Beware the IDEs of Android: three biggies have vulnerabilities

Android Studio, Eclipse, and IntelliJ IDEA stabbed in the back by an XML parser

By Richard Chirgwin


Developers using the Android Studio, Eclipse, and IntelliJ IDEA have been advised to update their IDEs against serious and easily-exploitable vulnerabilities.

Check Point Software Technologies went public with the bugs on December 4, but said it made its discoveries in May 2017.

Initially, Check point's four researchers (Eran Vaknin, Gal Elbaz, Alon Boxiner, and Oded Vanunu) went looking for possible bugs in the APKTool reverse-engineering app, finding an XML External Entity (XXE) bug.

“The configured XML parser of APKTool does not disable external entity references when parsing an XML file within the program”, they wrote, noting the bug affected both its “Build” and “Decompile” functions, attackable using a malicious AndroidManifest.xml file.

Realising the enormity of this vulnerability to the Android developer and researcher community, we extended our research to the vulnerable XML parser called “DocumentBuilderFactory”, which is being used in APKTool project.

What makes this capital-B “Bad” is that the parser was also present in the Eclipse, IntelliJ and Android Studio integrated development environments (IDEs).

All the attacker need to is trick the IDE into loading a malicious XML manifest file, the researchers said.

Furthermore, an attacker doesn't need to hit their victim directly, by “injecting a malicious AAR (Android Archive Library) containing our XXE payload into repositories … Cloning the infected AAR from the repository by the victim would allow the attacker to steal sensitive files such as configuration files, source code, company digital proprietary and much more from the OS file system.”

But wait, there's more: another vulnerability in APKTool allowed the researchers to executive malicious code on a victim's PC, by manipulating a the APKTOOL.YML configuration file.

Check Point noted that the IDEs and tools have since been patched. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Due to Oracle being Oracle, Eclipse holds poll to rename Java EE (No, it won't be Java McJava Face)

Nor C-- or Should Have Used Go or Screw Ellison...

Mega-bites of code: Python snakes into 1st place for cyber-attacks

Hackers share general public's love of popular programming language

A spot of Python in your Azure automation? Step right this way, sir

Python 2 support for runbooks slithers out of preview

Using Python in Visual Studio Code? Microsoft has new toys for you

You will use the new debugger and you will like it, OK?

New Python update slithers into release

Behold, the new, faster version 3.7, with nanosecond timing, data classes and docs in more (human) languages

Microsoft Visual Studio Code replumbed for better Python taming

Python Language Server an option for those that code

Redis does a Python, crushes 'offensive' master, slave code terms

Campaign to rid programming of hurtful words finds a sequel in noSQL database project

Pleasant programming playground paves popular Python path

Shrew'd thinking: Code Shrew helps peeps who want to, or need to, gobble a slice of Py

New Monty Python movie to turn old jokes into new royalties

You silly English k-niggits will probably flock to see Spamalot the musical movie

Hooray: Google App Engine finally ready for Python 3 (and PHP 7.2)

'OG of serverless' gets modern makeover