- java
- security
- framework specific
- mobile
- Android
Dynamically loading code from unknown sources is not recommended. This can lead to remote code injection. Also note that dynamically loading code from a known location but over an unsafe connection can result in attacks (i.e., the downloaded code can be tampered with). Similarly, dynamic installation of APK files should be prevented.
Prevent writing code which can dynamically execute code from other sources. Dynamically loading APK files is also discouraged. This functionality will usually fail since this is a settings option that is disabled by default for security reasons.
Either remove the offending code or use a third-party library such as Grab-n-Run which offers secure dynamic loading of code. A secure code example which uses Grab-n-Run is given below.
Correct code exampleString jarContainerPath = "some.apk";
try {
Map<String, URL> packageNamesToCertMap = new HashMap<String, URL>();
packageNamesToCertMap.put("com.example", new URL("certificate.pem"));
SecureLoaderFactory mSecureLoaderFactory = new SecureLoaderFactory(this);
SecureDexClassLoader mSecureDexClassLoader = mSecureLoaderFactory.createDexClassLoader(
jarContainerPath,null,getClass().getClassLoader(), packageNamesToCertMap);
Class<?> loadedClass = mSecureDexClassLoader.loadClass("com.example.MyClass");
} catch (...) {
...
}
Resources
id: scw:android:createPackageContext
version: 10
metadata:
name: 'Code Injection: Prevent use of CreatePackageContext'
shortDescription: Do not use the createPackageContext to dynamically load code
level: warning
language: java
enabled: true
comment: ""
descriptionFile: descriptions/java_android_avoid_dynamically_loading_code.html
tags: security;framework specific;mobile;Android
search:
methodcall:
name: createPackageContext
type: android.content.Context
availableFixes:
- name: Remove this methodcall
actions:
- remove:
target: self