NowSecure static analysis: Application Code Can Potentially Be Replaced Using Janus Vulnerability

[lcimeni]

Finding Description

The application is vulnerable to the Janus exploit. This would allow malicious actors to possibly inject their own code into the binary package and release it as a legitimate version of the app. Additionally, this is indicative of the app allowing or using some very outdated security protections. Allowing an app to run on an Android operating system that low, and using a signing scheme that outdated are inherently dangerous as they are not updated to patch security vulnerabilities anymore.

Steps to Reproduce

There are two components that this test looks for: the minimum Android API level that is targeted by the application, and the signing scheme used to sign the app binary.

Business Impact

The application can potentially be replaced with a malicious app without users being aware. The app could then steal user data or perform any number of other attacks while masquerading as a legitimate app.

Remediation Resources

Recommended Fix

The application should target a minimum Android SDK level of 25 or higher, and use a signing scheme more recent than v1.

Code Samples

Sample AndroidManifest Targeting a minimum of 25 (.xml)

<uses-sdk android:minSdkVersion="25" android:targetSdkVersion="30" />

Sample Gradle configuration to set minimum SDK (.java)

android {
compileSdkVersion 28
buildToolsVersion "28.0.2"

defaultConfig {
applicationId "com.myapp.isawesome"
minSdkVersion 25
targetSdkVersion 30

Additional Guidance

• A Guide to Android Keysigning https://developer.android.com/studio/command-line/apksigner
• This resource details different ways of signing an app with a key/keystore and walks through ways to have Android Studio automatically sign the app and have it managed by Google: https://developer.android.com/studio/publish/app-signing#generate-key
• This article provides information on key rotation: https://source.android.com/security/apksigning/v3#proof-of-rotation-and-self-trusted-old-certs-structs
• NIST CVE liting for Janus Vulnerability https://nvd.nist.gov/vuln/detail/CVE-2017-13156

Risk and Regulatory Information

Severity: medium CVSS: 6.7

• CWE: 310, 326
• NIAP: FPT_TUD_EXT.1.6, FCS_COP.1.1(3)
• FISMA LOW: SC-13 CRYPTOGRAPHIC PROTECTION
• FISMA MED: SI-7 SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY
• Risk OWASP: Mobile Top 10: M5-Insufficient Cryptography
• GDPR: Risks violating Article 25, Risks violating Article 32
• FFIEC: May violate D3.PC.Se.Int.3
• PCI: May violate requirement 3.6.1
• HIPAA: May violate §164.312(a)(1): Standard: Access control.
• CCPA: Risks violating CCPA: exfiltration, theft, or disclosure of PII
• CWE Top 25: 2020 CWE Top 25 Most Dangerous Software Errors

Application

• Platform: android
• Package: com.grammarly.android.keyboard

See more detail in the NowSecure Report

[lcimeni]

Update: The fix for this finding has been verified by NowSecure.

Powered by NowSecure Platform