Parsedroid and threats to Android developers

Researchers discovered that Java/Android development tools can be attacked, allowing outsiders to gain access to a developer's system. The users most exposed are those of Android Studio, IntelliJ, Eclipse and the cross-platform APKTool, that is, the main Android Integrated Development Environments (IDEs).

As many open source tools build on the Android Application Package Tool (APKTool), such attacks would mostly hit organizations that employ Android developers.

The research revealed that APKTool's source code contains an XML External Entity (XXE) vulnerability: the XML parser that APKTool configures does not disable external entity references when it parses an XML file inside the program.

The vulnerable function is “loadDocument”, which is used by both the “Build” and “Decompile” functionalities of APKTool. As a result, the entire file system of the machine running APKTool is exposed: an attacker can retrieve any file on the victim’s PC with a crafted “AndroidManifest.xml” file that exploits the XXE vulnerability.
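To make the parser configuration issue concrete, here is an added example (not APKTool's own code) contrasting a document loader that keeps the default DocumentBuilderFactory settings with a hardened one that forbids DOCTYPE declarations and external entity resolution. The manifest, the entity name and the file path are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class ManifestLoader {

    // Constructed sample: a manifest whose DOCTYPE declares an external entity.
    // A parser that resolves external entities would read the referenced file
    // and substitute its contents for "&ext;" in the attribute value.
    static final String SAMPLE_MANIFEST =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<!DOCTYPE manifest [\n"
      + "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path/on/victim\">\n"
      + "]>\n"
      + "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\"\n"
      + "          package=\"com.example.app\" android:versionName=\"&ext;\"/>\n";

    // Vulnerable pattern: default factory settings, so the DOCTYPE is honoured
    // and external entities are fetched while parsing untrusted XML.
    static Document loadDocumentUnsafe(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Hardened pattern: reject any DOCTYPE and disable external entity and
    // external DTD resolution, so the manifest above fails before any file is read.
    static Document loadDocumentSafe(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        byte[] xml = SAMPLE_MANIFEST.getBytes(StandardCharsets.UTF_8);
        try {
            loadDocumentSafe(xml);
            System.out.println("unexpected: hardened parser accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected manifest: " + e.getMessage());
        }
    }
}
```

Running main exercises only the hardened loader; the unsafe variant is kept for comparison and would attempt to open the placeholder path if called on this input.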

The research also revealed that exposure to this kind of attack is very common, since XML External Entity and path traversal flaws are widespread in the wild. An attacker only has to upload a malicious file to a public repository or, in the case of an IDE, send the same file directly to a developer.

When an uploaded AAR (Android Archive Library) makes the victim download the file unknowingly, Android Studio allows the malicious files to be saved on the system, which ends up giving the attacker access to his server.

The other route open to an attacker is the “path traversal” vulnerability, which allows a backdoor to be injected into the APK file.

These vulnerabilities have since been reported to Google, JetBrains, Eclipse and the APKTool maintainers, who have now released secure versions of their tools.

The further developments are still to be seen.
