The point of catching exceptions

Using Try-Catch block is a very good way to detect run-time exceptions. But one of my code reviewers recently pointed out that over using them can be dangerous. I was pointed out that I should only catch those exceptions which I understand and should correctly handle them once its caught. Catch-all try-blocks may generate less user facing errors, but could hide the more serious issues.

Nothing else describes the danger of this way of ignoring exceptions than this post on android-ssl.org [ More details in this paper ].

To evaluate the real threat of such potential vulnerabilities, we have manually mounted MITM attacks against 100 selected apps from that set. This manual audit has revealed widespread and serious vulnerabilities. We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts. We have succesfully manipulated virus signatures downloaded via the automatic update functionality of an anti-virus app to neutralize the protection or even to remove arbitrary apps, including the anti-virus program itself.
To be honest I haven't see how these apps have implemented this... but based on my java/python background I'd say there is a good chance that either a flag was passed to ignore certificate errors, or a try catch block was implemented to catch+ignore all exceptions (which included valid security exceptions).


Comments

Popular posts from this blog

Chrome Frame - How to add command line parameters

Creating your first chrome app on a Chromebook

Brewers CAP Theorem on distributed systems