(Fortify) Category: Android Bad Practices: Missing Google Play Services Updated Security Provider (1 Issues)

We are scanning my Android source code with Fortify, but I cannot get rid of this issue:

Category: Android Bad Practices: Missing Google Play Services Updated Security Provider (1 Issues)

Fortify points to this line of code:

tools:replace="android:allowBackup">

AndroidManifest.xml:37 null()
  <application
    android:name=".test"
    android:allowBackup="false"
    android:hardwareAccelerated="true"
    android:icon="@mipmap/ic_launcher"
    android:label="@string/app_name"
    android:networkSecurityConfig="@xml/network_security_config"
    android:supportsRtl="true"
    android:theme="@style/AppTheme"
    tools:replace="android:allowBackup"> <!--FORTIFY POINTS TO THIS LINE-->

Fortify recommendation:

The simplest way to patch the security provider is to call the synchronous method installIfNeeded(). This is appropriate if user experience won't be affected by the thread blocking while it waits for the operation to finish, otherwise it should be done in an asynchronous way.

More information about this issue

I followed Android's "Update your security provider to protect against SSL exploits"

and tried both methods:

installIfNeeded() and installIfNeededAsync()

But the issue persists. I tested my code and it works fine.

Here is my manifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="test">

    <uses-permission android:name="android.permission.INTERNET" />

    <application
        android:name=".test"
        android:allowBackup="false"
        android:hardwareAccelerated="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:networkSecurityConfig="@xml/network_security_config"
        android:supportsRtl="true"
        android:theme="@style/AppTheme"
        tools:replace="android:allowBackup">

        <meta-data
            android:name="com.google.android.gms.version"
            android:value="@integer/google_play_services_version" />

        <provider
            android:name=".syncadapter.StubProvider"
            android:authorities="com.neseapl.nyp.provider"
            android:exported="false"
            android:syncable="true"/>

        <service
            android:name=".syncadapter.SyncService"
            android:exported="false">
            <intent-filter>
                <action android:name="android.content.SyncAdapter" />
            </intent-filter>
            <meta-data
                android:name="android.content.SyncAdapter"
                android:resource="@xml/syncadapter" />
        </service>

        <service
            android:name=".syncadapter.AuthenticatorService">
            <intent-filter>
                <action android:name="android.accounts.AccountAuthenticator"/>
            </intent-filter>
            <meta-data
                android:name="android.accounts.AccountAuthenticator"
                android:resource="@xml/account_authenticator" />
        </service>

        <activity
            android:name=".activities.Test"
            android:configChanges="orientation|screenSize">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

Is anything missing from my manifest? Thanks!

I recently ran into a similar problem with Fortify. As Silvia Ragui pointed out, Fortify does not analyze this runtime process correctly. Although installIfNeeded() and installIfNeededAsync() will update the security provider in an actual deployment of your APK, they do not seem to clear the error when you resubmit to Fortify.

However, the underlying issue is an outdated security provider, which is usually caused by an outdated Play Services library in your package.

Here is the recommendation straight from the Fortify dashboard:

Android relies on the security Provider to provide secure network communications. The default device cryptographic libraries are typically older versions of OpenSSL that contain known flaws. To overcome this, Google provides a mechanism for an application to “patch” their local copy of OpenSSL via the Google Play Services ProviderInstaller client. It’s been determined that the app is not using the updated provider, leaving the application exposed to older known OpenSSL vulnerabilities and weaknesses.

The actual problem is the same as the last line in Silvia's log:

W/GooglePlayServicesUtil Google Play services out of date

In our case, we updated to the latest version of Play Services in our package and implemented the fix above (while doing so, we found a small bug that had to be fixed, which may have been preventing the update from patching the security provider).

The new version resolved the issue. I recommend updating to the latest Play Services, as this also updates the security provider.
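As an added illustration (not the asker's or the answerer's code) of the asynchronous fix both posts refer to, here is the ProviderInstaller wiring from the Android guide linked in the question, including the recovery path that handles the "Google Play services out of date" case by prompting the user to update Play Services and retrying. The class name MainActivity, the request code value and the log tag are assumptions.

```java
import android.app.Activity;
import android.content.DialogInterface;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import com.google.android.gms.common.GoogleApiAvailability;
import com.google.android.gms.security.ProviderInstaller;

// Hypothetical launcher activity; only the ProviderInstaller wiring matters.
public class MainActivity extends Activity implements ProviderInstaller.ProviderInstallListener {
    private static final String TAG = "ProviderPatch";
    private static final int ERROR_DIALOG_REQUEST_CODE = 1; // assumed value
    private boolean retryProviderInstall;
    @Override protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Async variant: UI thread is not blocked while the provider is checked/patched.
        ProviderInstaller.installIfNeededAsync(this, this);
    }

    @Override protected void onPostResume() {
        super.onPostResume();
        // Back from the Play Services update dialog: try the patch again.
        if (retryProviderInstall) ProviderInstaller.installIfNeededAsync(this, this);
        retryProviderInstall = false;
    }
    @Override public void onProviderInstalled() {
        Log.i(TAG, "Patched security provider active; TLS connections may start");
    }
    @Override public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
        GoogleApiAvailability availability = GoogleApiAvailability.getInstance();
        if (availability.isUserResolvableError(errorCode)) {
            // "Google Play services out of date" lands here: ask the user to update, then retry.
            availability.showErrorDialogFragment(this, errorCode, ERROR_DIALOG_REQUEST_CODE,
                    new DialogInterface.OnCancelListener() {
                        @Override public void onCancel(DialogInterface d) { installerUnavailable(); }
                    });
        } else {
            installerUnavailable();
        }
    }

    @Override protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode == ERROR_DIALOG_REQUEST_CODE) retryProviderInstall = true;
    }
    private void installerUnavailable() {
        // Only the device's stock TLS stack is available; decide whether to proceed.
        Log.w(TAG, "Updated security provider unavailable");
    }
}
```

Call the installer before any TLS connection is opened; if the device's Play Services is too old, the dialog path above is what turns the log warning quoted in the answer into a user-visible update prompt.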