
How to Fix Vulnerabilities Issue in Android App with Ionic and Cordova

I analyzed an APK with MobSF and got a lot of vulnerability issues, but I don't know how to fix them.

i.e.

android.permission.REQUEST_INSTALL_PACKAGES dangerous
android.permission.WRITE_EXTERNAL_STORAGE dangerous
android.permission.CALL_PHONE dangerous
android.permission.WAKE_LOCK dangerous

These aren't vulnerabilities. They're called "dangerous" permissions because they allow you to do things that could compromise user privacy. Dangerous permissions require you to ask for permission at runtime, not just in the Manifest.

I'd remove any of those that you don't actually use. REQUEST_INSTALL_PACKAGES is particularly concerning; it's very rare to need that. But if you actually need these to function, then there's no problem.

I resolved my issue using a hook in the build. This script removes the specific permissions:

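const fs = require('fs');
const path = require('path');

// Permission names (without the "android.permission." prefix) to strip from the generated manifest.
var permissionsToRemove = [ "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE", "WAKE_LOCK", "REQUEST_INSTALL_PACKAGES" ];

module.exports = function(context) {
  const platformRoot = path.join(context.opts.projectRoot, 'platforms/android/app/src/main');
  const manifestFile = path.join(platformRoot, 'AndroidManifest.xml');

  if (fs.existsSync(manifestFile)) {
    // Read and write synchronously so the hook finishes before the build continues.
    let data;
    try {
      data = fs.readFileSync(manifestFile, 'utf8');
    } catch (err) {
      throw new Error('Unable to find AndroidManifest.xml: ' + err);
    }

    let result = data;

    for (var i = 0; i < permissionsToRemove.length; i++) {
      result = result.replace("<uses-permission android:name=\"android.permission." + permissionsToRemove[i] + "\" />", "");
    }

    // Write the stripped manifest back; otherwise the replacements are discarded.
    fs.writeFileSync(manifestFile, result, 'utf8');
  }
};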
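
An added example, not part of the original answer: the hook's exact-string replace only matches a tag written exactly as `<uses-permission android:name="..." />`, so a declaration with another attribute (such as `android:maxSdkVersion`) or different spacing survives. The sketch below strips by permission name instead and audits the result; the function names and the sample manifest are constructed for illustration.

```javascript
// Added example: strip and audit permissions without depending on the exact tag text.
const DENIED = ["WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE", "WAKE_LOCK", "REQUEST_INSTALL_PACKAGES"];

// Matches <uses-permission ...> and <uses-permission-sdk-23 ...>, self-closing or with
// a separate closing tag, whatever the attribute order or spacing.
const USES_PERMISSION = /<uses-permission(?:-sdk-23)?\b[^>]*?android:name\s*=\s*"([^"]+)"[^>]*?(?:\/>|>\s*<\/uses-permission(?:-sdk-23)?>)/g;

const fullNames = (denied) => new Set(denied.map((p) => "android.permission." + p));

// Return every permission name declared in the manifest text.
function declaredPermissions(manifestXml) {
  return Array.from(manifestXml.matchAll(USES_PERMISSION), (m) => m[1]);
}

// Remove all declarations of a denied permission, not just the first exact match.
function stripPermissions(manifestXml, denied = DENIED) {
  const deny = fullNames(denied);
  return manifestXml.replace(USES_PERMISSION, (tag, name) => (deny.has(name) ? "" : tag));
}

// Return denied permissions still declared; an empty array means the manifest is clean.
function remainingDenied(manifestXml, denied = DENIED) {
  const deny = fullNames(denied);
  return declaredPermissions(manifestXml).filter((name) => deny.has(name));
}

// The exact-string replace used by the hook above, kept here only for comparison.
function exactReplace(manifestXml, denied = DENIED) {
  return denied.reduce((xml, p) =>
    xml.replace('<uses-permission android:name="android.permission.' + p + '" />', ""), manifestXml);
}

// Constructed sample manifest: the second and third tags differ from the exact string
// (extra attribute, no space before "/>"), so exactReplace leaves them in place.
const SAMPLE_MANIFEST = `<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:maxSdkVersion="28" android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
</manifest>`;

const cleaned = stripPermissions(SAMPLE_MANIFEST);
console.log("left by exact replace:", remainingDenied(exactReplace(SAMPLE_MANIFEST)));
console.log("left by name-based strip:", remainingDenied(cleaned));
console.log("still declared:", declaredPermissions(cleaned));
```

Running `remainingDenied` on the final manifest as a last build step turns a silently missed removal into a visible failure.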
