ParseDroid Threatens All Android App Development

Vulnerabilities in Android developer tools—collectively dubbed ParseDroid—are putting every organization that does any type of Java/Android development at great risk, new analysis has concluded.

According to the Check Point research team, both downloadable and cloud-based developer tools used by the Android application ecosystem (the largest application community in the world), including the tools that all Java/Android programmers use to build their companies’ business applications and that security analysts and reverse engineers use to do their work, are affected.

“Through our own research we have found several vulnerabilities that affect the most common Android IDEs – Google’s Android Studio and JetBrains’ IntelliJ IDEA and Eclipse, as well as the major reverse engineering tools for Android applications such as APKTool, the Cuckoo-Droid service and more,” the firm said, in a technical analysis.

In one example, Check Point examined the source code of APKTool, a tool used for supporting custom platforms, analyzing applications and much more, including the decoding and rebuilding of resources, and identified an XML External Entity (XXE) vulnerability, “due to the fact that the configured XML parser of APKTool does not disable external entity references when parsing an XML file within the program.” The vulnerable function is called loadDocument, and it is used in both core functionalities of APKTool.

The vulnerability exposes the whole OS file system of APKTool users; as a result, attackers could potentially retrieve any file on the victim’s PC and send it to a remote attacker-controlled server.

“This attack scenario is just one of many possible XXE attack techniques that could lead to harmful outcomes,” Check Point said. It went on to note that further vulnerabilities would allow full remote code execution: “Indeed, the Path Traversal method lets us copy any file to any location on the file system, making the attack surface wide and various.”

Google and JetBrains have verified and acknowledged the security issues and have since effectively deployed a fix—so it’s critical that developers update their code in any past and current applications to head off espionage and more.
