
Input Validation Failure in Native Library Files causing App Crash via Buffer Overflow – #13 DIVA Solution

By now you probably know that an Android APK can be built from Java, Kotlin or HTML/JavaScript (cross-platform apps), as well as from native code written in C or C++ (the usual reasons being reuse of existing libraries in those languages and better performance). Native C/C++ code is reached from the app through JNI (Java Native Interface): the compiled shared library is packaged inside the APK and its functions are called from Java.


The video demonstrates, using the DIVA app, an app crash caused by a basic buffer overflow in a native library loaded through JNI.

diva.apk

Looking at DivaJni.java you will notice a native method, initiateLaunchSequence(), so let's check divajni.c in the jni folder. In divajni.c a character array char code[CODESIZEMAX] is declared, where CODESIZEMAX is defined as 20 at the top of the file, and the string coming from Java is copied into it with strcpy(), which never checks the size of the destination. Any input of 20 or more characters no longer fits (20 bytes plus the terminating NUL need 21), so the copy writes past the end of the array; a long enough string corrupts the rest of the stack frame and the app crashes. Entering a long random string into this challenge crashes the app immediately.

Remediation

  • Proper input validation: always treat data from outside the process as untrusted, whether it is user input, input coming from API calls, or data read from files, and validate it before it reaches native code.
  • In the native function, never copy into a fixed-size buffer without a bound. Check the input length against CODESIZEMAX (leaving room for the terminating NUL) and reject anything larger, or use a size-aware copy (memcpy with an explicit count, snprintf) instead of strcpy(). Enforcing a maximum length on the Java side as well (for example android:maxLength on the EditText, or a length check before calling the JNI method) gives defence in depth, but the native code must not rely on it.
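To make the overflow described above and the remediation concrete, here is an added example (not code from DIVA or from the author of this post) that reproduces the shape of the native function in plain C, without the jni.h boilerplate: the Java string that GetStringUTFChars() would return is modelled as an ordinary NUL-terminated C string. CODESIZEMAX is the same 20 as in divajni.c; the launch code EXAMPLE_LAUNCHCODE and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Same fixed buffer size as DIVA's divajni.c. */
#define CODESIZEMAX 20

/* Constructed launch code for this example; not DIVA's real value. */
#define EXAMPLE_LAUNCHCODE "EXAMPLE-CODE"

/*
 * Vulnerable pattern, same shape as the DIVA challenge: strcpy() copies
 * until it finds the NUL terminator and never looks at the size of the
 * destination. Any input of CODESIZEMAX or more characters writes past the
 * end of `code` (undefined behaviour); a long enough input overwrites the
 * rest of the stack frame and the process crashes. Only ever call this
 * with input that is known to fit.
 */
int vulnerable_launch(const char *input, const char *expected)
{
    char code[CODESIZEMAX];
    strcpy(code, input);               /* no bounds check at all */
    return strcmp(code, expected) == 0;
}

/*
 * Hardened version: measure the input first and refuse anything that would
 * not fit together with its terminating NUL, then copy with an explicit
 * byte count. Returns 1 on match, 0 on mismatch, -1 when the input is
 * rejected for being too long.
 */
int safe_launch(const char *input, const char *expected)
{
    char code[CODESIZEMAX];
    size_t len = strlen(input);
    if (len >= CODESIZEMAX) {          /* len + 1 bytes would not fit */
        return -1;
    }
    memcpy(code, input, len + 1);      /* bounded copy including the NUL */
    return strcmp(code, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a valid code, a wrong code, and a 40-byte string
     * of the kind that crashes the DIVA challenge. */
    char too_long[64];
    memset(too_long, 'A', 40);
    too_long[40] = '\0';

    printf("valid code   -> %d\n", safe_launch(EXAMPLE_LAUNCHCODE, EXAMPLE_LAUNCHCODE));
    printf("wrong code   -> %d\n", safe_launch("nope", EXAMPLE_LAUNCHCODE));
    printf("40-byte code -> %d (rejected before any copy)\n",
           safe_launch(too_long, EXAMPLE_LAUNCHCODE));
    /* vulnerable_launch(too_long, EXAMPLE_LAUNCHCODE) would overrun the
     * stack here, which is exactly what the DIVA app does. */
    return 0;
}
```

The important detail is that the check in safe_launch() compares the input length against the destination size, not against some expected value: 19 characters fit, 20 do not, because the terminating NUL needs a byte of its own. In a real JNI function the rejection branch should also call ReleaseStringUTFChars() before returning, so the Java string is not leaked.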
Author: Kartik Lalan