Getting Security Issues in Android Signed apk
Environment
OS: macOS High Sierra 10.13.4
Node: 10.1.0
Yarn: Not Found
npm: 5.6.0
Watchman: 4.9.0
Xcode: Xcode 9.3.1 Build version 9E501
Android Studio: 3.2 AI-181.5540.7.32.5014246
Packages: (wanted => installed)
react: 16.3.1 => 16.3.1
react-native: 0.55.4 => 0.55.4
Description
We are using the tool Codified Security to find out the security issues in the signed apk and we are getting the following security issues:
1. App creates a temp file. You need to fix this because: sensitive data might be written into a temp file. You can fix this by changing this in your code: avoid creating temp files.
Common Weakness Enumeration: CWE-295 — The software does not validate, or incorrectly validates, a certificate.
Problem has been found in:
com/facebook/cache/disk/DefaultDiskStorage.java
try { paramString = new InserterImpl(paramString, paramObject.createTempFile(localFile)); return paramString; localStringBuilder.append(resourceId); localStringBuilder.append("."); return File.createTempFile(localStringBuilder.toString(), ".tmp", paramFile); }
com/facebook/react/modules/camera/ImageEditingManager.java
paramContext = localFile; } return File.createTempFile("ReactNative_cropped_image_", getFileExtensionForType(paramString), paramContext); } if ((localObject != null) && (! ((String)localObject).isEmpty())) { File localFile = ImageEditingManager.createTempFile(mContext, (String)localObject); ImageEditingManager.writeCompressedBitmapToFile(paramVarArgs, (String)localObject, localFile);
com/google/android/gms/common/data/BitmapTeleporter.java
try { localFile = File.createTempFile("teleporter", ".tmp", zali); }
2. TCP socket usage detected. You need to fix this because: TCP sockets need to be encrypted, otherwise it may be vulnerable to the following attack mechanisms: DoS attacks, replay attacks, man in the middle (MITM) attacks, eavesdropping and subsequent impersonation. It's highly recommended to use TLS or other methods to secure your connection.
Common Weakness Enumeration: CWE-941 — The software creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor. More information can be seen on the CWE website.
PCI compliance: This app may be in breach of PCI-DSS 2.2.3, 2.3 and 4.1. SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.
HIPAA compliance (Transmission Security): This app may be in breach of HIPAA encryption requirements. SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.
GDPR compliance: This app may be in breach of GDPR encryption requirements. SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.
OWASP compliance (OWASP M3: Insufficient Transport Layer Protection): This app may be in breach of OWASP encryption requirements. SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.
Problem has been found in:
okio/Okio.java
import java.io.InterruptedIOException; import java.io.OutputStream;
import java.net.Socket;
import java.net.SocketTimeoutException;
okhttp3/Connection.java
package okhttp3; import java.net.Socket;
okhttp3/ConnectionPool.java
import java.lang.ref.Reference; import java.net.Socket;
import java.util.ArrayDeque;
okhttp3/OkHttpClient.java
import java.net.Proxy;
import java.net.ProxySelector; import java.net.Socket;
import java.net.UnknownHostException
okhttp3/interal/Internal.java
import java.net.MalformedURLException;
import java.net.Socket;
import java.net.UnknownHostException;
okhttp3/internal/Util.java
import java.lang.reflect.Array; import java.net.IDN;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.IDN;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.Charset;
okhttp3/internal/connection/RealConnection.java
import java.net.Proxy; import java.net.Proxy.Type;
import java.net.Socket;
import java.net.SocketException
Object localObject2 = route.address();
if ((((Proxy)localObject1).type() != Proxy.Type.DIRECT)
&& (((Proxy)localObject1).type() != Proxy.Type.HTTP)) {
localObject1 = new Socket((Proxy)localObject1);
} else {
okhttp3/internal/connection/StreamAllocation.java
import java.lang.ref.Reference;
import java.lang.ref.WeakReference;
import java.net.Socket;
import java.util.List;
okhttp3/internal/http2/Http2Connection.java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Collection;
okhttp3/internal/platform/AndroidPlatform.java
import java.lang.reflect.Method;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.Certificate;
okhttp3/internal/platform/Platform.java
import java.lang.reflect.Field;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.ArrayList;
okhttp3/internal/ws/RealWebSocket.java
import java.io.IOException;
import java.net.ProtocolException;
import java.net.Socket;
import java.util.ArrayDeque;
com/facebook/react/modules/network/TLSSocketFactory.java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
Please suggest how we can resolve these issues.
Thanks
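As an added illustration (not code from React Native, OkHttp, Codified Security or anyone on this thread) of how a defender would address the two categories of findings in the report above: keep scratch files inside the app-private cache directory and wipe them as soon as the work is done, and build the OkHttp client so that it never negotiates cleartext or pre-1.2 TLS, plus a small check that confirms the resulting client has no cleartext spec. The class name, method names and the `privateCacheDir` parameter are assumptions of this example; on Android that directory would be `Context.getCacheDir()`. It requires the `okhttp3` artifact on the classpath.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.util.Collections;
import java.util.concurrent.TimeUnit;

import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

/** Added illustration; not code from React Native, OkHttp or the scanner vendor. */
public final class ScanFindingsHardening {

    /** Callback that does the real work while the scratch file exists (hypothetical helper type). */
    public interface TempFileWork<T> {
        T run(File scratch) throws IOException;
    }

    /**
     * Finding 1 (temp file). The file is created in the app-private cache directory,
     * which on Android is readable only by the app's own uid (unlike external storage),
     * gets an unpredictable name from File.createTempFile, and is overwritten and
     * deleted in a finally block so the sensitive bytes do not outlive the operation.
     */
    public static <T> T withSensitiveTempFile(File privateCacheDir, byte[] sensitive,
                                              TempFileWork<T> work) throws IOException {
        File tmp = File.createTempFile("scratch_", ".tmp", privateCacheDir);
        try (FileOutputStream out = new FileOutputStream(tmp)) {
            out.write(sensitive);
        }
        try {
            return work.run(tmp);
        } finally {
            wipeAndDelete(tmp);
        }
    }

    /** Best-effort overwrite before unlink; a bare delete leaves the content on flash for a while. */
    static void wipeAndDelete(File f) throws IOException {
        if (!f.exists()) {
            return;
        }
        try (RandomAccessFile raf = new RandomAccessFile(f, "rw")) {
            byte[] zeros = new byte[8192];
            long remaining = raf.length();
            while (remaining > 0) {
                int n = (int) Math.min(zeros.length, remaining);
                raf.write(zeros, 0, n);
                remaining -= n;
            }
            raf.getFD().sync();
        }
        if (!f.delete()) {
            throw new IOException("could not delete " + f);
        }
    }

    /**
     * Finding 2 (TCP sockets / early TLS). OkHttp always carries HTTP over a
     * java.net.Socket, which is what the scanner pattern-matched on; what decides
     * whether the channel is protected is the ConnectionSpec. This client only offers
     * the MODERN_TLS cipher suites and refuses SSLv3, TLS 1.0, TLS 1.1 and cleartext.
     */
    public static OkHttpClient tls12OnlyClient() {
        ConnectionSpec strictTls = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)   // ConnectionSpec.CLEARTEXT is deliberately absent
                .build();
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(strictTls))
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }

    /** Check a client before shipping: true if any configured spec would allow http:// URLs. */
    public static boolean allowsCleartext(OkHttpClient client) {
        for (ConnectionSpec spec : client.connectionSpecs()) {
            if (!spec.isTls()) {
                return true;
            }
        }
        return false;
    }
}
```

Two caveats for reading the report against this. A scanner that keys on `import java.net.Socket` will always flag OkHttp, because TLS in OkHttp is layered on top of a plain socket; the finding is only real if a `ConnectionSpec.CLEARTEXT` entry or an `http://` base URL is actually in use. And on Android 4.x the platform does not enable TLS 1.2 by default, which is what a custom `TLSSocketFactory` such as the one the scanner listed under `com/facebook/react/modules/network/` exists to turn on; restricting the client to TLS 1.2 without such a factory would make those old devices fail to connect.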
Issue Analytics
- Created 5 years ago
- Comments: 8 (2 by maintainers)
Top GitHub Comments
Darn, totally forgot to reply! After updating React-native (to 0.58.x) the issue went away (as there were specific updates to okhttp around TLS, one of the main culprits of the warnings).

Hello there 👋 this issue has been reported for an old version of React Native. Ideally we'd like everyone to be using 0.59 (see the awesome changes it brought) but we know updating can be a pain. We are going to close this issue because it's from a version before 0.57, which is really old.
But please, if it's actually still an issue with 0.59 please comment below and we can reopen it 😊