Analysis of Common Android App Vulnerabilities and Mitigation Strategies

Security and efficiency are closely linked, and vulnerabilities often lead to both accidents and losses. Using data from Baidu's APP security scanning platform, this article examines the most frequently occurring Android app vulnerabilities, their causes, detection methods, and remediation techniques, sharing practical experience with developers and testers.

APP Vulnerability Data Interpretation

The following chart shows the distribution of vulnerabilities detected in a monitoring of about 50 Android applications from an app market:

The table below lists the top‑5 vulnerability counts, which are then analyzed in detail.

Log Leakage Privacy Risk

During development, developers often leave log statements that output sensitive information such as usernames and passwords. Attackers can read these logs from Logcat, exposing critical data.

Example code:

String username = "log_leak";
String password = "log_leak_pwd";
Log.d("MY_APP", "username" + username);
Log.d("MY_APP", "password" + password, new Throwable());
Log.v("MY_APP", "sendmessage to server ");

Solution: Disable debug logging in production builds and avoid printing sensitive data.

Weak Encryption Risks

Using outdated algorithms (DES), RSA without padding, hard‑coded IVs, insecure modes such as ECB, and short key lengths (<512 bits) dramatically increase the chance of successful attacks.

DES example:

SecretKeySpec key = new SecretKeySpec(rawKeyData, "DES");
Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, key);

RSA without padding example:

Cipher rsa = Cipher.getInstance("RSA/NONE/NoPadding");
rsa.init(Cipher.DECRYPT_MODE, key);

Hard‑coded IV example:

byte[] iv = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
IvParameterSpec ivSpec = new IvParameterSpec(iv);

Solution: Use modern algorithms (AES‑GCM), proper padding, random IVs, avoid ECB mode, and employ key lengths ≥1024 bits for RSA.

WebView Plain‑Text Password Storage

If WebView's setSavePassword(true) is left enabled, passwords are stored in databases/webview.db in clear text, which can be extracted on rooted devices.

Vulnerable code:

//mWebView.getSettings().setSavePassword(true);
mWebView.loadUrl("http://www.example.com");

Solution: Call setSavePassword(false) to disable password saving.

PendingIntent Implicit Intent Risk

When a PendingIntent wraps an implicit Intent, other apps can intercept or hijack the broadcast, leading to information leakage.

Example:

Intent intent = new Intent("com.baidu.android.pushservice.action.METHOD");
intent.addFlags(32);
intent.putExtra("app", ...);
PendingIntent pi = PendingIntent.getBroadcast(this, 0, intent, 0);

Solution: Use explicit Intents when creating PendingIntent objects.

Dynamic Broadcast Receiver Exposure

Registering a receiver without proper export settings or permission checks allows malicious apps to send crafted broadcasts, potentially causing data leaks or unauthorized actions.

Vulnerable registration:

registerReceiver(new BroadcastReceiver() {
    @Override
    public void onReceive(Context context, Intent intent) {
        // ...
    }
}, new IntentFilter("filter_no_permission_arg"));

Mitigations include setting android:exported="false" for private receivers, using LocalBroadcastManager for intra‑process communication, specifying a signature‑level permission, and validating received data.

APP Vulnerability Fix Status

Continuous monitoring and automated scanning have led to a sharp decline in reported security issues across multiple product lines, demonstrating that sustained effort can effectively eliminate vulnerabilities.

For further learning, join the Baidu QA security group (ID: 1514018).