
Severe security issues when Android-Debug-Database is running

Open jasta opened this issue 6 years ago • 4 comments

This library uses a plain TCP server socket to accept incoming debug requests and provide arbitrary access to database files in the hosting application. This leaves those applications extremely vulnerable to malicious apps being installed which connect to that port and "scrape" the database contents looking for security sensitive information like authentication tokens or privacy sensitive data.

To work around this, use UNIX domain sockets, as Stetho does: https://github.com/facebook/stetho/blob/master/stetho/src/main/java/com/facebook/stetho/server/LocalSocketServer.java https://github.com/facebook/stetho/blob/master/stetho/src/main/java/com/facebook/stetho/server/SecureSocketHandler.java

If you're interested, I'd love to talk about expanding Stetho's generalization to actually host your project on top of Stetho so you can remove a bunch of server boilerplate and get a lot of security and features from Stetho for free. Stetho currently, for example, already hosts 2 different kinds of services from the same socket (chrome://inspect and also the dumpapp command-line tools). We could easily generalize this to support any arbitrary number of other projects like yours.

jasta avatar Dec 28 '17 23:12 jasta
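The mitigation jasta describes, as an added example that is not code from Android-Debug-Database or from Stetho: a debug server that listens on an abstract-namespace UNIX domain socket instead of a TCP port and, before serving a request, checks the connecting peer's credentials with SO_PEERCRED. A peer is accepted only if it is this app's own UID or holds android.permission.DUMP, which adb's shell user has and ordinary third-party apps cannot obtain. The socket name (package name plus ".debugdb") and the RequestHandler interface are assumptions made for this example.

```java
// Added example: a debug server reachable only over a UNIX domain socket,
// gated on the peer's UID / DUMP permission. Not the library's own code.
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageManager;
import android.net.Credentials;
import android.net.LocalServerSocket;
import android.net.LocalSocket;
import android.os.Process;
import android.util.Log;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public final class LocalDebugServer implements Runnable {
    private static final String TAG = "LocalDebugServer";

    /** Assumed interface for whatever serves the debug protocol over the stream. */
    public interface RequestHandler {
        void handle(InputStream in, OutputStream out) throws IOException;
    }

    private final Context context;
    private final LocalServerSocket server;
    private final RequestHandler handler;

    public LocalDebugServer(Context context, RequestHandler handler) throws IOException {
        this.context = context.getApplicationContext();
        this.handler = handler;
        // Abstract-namespace socket (assumed name): there is no TCP port another app
        // can connect to with 127.0.0.1:<port>. A local process still has to know the
        // name, and then it must pass the credential check in enforcePermission().
        this.server = new LocalServerSocket(this.context.getPackageName() + ".debugdb");
    }

    @Override
    public void run() {
        while (!Thread.currentThread().isInterrupted()) {
            LocalSocket peer;
            try {
                peer = server.accept();
            } catch (IOException e) {
                Log.w(TAG, "accept failed, stopping server", e);
                return;
            }
            try {
                enforcePermission(peer);
                handler.handle(peer.getInputStream(), peer.getOutputStream());
            } catch (PeerAuthorizationException e) {
                // A different app (or anything without DUMP) connected: drop it unserved.
                Log.w(TAG, "rejected peer: " + e.getMessage());
            } catch (IOException e) {
                Log.w(TAG, "request failed", e);
            } finally {
                try {
                    peer.close();
                } catch (IOException ignored) {
                }
            }
        }
    }

    /** Reject any peer that is neither this app nor a holder of android.permission.DUMP. */
    private void enforcePermission(LocalSocket peer)
            throws IOException, PeerAuthorizationException {
        Credentials creds = peer.getPeerCredentials(); // kernel-supplied SO_PEERCRED
        int uid = creds.getUid();
        int pid = creds.getPid();
        if (uid == Process.myUid()) {
            return; // our own process, e.g. an in-app debug screen
        }
        // adb's shell user holds DUMP (adb forward connections arrive from adbd);
        // third-party apps cannot be granted it.
        int result = context.checkPermission(Manifest.permission.DUMP, pid, uid);
        if (result != PackageManager.PERMISSION_GRANTED) {
            throw new PeerAuthorizationException(
                    "uid " + uid + " pid " + pid + " lacks " + Manifest.permission.DUMP);
        }
    }

    public void close() throws IOException {
        server.close();
    }

    public static final class PeerAuthorizationException extends Exception {
        PeerAuthorizationException(String message) {
            super(message);
        }
    }
}
```

A developer reaches the socket from a desktop browser with `adb forward tcp:8080 localabstract:<package>.debugdb`; because adbd runs as the shell user, which has DUMP, that connection passes the check, while a malicious app on the same device does not. Checking the UID against Process.myUid() and the permission with Context.checkPermission(String, int, int) is the same gate Stetho's SecureSocketHandler applies; the rest of the class is scaffolding assumed for this example.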

Great, we should handle these things. But this library is not meant to ship in production.

amitshekhariitbhu avatar Dec 29 '17 04:12 amitshekhariitbhu

Let's discuss to implement this.

amitshekhariitbhu avatar Dec 29 '17 04:12 amitshekhariitbhu

These security issues expose developers too. An attacker could easily use a malicious app intending specifically to attack developers and extract critical things like OAuth tokens for potentially major services from these developers.

This was a major concern at Facebook since it would be such a valuable target to get a Facebook employee to install something malicious, even if temporarily, that could steal data from our apps that use Stetho. Anyway, Stetho has a solid solution you can either copy or we can refactor as a standalone piece.

jasta avatar Jan 26 '18 07:01 jasta

Hello, I want to add some information here. I am using a very complex SDK which is not available on the market, used only for internal business, and it is very secure. When using this library in my application, the SDK blocks every feature because it detects this security issue generated by this library, so I can't use the library and the SDK at the same time. This is another reason for fixing this issue :).

andrevdk avatar Mar 02 '18 13:03 andrevdk