(Fortify) Category: Android Bad Practices: Missing Google Play Services Updated Security Provider (1 Issues)

Question

We are using Fortify to scan my Android source code and I can't get rid of this issue:

Category: Android Bad Practices: Missing Google Play Services Updated Security Provider (1 Issues)

Fortify points to this line of code:

tools:replace="android:allowBackup">

AndroidManifest.xml:37 null()
  <application
    android:name=".test"
    android:allowBackup="false"
    android:hardwareAccelerated="true"
    android:icon="@mipmap/ic_launcher"
    android:label="@string/app_name"
    android:networkSecurityConfig="@xml/network_security_config"
    android:supportsRtl="true"
    android:theme="@style/AppTheme"
    tools:replace="android:allowBackup"> <!--FORTIFY POINTS TO THIS LINE-->

Fortify recommendation:

The simplest way to patch the security provider is to call the synchronous method installIfNeeded(). This is appropriate if user experience won't be affected by the thread blocking while it waits for the operation to finish, otherwise it should be done in an asynchronous way.

More about this issue

I have followed Android's Update your security provider to protect against SSL exploits

And tried both approach:

installIfNeed() and installIfNeededAsync()

But the issue is still there. I test my code and it works fine.

Here's my Manifest:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="test">

    <uses-permission android:name="android.permission.INTERNET" />

    <application
        android:name=".test"
        android:allowBackup="false"
        android:hardwareAccelerated="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:networkSecurityConfig="@xml/network_security_config"
        android:supportsRtl="true"
        android:theme="@style/AppTheme"
        tools:replace="android:allowBackup">

        <meta-data
            android:name="com.google.android.gms.version"
            android:value="@integer/google_play_services_version" />

        <provider
            android:name=".syncadapter.StubProvider"
            android:authorities="com.neseapl.nyp.provider"
            android:exported="false"
            android:syncable="true"/>

        <service
            android:name=".syncadapter.SyncService"
            android:exported="false">
            <intent-filter>
                <action android:name="android.content.SyncAdapter" />
            </intent-filter>
            <meta-data
                android:name="android.content.SyncAdapter"
                android:resource="@xml/syncadapter" />
        </service>

        <service
            android:name=".syncadapter.AuthenticatorService">
            <intent-filter>
                <action android:name="android.accounts.AccountAuthenticator"/>
            </intent-filter>
            <meta-data
                android:name="android.accounts.AccountAuthenticator"
                android:resource="@xml/account_authenticator" />
        </service>

        <activity
            android:name=".activities.Test"
            android:configChanges="orientation|screenSize">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>

Anything missing in my Manifest? Thanks!

Answer 1

I recently had a similar issue with Fortify. As Silvia Ragui pointed out Fortify doesn't analyze this runtime process correctly. While installIfNeeded() and installIfNeededAsync() will update the security provider in real world deployment of your APK, but it does not seem to clear the error when you resubmit to Fortify.

However the underlying issue is the out of date Security Provider which is usually due an out of date play services library in your package.

Here is the recommendation directly from fortify dashboard:

Android relies on the security Provider to provide secure network communications. The default device cryptographic libraries are typically older versions of OpenSSL that contain known flaws. To overcome this, Google provides a mechanism for an application to “patch” their local copy of OpenSSL via the Google Play Services ProviderInstaller client. It’s been determined that the app is not using the updated provider, leaving the application exposed to older known OpenSSL vulnerabilities and weaknesses.>

The actual problem is the same as the last line in Silvia's logs:

W/GooglePlayServicesUtil Google Play services out of date

In our case we updated to the latest version of Play Services in our package as well as implementing the fix above (when we did so we found there was small error that had to be fixed, and was probably preventing the update from patching the Security Provider)

The new build successfully cleared the issue. I suggest you update you to the latest Play Services as this will also update the Security Provider.