In a follow up post, we’ll take a look at finding and fixing them with Snyk Code. In this post, we’ll explore these Andoid Intent-based vulnerabilities to see why and how they work. By analyzing the top applications in 50 categories, Snyk discovered vulnerabilities in various applications including a popular shopping app, a social network app, a client for Reddit and more. This allows triggering injection and redirection attacks resulting in leaking private data stored by the app. Intents are used by internal components to communicate with each other as well as to access exported components of other applications.
Our focus was on security issues involving intents - objects used for launching an operation that is to be performed by a component of the app. To do so, we leveraged Snyk Code to analyze and search for vulnerabilities in applications uploaded to the Google Play store. After discovering and then publishing our findings on SourMint - the malicious iOS ad SDK - the Snyk Security Team decided to dig deeper in the Android ecosystem. Our phones know a lot about us, so it’s important we can trust them.
0 kommentar(er)
