Android Security: Scanning your app for known vulnerabilities

Known vulnerabilities exist for libraries common to Android development such as OkHttp and Apache Commons I/O. The importance of such an issue is highlighted by its position in the OWASP 2017 Top 10 as A9 - Using Components with Known Vulnerabilities.

Our Android apps use more and more third-party libraries like these, and our direct dependencies in turn pull in their own set of transitive dependencies. So how do you find out about the vulnerabilities in that whole tree and keep your app secure?

The National Vulnerability Database can be queried to determine what security issues your use of open source software may bring you. What is it and how do we use it?

What is the National Vulnerability Database?

What is the Common Vulnerability and Exposures dictionary?

Scanning your app

The OWASP Dependency Check utility, maintained by Jeremy Long, identifies your project's dependencies and reports any known, publicly disclosed vulnerabilities in them. It keeps itself up to date from the NVD data feeds. Because of the size of the feeds, the initial download can take over 10 minutes; as long as the tool is run at least once every 7 days it stays current with small incremental downloads.

For Android developers the tool is available as a Gradle plugin, dependency-check-gradle, as well as a command-line tool and a Maven plugin. This makes it incredibly simple to add to your project.

Step 1 — Add dependency to your root build.gradle

buildscript {
repositories {
mavenCentral()
}
dependencies {
classpath 'org.owasp:dependency-check-gradle:4.0.0'
}
}

Step 2 — Apply plugin to your app/build.gradle

apply plugin: 'org.owasp.dependencycheck'

Step 3 — Run the plugin

./gradlew dependencyCheckAnalyze

The disadvantage of the above is that someone has to remember to run the dependencyCheckAnalyze task explicitly. A security check like this should be part of your standard build, so you may prefer to hook it into the check task so it runs automatically for every developer in your team by adding the following to your app/build.gradle file.

tasks.check.dependsOn(tasks.dependencyCheckAnalyze)

Step 4 — Analyse the results

[Screenshot: an example HTML report from dependency-check-gradle showing no vulnerabilities]

With any luck, as the screenshot above shows, you will have no vulnerabilities.

Step 5 — Configure which Gradle configurations to scan

The following app/build.gradle block restricts the scan to the dependency-metadata configurations of the shipped build, leaving out test, androidTest and debug-only dependencies that never reach users.

dependencyCheck {
    scanConfigurations = configurations.findAll {
        // Skip configurations that only feed tests or debug builds
        !it.name.startsWithAny('androidTest', 'test', 'debug') &&
        // Keep only the resolvable dependency-metadata configurations...
        it.name.contains("DependenciesMetadata") && (
            // ...for the api, implementation and runtimeOnly scopes,
            // both the unprefixed ones and the variant-prefixed ones
            it.name.startsWithAny("api", "implementation", "runtimeOnly") ||
            it.name.contains("Api") ||
            it.name.contains("Implementation") ||
            it.name.contains("RuntimeOnly")
        )
    }.collect {
        // The plugin expects configuration names, not configuration objects
        it.name
    }
}

Configuring the plugin to fail the build

Ensuring the build fails is as simple as configuring the failBuildOnCVSS field to a value between 0 and 10. The Common Vulnerability Scoring System (or CVSS) is an open framework for communicating the characteristics and impacts of vulnerabilities. The higher the value the greater the risk. By using a value of zero we can ensure any severity of vulnerability will fail the build.

The following would be added to the app/build.gradle file.

dependencyCheck {
failBuildOnCVSS 0
}

Accepting risks by suppressing vulnerabilities

dependencyCheck {
suppressionFile file("dependency-suppression.xml").toString()
}
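Pulling Steps 1 to 5, the failBuildOnCVSS threshold and the suppression file together, here is a complete app/build.gradle as an added example. It is not a snippet from the article or from the dependency-check project; it assumes the root build.gradle from Step 1 is unchanged and that the suppression file name dependency-suppression.xml from the article is used.

```groovy
// app/build.gradle (added example, not the article's own snippet).
// Assumes the root build.gradle already declares the
// org.owasp:dependency-check-gradle classpath from Step 1.
apply plugin: 'com.android.application'   // already present in an Android app module
apply plugin: 'org.owasp.dependencycheck'

dependencyCheck {
    // Scan only the configurations that end up in the shipped app,
    // excluding androidTest, test and debug dependency graphs.
    scanConfigurations = configurations.findAll {
        !it.name.startsWithAny('androidTest', 'test', 'debug') &&
        it.name.contains('DependenciesMetadata') && (
            it.name.startsWithAny('api', 'implementation', 'runtimeOnly') ||
            it.name.contains('Api') ||
            it.name.contains('Implementation') ||
            it.name.contains('RuntimeOnly')
        )
    }.collect { it.name }

    // Every reported finding has a CVSS score of at least 0,
    // so a threshold of 0 fails the build on any vulnerability.
    failBuildOnCVSS = 0

    // Findings that have been reviewed and accepted are listed in this
    // file rather than by raising the threshold for everyone.
    suppressionFile = file('dependency-suppression.xml').toString()
}

// Make the scan part of the ordinary `check` lifecycle, so `./gradlew check`
// (and therefore `./gradlew build`) runs it for every developer and on CI.
tasks.check.dependsOn(tasks.dependencyCheckAnalyze)
```

With this in place a plain `./gradlew build` fails as soon as any dependency matches a published vulnerability, and the only way to get the build green again is to update the library or to record an explicit, reviewed suppression.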

An example dependency-suppression.xml file may look like the following:

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes>
<![CDATA[
file name: apps-flyer-android-2.3.1.18.jar
old incident that is already fixed
]]>
</notes>
<sha1>43b08c12ae622987b165ede9b3ba099913d2552f</sha1>
<cpe>cpe:/a:appsflyer:appsflyer</cpe>
</suppress>
</suppressions>
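A suppression file is easy to get subtly wrong: an unclosed tag, a misspelt cpe: prefix or a truncated SHA-1 can leave a suppression inert, or, worse, hide a real finding without anyone noticing. The following Gradle task, added here as an example rather than taken from the article or from the dependency-check project, lints dependency-suppression.xml before every scan. It assumes the file sits beside app/build.gradle and that each suppress entry carries notes plus an optional sha1 and cpe, as in the example above.

```groovy
// Added example (not from the article): lint dependency-suppression.xml
// before dependencyCheckAnalyze runs. Assumes the file sits beside this
// app/build.gradle.
task validateSuppressions {
    def suppressionXml = file('dependency-suppression.xml')
    inputs.file suppressionXml
    doLast {
        def problems = []
        // An unbalanced or unclosed tag fails right here with the parser's message.
        def root = new XmlSlurper().parse(suppressionXml)
        root.suppress.eachWithIndex { s, i ->
            def where = "suppress #${i + 1}"

            // Every accepted risk must say why it was accepted.
            if (s.notes.text().trim().isEmpty()) {
                problems << "${where}: add <notes> explaining why the risk is accepted"
            }

            // A SHA-1 pins the suppression to one exact artifact; anything
            // other than 40 hex characters will never match a file.
            def sha1 = s.sha1.text().trim()
            if (!sha1.isEmpty() && !(sha1 ==~ /[0-9a-fA-F]{40}/)) {
                problems << "${where}: <sha1> must be 40 hex characters, got '${sha1}'"
            }

            // CPE identifiers use the 2.2 URI form (cpe:/...) or the 2.3 form (cpe:2.3:...).
            s.cpe.each { c ->
                def cpe = c.text().trim()
                if (!(cpe.startsWith('cpe:/') || cpe.startsWith('cpe:2.3:'))) {
                    problems << "${where}: <cpe> must start with 'cpe:/' or 'cpe:2.3:', got '${cpe}'"
                }
            }
        }
        if (!problems.isEmpty()) {
            throw new GradleException("Invalid dependency-suppression.xml:\n  " + problems.join("\n  "))
        }
    }
}

// Run the lint before every scan so a broken suppression file fails fast.
tasks.dependencyCheckAnalyze.dependsOn(validateSuppressions)
```

Because the task has no declared outputs it is never considered up to date, so the file is re-checked on every scan; keeping the suppression file under code review together with this task gives you an auditable record of which risks were accepted and why.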

Alternative tools

Conclusions

The dependency-check-gradle plugin is a good first step in ensuring the third-party components you use don't have any publicly known vulnerabilities. But herein lies the problem: there may be countless unpublished vulnerabilities, so this tool does not remove the need to analyse a library yourself and judge the severity of any threats it could contain.

#buildsecureapps

Matt Dolan has been eating doughnuts and developing with Android since the dark days of v1.6.
