Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Mobile App Reputation Services (MARS) vulnerability information for Mobile Security (TMMS) for Enterprise

    • Updated:
    • 18 Jan 2016
    • Product/Version:
    • Mobile Security for Enterprise 9.0
    • Mobile Security for Enterprise 9.1
    • Mobile Security for Enterprise 9.2
    • Platform:
    • Android 2.3 Gingerbread
    • Android 3.x Honeycomb
    • Android 4.0 Ice Cream Sandwich
    • Android 4.1 Jellybean
    • Android 4.2 Jellybean
    • Android 4.3 Jellybean
    • iOS 5.0+
    • iOS 6.0+
    • iOS 7.0+
    • iOS 9.2
    • Windows Phone 8.0
Summary

This article is a compilation of MARS vulnerability detection names and corresponding details.

Details
Public
Detection NameDescriptionDetails
AndroidAppVul_ActTaskAffinity.MARSActivities: taskAffinity Is Specified.

The intents that relative Activity specified taskAffinity may be read by other applications, which may have led to the leak of sensitive information. On the other hand, the settings may lead the switch among Activities to confusion.

In Android OS, Activities are managed by tasks. Task names are determined by the affinity that the root Activity has. For Activities other than root Activities, the task to which the Activity belongs is not only determined by the Affinity, but it also depends on the Activity’s launch mode.

In the default setting, each Activity uses its package name as its affinity. As a result, tasks are allocated according to application, so all Activities in a single application will belong to the same task. To change the task allocation, you can make an explicit declaration for the affinity in the AndroidManifest.xml file, or you can set a flag in an Intent sent to an Activity. However, if you change task allocations, there is a risk that another application could read the Intents sent to Activities that belongs to another task.

AndroidAppVul_ActLaunchMode.MARSActivities: launchMode Is Specified.

The root Activity is the Activity, the starting point of a task. In other words, this is the Activity that was launched when task was created. According to Android specifications, the contents of Intents sent to the root Activity can be read from arbitrary applications. It is necessary to be careful that sensitive information is not sent to the root Activity.

The Activity launch mode is used to control the settings for creating new tasks and Activity instances when starting an Activity. By default it is set to standard. In the standard setting, new instances are always created when starting an Activity, tasks follow the ones that belong to the calling Activity; it is not possible to create a new task. When a new task is created, it is possible for other applications to read the contents of the calling Intent so it is required to use the “standard” Activity launch mode when sensitive information is included in an Intent.

The Activity launch mode can be explicitly set in the android:launchMode attribute in the AndroidManifest.xml file. This should not be set in the Activity declaration and the value should be kept as the default standard.

If the launchMode of an Activity is not standard, then other applications may read the sensitive information therein.

AndroidAppVul_ActExported.MARSActivities: Exported Attribute Not Explicitly Set as False.Activities intended for a particular application should not be able to receive any Intent from other applications. Developers often assume that Activities intended as private will not be attacked, but it is necessary to explicitly make these Activities private in order to stop malicious intent.
AndroidAppVul_ActIntentFilter.MARSActivities:Contains Intent-filter While Setting the Exported Attribute as False.An Activity used only within the same application should not be designed with the setting Intent-filter. Because of the characteristics of Intent-filter, a public Activity of other applications may be called unexpectedly by calling through Intent-filter even though a private Receiver within the same application is called.
AndroidAppVul_ActNewTask.MARSActivities: Set FLAG_ACTIVITY_NEW_TASK Flag for Intent Start an Activity.

The root Activity is the Activity, the starting point of a task. In other words, this is the Activity that was launched when task was created. According to Android specifications, the contents of Intents sent to the root Activity can be read from arbitrary applications. It is necessary to be careful that sensitive information is not sent to the root Activity.

Using FLAG_ACTIVITY_NEW_TASK, the launch mode of an Activity, can be changed when executing startActivity() or startActivityForResult(). In some cases, a new task may be generated. The launched Activity may be the root Activity in the new Task stack. Therefore, it is necessary to not change the launch mode of an Activity during execution.

AndroidAppVul_ActResultReturn.MARSActivities: Result Return in Activity.When you return data from Activity, the reliability of the destination application will depend on the Activity type. When Public Activities are used to return data, the destination may turn out to be malware wherein information could be used maliciously.
AndroidAppVul_ActLaunchNotBySpecClass.MARSActivities: Launch Activity Not By Specified Class.When using an Activity by implicit Intents, the Activity in which the Intent gets sent to is determined by the Android OS. If the Intent is mistakenly sent to malware, information can leak. On the other hand, when using an Activity by explicit Intents, only the intended Activity will receive the Intent, which is much safer.
AndroidAppVul_BrdcstNotFalse.MARSBroadcasts: Exported Attribute Not Explicitly Set as False.The Broadcast Receiver, which is used only in the application, should be set as private to avoid receiving broadcasts from other applications unexpectedly. It will prevent application function abuse or unusual behaviors.
AndroidAppVul_BrdcstIntentFilter.MARSBroadcasts:Contains Intent-filter While Setting the Exported Attribute as False.Receiver used only within the same application should not be designed with the setting Intent-filter. Because of the Intent-filter characteristics, a public Receiver of other applications may be called unexpectedly by calling through Intent-filter even though a private Receiver within the same application is called.
AndroidAppVul_BrdcstResultReturn.MARSBroadcasts: Result Return in Receiver.The reliability of the application that returns result information varies, depending on the types of the Broadcast Receiver. In case of public Broadcast Receiver, the destination application may be malware. The result information run the risk of being used maliciously should this happen.
AndroidAppVul_BrdcstSendNotByClass.MARSBroadcasts: Send Broadcasts to Receivers Not By Specified Class.When sending broadcasts, the receiver in which the Intent gets sent to is determined by the Android OS. If the Intent is mistakenly sent to malware, information can leak. On the other hand, when using a receiver by explicit Intents, only the intended receiver will receive the Intent, which is much safer.
AndroidAppVul_CpExportedAsFalse.MARSContent Providers: Exported Attribute as False Setting in Android < 2.3, minSDkVersion < 9 Is Invalid.Private setting for a Content Provider does not work in Android 2.2 (API Level 8) or earlier. To share a data in the same application, access a data storage location such as a data base instead of using a Content Provider.
AndroidAppVul_CpExported.MARSContent Providers: Exported Attribute Not Explicitly Set as False.Content Provider, used only in a single application, should be set as private explicitly. It should be a private Content Provider. In Android 2.3.1 (API Level 9) or later, Content Provider can be set as private by specifying android:exported=“false” in provider element.
AndroidAppVul_CpFlagReadUri.MARSContent Providers: Use FLAG_GRANT_READ_URI_PERMISSION.Temporary permit Content Provider is basically a private Content Provider, but this permits particular applications to access a particular URI. By sending an Intent with special flag FLAG_GRANT_READ_URI_PERMISSION specified to the target applications, temporary access permission is provided to those applications.
AndroidAppVul_CpSqlInj.MARSContent Providers: Risk of SQL Injection.

Directly appending input string to SQL command may lead to serious SQL injection problem.

To prevent SQL injection, when incorporating the arbitrary input value to SQL statement, placeholder should be used.

Other applications can call current Service, which may lead to unusual behavior.

AndroidAppVul_SvcExported.MARSServices: Exported Attribute Not Explicitly Set as False.Service that is used only in an application (or in same UID) must be set as Private. It avoids the application from receiving Intents from other applications unexpectedly. This eventually prevents damages, such as application functions are abused or application behavior becomes unusual.
AndroidAppVul_SvcIntentFilter.MARSServices: Contains Intent-filter While Setting the Exported Attribute as False.Do not set Intent-filter when Service is used only within the application. The reason is that, due to the characteristics of Intent-filter, public Service in other applications may be called unexpectedly though the Intent to call private Service within the application.
AndroidAppVul_SvcStartNotByClass.MARSServices: Start/Bind Services Not By Specified Class.When using a Service by implicit Intents, the Service in which the Intent gets sent to is determined by the Android OS. If the Intent is mistakenly sent to malware, information can leak. On the other hand, when using a Service by explicit Intents, only the intended Service will receive the Intent, which is much safer.
AndroidAppVul_SqlDateInPublic.MARSSQLite: DB File Stored in Public Folders or SD Card.Considering the protection of DB file data, it is very important to consider the DB file location setting. Anybody can read/modify the content of the database file stored in an SD card or other public folders.
AndroidAppVul_SqlPublicAccess.MARSSQLite: Access Right Not Set to MODE_PRIVATE.It is very important to specify the right access settings of the database file. Other applications can read/modify the content of the database file that are not set to MODE_PRIVATE.
AndroidAppVul_FileWritable.MARSFiles: File Created with MODE_WORLD_WRITABLE.When permitting other applications to write files by setting the mode to MODE_WORLD_WRITABLE when the file is created, the information stored in files cannot be controlled. Therefore, from a security point of view, sharing information by using write public files should is not considered.
AndroidAppVul_FileInPublic.MARSFiles: File Stored in Public Folders or SD Cards.From a security and functional points of view, storing files in external memory devices, like SD cards, may lead to potential problems.
AndroidAppVul_SpPublicAccess.MARSShared Preference: Access Right Not Set to MODE_PRIVATE.Settings in “Shared Preference” are stored in files. Regarding access permission setting, shared preference should be created as private files. Sharing contents should be achieved in the inter-application linkage system of Android.
AndroidAppVul_BrosableIntent.MARSBrowsable Intent: The Activity Receives Browsable Intent.

An Activity of Android application can be launched from browser that corresponds with a Web page link. This feature is called the “Browsable Intent”. By specifying URI scheme in AndroidManifest.xml, an application responds to the transition in the link (user tap, etc.) that has its URI scheme. The application is launched with the link as a parameter.

It is a very convenient function. This function may be abused by a malicious third party. They can abuse the application functions through a malicious website in which the URL has an incorrect parameter. They can also get the information, which is included in URL, by luring a smartphone owner into installing the malware that responds to the same URI scheme.

AndroidAppVul_LogPrint.MARSLog: Print Log With System.out/err.When outputting log, generally, use the most appropriate output method based on the urgency of the information, and control the output. For example, categories like serious error, caution, and simple application’s information notice are to be used. However, by using System.out/err, information that need to be outputted at the time of release (operation log information) and those that may be classified as information (development log information) are outputted the same method. Developers should remove the code that output sensitive information. But because all log are made through the same method, the developer may forget to remove the sensitive log, exposing sensitive information to possible leaks through the logs. To decrease its possibility, it’s recommended to use only methods of android.util.Log class.
AndroidAppVul_LogD.MARSLog: Includes Log.d()/v().Logs outputted in Logcat can be read out from other applications in some of the earlier versions of Android OS. Sensitive information should not be outputted by release version application. During development, debug and detailed information may be printed for convenience by using Log.d()/v(). It’s necessary to delete all of such codes before release.
AndroidAppVul_WebvJavaScriptInPublic.MARSWebView: Enable JavaScript with Untrusted Servers or Files Stored in Pubic Folders.

JavaScript can be enabled only if the application accesses services managed in-house. Do not enable JavaScript if there is a possibility of accessing services not managed in-house.

In addition, JavaScript has to be disabled if the contents are stored in external storage devices, such as external storage devices, because other applications can modify the contents.

AndroidAppVul_WebvIgnoreError.MARSWebView: Ignore Errors in onReceivedSslError.

SSL error shows invalid server certification risk or man-in-the-middle (MitM) attack risk. Please note that WebView has NO error notice mechanism regarding SSL error. Therefore, your application has to show the error notice to inform the risk to the user.

In addition, your application MUST terminate the communication with the error notice. In other words, you MUST NOT do following:

  • Ignore the error to keep the transaction with the service.
  • Retry HTTP communication instead of HTTPS.
AndroidAppVul_WebvLocalJavaObj.MARSWebView: Inserts Local Java Objects.Android allows programs to insert a local Java object into WebView. The inserted object may be leveraged by remote JavaScript to execute dangerous code on the phone.
AndroidAppVul_WebvLocalCache.MARSWebView: WebView Cache Not Cleaned.Some information browsed by WebView may be stored in its cache file. It is possible that other applications can analyze the cache file and get the sensitive information.
AndroidAppVul_WebvJavaBridge.MARSWebView: Not Delete Function Export of searchBoxJavaBridge_.Prior to Android 4.2, an embedded Java object called searchBoxJavaBridge_ is inserted by Android to WebView. This object may be leveraged by remote JavaScript to execute dangerous code on the phone.
AndroidAppVul_PwdRemember.MARSPassword and Security Token: UI with Remember Password.If an application has function of remembering a password, the password must be stored in file on local storage. If the Android device is not trusted, for rooted device, other applications with root privilege granted can steal the credential information from your saved file. When the device is lost, the person who gets hold of the device can login with the remembered password.
AndroidAppVul_PwdNotBlind.MARSPassword and Security Token: Password Not Blind.A smartphone is often used in crowded places like in public transportation facilities. In such an instance, the user runs the risk of exposing his password. The function to mask the display password is necessary as an application specification.
AndroidAppVul_PwdScreenshot.MARSPassword and Security Token: Not Use FLAG_SECURE Against Screenshot.Malware may take screenshots to get user’s input information, including username and password. The function of flag is against screenshot.
AndroidAppVul_PermNotUsed.MARSPermissions: Declared but Unused Permissions.Any Android system application can invoke a component that belongs to other applications. If an application has unused permissions and, unfortunately, vulnerabilities, malware may leverage the vulnerability of your program to do other things that the malware does not have permission to do.
AndroidAppVul_PermProtLevel.MARSPermissions: Defined Permission with Protection Level of Dangerous and Normal.

A user-defined Normal permission is a low-risk permission that gives requesting applications access to isolated application-level features, with minimal risk to other applications, the system, or the user. The system automatically grants this type of permission to a requesting application at installation, without asking for the user’s explicit approval (though the user always has the option to review these permissions before installation).

A user-defined Dangerous permission is a high-risk permission that would give a requesting application access to private user data or control over the device that can have a negative impact on the user. Because this type of permission introduces potential risks, the system may not automatically grant it to the requesting application. Any dangerous permissions requested by an application will be displayed to the user and require confirmation before proceeding.

For user-defined normal permission, other applications can directly declare to use it, as defined by the user, and the system will grant it to that application upon installation. For dangerous permission, user will be prompted with a dialog box to provide approval. However, this is mostly overlooked and ignored, with user just clicking “OK” or “accept”. Hence, the assets your application wants to protect cannot be protected.

AndroidAppVul_AcntAsPublicSvc.MARSAccounts: Declared android.accounts.AccountAuthenticator as Public Service.Account Manager is the Android OS’s system that centrally manages account information (account name, password) necessary for applications to access online services and authentication tokens. In order to do this, a user needs to register the account information to Account Manager. When an application tries to access an online service, Account Manager will automatically provide application authentication token after getting the user’s permission. The advantage of Account Manager is that an application doesn’t need to handle the extremely sensitive information. In this case, the password. The service that gives Account Manager IBinder of Authenticator is defined in AndroidManifest.xml. Specify resource XML file where Authenticator is written, by metadata. The service that provides an authenticator must be private. If AccountAuthenticator service is public, then other applications may be able to access sensitive information.
AndroidAppVul_HttpWithoutSSL.MARSHTTPS: Uses Insecure HTTP.In HTTP transaction, sent and received information might be sniffed or tampered with; the connected server might be masked. Sensitive information must be sent and received by HTTPS communications.
AndroidAppVul_HttpX509TrustManager.MARSHTTPS:Uses Insecure Inherit X509TrustManager.It is insecure to customize X509TrustManager and trust any certificate from server. When this insecure trust manager is applied to the code, the program will not verify the certificate validity of server. An attacker may use the vulnerability to hijack the connection and get sensitive information being sent between client application and server.
AndroidAppVul_HttpsHostInsecureVerify.MARSHTTPS: Uses Insecure Inherited Class from HostnameVerifier.It is insecure to customize HostnameVerifier and skip certificate verification by returning true at any time. When insecure verifier is applied to the code, the program will not verify the certificate validity of server. An attacker may use the vulnerability to hijack the connection and get sensitive information being sent between client application and server.
AndroidAppVul_HttpsHostAllowAll.MARSHTTPS:Set SSLSocketFactory’s Host Verifier to ALLOW_ALL_HOSTNAME_VERIFIER.If developer sets SSLSocketFactory instance’s host verifier to ALLOW_ALL_HOSTNAME_VERIFIER, program will not verify the certificate validity of server. An attacker may use the vulnerability to hijack the connection and get sensitive information being sent between client application and server.
AndroidAppVul_HttpsHostInsecureApacheVerify.MARSHTTPS:Uses Insecure org.apache.http.conn.ssl.AllowAllHostnameVerifier.If developer creates an instance of class org.apache.http.conn.ssl.AllowAllHostnameVerifier, and set it as https connection’s host verifier, program will not verify the certificate validity of server. An attacker may use the vulnerability to hijack the connection and get sensitive information being sent between client application and server.
AndroidAppVul_HttpsUseInsecureSslFactory.MARSHTTPS:Uses Insecure SSLCertificateSocketFactory Instance.SSLCertificateSocketFactory provides static function called getInsecure to create an insecure socket factory skipping of SSL certificate chain validation and when connecting to the server and negotiating a SSL session.
AndroidAppVul_HttpWithoutSSL.MARSHTTPS: Uses Insecure HTTP to Send Information.In HTTP transaction, sent and received information might be sniffed or tampered with; Sensitive information must be sent and received by HTTPS communications. Uses Insecure HTTP to Send Information may cause digital info leak
AndroidAppVul_ClpbdEditTestLongClickable.MARSClipboard: EditText Enabled longClickable Attribute.If there’s a View that displays sensitive information in an application (the information is allowed to be copied/cut like EditText in the View), the information may be leaked via Clipboard. Therefore, copy/cut must be disabled in View where sensitive information is displayed. Copy/cut shall not be allowed on the program’s important activities with EditText for user to input sensitive information.
AndroidAppVul_MarkAsDebuggale.MARSOthers: Marked as Debuggable.Developer can explicitly open the application to be debuggable by adding android:debuggable=“true” in AndroidManifest.xml. When this option is turned on, other applications can connect to your application at run time, read, modify data, and change your program’s working flow.
AndroidAppVul_AppIssuerNotVerified.MARSOthers: Not Verify the Signature of App Issuer.Android applications are very easy to repack. Hackers can get the original APK, add malicious code, and release it. Hence, it is necessary for the program itself to verify the signature of the app issuer.
AndroidAppVul_CodeNotObfuscated.MARSOthers: Codes Not Obfuscated.There are a lot of mature tool chains to decompile APK. If codes are not obfuscated, it would be easy for crackers to disassemble the code and analyze the application’s underlying work flow. By obfuscating the code, which will remove the essential information on your function and variable names, the analyzing effort for cracker will be greatly increased.
AndroidAppVul_ClickFraud.MARSOthers: No Protection Against Click Fraud.Some malware fake a transparent toast at top on important activities. Since the toast is transparent, user can still see the real activity and will have the impression that he is operating it. Any information in use on the activity can be hijacked by the faked toast, which is very dangerous. To protect against this, application must use the function setFilterTouchesWhenObscured(true) or set android:filterTouchesWhenObscured on very important activities to avoid sensitive information leak.
AndroidAppVul_BugExtraIntentCheck.MARSBugs: Extra of Intent Is Null Not Checked.If the code uses getExtra(), getBundleExtra(), getCharExtra(), etc., to get an incoming intent’s parameter, one must check whether the return value is null or not. Because directly using null result will lead program to throw a null point exception, and crash. Malware can leverage this vulnerability to attack your application.
AndroidAppVul_AllowBackup.MARSOthers: allowBackup Attribute Not Explicitly Set as False.allowBackup attribute of AndroidManifest.xml decide whether application can save and restore data. Its default value is “true”. If developer does not explicitly set the allowBackup attribute as false, an attacker can easily use adb to copy application’s backup data, which may contain confidential information.
Premium
Internal
Rating:
Category:
SPEC
Solution Id:
1113205
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.