A story in three parts 😶 #log4j
If Apple is affected by that, imagine what the Android team must be going through right now... :-O
What makes you think Android would be worse affected? In fact, it isn’t affected at all. Android has been far more secure than iOS for a long while now.

Dec 10, 2021 · 6:10 PM UTC · Twitter for Android

This has nothing to do with Android vs iOS, it's affecting the *server*.
Explain that to the couple of iOS users in this thread saying “imagine what Android must be going through!” Also, this only affects iOS because RCE on iCloud practically means full access to device activity on iOS. Google servers are not vulnerable to this, so Android is safe.
Java and Kotlin are the primary languages used to develop on Android. Those apps can and do use Log4J for local logging. So unless the OS blocks outgoing JNDI requests, Android IS affected.
Luckily, Android has its own logging framework, so hopefully the number of apps opting to use Log4J instead is small. But gauging from the "how do I configure Log4J for Android?" threads on StackOverflow it is non-zero.
... That is not only not right; it is not even wrong.
You still don’t get the impact of this RCE. It’s not about android or iOS. It’s about what in your whole platform stack runs on the JVM. From the mobile till the last fricken service in your whole pipeline. People atm just playing around, trying to find unsanitized inputs.
Next step will be: Inject a whole Exploit chain. There is much out there available. They just need the opportunity to be loaded and executed. And here you have the key to open the door to unlimited possibilities