
Insecure Use of Dangerous Function

This vulnerability category covers the following issues:

Why is this important?

Android, like any other platform, exposes dangerous functions. If these functions are not used properly, the impact on your app can be catastrophic.


OS Command Injection

Read below to find out how to fix this issue in your code.

Command Injection

The APIs shown below (for example Runtime.exec) execute system commands. If unfiltered input is passed to them, it can lead to arbitrary command execution.

References:

Option A: Use dangerous functions securely

  1. Go through the issues that GuardRails identified in the PR.

  2. Locate the dangerous function. For example:

    import java.lang.Runtime;
    Runtime r = Runtime.getRuntime();
    // Attacker-controlled input is concatenated straight into a shell command line
    r.exec("/bin/sh -c some_tool " + input);

  3. If the functionality is not required, then remove it.

  4. Otherwise, validate the input against a strict allow-list before calling the function, for example:

    import java.util.regex.Pattern;

    // Ensure that only safe characters are supplied
    // (allow-list: letters, digits, underscore, dot and dash)
    // Otherwise don't perform the operation
    if (!Pattern.matches("[A-Za-z0-9_.-]+", input)) {
        // Handle error
    }

  5. Test it and ensure the functionality works as expected

  6. Ship it 🚢 and relax 🌴
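The following class puts the steps above together as an added example; it is not GuardRails' own code. The tool path `/usr/local/bin/some_tool` and the allow-list pattern are assumptions for illustration. Beyond the page's regex check, it also passes the command as an argument vector through ProcessBuilder, so no shell ever parses the user-supplied value.

```java
import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not GuardRails' code): a hardened replacement for the
 * Runtime.exec("/bin/sh -c some_tool " + input) call from the steps above.
 * The tool path and the allow-list are assumptions for illustration.
 */
public final class SafeToolRunner {

    // Allow-list: letters, digits, underscore, dot and dash only.
    // Shell metacharacters (; | & $ ` quotes, whitespace) never match.
    private static final Pattern SAFE_ARG = Pattern.compile("[A-Za-z0-9_.-]+");

    // Assumed absolute path of the tool; it is a constant, never built from input.
    private static final String TOOL = "/usr/local/bin/some_tool";

    /** Returns true only if the whole argument matches the allow-list. */
    static boolean isSafeArgument(String input) {
        return input != null && SAFE_ARG.matcher(input).matches();
    }

    /**
     * Runs the tool with a single validated argument. Because the command is
     * an argument vector rather than a shell string, the input is delivered to
     * the tool as one argv entry and is never interpreted by /bin/sh.
     */
    static int runTool(String input) throws IOException, InterruptedException {
        if (!isSafeArgument(input)) {
            // Handle error: refuse to run instead of trying to "clean" the value
            throw new IllegalArgumentException("Rejected unsafe argument: " + input);
        }
        ProcessBuilder pb = new ProcessBuilder(List.of(TOOL, input));
        pb.redirectErrorStream(true);
        Process p = pb.start();
        return p.waitFor();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, one carrying shell metacharacters.
        String[] candidates = {"report-2024.txt", "report.txt; echo injected"};
        for (String candidate : candidates) {
            System.out.println("\"" + candidate + "\" -> "
                + (isSafeArgument(candidate) ? "accepted" : "rejected"));
        }
    }
}
```

Running `main` prints `accepted` for the plain file name and `rejected` for the value containing `;`, without ever starting a process. The allow-list is deliberately narrow; widen it only with characters the tool genuinely needs, and keep the ProcessBuilder argument-vector form so that widening the list never reintroduces shell parsing.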

More information: