Android Security: Scanning your app for known vulnerabilities

Known vulnerabilities exist for libraries common to Android development such as OkHttp and Apache Commons I/O. The importance of such an issue is highlighted by its position in the OWASP 2017 Top 10 as A9 - Using Components with Known Vulnerabilities.

Our Android apps are using more and more third-party libraries like these and in turn our direct dependencies often depend on their own set so how do you ensure you know about these vulnerabilities and keep your app secure?

The National Vulnerability Database can be queried to determine what security issues your use of open source software may bring you. What is it and how do we use it?

What is the National Vulnerability Database?

The NVD is a U.S. government repository containing details of publicly published security related software flaws. These flaws are linked to the Common Vulnerabilities and Exposures dictionary along with a score for the severity of the risk involved. The NVD provides downloads of its database making it possible to cache the data locally along with querying it for any matches.

What is the Common Vulnerability and Exposures dictionary?

CVE (Common Vulnerabilities and Exposures) is a free for public use list of publicly known cybersecurity vulnerabilities. It was set up to ensure there was a common name (the CVE identifier) that can be used when discussing and sharing information about a particular vulnerability. There is exactly one identifier per vulnerability along with a standardized description.

Scanning your app

Although it is possible to download the NVD data directly yourself, fortunately, OWASP provide a tool to do just this.

The OWASP Dependency Check utility, maintained by Jeremy Long, identifies your projects dependencies and reports on any known, publicly disclosed, vulnerabilities. It keeps itself up-to-date using the NVD data feeds. Due to the size of the data feeds an initial download can take over 10 minutes, however as long as the tool is run at least once every 7 days it can be kept current with small incremental downloads.

For Android developers, the tool is available as a Gradle plugin, dependency-check-gradle as well as command line and Maven. This makes it incredibly simple to implement…