Beware the IDEs of Android: three biggies have vulnerabilities

Android Studio, Eclipse, and IntelliJ IDEA stabbed in the back by an XML parser

By Richard Chirgwin

Posted in Security, 6th December 2017 04:54 GMT

Developers using the Android Studio, Eclipse, and IntelliJ IDEA have been advised to update their IDEs against serious and easily-exploitable vulnerabilities.

Check Point Software Technologies went public with the bugs on December 4, but said it made its discoveries in May 2017.

Initially, Check point's four researchers (Eran Vaknin, Gal Elbaz, Alon Boxiner, and Oded Vanunu) went looking for possible bugs in the APKTool reverse-engineering app, finding an XML External Entity (XXE) bug.

“The configured XML parser of APKTool does not disable external entity references when parsing an XML file within the program”, they wrote, noting the bug affected both its “Build” and “Decompile” functions, attackable using a malicious AndroidManifest.xml file.

Realising the enormity of this vulnerability to the Android developer and researcher community, we extended our research to the vulnerable XML parser called “DocumentBuilderFactory”, which is being used in APKTool project.

What makes this capital-B “Bad” is that the parser was also present in the Eclipse, IntelliJ and Android Studio integrated development environments (IDEs).

All the attacker need to is trick the IDE into loading a malicious XML manifest file, the researchers said.

Furthermore, an attacker doesn't need to hit their victim directly, by “injecting a malicious AAR (Android Archive Library) containing our XXE payload into repositories … Cloning the infected AAR from the repository by the victim would allow the attacker to steal sensitive files such as configuration files, source code, company digital proprietary and much more from the OS file system.”

But wait, there's more: another vulnerability in APKTool allowed the researchers to executive malicious code on a victim's PC, by manipulating a the APKTOOL.YML configuration file.

Check Point noted that the IDEs and tools have since been patched. ®

Sign up to our NewsletterGet IT in your inbox daily

3 Comments

More from The Register

Due to Oracle being Oracle, Eclipse holds poll to rename Java EE (No, it won't be Java McJava Face)

Nor C-- or Should Have Used Go or Screw Ellison...

New Monty Python movie to turn old jokes into new royalties

You silly English k-niggits will probably flock to see Spamalot the musical movie

Eclipse Foundation pushes faster, cloudier Jakarta EE

Platform fka Java EE gets new governance model, hopes for bigger community

Oracle Access Manager is a terrible doorman: Get patching this bug

Security tool can be gamed to let any old riffraff into data

Umm, Oracle – about that patch? It might not be very sticky ...

Security researcher says WebLogic fix can be bypassed, posts proof-of-concept

SAP okays Java EE being Eclipsed, six months after Oracle's announcement

But warns it will bail if something better comes along

Data scientist wanted: Must have Python, spontaneity not required

Review of job ads pins average salary at £47k

Frenchman comes eye to eye with horror toilet python

'I could very well have been bitten in a sensitive place, if you know what I mean'

Git security vulnerability could lead to an attack of the (repo) clones

Best git patching y'all

Python explosion blamed on pandas

Data science fad just won't die