Mitigation Strategy: Strict Inclusion Rules (Whitelisting)
-
Mitigation Strategy: Strict Inclusion Rules (Whitelisting)
-
Description:
- Identify Essential AARs: Create a definitive list of only the AARs that are absolutely necessary for the application's functionality. Avoid any "include all" or wildcard approaches.
- Configure
fat-aar-android: Use the configuration options provided byfat-aar-androidto explicitly specify the AARs to be included. The library's documentation (likely on its GitHub page or in accompanying documentation) should detail how to do this. This usually involves a configuration file, Gradle properties, or specific DSL (Domain Specific Language) commands within your Gradle build script. Look for options likeinclude,exclude, or similar keywords. The configuration should explicitly list each AAR to be included, by name and potentially version. - Review and Audit: Regularly review the inclusion list within the
fat-aar-androidconfiguration to ensure that it remains minimal and up-to-date. Remove any AARs that are no longer required. This review should be part of your regular development workflow. - Document the Rationale: Within the
fat-aar-androidconfiguration (if comments are supported) or in a separate, linked document, document why each included AAR is necessary. This helps maintain clarity and prevents accidental inclusion of unnecessary components.
-
Threats Mitigated:
- Inclusion of Unwanted/Untrusted Libraries (Severity: Medium): Prevents the accidental or intentional inclusion of libraries that are not needed or that come from untrusted sources via the merging process.
- Increased Attack Surface (Severity: Medium): By minimizing the amount of code included in the merged AAR through direct configuration, the potential attack surface is reduced.
- Bloat and Performance Issues (Severity: Low): While not strictly a security threat, including unnecessary libraries can lead to increased application size and reduced performance.
fat-aar-android's configuration directly controls this.
-
Impact:
- Unwanted/Untrusted Libraries: Eliminates this risk within the scope of the merging process by providing strict control over which AARs are included.
- Increased Attack Surface: Significantly reduces the risk by limiting the amount of code included in the final AAR, directly controlled by the configuration.
- Bloat and Performance Issues: Improves application size and performance by avoiding unnecessary code, again directly controlled by the configuration.
-
Currently Implemented:
- Example: Partially implemented. A basic inclusion list exists within the
fat-aar-androidconfiguration, but it's not formally documented or regularly reviewed. Wildcards are not used, but the rationale for each inclusion is not documented.
- Example: Partially implemented. A basic inclusion list exists within the
-
Missing Implementation:
- Example: Formal documentation of the inclusion list and the rationale for each included AAR, either within the
fat-aar-androidconfiguration (if possible) or in a linked document. Establishment of a regular review process for the inclusion list within the build configuration.
- Example: Formal documentation of the inclusion list and the rationale for each included AAR, either within the
-
Mitigation Strategy: Post-Merge Verification (Limited Scope, fat-aar-android specific checks)
-
Mitigation Strategy: Post-Merge Verification (Limited Scope,
fat-aar-androidspecific checks)-
Description:
- Locate Merged AAR: After running the
fat-aar-androidbuild task, identify the location of the generated, merged AAR file. This location is typically specified in your Gradle build configuration. - Automated Checks (if possible): If
fat-aar-androidprovides any built-in verification mechanisms or logging options, enable them. Check the library's documentation for any such features. This might include options to generate a report of included files or to perform basic integrity checks. - Size Check: Compare size of generated .aar file with previous builds.
- Manual Checks (Targeted): Even without built-in tools, perform these targeted checks, focusing on the output of
fat-aar-android:- File Listing: Use a tool to list the contents of the AAR file (e.g.,
unzip -l your_merged_aar.aaron Linux/macOS, or use a ZIP utility on Windows). Compare this list to your expected inclusion list. Look for any unexpected files or directories. - String Search (within AAR): Use a command-line tool like
strings(available on Linux/macOS and often included in developer toolsets on Windows) to extract strings from the merged AAR file:strings your_merged_aar.aar | grep "your_library_name". Search for strings related to your expected libraries (names, version numbers) and unexpected libraries. - Resource Inspection (Targeted): If you know specific resource files (e.g., images, layouts) that should or should not be present, extract those resources from the AAR and examine them.
- File Listing: Use a tool to list the contents of the AAR file (e.g.,
- Locate Merged AAR: After running the
-
Threats Mitigated:
- Malicious Code Injection (During Merging) (Severity: High): Provides a limited ability to detect if malicious code has been injected into the merged AAR during the fat-aar-android merging process itself, or if the configuration was bypassed.
- Tampering with the
fat-aar-androidTool/Configuration (Severity: High): Helps detect if thefat-aar-androidtool itself has been compromised or if its configuration file has been tampered with, leading to unexpected inclusions. - Accidental Inclusion of Incorrect Versions (Severity: Medium): Can help identify if the wrong versions of libraries were accidentally included, even if they were on the whitelist, due to errors in the merging process.
-
Impact:
- Malicious Code Injection (During Merging): Low to Medium impact. This is not a comprehensive security audit. It's a targeted check that can catch some obvious issues related to the merging process, but it's not a substitute for proper pre-merging verification.
- Tampering: Medium impact. It can help detect some forms of tampering with the tool or its configuration.
- Incorrect Versions: Medium impact. It can help identify version mismatches resulting from the merging process.
-
Currently Implemented:
- Example: Not implemented. No post-merge verification specifically targeting the
fat-aar-androidoutput is currently performed.
- Example: Not implemented. No post-merge verification specifically targeting the
-
Missing Implementation:
- Example: Implementation of a script or procedure (ideally integrated into the build process) to perform the file listing, string search, and targeted resource inspection on the merged AAR. Training developers on how to perform these checks and what to look for. Establishment of a process for documenting and investigating any anomalies found. Exploration of any built-in verification features offered by
fat-aar-android.
- Example: Implementation of a script or procedure (ideally integrated into the build process) to perform the file listing, string search, and targeted resource inspection on the merged AAR. Training developers on how to perform these checks and what to look for. Establishment of a process for documenting and investigating any anomalies found. Exploration of any built-in verification features offered by
-