(Fortify) Category: Android Bad Practices: Missing Google Play Services Updated Security Provider (1 Issues)


Question

We are using Fortify to scan my Android source code and I can't get rid of this issue:

Category: Android Bad Practices: Missing Google Play Services Updated Security Provider (1 Issues)

Fortify points to this line of code:

AndroidManifest.xml:37 null()
  <application
    android:name=".test"
    android:allowBackup="false"
    android:hardwareAccelerated="true"
    android:icon="@mipmap/ic_launcher"
    android:label="@string/app_name"
    android:networkSecurityConfig="@xml/network_security_config"
    android:supportsRtl="true"
    android:theme="@style/AppTheme"
    tools:replace="android:allowBackup"> <!--FORTIFY POINTS TO THIS LINE-->

Fortify recommendation:

The simplest way to patch the security provider is to call the synchronous method installIfNeeded(). This is appropriate if user experience won't be affected by the thread blocking while it waits for the operation to finish, otherwise it should be done in an asynchronous way.

Regarding this issue, I have followed Android's Update your security provider to protect against SSL exploits and tried both methods:

installIfNeeded() and installIfNeededAsync()

But the issue is still there. I test my code and it works fine.

Here is my manifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="test">

    <uses-permission android:name="android.permission.INTERNET" />

    <application
        android:name=".test"
        android:allowBackup="false"
        android:hardwareAccelerated="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:networkSecurityConfig="@xml/network_security_config"
        android:supportsRtl="true"
        android:theme="@style/AppTheme"
        tools:replace="android:allowBackup">

        <meta-data
            android:name="com.google.android.gms.version"
            android:value="@integer/google_play_services_version" />

        <provider
            android:name=".syncadapter.StubProvider"
            android:authorities="com.neseapl.nyp.provider"
            android:exported="false"
            android:syncable="true"/>

        <service
            android:name=".syncadapter.SyncService"
            android:exported="false">
            <intent-filter>
                <action android:name="android.content.SyncAdapter" />
            </intent-filter>
            <meta-data
                android:name="android.content.SyncAdapter"
                android:resource="@xml/syncadapter" />
        </service>

        <service
            android:name=".syncadapter.AuthenticatorService">
            <intent-filter>
                <action android:name="android.accounts.AccountAuthenticator"/>
            </intent-filter>
            <meta-data
                android:name="android.accounts.AccountAuthenticator"
                android:resource="@xml/account_authenticator" />
        </service>

        <activity
            android:name=".activities.Test"
            android:configChanges="orientation|screenSize">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

Anything missing in my Manifest? Thanks!

Accepted answer

I recently had a similar issue with Fortify. As Silvia Ragui pointed out, Fortify doesn't analyze this runtime process correctly. While installIfNeeded() and installIfNeededAsync() will update the security provider in a real-world deployment of your APK, it does not seem to clear the error when you resubmit to Fortify.

However, the underlying issue is the out-of-date security provider, which is usually due to an out-of-date Play Services library in your package.

Here is the recommendation directly from the Fortify dashboard:

Android relies on the security Provider to provide secure network communications. The default device cryptographic libraries are typically older versions of OpenSSL that contain known flaws. To overcome this, Google provides a mechanism for an application to "patch" their local copy of OpenSSL via the Google Play Services ProviderInstaller client. It's been determined that the app is not using the updated provider, leaving the application exposed to older known OpenSSL vulnerabilities and weaknesses.

The actual problem is the same as the last line in Silvia's logs:

W/GooglePlayServicesUtil Google Play services out of date

In our case we updated to the latest version of Play Services in our package as well as implementing the fix above (when we did so we found there was a small error that had to be fixed, which was probably preventing the update from patching the Security Provider).

The new build successfully cleared the issue. I suggest you update to the latest Play Services as this will also update the Security Provider.
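As an added example (not the asker's or answerer's code) of the asynchronous ProviderInstaller call the question mentions, with the failure callback handled so that the "Google Play services out of date" case from the answer is surfaced to the user instead of being silently ignored. The class and package names are assumed to match the manifest above; the app is assumed to already depend on Google Play services.

```java
// Added example: patch the security provider before any TLS traffic.
// Package and class are assumed from the manifest (package="test",
// activity ".activities.Test"); they are not taken from the posts.
package test.activities;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

import com.google.android.gms.common.GoogleApiAvailability;
import com.google.android.gms.security.ProviderInstaller;

public class Test extends Activity implements ProviderInstaller.ProviderInstallListener {
    private static final String TAG = "ProviderInstall";
    private static final int ERROR_DIALOG_REQUEST_CODE = 1;
    private boolean providerReady = false;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Asynchronous variant: does not block the UI thread. Hold off on
        // network calls until onProviderInstalled() fires.
        ProviderInstaller.installIfNeededAsync(this, this);
    }

    @Override
    public void onProviderInstalled() {
        providerReady = true; // safe to open TLS connections now
    }

    @Override
    public void onProviderInstallFailed(int errorCode, Intent recoveryIntent) {
        GoogleApiAvailability availability = GoogleApiAvailability.getInstance();
        if (availability.isUserResolvableError(errorCode)) {
            // Covers the out-of-date Play services case seen in the answer's
            // log line: prompt the user to update rather than continuing.
            availability.showErrorDialogFragment(this, errorCode, ERROR_DIALOG_REQUEST_CODE);
        } else {
            // Cannot be fixed on this device; the stock provider remains in use.
            Log.w(TAG, "Security provider could not be updated, error " + errorCode);
            onProviderInstallerNotAvailable();
        }
    }

    private void onProviderInstallerNotAvailable() {
        // Decide here whether to continue with the platform provider or to
        // disable network features; this example only records the state.
        providerReady = false;
    }
}
```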
