Code Quality and Build Settings for Android Apps
Android requires all APKs to be digitally signed with a certificate before they are installed or run. The digital signature is used to verify the owner's identity for application updates. This process can prevent an app from being tampered with or modified to include malicious code.
When an APK is signed, a public-key certificate is attached to it. This certificate uniquely associates the APK with the developer and the developer's private key. When an app is being built in debug mode, the Android SDK signs the app with a debug key created specifically for debugging purposes. An app signed with a debug key is not meant to be distributed and won't be accepted in most app stores, including the Google Play Store.
The final release build of an app must be signed with a valid release key. In Android Studio, the app can be signed manually or via creation of a signing configuration that's assigned to the release build type.
Prior Android 9 (API level 28) all app updates on Android need to be signed with the same certificate, so a validity period of 25 years or more is recommended. Apps published on Google Play must be signed with a key that that has a validity period ending after October 22th, 2033.
Three APK signing schemes are available:
JAR signing (v1 scheme),
APK Signature Scheme v2 (v2 scheme),
APK Signature Scheme v3 (v3 scheme).
The v2 signature, which is supported by Android 7.0 (API level 24) and above, offers improved security and performance compared to v1 scheme. The V3 signature, which is supported by Android 9 (API level 28) and above, gives apps the ability to change their signing keys as part of an APK update. This functionality assures compatibility and apps continuous availability by allowing both the new and the old keys to be used. Note that it is only available via apksigner at the time of writing.
For each signing scheme the release builds should always be signed via all its previous schemes as well.
Make sure that the release build has been signed via both the v1 and v2 schemes for Android 7.0 (API level 24) and above and via all the three schemes for Android 9 (API level 28) and above, and that the code-signing certificate in the APK belongs to the developer.
APK signatures can be verified with the apksigner tool. It is located at [SDK-Path]/build-tools/[version].
$ apksigner verify --verbose Desktop/example.apkVerifiesVerified using v1 scheme (JAR signing): trueVerified using v2 scheme (APK Signature Scheme v2): trueVerified using v3 scheme (APK Signature Scheme v3): trueNumber of signers: 1
The contents of the signing certificate can be examined with jarsigner. Note that the Common Name (CN) attribute is set to "Android Debug" in the debug certificate.
The output for an APK signed with a debug certificate is shown below:
$ jarsigner -verify -verbose -certs example.apk​sm 11116 Fri Nov 11 12:07:48 ICT 2016 AndroidManifest.xml​X.509, CN=Android Debug, O=Android, C=US[certificate is valid from 3/24/16 9:18 AM to 8/10/43 9:18 AM][CertPath not validated: Path doesn\'t chain with any of the trust anchors](...)
Ignore the "CertPath not validated" error. This error occurs with Java SDK 7 and above. Instead of jarsigner, you can rely on the apksigner to verify the certificate chain.
The signing configuration can be managed through Android Studio or the signingConfig block in build.gradle. To activate both the v1 and v2 schemes, the following values must be set:
v1SigningEnabled truev2SigningEnabled true
Several best practices for configuring the app for release are available in the official Android developer documentation.
Last but not least: make sure that the application is never deployed with your internal testing certificates.
Static analysis should be used to verify the APK signature.
The android:debuggable attribute in the Application element that is defined in the Android manifest determines whether the app can be debugged or not.
Check AndroidManifest.xml to determine whether the android:debuggable attribute has been set and to find the attribute's value:
...<application android:allowBackup="true" android:debuggable="true" android:icon="@drawable/ic_launcher" android:label="@string/app_name" android:theme="@style/AppTheme">...
For a release build, this attribute should always be set to "false" (the default value).
Drozer can be used to determine whether an application is debuggable. The Drozer module app.package.attacksurface also displays information about IPC components exported by the application.
dz> run app.package.attacksurface com.mwr.dzAttack Surface:1 activities exported1 broadcast receivers exported0 content providers exported0 services exportedis debuggable
To scan for all debuggable applications on a device, use the app.package.debuggable module:
dz> run app.package.debuggablePackage: com.mwr.dzUID: 10083Permissions:- android.permission.INTERNETPackage: com.vulnerable.appUID: 10084Permissions:- android.permission.INTERNET
If an application is debuggable, executing application commands is trivial. In the adb shell, execute run-as by appending the package name and application command to the binary name:
$ run-as com.vulnerable.app iduid=10084(u0_a84) gid=10084(u0_a84) groups=10083(u0_a83),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:untrusted_app:s0:c512,c768
​Android Studio can also be used to debug an application and verify debugging activation for an app.
Another method for determining whether an application is debuggable is attaching jdb to the running process. If this is successful, debugging will be activated.
The following procedure can be used to start a debug session with jdb:
Using
adbandjdwp, identify the PID of the active application that you want to debug:$ adb jdwp235516346 <== last launched, corresponds to our applicationCreate a communication channel by using
adbbetween the application process (with the PID) and your host computer by using a specific local port:# adb forward tcp:[LOCAL_PORT] jdwp:[APPLICATION_PID]$ adb forward tcp:55555 jdwp:16346Using
jdb, attach the debugger to the local communication channel port and start a debug session:$ jdb -connect com.sun.jdi.SocketAttach:hostname=localhost,port=55555Set uncaught java.lang.ThrowableSet deferred uncaught java.lang.ThrowableInitializing jdb ...> help
A few notes about debugging:
The tool
JADXcan be used to identify interesting locations for breakpoint insertion.Usage of basic commands for jdb can be found at Tutorialspoint.
If you get an error telling that "the connection to the debugger has been closed" while
jdbis being bound to the local communication channel port, kill all adb sessions and start a single new session.
Generally, you should provide compiled code with as little explanation as possible. Some metadata, such as debugging information, line numbers, and descriptive function or method names, make the binary or bytecode easier for the reverse engineer to understand, but these aren't needed in a release build and can therefore be safely omitted without impacting the app's functionality.
To inspect native binaries, use a standard tool like nm or objdump to examine the symbol table. A release build should generally not contain any debugging symbols. If the goal is to obfuscate the library, removing unnecessary dynamic symbols is also recommended.
Symbols are usually stripped during the build process, so you need the compiled bytecode and libraries to make sure that unnecessary metadata has been discarded.
First, find the nm binary in your Android NDK and export it (or create an alias).
export $NM = $ANDROID_NDK_DIR/toolchains/arm-linux-androideabi-4.9/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-nm
To display debug symbols:
$ $NM -a libfoo.so/tmp/toolchains/arm-linux-androideabi-4.9/prebuilt/darwin-x86_64/bin/arm-linux-androideabi-nm: libfoo.so: no symbols
To display dynamic symbols:
$ $NM -D libfoo.so
Alternatively, open the file in your favorite disassembler and check the symbol tables manually.
Dynamic symbols can be stripped via the visibility compiler flag. Adding this flag causes gcc to discard the function names while preserving the names of functions declared as JNIEXPORT.
Make sure that the following has been added to build.gradle:
externalNativeBuild {cmake {cppFlags "-fvisibility=hidden"}}
Static analysis should be used to verify debugging symbols.
StrictMode is a developer tool for detecting violations, e.g. accidental disk or network access on the application's main thread. It can also be used to check for good coding practices, such as implementing performant code.
Here is an example of StrictMode with policies enabled for disk and network access to the main thread:
public void onCreate() {if (DEVELOPER_MODE) {StrictMode.setThreadPolicy(new StrictMode.ThreadPolicy.Builder().detectDiskReads().detectDiskWrites().detectNetwork() // or .detectAll() for all detectable problems.penaltyLog().build());StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder().detectLeakedSqlLiteObjects().detectLeakedClosableObjects().penaltyLog().penaltyDeath().build());}super.onCreate();}
Inserting the policy in the if statement with the DEVELOPER_MODE condition is recommended. To disable StrictMode, DEVELOPER_MODE must be disabled for the release build.
To determine whether StrictMode is enabled, you can look for the StrictMode.setThreadPolicy or StrictMode.setVmPolicy methods. Most likely, they will be in the onCreate method.
The detection methods for the thread policy are
detectDiskWrites()detectDiskReads()detectNetwork()
The penalties for thread policy violation are
penaltyLog() // Logs a message to LogCatpenaltyDeath() // Crashes application, runs at the end of all enabled penaltiespenaltyDialog() // Shows a dialog
Have a look at the best practices for using StrictMode.
There are several ways of detecting StrictMode; the best choice depends on how the policies' roles are implemented. They include
Logcat,
a warning dialog,
application crash.
Android apps often make use of third party libraries. These third party libraries accelerate development as the developer has to write less code in order to solve a problem. There are two categories of libraries:
Libraries that are not (or should not) be packed within the actual production application, such as
Mockitoused for testing and libraries likeJavaAssistused to compile certain other libraries.Libraries that are packed within the actual production application, such as
Okhttp3.
These libraries can lead to unwanted side-effects:
A library can contain a vulnerability, which will make the application vulnerable. A good example are the versions of
OKHTTPprior to 2.7.5 in which TLS chain pollution was possible to bypass SSL pinning.A library can no longer be maintained or hardly be used, which is why no vulnerabilities are reported and/or fixed. This can lead to having bad and/or vulnerable code in your application through the library.
A library can use a license, such as LGPL2.1, which requires the application author to provide access to the source code for those who use the application and request insight in its sources. In fact the application should then be allowed to be redistributed with modifications to its sourcecode. This can endanger the intellectual property (IP) of the application.
Please note that this issue can hold on multiple levels: When you use webviews with JavaScript running in the webview, the JavaScript libraries can have these issues as well. The same holds for plugins/libraries for Cordova, React-native and Xamarin apps.
Detecting vulnerabilities in third party dependencies can be done by means of the OWASP Dependency checker. This is best done by using a gradle plugin, such as dependency-check-gradle. In order to use the plugin, the following steps need to be applied: Install the plugin from the Maven central repository by adding the following script to your build.gradle:
buildscript {repositories {mavenCentral()}dependencies {classpath 'org.owasp:dependency-check-gradle:3.2.0'}}​apply plugin: 'org.owasp.dependencycheck'
Once gradle has invoked the plugin, you can create a report by running:
$ gradle assemble$ gradle dependencyCheckAnalyze --info
The report will be in build/reports unless otherwise configured. Use the report in order to analyze the vulnerabilities found. See remediation on what to do given the vulnerabilities found with the libraries.
Please be advised that the plugin requires to download a vulnerability feed. Consult the documentation in case issues arise with the plugin.
Alternatively there are commercial tools which might have a better coverage of the dependencies found for the libraries being used, such as Sonatype Nexus IQ, Sourceclear, Snyk or Blackduck. The actual result of using either the OWASP Dependency Checker or another tool varies on the type of (NDK related or SDK related) libraries.
Lastly, please note that for hybrid applications, one will have to check the JavaScript dependencies with RetireJS. Similarly for Xamarin, one will have to check the C# dependencies.
When a library is found to contain vulnerabilities, then the following reasoning applies:
Is the library packaged with the application? Then check whether the library has a version in which the vulnerability is patched. If not, check whether the vulnerability actually affects the application. If that is the case or might be the case in the future, then look for an alternative which provides similar functionality, but without the vulnerabilities.
Is the library not packaged with the application? See if there is a patched version in which the vulnerability is fixed. If this is not the case, check if the implications of the vulnerability for the build-process. Could the vulnerability impede a build or weaken the security of the build-pipeline? Then try looking for an alternative in which the vulnerability is fixed.
When the sources are not available, one can decompile the app and check the JAR files. When Dexguard or ProGuard are applied properly, then version information about the library is often obfuscated and therefore gone. Otherwise you can still find the information very often in the comments of the Java files of given libraries. Tools such as MobSF can help in analyzing the possible libraries packed with the application. If you can retrieve the version of the library, either via comments, or via specific methods used in certain versions, you can look them up for CVEs by hand.
If the application is a high-risk application, you will end up vetting the library manually. In that case, there are specific requirements for native code, which you can find in the chapter "Testing Code Quality". Next to that, it is good to vet whether all best practices for software engineering are applied.
In order to ensure that the copyright laws are not infringed, one can best check the dependencies by using a plugin which can iterate over the different libraries, such as License Gradle Plugin. This plugin can be used by taking the following steps.
In your build.gradle file add:
plugins {id "com.github.hierynomus.license-report" version"{license_plugin_version}"}
Now, after the plugin is picked up, use the following commands:
$ gradle assemble$ gradle downloadLicenses
Now a license-report will be generated, which can be used to consult the licenses used by the third party libraries. Please check the license agreements to see whether a copyright notice needs to be included into the app and whether the license type requires to open-source the code of the application.
Similar to dependency checking, there are commercial tools which are able to check the licenses as well, such as Sonatype Nexus IQ, Sourceclear, Snyk or Blackduck.
Note: If in doubt about the implications of a license model used by a third party library, then consult with a legal specialist.
When a library contains a license in which the application IP needs to be open-sourced, check if there is an alternative for the library which can be used to provide similar functionalities.
Note: In case of a hybrid app, please check the build tools used: most of them do have a license enumeration plugin to find the licenses being used.
When the sources are not available, one can decompile the app and check the JAR files. When Dexguard or ProGuard are applied properly, then version information about the library is often gone. Otherwise you can still find it very often in the comments of the Java files of given libraries. Tools such as MobSF can help in analyzing the possible libraries packed with the application. If you can retrieve the version of the library, either via comments, or via specific methods used in certain versions, you can look them up for their licenses being used by hand.
The dynamic analysis of this section comprises validating whether the copyrights of the licenses have been adhered to. This often means that the application should have an about or EULA section in which the copy-right statements are noted as required by the license of the third party library.
Exceptions occur when an application gets into an abnormal or error state. Both Java and C++ may throw exceptions. Testing exception handling is about ensuring that the app will handle an exception and transition to a safe state without exposing sensitive information via the UI or the app's logging mechanisms.
Review the source code to understand the application and identify how it handles different types of errors (IPC communications, remote services invocation, etc.). Here are some examples of things to check at this stage:
Make sure that the application uses a well-designed and unified scheme to handle exceptions.
Plan for standard
RuntimeExceptions (e.g.NullPointerException,IndexOutOfBoundsException,ActivityNotFoundException,CancellationException,SQLException) by creating proper null checks, bound checks, and the like. An overview of the available subclasses ofRuntimeExceptioncan be found in the Android developer documentation. A child ofRuntimeExceptionshould be thrown intentionally, and the intent should be handled by the calling method.Make sure that for every non-runtime
Throwablethere's a proper catch handler, which ends up handling the actual exception properly.When an exception is thrown, make sure that the application has centralized handlers for exceptions that cause similar behavior. This can be a static class. For exceptions specific to the method, provide specific catch blocks.
Make sure that the application doesn't expose sensitive information while handling exceptions in its UI or log-statements. Ensure that exceptions are still verbose enough to explain the issue to the user.
Make sure that all confidential information handled by high-risk applications is always wiped during execution of the
finallyblocks.
byte[] secret;try{//use secret} catch (SPECIFICEXCEPTIONCLASS | SPECIFICEXCEPTIONCLASS2 e) {// handle any issues} finally {//clean the secret.}
Adding a general exception handler for uncaught exceptions is a best practice for resetting the application's state when a crash is imminent:
public class MemoryCleanerOnCrash implements Thread.UncaughtExceptionHandler {​private static final MemoryCleanerOnCrash S_INSTANCE = new MemoryCleanerOnCrash();private final List<Thread.UncaughtExceptionHandler> mHandlers = new ArrayList<>();​//initialize the handler and set it as the default exception handlerpublic static void init() {S_INSTANCE.mHandlers.add(Thread.getDefaultUncaughtExceptionHandler());Thread.setDefaultUncaughtExceptionHandler(S_INSTANCE);}​//make sure that you can still add exception handlers on top of it (required for ACRA for instance)public void subscribeCrashHandler(Thread.UncaughtExceptionHandler handler) {mHandlers.add(handler);}​@Overridepublic void uncaughtException(Thread thread, Throwable ex) {​//handle the cleanup here//....//and then show a message to the user if possible given the context​for (Thread.UncaughtExceptionHandler handler : mHandlers) {handler.uncaughtException(thread, ex);}}}
Now the handler's initializer must be called in your custom Application class (e.g., the class that extends Application):
@Overrideprotected void attachBaseContext(Context base) {super.attachBaseContext(base);MemoryCleanerOnCrash.init();}
There are several ways to do dynamic analysis:
Use Xposed to hook into methods and either call them with unexpected values or overwrite existing variables with unexpected values (e.g., null values).
Type unexpected values into the Android application's UI fields.
Interact with the application using its intents, its public providers, and unexpected values.
Tamper with the network communication and/or the files stored by the application.
The application should never crash; it should
recover from the error or transition into a state in which it can inform the user of its inability to continue,
if necessary, tell the user to take appropriate action (The message should not leak sensitive information.),
not provide any information in logging mechanisms used by the application.
Android applications often run on a VM where most of the memory corruption issues have been taken care off. This does not mean that there are no memory corruption bugs. Take CVE-2018-9522 for instance, which is related to serialization issues using Parcels. Next, in native code, we still see the same issues as we explained in the general memory corruption section. Last, we see memory bugs in supporting services, such as with the Stagefright attack as shown at BlackHat.
A memory leak is often an issue as well. This can happen for instance when a reference to the Context object is passed around to non-Activity classes, or when you pass references to Activity classes to your helper classes.
There are various items to look for:
Are there native code parts? If so: check for the given issues in the general memory corruption section. Native code can easily be spotted given JNI-wrappers, .CPP/.H/.C files, NDK or other native frameworks.
Is there Java code or Kotlin code? Look for Serialization/deserialization issues, such as described in A brief history of Android deserialization vulnerabilities.
Note that there can be Memory leaks in Java/Kotlin code as well. Look for various items, such as: BroadcastReceivers which are not unregistered, static references to Activity or View classes, Singleton classes that have references to Context, Inner Class references, Anonymous Class references, AsyncTask references, Handler references, Threading done wrong, TimerTask references. For more details, please check:
There are various steps to take:
In case of native code: use Valgrind or Mempatrol to analyze the memory usage and memory calls made by the code.
In case of Java/Kotlin code, try to recompile the app and use it with Squares leak canary.
Check with the Memory Profiler from Android Studio for leakage.
Check with the Android Java Deserialization Vulnerability Tester, for serialization vulnerabilities.
Because decompiling Java classes is trivial, applying some basic obfuscation to the release byte-code is recommended. ProGuard offers an easy way to shrink and obfuscate code and to strip unneeded debugging information from the byte-code of Android Java apps. It replaces identifiers, such as class names, method names, and variable names, with meaningless character strings. This is a type of layout obfuscation, which is "free" in that it doesn't impact the program's performance.
Since most Android applications are Java-based, they are immune to buffer overflow vulnerabilities. Nevertheless, a buffer overflow vulnerability may still be applicable when you're using the Android NDK; therefore, consider secure compiler settings.
If source code is provided, you can check the build.gradle file to see whether obfuscation settings have been applied. In the example below, you can see that minifyEnabled and proguardFiles are set. Creating exceptions to protect some classes from obfuscation (with -keepclassmembers and -keep class) is common. Therefore, auditing the ProGuard configuration file to see what classes are exempted is important. The getDefaultProguardFile('proguard-android.txt') method gets the default ProGuard settings from the <Android SDK>/tools/proguard/ folder.
Further information on how to shrink, obfuscate, and optimize your app can be found in the Android developer documentation.
When you build you project using Android Studio 3.4 or Android Gradle plugin 3.4.0 or higher, the plugin no longer uses ProGuard to perform compile-time code optimization. Instead, the plugin works with the R8 compiler. R8 works with all of your existing ProGuard rules files, so updating the Android Gradle plugin to use R8 should not require you to change your existing rules.
R8 is the new code shrinker from Google and was introduced in Android Studio 3.3 beta. By default, R8 removes attributes that are useful for debugging, including line numbers, source file names, and variable names. R8 is a free Java class file shrinker, optimizer, obfuscator, and pre-verifier and is faster than ProGuard, see also an Android Developer blog post for further details. It is shipped with Android's SDK tools. To activate shrinking for the release build, add the following to build.gradle:
android {buildTypes {release {// Enables code shrinking, obfuscation, and optimization for only// your project's release build type.minifyEnabled true​// Includes the default ProGuard rules files that are packaged with// the Android Gradle plugin. To learn more, go to the section about// R8 configuration files.proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'),'proguard-rules.pro'}}...}
The file proguard-rules.pro is where you define custom ProGuard rules. With the flag -keep you can keep certain code that is not being removed by R8, which might otherwise produce errors. For example to keep common Android classes, as in our sample configuration proguard-rules.pro file:
...-keep public class * extends android.app.Activity-keep public class * extends android.app.Application-keep public class * extends android.app.Service...
You can define this more granularly on specific classes or libraries in your project with the following syntax:
-keep public class MyClass
If source code has not been provided, an APK can be decompiled to determine whether the codebase has been obfuscated. Several tools are available for converting DEX code to a JAR file (e.g. dex2jar). The JAR file can be opened with tools such as JD-GUI that can be used to make sure that class, method, and variable names are not human-readable.
Below you can find a sample for an obfuscated code block:
package com.a.a.a;​import com.a.a.b.a;import java.util.List;​class a$bextends a{public a$b(List paramList){super(paramList);}​public boolean areAllItemsEnabled(){return true;}​public boolean isEnabled(int paramInt){return true;}}
MSTG-CODE-1: "The app is signed and provisioned with a valid certificate, of which the private key is properly protected."
MSTG-CODE-2: "The app has been built in release mode, with settings appropriate for a release build (e.g. non-debuggable)."
MSTG-CODE-3: "Debugging symbols have been removed from native binaries."
MSTG-CODE-4: "Debugging code and developer assistance code (e.g. test code, backdoors, hidden settings) have been removed. The app does not log verbose errors or debugging messages."
MSTG-CODE-5: "All third party components used by the mobile app, such as libraries and frameworks, are identified, and checked for known vulnerabilities."
MSTG-CODE-6: "The app catches and handles possible exceptions."
MSTG-CODE-7: "Error handling logic in security controls denies access by default."
MSTG-CODE-8: "In unmanaged code, memory is allocated, freed and used securely."
MSTG-CODE-9: "Free security features offered by the toolchain, such as byte-code minification, stack protection, PIE support and automatic reference counting, are activated."
A brief history of Android deserialization vulnerabilities - https://securitylab.github.com/research/android-deserialization-vulnerabilities​
9 ways to avoid memory leaks in Android - https://android.jlelse.eu/9-ways-to-avoid-memory-leaks-in-android-b6d81648e35e​
Memory Leak Patterns in Android - https://android.jlelse.eu/memory-leak-patterns-in-android-4741a7fcb570​
APK signature scheme with key rotation - https://developer.android.com/about/versions/pie/android-9.0#apk-key-rotation​
