Does the Log4j vulnerability affect Android users?



  • The new vulnerability https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 (also known as Log4Shell) is wreaking havoc, but very little of the discussion is about the average Android user.

    Is the average Android OS user at risk? I heard that Java's JNDI is not implemented in Android, but is that referring to the Java editors available for Android or the Android OS itself? Is Android's native logging mechanism that logs all activity in general susceptible to the Log4j vulnerability?



  • Google Security Blog statement on Log4j vulnerability as of https://security.googleblog.com/2021/12/apache-log4j-vulnerability.html :

    Android is not aware of any impact to the Android Platform or Enterprise. At this time, no update is required for this specific vulnerability, but we encourage our customers to ensure that the latest security updates are applied to their devices.

    Original Answer/Background info for context:

    Q: What is the Log4j vulnerability (also known as Log4Shell)?

    JNDI is the Java Naming and Directory Interface. It is not an app, but a library/service allowing for runtime configuration. Log4j is a common library used in server applications. Certain strings, when used with the v2.x version of the Log4j library, can invoke the JNDI API, which can result in leaking of sensitive information and thereby facilitate other attacks. Basically this is a variation of input sanitization, except in a logging utility which for reasons had a useful but dangerous feature enabled.

    Q: Input Sanitization?

    You probably heard of so called https://en.wikipedia.org/wiki/SQL_injection where some specially crafted string can modify the commands given to the database engine. Example:

    XKCD comic № 327

    Here, Robert '); DROP TABLE Students; -- can be inserted into this query insert into Students (id, name) values (42, $name). When the software directly substitutes $name with the name, it becomes this query/command: insert into Students (id, name) values (42, Robert '); DROP TABLE Students; --) (insert, and then drop the table, everything else is commented out).

    Developers need to sanitize the input, that is, check for every possible dangerous value. Developers can for example escape the ' in the name before substituting. Alternatively developers using SQL can use prepared statements, where no substitution is even done.

    In the case of the Log4j vulnerability, developers were expecting the Log4j library to record application/server values, including input strings, with the expectation that those strings were plaintext and not able to invoke APIs.

    Q: Is Android OS vulnerable?

    A: Not by this particular vulnerability - Android OS, while parts are written in Java, uses its own logging library. Android OS also doesn't use the JNDI protocol/service and isolates each app in its own sandbox. While this means that this particular JNDI exploit can't be used on Android, https://en.wikipedia.org/wiki/Stagefright_(bug) has shown that Android is not without bugs and exploits, resulting in more security with each version.

    Q: Are Android Apps vulnerable?

    A: Depends - Android apps can either only exist on device OR serve as the front end of a cloud service. Android apps undoubtedly have their own bugs. On older devices apps could access the global logcat, where poorly written apps may output usernames/passwords/other keys, which, while useful for debugging, isn't good in a production app. https://android.stackexchange.com/a/7260/3573 .

    The servers which the mobile apps depend upon are a different story, as noted in the media.

    Q: But what about Android Apps which use Log4j?

    A: On device a developer would really need to put in effort to add in Log4j separately. As seen at https://stackoverflow.com/a/60407849/295004 , Log4j out of the box needs Java classes which Android doesn't support. And while there is a https://stackoverflow.com/q/21307968/295004 , it is based on Log4j version 1.x, which is EOL (https://stackoverflow.com/a/41622168/295004), which would dissuade Android developers. Alternatively an Android developer may use http://www.slf4j.org/android/ or other https://github.com/JakeWharton/timber on top of Android framework's native logging facility.

    References:

    https://stackoverflow.com/a/4365766/295004

    https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

    Comic strips by xkcd: https://xkcd.com/327/
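The injection the answer walks through, as an added example that is not part of the original post: the vulnerable string substitution beside the prepared statement the answer recommends. It assumes the name is quoted as a string literal in the query (as in the comic), and uses Python's sqlite3 module with a constructed in-memory Students table.

```python
import sqlite3

# Constructed input: the name from the XKCD 327 example quoted in the answer.
HOSTILE_NAME = "Robert '); DROP TABLE Students; --"


def fresh_db() -> sqlite3.Connection:
    """In-memory database holding the Students table from the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    """True while the Students table is still present."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row is not None


def insert_unsafe(conn: sqlite3.Connection, name: str) -> bool:
    """Vulnerable: the name is pasted straight into the SQL text.

    executescript() runs every statement in the string, like a driver that
    permits multi-statement queries; that is what lets the injected DROP run.
    Returns whether the table survived.
    """
    query = f"INSERT INTO Students (id, name) VALUES (42, '{name}')"
    conn.executescript(query)
    return table_exists(conn)


def insert_prepared(conn: sqlite3.Connection, name: str) -> bool:
    """Hardened: a prepared (parameterized) statement.

    The name travels as a bound value, never as SQL text, so the quote and
    semicolon inside it are stored literally. Returns whether the table survived.
    """
    conn.execute("INSERT INTO Students (id, name) VALUES (?, ?)", (42, name))
    return table_exists(conn)


def stored_names(conn: sqlite3.Connection) -> list:
    """Names currently stored in Students (table must exist)."""
    return [r[0] for r in conn.execute("SELECT name FROM Students")]


if __name__ == "__main__":
    print("unsafe, table survives:", insert_unsafe(fresh_db(), HOSTILE_NAME))
    db = fresh_db()
    print("prepared, table survives:", insert_prepared(db, HOSTILE_NAME))
    print("stored:", stored_names(db))
```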



