
Android And iOS Apps Contain Multiple Vulnerabilities

Android apps, including those pre-installed on some mobile devices, contain multiple vulnerabilities. All of these vulnerabilities were reported by Kryptowire. The vulnerabilities in pre-installed apps were presented at DEF CON 26, and a different set of vulnerabilities was previously coordinated by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and the National Cybersecurity and Communications Integration Center (NCCIC).

Description

Many Android mobile devices come with OEM-pre-installed apps. Some apps have been identified as having incorrect access control settings, allowing malicious third-party apps to exploit and bypass system permissions and settings. Additionally, some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access.

Kryptowire has released a paper documenting 38 vulnerabilities in various Android smartphone devices. These vulnerabilities are largely attributed to incorrect user permissions and access control settings in OEM pre-installed apps, and may be exploitable via malicious third-party apps installed by the user. Two of the vulnerabilities are exploitable via the Android Debug Bridge (adb).

Kryptowire, in collaboration with DHS S&T and the NCCIC, previously discovered and reported the following vulnerabilities.



CWE-295: Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

Vulnerable app:
(CVE-2017-13105) Virus Cleaner ( Hi Security ) – Antivirus, Booster, 3.7.1.1329
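
Two of the issue classes in this note lend themselves to a static check on an unpacked app: components that an OEM app exposes to other apps without a permission guard (the access-control problem described above), and a TrustManager that accepts any server certificate (CWE-295). The script below is an added example written for this post, not code from Kryptowire or from any of the listed vendors; it assumes a decoded AndroidManifest.xml and Java source text as inputs (such as apktool or jadx produce) and uses constructed samples so it runs offline.

```python
"""Audit helpers: exported components without a permission, and trust-all
TrustManagers (CWE-295). Inputs are decoded manifest XML and Java source."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

def exposed_components(manifest_xml: str) -> list[tuple[str, str]]:
    """Return (kind, name) for components other apps can reach with no
    android:permission guard. A component is treated as exported when it
    says android:exported="true", or when it omits the attribute but has an
    intent-filter (the implicit default before Android 12)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for app in root.iter("application"):
        for comp in app:
            if comp.tag not in COMPONENTS:
                continue
            exported = comp.get(ANDROID_NS + "exported")
            if exported is None:
                exported = "true" if comp.find("intent-filter") is not None else "false"
            if exported == "true" and comp.get(ANDROID_NS + "permission") is None:
                findings.append((comp.tag, comp.get(ANDROID_NS + "name", "?")))
    return findings

# checkServerTrusted whose body is empty, a bare return, or only comments:
# the "trust every certificate" pattern behind CWE-295.
TRUST_ALL = re.compile(
    r"checkServerTrusted\s*\([^)]*\)[^{]*\{\s*(?://[^\n]*\s*)*(?:return\s*;\s*)?\}", re.S)

def trusts_any_certificate(java_src: str) -> bool:
    return TRUST_ALL.search(java_src) is not None

# Constructed sample inputs (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.oem.tools">
  <application>
    <activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <service android:name=".PrivilegedService" android:exported="true"/>
    <receiver android:name=".Guarded" android:exported="true"
              android:permission="android.permission.REBOOT"/>
    <provider android:name=".Internal" android:exported="false"/>
  </application>
</manifest>"""
SAMPLE_JAVA = """TrustManager tm = new X509TrustManager() {
  public void checkServerTrusted(X509Certificate[] c, String a) { }
  public X509Certificate[] getAcceptedIssuers() { return null; } };"""

if __name__ == "__main__":
    print(exposed_components(SAMPLE_MANIFEST))  # [('activity', '.Main'), ('service', '.PrivilegedService')]
    print(trusts_any_certificate(SAMPLE_JAVA))   # True
```

The launcher activity is reported too, since it is exported by design; the finding to act on is a privileged service or provider that appears in the list.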

CWE-798: Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Vulnerable apps:
(CVE-2017-13100) The Moron Test, 6.3.1, 2017-05-04, iOS
(CVE-2017-13101) musical.ly – your video social network, 6.1.6, 2017-10-03, iOS
(CVE-2017-13102) Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS
(CVE-2017-13103) Pinterest, 6.37, 2017-10-24, iOS
(CVE-2017-13104) UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS
(CVE-2017-13105) Virus Cleaner ( Hi Security ) – Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android
(CVE-2017-13106) CM Launcher 3D – Theme,wallpaper,Secure,Efficient, 5.0.3, 2017-09-19, Android
(CVE-2017-13107) Live.me – live stream video chat, 3.7.20, 2017-11-06, Android
(CVE-2017-13108) DFNDR Security: Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android

The CVSS score below reflects a worst-case scenario of code execution as a system user; many devices and vulnerabilities have significantly lower impacts and therefore lower CVSS scores.

Impact

The impacts are wide-ranging depending on the device; at worst, a remote unauthenticated attacker may be able to execute commands as a system user if a victim can be enticed to install a malicious app capable of exploiting the vulnerability. Affected users are encouraged to review the specific impacts in the paper from Kryptowire.

Solution

Apply an update

If available, update your device’s system version of Android and apply any available Google Play / Apple Store updates to installed apps.

Use caution installing third-party apps

Apps should be installed only from official sources. Users should consider if any given third-party app is necessary to the usage of the device and take appropriate action.

Vendor Information

Vendor            Status     Date Notified   Date Updated
cheetah mobile    Affected   07 Nov 2017     14 Aug 2018
distinctdev       Affected   07 Nov 2017     14 Aug 2018
Gameloft          Affected   07 Nov 2017     14 Aug 2018
Hi Security Lab   Affected   22 Dec 2017     14 Aug 2018
Live Me           Affected   07 Nov 2017     14 Aug 2018
Pinterest         Affected   07 Nov 2017     14 Aug 2018
psafe             Affected   07 Nov 2017     14 Aug 2018
Tik Tok           Affected   07 Nov 2017     14 Aug 2018
UberEats          Affected   07 Nov 2017     14 Aug 2018




Duncan

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
