Getting Security Issues in Android Signed apk

Environment

OS: macOS High Sierra 10.13.4
Node: 10.1.0
Yarn: Not Found
npm: 5.6.0
Watchman: 4.9.0
Xcode: Xcode 9.3.1 Build version 9E501
Android Studio: 3.2 AI-181.5540.7.32.5014246

Packages: (wanted => installed)
react: 16.3.1 => 16.3.1
react-native: 0.55.4 => 0.55.4

Description

We are using the tool Codified Security to find out the security issues in the signed apk and we are getting the following security issues:

1. App creates a temp file

You need to fix this because: Sensitive data might be written into a temp file. You can fix this by changing this in your code: avoid creating temp files.

Common Weakness Enumeration: CWE-295 — The software does not validate, or incorrectly validates, a certificate.

Problem has been found in: com/facebook/cache/disk/DefaultDiskStorage.java

    try {
        paramString = new InserterImpl(paramString, paramObject.createTempFile(localFile));
        return paramString;
    localStringBuilder.append(resourceId);
    localStringBuilder.append(".");
    return File.createTempFile(localStringBuilder.toString(), ".tmp", paramFile);
    }

com/facebook/react/modules/camera/ImageEditingManager.java

    paramContext = localFile;
    }
    return File.createTempFile("ReactNative_cropped_image_", getFileExtensionForType(paramString), paramContext);
    }
    if ((localObject != null) && (!((String)localObject).isEmpty())) {
        File localFile = ImageEditingManager.createTempFile(mContext, (String)localObject);
        ImageEditingManager.writeCompressedBitmapToFile(paramVarArgs, (String)localObject, localFile);

com/google/android/gms/common/data/BitmapTeleporter.java

    try {
        localFile = File.createTempFile("teleporter", ".tmp", zali);
    }

2. TCP socket usage detected

You need to fix this because: TCP sockets need to be encrypted, otherwise they may be vulnerable to the following attack mechanisms: DoS attacks, replay attacks, man in the middle (MITM) attacks, eavesdropping and subsequent impersonation. It's highly recommended to use TLS or other methods to secure your connection.

Common Weakness Enumeration: CWE-941 — The software creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor. More information can be seen on the CWE website.

PCI compliance: This app may be in breach of PCI-DSS 2.2.3, 2.3 and 4.1. SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.

HIPAA compliance (Transmission Security): This app may be in breach of HIPAA encryption requirements. SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.

GDPR compliance: This app may be in breach of GDPR encryption requirements. SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.

OWASP compliance (OWASP M3: Insufficient Transport Layer Protection): This app may be in breach of OWASP encryption requirements. SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.

Problem has been found in: okio/Okio.java

import java.io.InterruptedIOException;
import java.io.OutputStream;
import java.net.Socket;
import java.net.SocketTimeoutException;

okhttp3/Connection.java

package okhttp3;
import java.net.Socket;

okhttp3/ConnectionPool.java

import java.lang.ref.Reference;
import java.net.Socket;
import java.util.ArrayDeque;

okhttp3/OkHttpClient.java

import java.net.Proxy;
import java.net.ProxySelector;
import java.net.Socket;
import java.net.UnknownHostException;

okhttp3/internal/Internal.java

import java.net.MalformedURLException;
import java.net.Socket;
import java.net.UnknownHostException;

okhttp3/internal/Util.java

import java.lang.reflect.Array;
import java.net.IDN;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.Charset;

okhttp3/internal/connection/RealConnection.java

import java.net.Proxy;
import java.net.Proxy.Type;
import java.net.Socket;
import java.net.SocketException;

Object localObject2 = route.address();
if ((((Proxy)localObject1).type() != Proxy.Type.DIRECT)
    && (((Proxy)localObject1).type() != Proxy.Type.HTTP)) {
    localObject1 = new Socket((Proxy)localObject1);
} else {

okhttp3/internal/connection/StreamAllocation.java

import java.lang.ref.Reference;
import java.lang.ref.WeakReference;
import java.net.Socket;
import java.util.List;

okhttp3/internal/http2/Http2Connection.java

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Collection;

okhttp3/internal/platform/AndroidPlatform.java

import java.lang.reflect.Method;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.Certificate;

okhttp3/internal/platform/Platform.java

import java.lang.reflect.Field;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.ArrayList;

okhttp3/internal/ws/RealWebSocket.java

import java.io.IOException;
import java.net.ProtocolException;
import java.net.Socket;
import java.util.ArrayDeque;

com/facebook/react/modules/network/TLSSocketFactory.java

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;

Please suggest how we can resolve these issues.

Thanks
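The second finding asks for TLS on every socket, and the maintainer reply below notes that the warnings went away once React Native 0.58 pulled in okhttp's TLS updates. As an added example (not code from this issue, React Native or okhttp), here is how an app-level OkHttp 3 client can be restricted to TLS 1.2 with modern cipher suites and no cleartext fallback; the class name SecureHttpClientFactory and the okhttp3 3.12+ assumption are mine.

```java
// Added example, not from the issue or React Native: an OkHttp 3 client limited
// to TLS 1.2 with OkHttp's MODERN_TLS cipher suites and no cleartext spec.
// Assumes okhttp3 (3.12 or later) on the classpath; the class name is hypothetical.
import java.util.Collections;
import java.util.List;

import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

public final class SecureHttpClientFactory {

    private SecureHttpClientFactory() {}

    /** TLS 1.2 only, on top of MODERN_TLS (forward-secret AEAD cipher suites). */
    static ConnectionSpec tls12Only() {
        return new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .build();
    }

    /**
     * Because ConnectionSpec.CLEARTEXT is left out of the list, OkHttp refuses
     * any http:// route instead of opening a plain java.net.Socket to it.
     */
    public static OkHttpClient build() {
        List<ConnectionSpec> specs = Collections.singletonList(tls12Only());
        return new OkHttpClient.Builder()
                .connectionSpecs(specs)
                .build();
    }

    /** Offline check: does this client still permit cleartext connections? */
    static boolean allowsCleartext(OkHttpClient client) {
        return client.connectionSpecs().contains(ConnectionSpec.CLEARTEXT);
    }

    /** Offline check: could any pre-1.2 TLS version still be negotiated? */
    static boolean allowsLegacyTls(OkHttpClient client) {
        for (ConnectionSpec spec : client.connectionSpecs()) {
            if (!spec.isTls() || spec.tlsVersions() == null) continue;
            for (TlsVersion v : spec.tlsVersions()) {
                if (v != TlsVersion.TLS_1_2 && v != TlsVersion.TLS_1_3) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        OkHttpClient client = build();
        System.out.println("cleartext allowed: " + allowsCleartext(client));
        System.out.println("legacy TLS allowed: " + allowsLegacyTls(client));
    }
}
```

On Android the same policy should also be declared in the network security config so that sockets opened outside OkHttp are covered.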

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments:8 (2 by maintainers)

Top GitHub Comments

breadadams commented, Mar 19, 2019 (1 reaction)

Darn, totally forgot to reply! After updating React-native (to 0.58.x) the issue went away (as there were specific updates to okhttp around TLS, one of the main culprits of the warnings).

ferrannp commented, Mar 19, 2019 (1 reaction)

Hello there 👋 this issue has been reported for an old version of React Native. Ideally we’d like everyone to be using 0.59 (see the awesome changes it brought) but we know updating can be a pain. We are going to close this issue because it’s from a version before 0.57, which is really old.

But please, if it’s actually still an issue with 0.59 please comment below and we can reopen it 😊
