Android Developers Susceptible to Data Exposure from XXE Attack (ISE Blog)


Android app developers and reverse engineers are the target of a newly documented vulnerability called ParseDroid, which affects development tools including Android Studio, IntelliJ, Eclipse, APKTool, and others. These tools are available on all the major platforms — Windows, macOS, and Linux — and all are equally vulnerable. The vulnerability was initially disclosed to Google and the other tool vendors in May of 2017 by Check Point, and it was recently disclosed to the public.

The security vulnerability lies in an XML parsing library common to Android development tools and is an example of an XML External Entity (XXE) attack. These attacks rely on a feature of eXtensible Markup Language (XML) called “entities”. Entities are similar to macros in other languages, as they can store a value that will be substituted in when the document is parsed. XML entities can also be “external”, meaning that the value substituted in comes from outside of the document that is being parsed.

External entities were created so that one XML document could reference a value from another document, or so that an XML document could be dynamically created based upon the value of some entity foreign to the document itself. Commonly, external entities use files on a local filesystem.