Login/Register
android trust manager vulnerability
Asked Answered
androidencryptiongoogle-playandroid-security
T

0

8

I received a very disturbing email from google:

We reviewed app name, with package name, and found that your app uses software that contains security vulnerabilities for users. Apps with these vulnerabilities can expose user information or damage a user's device, and may be considered to be in violation of our Malicious Behavior policy.

Below is the list of issues and the corresponding APK versions that were detected in your recent submission. Please migrate your apps to use the updated software as soon as possible and increment the version number of the upgraded APK.

Vulnerability APK Version(s) Deadline to fix TrustManager You can find more information about TrustManager in this Google Help Center article.

486 September 14, 2020 Vulnerability APK Version(s) Deadline to fix To confirm you've upgraded correctly, submit the updated version of your app to the Play Console and check back after five hours. We'll show a warning message if the app hasn't been updated correctly.

While these vulnerabilities may not affect every app, it's best to stay up to date on all security patches.

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag "android-security." For clarification on steps you need to take to resolve this issue, you can contact our developer support team.

Best,

The Google Play Team

The only new thing added on app version 486 is an RSA encryption I added to some data.

This encryption is made in the following way: I manually generated an RSA key pair, stored the private key in my server and deployed the public key together with the apk.

For some requests in the app, I use the public key to encrypt the data before sending it through post request using URLConnection on the server side I decrypt it and process, then I send the response back to the user UNENCRYPTED.

so take in consideration the following:
0- there are only two requests in the app that use this technic
1- this update was made to ensure all the requests which arrive at the server came from my official app since last week I got 3 DoS attacks
2- those request existed for ages and always used standard android HTTPSUrlConnection without any extra encryption... what I made now was add an extra layer of encryption (how could it make the app less secure?) 3- the data transmitted is completely inoffensive

I know what a MITM attack is and I have done it for ages to reverse engineer some apps, I can't make this type of attack against my app without modifying the compiled code

That being said, how can I solve this problem without downgrade the work i took one week to implement?

this is the code:

post.put("p", "test");
            post.put("s", Encrypter.encrypt(userid + "|" + did));
            final String data = SimpleJsonDeserializer.getDefaultJson().toJson(post);
            FirebaseCrashlytics.getInstance().log(data);
            conn = (HttpsURLConnection) new URL(App.CLOUD_FUNCTIONS_HOST + "warsaw?v=2").openConnection();
            conn.setDoInput(true);
            conn.setDoOutput(true);

            conn.setRequestMethod("POST");
            conn.addRequestProperty("accept", "application/json");
            conn.addRequestProperty("content-type", "application/json; charset=utf-8");

            conn.addRequestProperty("content-length", data.length() + "");
            conn.getOutputStream().write(data.getBytes());
            conn.getOutputStream().flush();
            conn.getOutputStream().close();

this is the Encrypter class (which is the new added on 486)

public final class Encrypter {

    private static Cipher cipher;


    public static void initialize(@NonNull final Context c) {
        if (cipher == null) {
            try {
                cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
                X509EncodedKeySpec spec = new X509EncodedKeySpec(Base64.decode("my public key base64 coded".getBytes(), Base64.DEFAULT));
                KeyFactory kf = KeyFactory.getInstance("RSA");
                cipher.init(Cipher.ENCRYPT_MODE, kf.generatePublic(spec));
            } catch (NoSuchAlgorithmException | NoSuchPaddingException | InvalidKeySpecException | InvalidKeyException e) {
                App.shouldNeverHappen(e);
            }
        }
    }

    public static String encrypt(@NonNull final String s) throws IllegalBlockSizeException {

        if (s.isEmpty() || s.length() > 240)
            throw new IllegalBlockSizeException("Data must not be longer than 245 bytes");


        try {
            return new String(Base64.encode(cipher.doFinal(s.getBytes()), Base64.DEFAULT));
        } catch (BadPaddingException e) {
            App.shouldNeverHappen(e);
            return "";
        }

    }

}

The only way to use "inject" a malicious key would modify the compiled code (which is IMPOSSIBLE to prevent) but even doing this the attacker would only be able to modify the post data signature in the requests SENT
what would be useless for any sort of phishing attack

I'm 100% sure this kind of warning is flagged by some automatical code inspection (which google spend ZERO work on re-evaluating manually), so since I got this problem, i've deployed several versions of my app just "masking around" the code to try not to be flagged on this automatic code inspection... not successful so far.

Tracery answered 16/6, 2020 at 20:54 Comment(9)
I suggest that you talk this out with the Google Support themselves.Mirabella
google doesnt provide support for normal users. only if you spend some millions a year with them you get supportTracery
That code does not seem like what they are complaining about. Are you sure that you are not configuring an SSLContext anywhere with a custom TrustManager, or perhaps are using a library that is doing that?Heartwood
@Heartwood 100% sure, 'SSLContext' nor 'TrustManager' are no even imported by any classes of my app. all network requests are made either by Firebase, or URLConnection without any customizationsTracery
"no even imported by any classes of my app" -- you might want to use APK Analyzer and check to see if any libraries that you are using are referencing those classes.Heartwood
I only import few apis and i could write them here from my mind. they are: firebase (database, analytics, storage, messaging) picasso google billing, retrofit2 and okhttp3Tracery
You know you don't need this if you're communicating over HTTPS right? Your quick homemade transport layer security implementation won't even begin to stack up to the 20 years of experience SSL and TLS have had. You might as well remove it - app reviews are generally easier without explicit use of crypto primitives.Repast
@LukeJoshuaPark, if you took 5 minutes to read the whole text instead of just the tittle you will notce that i made this because i got some ddos attacks not for "protect" users dataTracery
Well, like it or not, what you've written is transport security. Transport security does nothing to alleviate DDoS attacks. I can't see any good reason to keep it. Just my advice, don't take it so personally.Repast

© 2022 - 2024 — McMap. All rights reserved.