Android Shared Storage protection issue

I implemented Google Native Ads as described in Native Ads.

It works perfectly on all devices except Android 4.x. The crash log in the console is:

Non-fatal Exception: java.lang.IllegalArgumentException: Optimized data directory /storage/emulated/0/Android/data/com.myapp/cache is not owned by the current user. Shared storage cannot protect your application from code injection attacks.
       at dalvik.system.DexFile.<init>(DexFile.java:100)
       at dalvik.system.DexFile.loadDex + 149(DexFile.java:149)
       at dalvik.system.DexPathList.loadDexFile + 251(DexPathList.java:251)
       at dalvik.system.DexPathList.makeDexElements + 219(DexPathList.java:219)
       at dalvik.system.DexPathList.<init>(DexPathList.java:96)
       at dalvik.system.BaseDexClassLoader.<init>(BaseDexClassLoader.java:56)
       at dalvik.system.DexClassLoader.<init>(DexClassLoader.java:57)
       at ir.b + 31(ir.java:31)
       at ir.a + 5(ir.java:5)
       at iu.a + 1(iu.java:1)
       at com.google.android.gms.ads.internal.ag.run + 5(ag.java:5)
       at java.util.concurrent.ThreadPoolExecutor.runWorker + 1080(ThreadPoolExecutor.java:1080)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run + 573(ThreadPoolExecutor.java:573)
       at java.lang.Thread.run + 856(Thread.java:856)

The crash above shows: "Optimized data directory /storage/emulated/0/Android/data/com.myapp/cache is not owned by the current user. Shared storage cannot protect your application from code injection attacks."

I searched and found the related question "Android DexClassLoader error, 'optimized data directory .. not owned by current user'", but it is too old and not related to AdMob. If I remove the Native Ad related code, the app runs; otherwise it crashes and simply logs the crash above.

Please note that my app was working well with the same NativeAd code before 13th Aug 2019. After that, it does not work with the NativeAd code.

Please help.

Symphonic answered 17/8, 2019 at 7:20 Comment(0)

It seems some injection attacks happen in your application through the mobile ad content.

Injection attacks happen in Android apps in the following cases:

1) No or bypassable validation checks

2) File overwrite vulnerabilities, and

3) Code trigger points

The first condition includes the case when (1) apps do not perform integrity or authenticity checks on downloaded DRU resources or (2) attackers are able to bypass such validation checks.

The second condition indicates the case when the injected payload can overwrite executables.

The third condition is met when there exists a code trigger point where the overwritten files are loaded and executed in the app's context. Remote code injection attacks are successful when these three conditions are met.

The attacker's injected payloads are stored in a specified location in accordance with the app's DRU implementations, usually in the app's data directory (/data/data/PACKAGE_NAME) or in external storage (such as an SD card).

If the DRU that an attacker targets is the application code update, the injected code is replaced with the existing code resource (e.g., .dex, .jar, or .so) and then loaded and executed when the app triggers the update logic.

This happens because of the server side, not the client side. The mobile ad contains some file overwrite vulnerabilities, so the app crashed.

Solution:

Validate the ad content on the server side to check whether it satisfies Google's terms and conditions.

For more details, refer to Large-Scale Analysis of Remote Code Injection Attacks in Android Apps.

Soprano answered 2/9, 2019 at 8:44 Comment(0)
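
Added example (not part of either post above, and not code from the ads SDK): a sketch of the integrity check named in the answer's first condition, combined with the requirement in the exception message that loaded code and its optimized directory live in storage owned by the app rather than shared storage. The class name, file and directory names, and the idea of shipping an expected SHA-256 digest with the app are assumptions.

```java
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper: all names and the pinned-digest parameter are assumptions.
public final class VerifiedDexLoader {
    private VerifiedDexLoader() {}

    // Copies a downloaded code file into app-private storage while hashing it,
    // and loads it only if the SHA-256 matches the digest shipped with the app.
    public static ClassLoader load(Context ctx, File downloaded, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        // getDir() returns directories owned by the app's UID, unlike /storage/emulated/0/...
        File codeDir = ctx.getDir("verified_code", Context.MODE_PRIVATE);
        File optimizedDir = ctx.getDir("odex", Context.MODE_PRIVATE);
        File privateCopy = new File(codeDir, "update.jar");
        privateCopy.delete(); // drop any earlier (read-only) copy; absent file is fine

        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        // Hash the same bytes that are written, so a file swapped on shared
        // storage after the check can never be the one that gets loaded.
        try (InputStream in = new FileInputStream(downloaded);
             OutputStream out = new FileOutputStream(privateCopy)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                sha256.update(buf, 0, n);
                out.write(buf, 0, n);
            }
        }
        if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
            privateCopy.delete();
            throw new SecurityException("digest mismatch, refusing to load code");
        }
        // Read-only before loading (required for apps targeting Android 14+).
        if (!privateCopy.setReadOnly()) {
            throw new IOException("could not mark verified file read-only");
        }
        return new DexClassLoader(privateCopy.getAbsolutePath(),
                optimizedDir.getAbsolutePath(), null, ctx.getClassLoader());
    }
}
```

This applies to code an app loads itself; the stack trace in the question originates inside com.google.android.gms.ads.internal, which app code does not control.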
