Vulnerability analysis

This article introduces the actual vulnerability mining of mobile APP third-party SDK conducted by security researchers Li Bo and Zhang Xin of 360 Vulpecker Team. 360 Vulpecker Team focuses on the field of Android system and application security attack and defense, and has a self-developed automated system for Android application security auditing. This article starts from the security status of third-party SDKs, discusses the security risks brought by SDK integration, and introduces in detail the vulnerability risks and attack methods of different SDKs. The vulnerability exploitation methods of push SDK and sharing SDK are analyzed through examples, and the scope of impact of relevant vulnerabilities on applications is pointed out. Finally, some thoughts are put forward to arouse readers' attention and in-depth thinking on the security of mobile APPs.

Google Android 14 input method information disclosure vulnerability, due to side channel information leakage, there is a possible way to determine whether an application is installed without querying permissions. This may lead to local information disclosure without requiring additional execution permissions. Exploitation of this vulnerability requires no user interaction.

On November 24, 2021, the Alibaba Cloud security team reported the Apache Log4j2 remote code execution vulnerability to Apache officials. 01 Vulnerability Description Apache Log4j2 is an excellent Java logging framework. …