Android security updates: Everything you need to know
Source: Nick Sutrich / Android Central
Google has detailed the latest Android Security Bulletin and released the fixes for Pixel devices.
These are exploits and other security concerns that affect Android as a whole. Issues with the operating system, kernel patches, and driver updates may not affect any particular device, but they need to be fixed in the Android base by the people maintaining the operating system code. That means Google, and it has detailed what it has improved this month.
Updated factory images for Pixel devices that are still supported are available, and over-the-air updates are rolling out to users. If you don’t want to wait, you can download and flash the factory image or OTA update file manually, and here are some handy instructions to get you started.
The company that made your phone uses these patches to send an update out to you.
These changes have been released to the people making the best Android phones for at least 30 days, but Google can’t force anyone to deliver them to you. So if you’re using a phone from Samsung, LG, or anyone besides Google, you’ll need to wait for them to send an update and shouldn’t try to flash any of the above files. It might have already happened, as OEMs can send out the patch before the deadline Google must adhere to so that the exploits aren’t publicized.
Of course, Google has safety checks in place to prevent any problems on your phone because of any security exploits. Verify Apps and SafetyNet are at work anytime you add an app to your phone, and seamless updates to Google Play Services will keep them up to date regardless of any hold up from a manufacturer or carrier. Details about Android Enterprise Security can be found here.
Devices with Android 10 and later may also receive security updates as Google Play system updates thanks to Project Mainline.
Highlights of November 2021 security bulletin
- As usual, the Android Framework and Media Framework have had high-severity issues addressed.
- High-severity vulnerabilities in Android system components were patched.
- Qualcomm and MediaTek closed-source components for devices using these companies’ hardware were patched.
- Tethering and Media Framework components were updated through Project Mainline.
Pixel-specific updates
Source: Hayato Huseman / Android Central
Every month, Google releases Pixel-specific patches for the phones currently being supported, including the Pixel 3, Pixel 3a, Pixel 4, Pixel 4a, Pixel 5, and Pixel 5a. For November 2021, there are several bug fixes included with the security patch.
Full details for the November 2021 security bulletin are available at the Android Security website. Security patch notes for Pixel devices are detailed here and functional changes/bug fixes are detailed here.
You can see the Android Security website for details on all the bulletins, and Google also breaks down the separate Pixel-specific changes as well.
A Security Analyst’s Guide to Network Security Configuration in Android P
As data privacy becomes increasingly important, Google has been introducing mobile OS enhancements to safeguard all data that traverses Android mobile devices and endpoints. Set for release in August, network communications in Android 9.0 P (Pie) will default to TLS. Android mobile app developers will either need to update their back-end services to support HTTPS or implement the Android Network Security Configuration feature to prevent app connections from failing.
When Android 6.0 Marshmallow was released, Google introduced the manifest attribute android:usesCleartextTraffic as a means to protect against accidental use of cleartext traffic. Android 7.0 Nougat extended this attribute by introducing the Android Network Security Configuration feature, which allows developers to be more prescriptive about secure communications. Network Security Configuration is an XML file in which developers customize network security settings for an Android app.
Some of you may think this sounds familiar. iOS uses a similar client-side check known as App Transport Security. While there are quite a few similarities between the protections Network Security Configuration offers and those of NSAppTransportSecurity, the two take very different approaches to network security on their respective platforms. To learn more about ATS, check out my previous blog.
Let’s examine several benefits of using Network Security Configuration in Android mobile apps and dive into best practices for implementing this feature.
1. Protect against regressions to cleartext traffic
Security is more about layers of protection than a single iron wall. The Android Network Security Configuration feature provides a simple layer to protect apps from unintentionally transmitting sensitive data in unencrypted cleartext.
If you don’t know what “unencrypted communications” means, think of it this way — let’s say your office has a policy to send all shipments via UPS. A new intern joins the office and is tasked with shipping equipment to an office across the country. Oblivious to the policy and with all the best intentions, the intern sets up all shipments to be sent through an unknown, less expensive service. The Android Network Security Configuration feature is like the shipping/receiving manager who examines all inbound and outbound shipments and stops the shipment before the equipment gets into the hands of an unvetted delivery system. It can be used to prevent the accidental use of untrusted, unencrypted connections.
One of the biggest changes in Android 9 is that cleartextTrafficPermitted is set to false by default. This means that if the flag is not explicitly set to false and the app targets an API level lower than 28, the flag is treated as true.
The cleartextTrafficPermitted flag can also be applied per domain in the Network Security Config, so the true setting can be confined to specific domains and their subdomains:
2. Set up trusted Certificate Authorities for secure connections
Trusted Certificate Authorities (CA) act as the circle of trust. In the previous example, the office policy was to ship with UPS, but that policy could be expanded to FedEx, DHL, and so forth. Essentially, who do you trust to securely send app data and prevent man-in-the-middle attacks? Developers can use the Android Network Security Configuration feature to designate which CAs they trust to issue certificates and ensure secure communications.
To start, Android Network Security Configuration gives developers a few options in terms of which CAs they should trust. By default, the trust anchor used by Android 7+ (Nougat, Oreo and Pie) will be the pre-installed system CA certificates, noted as system:
In Android 6 (Marshmallow) and below, your default trust anchor will also include user-installed certificates, noted as user:
Finally, you can set a custom trust anchor:
3. Implement certificate pinning
Implementing certificate pinning offers yet another layer of security. Let’s revisit the running example of shipping equipment. If trusted CAs are like UPS, FedEx, etc., then certificate pinning is akin to specifying which of those companies’ drivers you trust to send your shipment. The Android Network Security Configuration feature can be used to restrict communications with only specific certificates issued by a trusted CA.
We discussed different implementations of certificate pinning in a previous blog post. In the example below, we see we can pin to a specific domain and subdomains, set pins along with backups, and set an expiration date.
4. Debug app network connections
Another option offered in Android Network Security Configuration is debug-overrides. This feature allows you to have settings in the Network Security Config that are only honored when android:debuggable is set to true. For example, you can configure a custom trust anchor for a quality assurance/pre-production environment using a custom CA. This eases testing in a closed environment, because the app store does not accept apps marked debuggable.
Implementation Advice
Now that you understand a few of the benefits of deploying Network Security Configuration, let’s cover some best practices for implementing this file.
First, check the app manifest to see if it uses this feature. Look for the attribute android:networkSecurityConfig, which would appear similar to this:
Once you’ve located the Network Security Configuration file, it’s time to check how to permit cleartext traffic.
The example code snippet below shows a bad example of how someone might use Network Security Configuration.
While this ensures all traffic to example.com and cdn.example2.com is sent over HTTPS, the default configuration for all traffic sent to other domains can be cleartext. This completely defeats the intended purpose of the Network Security Configuration feature — to improve the privacy of all data transmitted through Android devices.
If your mobile app must send some data in cleartext, restrict that exception to the specific domains that need it so that communications with every other domain stay encrypted. In addition, carefully scrutinize the endpoints for which HTTP is explicitly allowed, checking for sensitive data and other API-related issues:
Another thing to consider regarding the cleartextTrafficPermitted flag is that it defaults to true on Android 8 and lower. Because of this, explicitly set the flag to false in every app’s Network Security Configuration.
Let’s look at another example below:
In this example, we see the app is accepting user certs within the app’s trust anchor. This means that user-installed certs will be trusted by the app the same way pre-installed system certs are. When configuring the trust anchors used by the app, it’s best to limit trust to the system certs and, when necessary, to a custom CA bundled within the app. This helps prevent MITM attacks in which an attacker is able to install a cert on the device. As part of the protections introduced in Android 7, a user-installed certificate is by default not trusted the way pre-installed certificates are. As stated earlier, Android 6 and below accept user certs by default, so it’s important to explicitly select system and/or a custom CA when necessary and exclude user in all apps.
Let’s look at an example implementation of pinning:
The example above reveals two potential issues within the app. First, there is no expiration set for the pin-set. Second, there is no backup pin. A smart strategy is to set an expiration for the pins and have multiple backup pins; it is not unheard of to have four pins in rotation. If you do not explicitly set an expiration date for the pin, your app will fail to connect once the pinned certificate expires. But if you set an expiration and the pin expires, the app will fail over to the system CAs on the device instead of failing to connect.
Finally, let’s talk about the Network Security Config debug-overrides.
While the debug feature can help eliminate debug network code in an app, make sure to remove any debug CAs from the app. As a best practice, avoid leaving unnecessary information in your app that could present a security risk, especially internal CA certificates included with the final production build of the app.
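As an added illustration (not code from the original post), here is a small Python audit that parses two constructed network_security_config.xml samples, a weak one and a hardened one, and flags the implementation-advice points above: cleartext permitted by default, cleartext exceptions that need manual review, user trust anchors, pin-sets without an expiration or a backup pin, and a debug-overrides block left in the build. The pin values and the @raw/debug_ca resource name are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the weak configuration the article warns about (placeholder pin and resource).
BAD_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"><trust-anchors><certificates src="system"/><certificates src="user"/></trust-anchors></base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">example.com</domain>
    <pin-set><pin digest="SHA-256">PLACEHOLDER_PIN_1=</pin></pin-set>
  </domain-config>
  <debug-overrides><trust-anchors><certificates src="@raw/debug_ca"/></trust-anchors></debug-overrides>
</network-security-config>"""

# Constructed sample: the hardened shape recommended above; cleartext is confined to one legacy host.
GOOD_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"><trust-anchors><certificates src="system"/></trust-anchors></base-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain>legacy.example.com</domain>
  </domain-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2022-12-31">
      <pin digest="SHA-256">PLACEHOLDER_PIN_1=</pin><pin digest="SHA-256">PLACEHOLDER_PIN_2=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

def audit_nsc(xml_text):
    """Return a list of finding strings for one network_security_config.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    # A missing flag means "true" for apps targeting API < 28, so treat absent as permitted.
    if base is None or base.get("cleartextTrafficPermitted", "true") != "false":
        findings.append("base-config permits cleartext; set cleartextTrafficPermitted=false")
    for dc in root.iter("domain-config"):
        if dc.get("cleartextTrafficPermitted") == "true":  # endpoints to scrutinize by hand
            findings.append("cleartext allowed for: " + ", ".join(d.text.strip() for d in dc.findall("domain")))
    for cert in root.iter("certificates"):
        if cert.get("src") == "user":
            findings.append("trust-anchors include user-installed certs")
    for pins in root.iter("pin-set"):
        if pins.get("expiration") is None:
            findings.append("pin-set has no expiration; app hard-fails when the pin rotates")
        if len(pins.findall("pin")) < 2:
            findings.append("pin-set has no backup pin")
    if root.find("debug-overrides") is not None:
        findings.append("debug-overrides present; confirm no debug CA ships in release")
    return findings
```

Running the audit on the weak sample yields five findings, while the hardened sample yields only the one cleartext exception that an analyst should review by hand.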
From the perspective of a security analyst, knowing how to read and spot issues in the Network Security Configuration is important. As we can see, we are able to find some potential issues in the app before install. But keep in mind that these findings alone aren’t proof that your app’s network connections are secure.
You’ll still need to determine if your app is performing hostname verification, because Network Security Configuration will not protect against those types of issues. Make sure your third-party libraries honor Network Security Configuration. If they don’t, these protections may cause issues in your app. In addition, Network Security Configuration is not honored by lower-level network connections such as websockets. Finally, keep in mind that network-related issues in mobile are only a small part of the overall scope in mobile testing.
Overall, Android Network Security Configuration offers a lot of simple network security features for Android. If your app does not currently take advantage of Network Security Configuration, you will need to use it in the coming year.
Coinciding with the release of Android P, Google has begun enforcing target API levels in the app stores to reduce mobile OS fragmentation and push users to current releases. The current requirement is 26, although Google plans to incrementally increase that number with each new release. By this time next year, API Level 30 (Android Q) will probably be out. That means if your app uses HTTP, it must be declared in the Network Security Configuration file because the mandatory target API level will be 28 by then.
You can learn all about other security enhancements in the Android P release during NowSecure’s webinar — watch here.