Android Class Load Hijacking

Android Class Load Hijacking

Risk: medium

Description

The applications loads jar/apk stored in an insecure location.

This load process can be hijacked, allowing access to private data and unexpected arbitrary code execution by malicious applications

Recommendation

If you use DexClassLoader to load and execute additional DEX code:

• Do NOT use a world-writable directory (such as the SD card) for the dexPath
• Do NOT use a world-writable directory (such as the SD card) for the ODEX (optimized DEX which is the second paramter of the DexClassLoader constructor)

If you use PathClassLoader to load and execute additional jar/resources:

• Do NOT use a world-writable directory (such as the SD card) for the path
• Do NOT use a world-writable directory (such as the SD card) for the libpath. By default, the external storage is mounted with the noexec flag to prevent the execution of any native binaries on the mounted file system.

Links

• Dynamically Loading Code Securely with Android

Standards

• OWASP_MASVS_L1:
  • MSTG_PLATFORM_2
• OWASP_MASVS_L2:
  • MSTG_PLATFORM_2
• CWE_TOP_25:
  • CWE_22
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_3_5
  • REQ_6_2
  • REQ_6_3
  • REQ_11_3
• OWASP_MASVS_v2_1:
  • MASVS_CODE_4
• SOC2_CONTROLS:
  • CC_2_1
  • CC_4_1
  • CC_7_1
  • CC_7_2
  • CC_7_4
  • CC_7_5