{"vuid":"VU#787952","idnumber":"787952","name":"Android and iOS apps contain multiple vulnerabilities","keywords":["mobile","crypto"],"overview":"Android apps, including those pre-installed on some mobile devices, contain multiple vulnerabilities. All of these vulnerabilities were reported by Kryptowire. Vulnerabilities in pre-installed apps were presented at DEF CON 26 and a set of different vulnerabilities were previously coordinated by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and National Cybersecurity and Communications Integration Center (NCCIC).","clean_desc":"Many Android mobile devices come with OEM-pre-installed apps. Some apps have been identified as having incorrect access control settings,allowing malicious third-party apps to exploit and bypass system permissions and settings. Additionally,some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access. Kryptowire has released a paper documenting 38 vulnerabilities in various Android smartphone devices. These vulnerabilities are largely attributed to incorrect user permissions and access control settings via pre OEM pre-installed apps,and may be exploitable via malicious third-party apps installed by the user. Two of the vulnerabilities are exploitable via the Android debug bridge(adb). Kryptowire,in collaboration with DHS S&T and the NCCIC,previously discovered and reported the following vulnerabilities. CWE-295:Improper Certificate Validation The software does not validate,or incorrectly validates,a certificate. When a certificate is invalid or malicious,it might allow an attacker to spoof a trusted entity by using a man-in-the-middle(MITM)attack. The software might connect to a malicious host while believing it is a trusted host,or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. 
Vulnerable app: (CVE-2017-13105) Virus Cleaner (Hi Security) - Antivirus, Booster, 3.7.1.1329 CWE-798: Use of Hard-coded Credentials The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. Vulnerable apps: (CVE-2017-13100) The Moron Test, 6.3.1, 2017-05-04, iOS (CVE-2017-13101) musical.ly - your video social network, 6.1.6, 2017-10-03, iOS (CVE-2017-13102) Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS (CVE-2017-13104) UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS (CVE-2017-13105) Virus Cleaner (Hi Security) - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android (CVE-2017-13106) CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android (CVE-2017-13107) Live.me - live stream video chat, 3.7.20, 2017-11-06, Android (CVE-2017-13108) DFNDR Security: Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android **REJECT** DO NOT USE THIS CANDIDATE NUMBER (CVE-2017-13103) This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. The CVSS score below reflects a worst-case scenario of code execution as a system user, however many devices and vulnerabilities have significantly lower impacts and therefore lower CVSS scores.","impact":"The impacts are wide-ranging depending on the device, however a remote unauthenticated attacker may be able to at worst execute commands as a system user if a victim can be enticed to install a malicious app capable of exploiting the vulnerability. Affected users are encouraged to review the specific impacts in the paper from Kryptowire.","resolution":"Apply an update If available, update your device's system version of Android and apply any available Google Play / Apple Store updates to installed apps.","workarounds":"Use caution installing third-party apps Apps should be installed only from official sources. 
Users should consider if any given third-party app is necessary to the usage of the device and take appropriate action.","sysaffected":"","thanks":"Thanks to Brian Schulte at Kryptowire for reporting this vulnerability.","author":"This document was written by Laurie Tyzenhaus and Garret Wassermann.","public":["https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Ryan%20Johnson%20and%20Angelos%20Stavrou%20-%20Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-Updated.pdf","https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Ryan%20Johnson%20and%20Angelos%20Stavrou%20-%20Updated/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf","http://cwe.mitre.org/data/definitions/295.html","http://cwe.mitre.org/data/definitions/798.html","https://www.dhs.gov/sites/default/files/publications/Securing%20Mobile%20Apps%20for%20First%20Responders%20v13_Approved_Final_508.pdf","https://www.dhs.gov/science-and-technology/news/2017/12/18/news-release-st-pilot-project-helps-secure-first-responder"],"cveids":["CVE-2017-13100","CVE-2017-13101","CVE-2017-13102","CVE-2017-13104","CVE-2017-13105","CVE-2017-13106","CVE-2017-13107","CVE-2017-13108","CVE-2017-13103"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2017-05-06T05:35:36Z","publicdate":"2018-08-10T00:00:00Z","datefirstpublished":"2018-08-14T23:48:53Z","dateupdated":"2018-09-14T19:19:57Z","revision":67,"vrda_d1_directreport":"1","vrda_d1_population":"4","vrda_d1_impact":"4","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"H","cvss_authentication":null,"cvss_confidentialityimpact":"C",
"cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"H","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.6","cvss_basevector":"AV:N/AC:H/Au:N/C:C/I:C/A:C","cvss_temporalscore":"6","cvss_environmentalscore":"5.9587327296","cvss_environmentalvector":"CDP:ND/TD:H/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}