Authorization / Call to Dynamic Code Loading API
Description
A call to a dynamic code loading API is a type of authorization vulnerability that affects Android, iOS and mobile apps. It allows attackers to bypass authentication measures, such as user accounts, by loading code into the application dynamically. This type of attack is classified as CWE-285 (Improper Authorization) according to the Common Weakness Enumeration directory. The OWASP Testing Guide recommends testing for this vulnerability to ensure that applications are not vulnerable.
Risk
The risk associated with a call to a dynamic code loading API is high, as it allows attackers to bypass authentication measures and gain unauthorized access to the application. The risk assessment for this vulnerability is High-Critical, as it could lead to a data breach, financial losses and reputational damage.
Solution
The best solution to this vulnerability is to ensure that any code loaded into the application is properly authorized or validated before it is loaded. Developers should also ensure that any user input is properly validated before being used as input to the application.
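One way to apply the validation recommended above, as an added example that is not part of the original page or of any project's code: a gate in plain Java that refuses a code file unless it sits in a trusted directory, is not writable, and matches a pinned SHA-256 digest. The class name, file names and temp directory are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example (hypothetical names): checks to pass before any dynamic load.
public final class VerifiedCodeLoader {
    /** Returns the verified bytes; throws SecurityException if any check fails. */
    static byte[] verify(Path candidate, Path trustedDir, byte[] pinnedSha256)
            throws IOException, NoSuchAlgorithmException {
        // Resolve symlinks and ".." so the checks apply to the real file.
        Path real = candidate.toRealPath();
        if (!real.startsWith(trustedDir.toRealPath())) {
            throw new SecurityException("file is outside the trusted directory");
        }
        // A file the app can still write to could be replaced after the check.
        if (Files.isWritable(real)) {
            throw new SecurityException("file is writable");
        }
        byte[] bytes = Files.readAllBytes(real);
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(bytes);
        if (!MessageDigest.isEqual(actual, pinnedSha256)) { // constant-time compare
            throw new SecurityException("digest does not match the pinned value");
        }
        return bytes; // hand these exact bytes to the loader, never re-read the path
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp directory stands in for app-private storage.
        byte[] good = "constructed module".getBytes(StandardCharsets.UTF_8);
        Path dir = Files.createTempDirectory("modules");
        Path module = Files.write(dir.resolve("module.bin"), good);
        module.toFile().setReadOnly();
        // Assumption: the real digest ships inside the signed app package.
        byte[] pinned = MessageDigest.getInstance("SHA-256").digest(good);
        System.out.println("accepted " + verify(module, dir, pinned).length + " bytes");
        // Same path, different content: the load must be refused.
        module.toFile().setWritable(true);
        Files.write(module, "tampered".getBytes(StandardCharsets.UTF_8));
        module.toFile().setReadOnly();
        try {
            verify(module, dir, pinned);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The writable check relies on the process not running with elevated privileges, since a privileged user can write to read-only files.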
Example
The following code example is taken from CVE-2015-7049, which is a vulnerability in the Android libstagefright library. The vulnerability allows attackers to bypass authentication checks and execute code in the context of the application.
    if (findCodecByType(mime)) {
        // Found supported codec
        // ...
        // Code omitted for brevity
        // ...
        if (callToDynamicCodeLoadingApi()) {
            // Load code dynamically
            // ...
            // Code omitted for brevity
            // ...
        }
    }