Recently, developers have reported that when a uni-app or 5+ App project is packaged as an Android App and submitted to security scanning platforms such as Tencent Cloud, Baidu Cloud and Ai Encryption (爱加密), vulnerability risks are detected. We have been following up on the reported risks and actively looking for fixes.

First, understand that a reported vulnerability risk does not necessarily mean a real security vulnerability exists. For example, the WebView remote code execution vulnerability only affects Android 4.2 and below, while the minimum Android version for Apps built with HBuilderX is currently Android 4.4. Likewise, exported Activity, Service, Receiver and other components are flagged as a risk, yet some features depend on components that must be exported, and that is not in itself a security problem. Security platforms list every possible vulnerability or risk, so many findings are false positives or overstate the actual danger.

Therefore, the basic solution for flagged vulnerability risks is APK hardening. We recommend uni安全加固 (uni security hardening), which integrates with several hardening providers, including Tencent Cloud and Ant Mini Program Cloud (蚂蚁小程序云).

If hardening still does not resolve the finding, or the security platform requires testing before hardening, post feedback on the official forum (ask), tag the topic with "Security Vulnerability" and "Security Test", and upload the complete security test report together with the tested APK file.

# Principles for handling security vulnerability risks

For reported security vulnerabilities we prioritize by risk level and fix high-risk and medium-risk issues first. Low-risk issues do not, in principle, affect the security quality of the application, so low-risk findings are usually not addressed.

  • Issues in DCloud code: we fix these as soon as possible, or provide a related configuration option.
  • Issues in third-party SDK code: since we do not have the source code of third-party SDKs, we cannot patch their vulnerabilities. Decide, based on your actual needs, whether to keep using the corresponding functional module. Developers should also report the issue to the SDK vendor so that a fixed SDK is released; we track third-party SDK updates and update the corresponding module promptly.
  • Issues in uni native plugin code: the plugin source is maintained by the plugin author, so contact the author for a fix.

The following known issues have already been fixed:

  • Fixed the known WebView file-domain same-origin policy bypass vulnerability.
  • Fixed the known high-risk cross-domain access vulnerability in the Android WebView control.
  • Fixed the known WebView certificate validation bypass vulnerability; this fix requires configuration to take effect.
  • Fixed the known Android hostname / certificate weak verification risk; this fix requires configuration to take effect.

# Solutions to common security risks

The following are solutions to commonly reported risks and vulnerabilities.

# WebView certificate validation bypass vulnerability and Android hostname / certificate weak verification risk

Fix: HBuilderX 3.1.14+ adds the untrustedca node, which configures whether untrusted certificates are allowed. In the project's manifest.json, set "untrustedca" to "refuse" under the "app-plus" -> "ssl" node. Example:

 "app-plus": {  // for 5+ App projects the corresponding node is named "plus"
        "ssl": {
            "untrustedca": "refuse"
        },
        // ...
    }

Values of the untrustedca attribute:

  • "accept": accept the untrusted certificate and continue the request;
  • "refuse": reject the untrusted certificate and stop the request;
  • "warning": show a warning dialog and let the user decide whether to continue; applies only to requests made by the built-in webview.

Only "refuse" actually closes the finding: "accept" reproduces the bypass the scanner reports, and "warning" delegates the decision to the user.

# Exported Activity, Service, Receiver and other components risk

Risk description: An App's Activity, Service, Receiver and other components are declared in AndroidManifest.xml, where the android:exported attribute sets them to private (false) or public (true). When set to public, the component is exported and can be invoked by any component of any other app. Exported components may be invoked by malicious third-party apps, may return private data to them and leak it, or may be crashed, causing denial of service and similar problems. Note that when android:exported is omitted, a component that declares an intent-filter is exported by default; Android 12 (API 31) and above requires the attribute to be set explicitly on such components.

Fix: HBuilderX 3.1.14+ sets every component in DCloud-managed code that does not need external access to private (android:exported="false"); only components that must be reachable from outside, such as the App entry Activity (io.dcloud.PandoraEntry), are public.

Also note that some third-party SDKs export their components because their functionality requires it, for example:

  • WeChat SDK: when using the WeChat share, login or payment modules, the SDK requires components such as WXEntryActivity and WXPayEntryActivity to be exported.
  • Getui SDK (个推SDK): the UniPush module uses the Getui push SDK, whose internal functionality involves components such as CustomGTService, PushReceiver, GActivity and NotificationServic, all of which must be exported.

# Unverified application signature risk

Risk description: The signing certificate is the sole identifier of the app developer's identity. If the app does not verify its signing certificate, it can be decompiled, repackaged and re-signed with a different certificate. If the re-signed app still starts normally, the app can be counterfeited or pirated, affecting legitimate revenue, and phishing, virus or other malicious code can be injected, leading to leakage of sensitive user data or malicious attacks.

Fix: harden the APK. We recommend uni安全加固 (uni security hardening), which integrates with several hardening providers, including Tencent Cloud and Ant Mini Program Cloud (蚂蚁小程序云).

# Risk of recovering source code by decompiling the APK

Risk description: The native APK produced when packaging the App can be decompiled to recover the Java source code.

Fix: harden the APK. We recommend uni安全加固 (uni security hardening), which integrates with several hardening providers, including Tencent Cloud and Ant Mini Program Cloud (蚂蚁小程序云).

# WebView remote code execution vulnerability

Risk description: This vulnerability allows remote arbitrary code execution with the privileges of the client app. It is triggered only when all of the following hold:

  1. The app registers a Java object that JavaScript can call via addJavascriptInterface
  2. The app uses a WebView to load external or local web pages
  3. The Android system version is lower than 4.2

Fix: Apps published with HBuilderX support Android 4.4 and above at minimum, i.e. minSdkVersion is greater than or equal to 19, so this vulnerability does not exist on Android 4.4 and above. If your project sets minSdkVersion below 19, see [https://ask.dcloud.net.cn/article/193](https://ask.dcloud.net.cn/article/193) and change it. Note that the platform mitigation introduced in Android 4.2 (API 17), under which only methods annotated with @JavascriptInterface are callable from JavaScript, applies only when the app's targetSdkVersion is 17 or higher.

# Hard-coded key vulnerability

Risk description: The app encrypts and decrypts with a key hard-coded in the program. An attacker who recovers the key by decompiling the app can easily decrypt its communication data.

Fix: Fixed in HBuilderX 3.1.14+; all keys used in DCloud's internal logic are now obfuscated and encrypted. Keys hard-coded in your own project code or in third-party SDKs are not covered by this fix and are handled according to the principles above.

# SO file cracking risk

Risk description: SO files are the dynamic link libraries contained in the APK. Android uses the NDK to compile core code written in C/C++ into .so libraries that the Java layer calls. A cracked .so file can expose the app's core functional code and algorithms; with these, an attacker can easily capture and decrypt sensitive client data, causing leakage of user privacy or direct financial loss.

Fix: harden the SO files in the APK. We recommend uni安全加固 (uni security hardening), which integrates with several hardening providers, including Tencent Cloud and Ant Mini Program Cloud (蚂蚁小程序云).

# StrandHogg vulnerability

Risk description: What makes StrandHogg notable is that it does not require root. It exploits a weakness in Android's multitasking system to let a malicious app masquerade as any other app on the device. The exploit is based on the Android attribute taskAffinity, which lets any app, including a malicious one, freely assume any identity it wants in the multitasking system.

Fix: This vulnerability was fixed in the 2020-04-01 security patch (covering Android 8.0 / 8.1 / 9.0+). Since it is closed at the system level, in theory it no longer threatens devices running newer, patched systems, and there is no complete client-side workaround for app developers. Scanning platforms recommend configuring android:taskAffinity="", but this is only a stopgap, and it causes the app to appear as two windows in the task stack on Android 11+ devices. Because of this bug in the android:taskAffinity="" configuration, we do not apply it by default; instead, cloud packaging offers a configuration option so that each developer can decide whether to temporarily block the vulnerability. Details:

  • Use HBuilderX 3.3.10+. Configure hasTaskAffinity in the project's manifest.json according to the project type: true adds android:taskAffinity="", false does not. The default is false.
  • uni-app: fill in the project's manifest.json as follows.
 "app-plus" : {
	 "distribute" : {
		 "android" : {
			 ...
			 ...
			 "hasTaskAffinity": true
		 }
	 }
 }
  • 5+/web2app: fill in the project's manifest.json as follows.
"plus" : {
	"distribute" : {
		"google" : {
			...
			...
			"hasTaskAffinity": true
		}
	}
}

# Missing network security configuration vulnerability

Risk description: Android 7 (Nougat) introduced a security feature called Network Security Configuration. For apps with targetSdkVersion 24 or higher, only system certificates are trusted by default. Network Security Configuration provides a simple layer to protect the app from accidentally transmitting sensitive data in unencrypted cleartext, and its settings can be scoped to specific domains and to the app. If the networkSecurityConfig attribute is missing, the app falls back to the system default configuration, which may expose it to network attacks when running on an insecure custom ROM.

Fix:

  • Generate a network_security_config.xml file according to the Android Network Security Configuration documentation
  • Apply the networkSecurityConfig setting through HBuilderX; see the Android native application manifest file and resources documentation
    • Copy network_security_config.xml into the app's native resources directory nativeResources\android\res\xml
    • Add the networkSecurityConfig attribute to the application node in AndroidManifest.xml, for example:
      <application android:networkSecurityConfig="@xml/network_security_config"
                              ... >
                  ...
      </application>
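The steps above tell you where to put network_security_config.xml but not what a scanner will accept inside it. The script below is an added example, not DCloud or HBuilderX code. It contains two constructed configurations: WEAK_CONFIG reproduces the settings scanners flag (cleartext allowed, user-installed CAs trusted, a debug-overrides block), and HARDENED_CONFIG is a baseline for an app that talks only HTTPS to its own backend (the host api.example.com is a placeholder). The audit function checks a configuration for those weak settings so you can run it over your own file before packaging.

```python
"""Audit a network_security_config.xml for weak settings (added example)."""
import xml.etree.ElementTree as ET

# Constructed: what a scanner reports as "insecure network security configuration".
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="user"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>
"""

# Constructed: HTTPS only, system CAs only, explicit per-domain section for the backend.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </domain-config>
</network-security-config>
"""


def audit_nsc(xml_text):
    """Return a list of findings (empty means no weak setting found).

    Checks every base-config and domain-config scope for cleartext traffic being
    permitted and for user-installed CAs in its trust anchors, warns when base-config
    leaves cleartextTrafficPermitted unset (the platform default is true below
    targetSdkVersion 28 and false from 28), and reports a debug-overrides block, which
    Android only honours when android:debuggable="true" but scanners still flag.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("base-config") is None:
        findings.append("no base-config: platform defaults apply to all hosts")
    for scope in root.iter():
        if scope.tag not in ("base-config", "domain-config"):
            continue
        label = scope.tag
        if scope.tag == "domain-config":
            label += " for " + ", ".join((d.text or "").strip() for d in scope.findall("domain"))
        cleartext = scope.get("cleartextTrafficPermitted")
        if cleartext is None and scope.tag == "base-config":
            findings.append("%s: cleartextTrafficPermitted not set (platform default applies)" % label)
        elif cleartext is not None and cleartext.lower() == "true":
            findings.append("%s: cleartext traffic permitted" % label)
        for cert in scope.findall("./trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append("%s: user-installed CAs are trusted" % label)
    if root.find("debug-overrides") is not None:
        findings.append('debug-overrides present (active only when android:debuggable="true")')
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_nsc(cfg) or "no findings")
```

If your app must reach an HTTP-only host during development, confine that to a domain-config for that host rather than enabling cleartext in base-config, and keep user CAs inside debug-overrides only, so release builds never trust them.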