Skip to content

Latest commit

 

History

History
65 lines (52 loc) · 7.19 KB

mitigations.md

File metadata and controls

65 lines (52 loc) · 7.19 KB

Mitigation Strategies Analysis for airbnb/lottie-android

Mitigation Strategy: LottieAnimationView and LottieDrawable Configuration

  • Description:

    1. setSafeMode(true) (Deprecated, but illustrative): Older versions of lottie-android had a setSafeMode(true) method. While deprecated, it highlights the importance of understanding and controlling Lottie's behavior. This mode (when available) aimed to disable potentially risky features. The principle remains: disable any Lottie feature you don't explicitly need.
    2. setImageAssetDelegate(...) (Controlled Image Loading): This is crucial. Use setImageAssetDelegate to completely control how Lottie handles images referenced within the animation. Do not allow Lottie to load images directly. The delegate should:
      • Receive the LottieImageAsset object.
      • Validate the filename and url properties strictly (whitelist, HTTPS, etc., as described in the previous "Controlled Image Loading" strategy).
      • If the image is deemed safe, load it using a secure image loading library (Glide, Picasso) with appropriate security configurations (timeouts, size limits, etc.).
      • Return a Bitmap to Lottie only if the image is valid and loaded successfully. Return null otherwise.
    3. setAnimation(String filename) vs. setAnimationFromJson(String jsonString, String cacheKey) vs. setAnimationFromUrl(String url):
      • Prefer setAnimation(String filename) for loading from local assets (most secure).
      • If using setAnimationFromJson, ensure the jsonString has undergone rigorous schema validation and complexity checks before being passed to Lottie.
      • If using setAnimationFromUrl, implement all network security best practices (HTTPS, certificate pinning, etc.) and still perform schema validation and complexity checks on the downloaded JSON before passing it to Lottie. Treat remote URLs with extreme caution.
    4. setRepeatCount(...) and setRepeatMode(...): Be mindful of animations that repeat indefinitely or for a very long time. Consider setting a reasonable repeatCount to prevent potential resource exhaustion.
    5. Hardware Acceleration: Be aware of the setRenderMode method. While hardware acceleration (RenderMode.HARDWARE) can improve performance, it might have different security implications than software rendering (RenderMode.SOFTWARE). Test thoroughly on various devices and Android versions. If you encounter issues or have security concerns, consider using software rendering, especially for untrusted animations. Automatic mode (RenderMode.AUTOMATIC) chooses based on the Android version, so be aware of the implications on older devices.
    6. Font Handling: If your animation uses custom fonts, use setFontAssetDelegate to control how fonts are loaded, similar to how setImageAssetDelegate controls image loading. Validate font file names and ensure they are loaded from a trusted location.

  • Threats Mitigated:

    • Malicious Image Loading (High Severity): setImageAssetDelegate is the primary defense against malicious image loading through Lottie.
    • Resource Exhaustion (Medium Severity): Controlling repeatCount and being mindful of hardware acceleration can help mitigate some resource exhaustion risks.
    • Exploiting Lottie Parser Vulnerabilities (Variable Severity): By carefully choosing which methods to use for loading animations (and pre-validating the JSON), you reduce the risk of triggering vulnerabilities within Lottie's parsing logic.
    • Malicious Font Loading (High Severity): setFontAssetDelegate is the primary defense against malicious font loading.

  • Impact:

    • Malicious Image Loading: setImageAssetDelegate, properly implemented, eliminates the risk of Lottie directly loading malicious images.
    • Resource Exhaustion: Provides moderate risk reduction.
    • Parser Vulnerabilities: Reduces the risk.
    • Malicious Font Loading: setFontAssetDelegate eliminates the risk of Lottie directly loading malicious fonts.

  • Currently Implemented: (Example - Replace with your project's status)

    • Partially Implemented: The application uses LottieAnimationView, but setImageAssetDelegate is not used. Animations are loaded from URLs without proper validation within the Lottie context. setRenderMode is set to AUTOMATIC.

  • Missing Implementation:

    • Implement setImageAssetDelegate with full URL validation and secure image loading.
    • Review and potentially restrict repeatCount for animations.
    • Evaluate the use of setRenderMode and consider explicitly setting it to SOFTWARE for untrusted animations if necessary.
    • Implement setFontAssetDelegate if custom fonts are used.
    • Ensure that JSON passed to setAnimationFromJson is always pre-validated.

Mitigation Strategy: Animation Cache Management

  • Description:

    1. LottieCache: lottie-android uses an internal cache (LottieCache) to store parsed animation data. This improves performance but could potentially be a target for attacks if not managed carefully.
    2. Cache Key Control: When loading animations, be aware of the cache key used. If you are loading animations from different sources, ensure that the cache keys are distinct and do not allow for collisions. For example, if you are loading animations from both local assets and a remote server, use different prefixes for the cache keys.
    3. Cache Size Limits: While LottieCache has a default size limit, consider explicitly setting a maximum cache size using Lottie.setMaxCacheSize(int maxSize) to prevent potential memory exhaustion if a large number of animations are loaded.
    4. Cache Clearing: In scenarios where you are loading animations from potentially untrusted sources, consider periodically clearing the Lottie cache using Lottie.clearCache(). This can help mitigate the risk of a malicious animation remaining in the cache and being reused later. However, be mindful of the performance impact of clearing the cache frequently.

  • Threats Mitigated:

    • Cache Poisoning (Low Severity): While unlikely, a carefully crafted attack could potentially attempt to "poison" the Lottie cache with a malicious animation. Proper cache key management and periodic clearing can mitigate this.
    • Resource Exhaustion (Low Severity): Setting a maximum cache size can help prevent excessive memory consumption.

  • Impact:

    • Cache Poisoning: Reduces the risk.
    • Resource Exhaustion: Provides a small reduction in risk.

  • Currently Implemented:

    • Not Implemented: The application relies on the default Lottie cache behavior without any explicit management.

  • Missing Implementation:

    • Implement explicit cache key management to prevent collisions.
    • Consider setting a maximum cache size using Lottie.setMaxCacheSize().
    • Evaluate the need for periodic cache clearing based on the application's security requirements.