[guardian-dev] Fwd: [Android eng] FYI Android Studio 3.0 may inject profiler files into APK

Hans-Christoph Steiner hans at guardianproject.info
Fri Dec 1 04:38:00 EST 2017 

Oy, Google, what are you doing?  It seems that their lesson from
XCodeGhost is to use that technique to insert their own code, hidden
from view.

Yay for reproducible builds!

.hc

Nathan of Guardian:
> 
> 
> ----- Original message -----
> From: Michael Comella <michael.l.comella at gmail.com>
> To: "mobile-firefox-dev" <mobile-firefox-dev at mozilla.org>,
> firefox-focus-public at mozilla.org
> Subject: [Android eng] FYI Android Studio 3.0 may inject profiler files
> into APK
> Date: Thu, 30 Nov 2017 12:00:21 -0800
> 
> Hey Android devs.
> 
> I discovered that Android Studio 3.0 will inject some files for the new
> profiler
> <https://developer.android.com/studio/preview/features/android-profiler.html>
> (libperfa_x86.so, perfa.jar, perfd) into the APK under certain
> conditions:
> - Build the APK with Android Studio 3.0+ (i.e. not Gradle)
> - Running on an API 26+ device (or perhaps explicitly enabled advanced
> debugging on prior API levels)
> - Have opened the “Android Profiler” tab at least once since the AS
> process
> started
> 
> These will go in the data directory, e.g.
> `/data/data/org.mozilla.focus.debug`. You might care if you're making
> some
> assertions about what is in the app's data directory, like we were for
> Focus after deleting the user's browsing session.
> 
> You can find the investigation of this in the corresponding
> focus-android
> github issue
> <https://github.com/mozilla-mobile/focus-android/issues/1842>
> and a (honestly, very) few additional details in my blog post
> <http://mcomella.xyz/blog/2017/as-3-profiler-injects-files.html>.
> 
> Let me know if you have questions!
> - Mike (:mcomella)
> _______________________________________________
> mobile-firefox-dev mailing list
> mobile-firefox-dev at mozilla.org
> https://mail.mozilla.org/listinfo/mobile-firefox-dev
> 
> 

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556

More information about the guardian-dev mailing list