The number of Smartphone users surpassed the 3.4 Billion mark in 2020. The experts are expecting this figure to reach 3.8 Billion by the end of year 2021. These numbers are an indication of people preferring Smartphones for personal and business activates. Although the desktop/laptop usage rules the enterprises, the advancement in Smartphone technology has really challenged their dominance. The modern Smartphones are equipped with dynamic applications, blazing fast computing technology, AI-enabled assistance, adequate storage capabilities, and round the clock connectivity features to replace many of the traditional computing devices. From security perspective, the huge induction of Smartphone in the market is a security risk; especially the Smartphone applications. In this article, we shall cover the top Android applications’ vulnerabilities that can challenge the data security and privacy of the users.
How Android Applications Work?
Before discussing the Android application vulnerabilities, it is important to understand how Android applications work. The Android system is a multi-user Linux OS where each application is assumed as a unique user. Android Applications are usually written in C++, Java, and Kotlin languages. Each Android application comprises of the following four components.
- Broadcast receivers
- Content providers
The activity serves as an entry point for the users to interact with the application; the service is application processes running in the background; the broadcast receiver is responsible for delivering system events; the content provider is app’s data management facility. It shares data with other apps if the application grants the permission. The Android Software Development Kit (SDK) tools are used to compile the application codes into an Android Package (.APK) file. This (.APK) installs the application on Android devices. Each installed application runs in an isolated environment with a unique ID under the principle of least privilege. Despite the unique id and sandbox environment, many apps require the services of other apps to operate or communicate. In this way, Android apps deliberately or unwillingly share data with other apps on the system.
Android Applications Vulnerabilities
Following is a brief discussion about some critical Android-application vulnerabilities that do exist in 2021.
1) Insecure Authentication
Insecure authentication is a serious Android application issue. The vulnerability is listed in OWASP top 10 mobile security vulnerabilities. The insecure authentication allows the attacker to anonymously execute the requests without access tokens. The applications are unable to identify the user performing the requests. Hence, it is impossible to log the user activities or perform the security audit. Trace-route of an attack is also nearly impossible due to weak or no authentication vulnerability in Android apps.
2) Improper Certificate Validation
Improper certificate validation is the incapability or failure of android applications to validate the SSL/TLS certificate. An attacker creates a fake certificate and sends to the user application. The application with the poor validation system assumes the certificate is from a trusted body, thus allowing the adversary to eavesdrop on the post certification-validation communication through man in the middle attack.
3) Binary Protection Failure
Many Android applications including the financial apps are vulnerable to binary code reverse engineering attacks. Adversaries are able to decompile the apps data to find and target the weaknesses in the applications. For example, some applications use hard-coded API keys in the binary files. The attackers can easily claim those keys if there is no binary code protection. Binary obfuscation is the process of hardening the mobile applications source code so that an attacker should not be able to tamper the application. However, different research studies show that a large number of Android applications lack the ability of applying the binary obfuscation techniques to safeguard the source code.
4) Insecure Data Storage
Insecure data storage is an old Android applications vulnerability that still exists in 2021. According to Positive Technologies’ 2019 mobile applications threat report, the insecure data storage problem was present in 76% of mobile applications tested by the company. Many applications that store the sensitive data in local or external storage instead of sandbox environment are vulnerable to insecure data storage issues. The opportunity allows the hackers to steal sensitive data from such applications without physical access.
5) Data Transport Vulnerability
Some android applications fail to implement the SSL/TLS security (they use for authentication) for network traffic. The data without transport layer security is vulnerable to eavesdropping or interception due to no encryption or security measures adopted by the application. An application using the HTTPS protocol is often vulnerable to such attack due to fake SSL/TLS certificates used for connection validations.
6) Bruteforce Attacks
Bruetforce is a common mobile application attack. Many Android applications use a four or six digit pin as a security challenge. Some applications don’t apply the restrictions on number of attempts made to guess the secret pin. Such mobile applications can easily be broken with a simple bruteforce attack.
7) Data Leakage Problems
Data leakage or information sharing is a very common Android applications problem. Majority of the Android apps including finance & eCommerce collect sensitive user information. Oftentimes, the collected data is shared with other applications or third-party services unintentionally, accidentally, or without the consent of the user. The NowSecure, a mobile apps security software and services provider, conducted a security test of 250 popular Android applications offering finance, retail, and traveling services. The results showed that 70% of the apps were vulnerable to data leakage problems.
8) Session Mishandling
Some Android apps are designed to have a never ending or long sessions to improve the user experience. Although, this strategy is helpful from business perspective, the feature is also helpful for the attackers. If a rogue user manages to get access to the session token, he can impersonate as a legitimate user and even get administrative privileges by improvising the attack.
9) Weak Cryptography
Data security is incomplete without cryptography. Mobile applications are also dependent on cryptographic measures to secure the sensitive data. However, some Android apps use weak cryptography that results in data exposure to unintended users. 100% dependence on built-in data encryption processes, use of custom and unapproved encryption protocols, and storing of cryptographic keys on the application’s local file system (poor key management) are few examples of weak cryptographic approaches.
10) Insecure Inter-process Communication
Insecure inter-process is another critical vulnerability found in Android applications. The building blocks of an android application are known as application components. These components communicate with each other to serve the end users. One of the core components of Android applications is called broadcast receiver. Its role is to deliver events to the apps so that they can respond to system-wide broadcast messages. If an attacker manages to register a malicious code as a legit broadcast receiver instance, any sensitive information shared among android components can be intercepted by the malware. Such instance allows an attacker to remotely access the data processed by the vulnerable applications.
Android and iOS are two widely used mobile platforms. Both have advantages and disadvantages in terms of services and security. Android is expected to capture 87% of the market share in 2022. This dominance over other mobile operating systems will also create more security challenges for Android developers. The aforementioned application vulnerabilities are main security threats in 2021 that must be addressed to safeguard the data and privacy of billions of Android users.