Monday, October 31, 2016

According to the mobile security team's Mobile Security Report for the second quarter of 2015, released in September [1], the top 10 applications across 16 industries contained a total of 8,515 security vulnerabilities, 77% more than in the previous quarter. Denial of Service, WebView Remote Code Execution, AES/DES Weak Encryption, and WebView Clear Text Storage each accounted for more than 15% of all vulnerabilities. What should give every developer pause is that this situation has not improved over time, and cases in which an APP is attacked and its owner or ordinary users suffer losses are not rare; the security of mobile applications deserves more attention. Why do these vulnerabilities exist in APPs? What is the principle behind them, what harm do they cause, and how can APP developers fix them? Below, the editor walks through one or two of these vulnerabilities.

1 Denial of Service Vulnerability

1.1 Vulnerability principle

The Android system provides components such as Activity, Service and Broadcast Receiver, together with the Intent mechanism that supports interaction and communication between applications. An Intent describes the action an application wants performed, the data the action relates to, and any additional data; based on this description the Android system locates the corresponding component, passes the Intent to it, and invokes it [2].

A local denial-of-service vulnerability in an Android application arises when the program does not catch the exceptions that Intent.getXXXExtra() can raise, or processes the received data without any exception handling. An attacker can then send the application an Intent carrying empty, abnormal or malformed data and crash it. In short, the attacker sends an Intent with null, abnormal or malformed data to the victim application, causing it to crash.
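The following is an added example, not code from the original post, showing the crash pattern described above inside an exported Activity and its hardened form; the class name, extra names and showOrder() method are assumed.

```java
// Added example (not from the original post): local DoS via Intent extras
// and the hardened form. Class, extra names and showOrder() are assumed.
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

public class OrderDetailActivity extends Activity {
    private static final String TAG = "OrderDetail";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        // Vulnerable form: any app can start an exported Activity with an
        // Intent that lacks "order_id". getStringExtra() then returns null,
        // trim() throws NullPointerException and the process dies. A Bundle
        // built from hostile data can also throw while unparcelling
        // (e.g. BadParcelableException). Either way: local denial of service.
        //
        //   String orderId = intent.getStringExtra("order_id").trim();
        //
        // Hardened form: validate every extra and catch the runtime
        // exceptions the Bundle can raise while reading attacker data.
        try {
            String orderId = intent.getStringExtra("order_id");
            if (orderId == null || orderId.isEmpty()) {
                Log.w(TAG, "missing order_id extra, ignoring request");
                finish();
                return;
            }
            // Primitive getters take a default, so a wrong-typed or absent
            // value falls back instead of propagating an error.
            int quantity = intent.getIntExtra("quantity", 1);
            showOrder(orderId.trim(), quantity);
        } catch (RuntimeException e) {
            // ClassCastException, BadParcelableException and similar:
            // log and exit instead of crashing the whole process.
            Log.w(TAG, "malformed Intent extras", e);
            finish();
        }
    }

    private void showOrder(String orderId, int quantity) {
        // Application logic (placeholder).
    }
}
```

Components that never need to be started by other apps should additionally declare android:exported="false" in the manifest, so the Intent never reaches this code at all.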

1.2 Vulnerability hazards

Local denial-of-service vulnerabilities affect all versions of Android. They can be used not only to bypass or disable security applications (antivirus software, security guards, anti-theft lock screens and so on), but also to attack competitors by crashing their applications, causing varying degrees of economic loss.

Among the top 10 applications in 16 industries, the number of denial-of-service vulnerabilities in the second quarter rose 107% over the first quarter. This growth, and the security risk it represents, should prompt developers to adopt a security solution as soon as possible, self-test their APPs for this vulnerability and fix it promptly. For a detailed analysis of the denial-of-service vulnerability, please refer to the Alibaba security blog article.

2 WebView Remote Code Execution Vulnerability

2.1 Vulnerability principle

A remote code execution vulnerability exists in applications on Android API level 16 and earlier that do not properly restrict the use of WebView.addJavascriptInterface, the method by which the Android system registers Java objects for invocation from JavaScript in order to extend JavaScript functionality. The system places no restriction on which methods of the registered Java class may be called, so an attacker can use the reflection mechanism to reach any other Java class that was never registered, effectively giving JavaScript unlimited capability. Depending on the client's capabilities, an attacker exploiting this vulnerability can do whatever they want, such as remotely controlling the user's phone or stealing the user's private information.
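As an added example (not code from the original post), this is how a WebView can be configured so that the unrestricted-reflection problem described above cannot be reached on API level 16 and below; the class and bridge names are assumed.

```java
// Added example (not from the original post): WebView setup that keeps
// addJavascriptInterface off API level 16 and below. Names are assumed.
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class SafeWebViewSetup {

    /** Object exposed to page JavaScript. On API 17+ only methods carrying
     *  @JavascriptInterface are callable; on older levels the annotation is
     *  ignored and every public method, including getClass(), is reachable,
     *  which is what makes reflection from JavaScript possible. */
    public static final class AppBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    public static void configure(WebView webView, boolean needsBridge) {
        WebSettings settings = webView.getSettings();
        // JavaScript is off by default; enable it only when the page needs it.
        settings.setJavaScriptEnabled(needsBridge);
        // Keep loaded pages away from the app's private files.
        settings.setAllowFileAccess(false);

        // Some Android 3.0 to 4.3 builds register these bridges on every
        // WebView automatically; remove them so a hostile page has no
        // Java object to reflect on (removeJavascriptInterface: API 11+).
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");

        if (needsBridge
                && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // API 17+ (Android 4.2): only @JavascriptInterface methods exposed.
            webView.addJavascriptInterface(new AppBridge(), "AppBridge");
        }
        // On API 16 and below no Java object is registered at all. If the
        // page needs callbacks there, use a channel that exposes no object,
        // such as a custom URL scheme handled in shouldOverrideUrlLoading.
    }
}
```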

2.2 Vulnerability hazards

The WebView remote code execution vulnerability affects system versions before Android 4.2. A variety of popular Android applications have been exposed with this high-risk drive-by (trojan-injection) vulnerability: after clicking a message or a post in WeChat Moments, the user's phone automatically executes the trojan instructions embedded in the page, with serious consequences such as fee-deducting malware being installed, fraudulent SMS being sent to friends, the address book and text messages being stolen, and the phone being remotely controlled. On the WooYun platform, large top applications including the Android versions of WeChat, QQ, Tencent Weibo, QQ Browser, Kuaibo, Baidu Browser and Kingsoft Browser were all reported with the same type of vulnerability, and hardware such as Xiaomi phones and Google Glass has been reported to carry it as well.

For a detailed explanation of the WebView remote code execution vulnerability, please refer to the Ali security blog article.

As our 2015 second-quarter mobile security report shows, the vulnerability situation of mobile applications is not optimistic: popular APPs also carry a variety of vulnerability risks, and these risks affect both APP developers and APP users. Developers need to quickly adopt a security solution that addresses these risks and build trustworthy mobile applications. The Ali mobile security team has produced the Ali Poly Security solution for mobile APP security risks, offering one-stop problem solving and long-term monitoring.

3 Poly Security Solution

Ali Poly Security (http://www.renewandroid.com/), released on October 22, 2014, is an open security platform for developers and enterprise customers. It solves mobile application security problems through malicious code detection, vulnerability scanning, counterfeit-app monitoring, security components, application hardening and more, and also provides business risk prevention and control services against junk registrations, activity cheating, account theft, channel cheating and the like. From application security to business security, it solves security problems for all customers and escorts healthy business growth.
