(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)
This rule was developed in part by Robin Yuan at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html). |
|---|
Chin, et al., [Chin 2011] says: "If a Service is exported and not protected with strong permissions, then any application can start and bind to the Service. Depending on the duties of a particular Service, it may leak information or perform unauthorized tasks. Services sometimes maintain singleton application state, which could be corrupted."
...
The above is a general example on how to use custom permission. There are also other types of permissions aside from "dangerous" . Please note that the of how the apps are started also affect how permission works [Murphy 2011].
...
Failing to protect an exported service with strong permissions may lead to sensitive data being revealed or to denial of service.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DRD07-J | High | Probable | Medium | P12 | L1 |
Automated Detection
Automatic detection of an exported service is straightforward. It is not feasible to automatically determine whether appropriate permissions have been set in the manifest.
Tool | Version | Checker | Description |
|---|
Related Vulnerabilities
- CVE-2017-12816 In Kaspersky Internet Security for Android 11.12.4.1622, some of application exports activities have weak permissions
- CVE-2016-10135 Multiple LG Android Mobile Devices Multiple Security Bypass Vulnerabilities
Related Guidelines
| CWE-926 | Improper Export of Android Application Components |
Bibliography
| [Chin 2011] | Analyzing Inter-Application Communication in Android |
M. Murphy 2011 | Vulnerabilities with Custom Permissions |
...