this automatically, it may be worthwhile to switch over to using that capability to manage native libraries. More information can be found at https://developer.android.com/ndk.

If using the provided NDK is not an option, then the issue is likely in the compiler settings for the native libraries that caused the vulnerability to pop up. Make sure that the -fstack-protector-all and -fpic flags are set in the build.gradle file (typically in the cmake/cppFlags).

The third possibility is that there is a third party library causing this problem. As an example the hybrid framework Flutter will not compile using stack canaries because of the way Dart mitigates buffer overflows. The libraries and their mitigations should be evaluated and handled according to the company's security standards.

Risk and Regulatory Information

Severity: low CVSS: 1.6

• CWE: 119
• NIAP: FPT_AEX_EXT.1.1
• ioXt: SD114
• FISMA LOW: SI-3 MALICIOUS CODE PROTECTION, SC-39 PROCESS ISOLATION
• FISMA MED: SI-16 MEMORY PROTECTION
• Risk OWASP: Mobile Top 10: M7-Client Code Quality
• GDPR: Risks violating Article 25, Risks violating Article 32
• FFIEC: May violate D3.PC.Im.I.6, May violate D3.PC.Se.B.1
• PCI: May violate requirement 6.5
• HIPAA: May violate §164.312(c)(1): Standard: Integrity.
• CCPA: Risks violating CCPA: exfiltration, theft, or disclosure of PII
• CWE Top 25: 2020 CWE Top 25 Most Dangerous Software Errors

Application

• Platform: android
• Package: com.grammarly.android.keyboard

See more detail in the NowSecure Report

[lcimeni]

Update: The fix for this finding has been verified by NowSecure.

Powered by NowSecure Platform