There has been lots of press about the recent Samsung keyboard vulnerability. The vulnerability arises because the keyboard downloads new language packs while running in a privileged context, and that download can be hijacked on the network to run arbitrary code.
Many articles mentioning this vulnerability are over-sensational, because it's very unlikely that the user/app would download a new language pack AND be on a hijacked network taking advantage of the vulnerability. However, I think it's more useful to pull apart the vulnerability and look for simple learnings to apply to other existing and new apps.
There are three main problems…
- The app is run in a privileged context because it is signed with Samsung's private signing key. Learning: Minimise Permissions. This advice applies as much to Android permissions as it does to (in this case) signing.
- The app downloads extra functionality without validating it. Learning: Perform Extra Validation on Code Loaded Externally.
- The app takes no steps to ensure the network connection can't be hijacked. Learning: Use Encrypted HTTP for Sensitive Data, Check for Security Exceptions and Consider Using SSL Pinning.
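As an added example (my own illustration, not code from the original post or from Samsung's keyboard), this is the shape of the second learning on Android: anything downloaded is verified against a public key shipped inside the APK before it is handed to a class loader or installed. It uses only the JDK's `java.security` API; the key pair, the `LanguagePackVerifier` name and the sample pack bytes are constructed for the demo, and a real app would ship only the public key.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

// Hypothetical helper: checks a downloaded language pack against a detached
// signature before the app does anything with it (extract, install, load).
public final class LanguagePackVerifier {
    private final PublicKey trustedKey; // baked into the APK, never downloaded

    public LanguagePackVerifier(PublicKey trustedKey) {
        this.trustedKey = trustedKey;
    }

    // Returns true only if the signature over the exact bytes received verifies.
    // Any error (bad encoding, wrong algorithm, tampered bytes) is a rejection.
    public boolean isAuthentic(byte[] pack, byte[] signature) {
        try {
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(trustedKey);
            verifier.update(pack);
            return verifier.verify(signature);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: the vendor signs at build time, the app only verifies.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair vendorKeys = kpg.generateKeyPair();

        byte[] pack = "constructed language pack contents".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(vendorKeys.getPrivate());
        signer.update(pack);
        byte[] sig = signer.sign();

        LanguagePackVerifier v = new LanguagePackVerifier(vendorKeys.getPublic());
        System.out.println("genuine pack accepted: " + v.isAuthentic(pack, sig));

        // A pack altered in transit (one flipped bit) must fail verification.
        byte[] tampered = pack.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered pack accepted: " + v.isAuthentic(tampered, sig));
    }
}
```

Verification only helps if the pack is written to app-private storage after the check and the loader never reads from a world-writable location; otherwise the bytes can be swapped between check and use.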