
MASTG-DEMO-0050: Identifying Insecure Dependencies in Android Studio


Sample

build.gradle.kts
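plugins {
    id("com.android.application")
    id("org.jetbrains.kotlin.android")
    id("org.owasp.dependencycheck") version "10.0.4" // dependencyCheck Plugin
}

// dependencyCheck Configuration
dependencyCheck {

    formats = listOf("HTML", "XML", "JSON") // Generate reports in HTML, JSON and XML format
    nvd {
        // Read the NVD API key from the environment instead of hard-coding it:
        // a build script lives in version control, so a literal key here would be
        // committed and leaked. Export NVD_API_KEY before running the scan
        // (a gradle.properties entry outside the repo works the same way).
        // If the variable is unset the plugin is given no key — presumably it then
        // falls back to unauthenticated, rate-limited NVD access; confirm against
        // the plugin docs for this version.
        apiKey = System.getenv("NVD_API_KEY")
        delay = 16000
    }

}

android {
    namespace = "org.owasp.mastestapp"
    compileSdk = 34

    defaultConfig {
        applicationId = "org.owasp.mastestapp"
        minSdk = 29
        targetSdk = 34
        versionCode = 1
        versionName = "1.0"

        testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
        vectorDrawables {
            useSupportLibrary = true
        }
    }

    buildTypes {
        release {
            isMinifyEnabled = false
            proguardFiles(
                getDefaultProguardFile("proguard-android-optimize.txt"),
                "proguard-rules.pro"
            )
        }
    }
    compileOptions {
        sourceCompatibility = JavaVersion.VERSION_1_8
        targetCompatibility = JavaVersion.VERSION_1_8
    }
    kotlinOptions {
        jvmTarget = "1.8"
    }
    buildFeatures {
        compose = true
    }
    composeOptions {
        kotlinCompilerExtensionVersion = "1.5.1"
    }
    packaging {
        resources {
            excludes += "/META-INF/{AL2.0,LGPL2.1}"
        }
    }
}

dependencies {

    implementation("androidx.core:core-ktx:1.12.0")
    implementation("androidx.lifecycle:lifecycle-runtime-ktx:2.7.0")
    implementation("androidx.activity:activity-compose:1.8.2")
    implementation(platform("androidx.compose:compose-bom:2024.04.00"))
    implementation("androidx.compose.ui:ui")
    implementation("androidx.compose.ui:ui-graphics")
    implementation("androidx.compose.ui:ui-tooling-preview")
    implementation("androidx.compose.material3:material3")
    testImplementation("junit:junit:4.13.2")
    androidTestImplementation("androidx.test.ext:junit:1.1.5")
    androidTestImplementation("androidx.test.espresso:espresso-core:3.5.1")
    androidTestImplementation(platform("androidx.compose:compose-bom:2024.04.00"))
    androidTestImplementation("androidx.compose.ui:ui-test-junit4")
    debugImplementation("androidx.compose.ui:ui-tooling")
    debugImplementation("androidx.compose.ui:ui-test-manifest")
    implementation("org.jetbrains.kotlin:kotlin-reflect:1.9.10")
    // Intentionally outdated library kept so that dependency-check has something
    // to flag in this demo (e.g. CVE-2021-0341 in its hostname verification);
    // a real project would bump it to a patched release.
    implementation ("com.squareup.okhttp3:okhttp:4.8.0") // vulnerable library

}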

Steps

Run the following Gradle task from the Android Studio terminal to trigger dependency-check.

run.sh
# Run the OWASP dependency-check task added by the org.owasp.dependencycheck
# plugin in build.gradle.kts; reports are produced in the formats listed under
# dependencyCheck { formats } (HTML, XML and JSON here).
./gradlew dependencyCheckAnalyze

Observation

The scan identified 262 unique dependencies, 35 of them vulnerable, with 83 vulnerabilities in total (these numbers may increase over time as further vulnerabilities are disclosed).

output.txt
...
[redacted for readability]
...
        {
            "isVirtual": false,
            "fileName": "okhttp-4.8.0.jar",
            "filePath": "\/Users\/sushi2k\/.gradle\/caches\/modules-2\/files-2.1\/com.squareup.okhttp3\/okhttp\/4.8.0\/5c34a8c35bb3fd5ec39d3a67ceae691d0f3eb455\/okhttp-4.8.0.jar",
            "md5": "5132d18a9ed0b5eb9a6137885959bcb5",
            "sha1": "5c34a8c35bb3fd5ec39d3a67ceae691d0f3eb455",
            "sha256": "04d68254c5216d059504d97e2cf2f8ba7922453059701a5adc65652809dd1599",
...
[redacted for readability]
...
            "packages": [
                {
                    "id": "pkg:maven\/com.squareup.okhttp3\/[email protected]",
                    "confidence": "HIGHEST",
                    "url": "https:\/\/ossindex.sonatype.org\/component\/pkg:maven\/com.squareup.okhttp3\/[email protected]?utm_source=dependency-check&utm_medium=integration&utm_content=10.0.4"
                }
            ],
            "vulnerabilityIds": [
                {
                    "id": "cpe:2.3:a:squareup:okhttp:4.8.0:*:*:*:*:*:*:*",
                    "confidence": "LOW"
                },
                {
                    "id": "cpe:2.3:a:squareup:okhttp3:4.8.0:*:*:*:*:*:*:*",
                    "confidence": "LOW"
                }
            ],
            "vulnerabilities": [
                {
                    "source": "OSSINDEX",
                    "name": "CVE-2021-0341",
                    "severity": "HIGH",
                    "cvssv3": {
                        "baseScore": 7.5,
                        "attackVector": "NETWORK",
                        "attackComplexity": "LOW",
                        "privilegesRequired": "NONE",
                        "userInteraction": "NONE",
                        "scope": "UNCHANGED",
                        "confidentialityImpact": "HIGH",
                        "integrityImpact": "NONE",
                        "availabilityImpact": "NONE",
                        "baseSeverity": "HIGH",
                        "version": "3.1"
                    },
                    "cwes": [
                        "CWE-295"
                    ],
                    "description": "In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069",
                    "notes": "",
                    "references": [
                        {
                            "source": "OSSINDEX",
                            "url": "https:\/\/ossindex.sonatype.org\/vulnerability\/CVE-2021-0341?component-type=maven&component-name=com.squareup.okhttp3%2Fokhttp&utm_source=dependency-check&utm_medium=integration&utm_content=10.0.4",
                            "name": "[CVE-2021-0341] CWE-295: Improper Certificate Validation"
                        },
                        {
                            "source": "OSSIndex",
                            "url": "https:\/\/source.android.com\/security\/bulletin\/2021-02-01#android-runtime",
                            "name": "https:\/\/source.android.com\/security\/bulletin\/2021-02-01#android-runtime"
                        },
                        {
                            "source": "OSSIndex",
                            "url": "http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2021-0341",
                            "name": "http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2021-0341"
                        },
                        {
                            "source": "OSSIndex",
                            "url": "https:\/\/github.com\/square\/okhttp\/pull\/6353",
                            "name": "https:\/\/github.com\/square\/okhttp\/pull\/6353"
                        }
                    ],
                    "vulnerableSoftware": [
                        {
                            "software": {
                                "id": "cpe:2.3:a:com.squareup.okhttp3:okhttp:4.8.0:*:*:*:*:*:*:*",
                                "vulnerabilityIdMatched": "true"
                            }
                        }
                    ]
                },
...
[redacted for readability]
...

Evaluation

Due to the number of vulnerabilities, the dependency-check report can be lengthy and may contain false positives; note, for example, that the CPE matches listed under `vulnerabilityIds` above carry only `LOW` confidence, while the package identification under `packages` is `HIGHEST`. Review each reported instance. The dependency okhttp-4.8.0.jar added in build.gradle.kts has known vulnerabilities (e.g. CVE-2021-0341, improper certificate validation in `OkHostnameVerifier`) and should be updated to the latest version.