Versions Compared

...

  • permissions
    • android.permission.ACCESS_FINE_LOCATION
    • android.permission.ACCESS_COARSE_LOCATION
    • android.permission.INTERNET
  • android.webkit package
    • WebSettings#setGeolocationEnabled(true)
    • WebChromeClient#onGeolocationPermissionsShowPrompt() implementation

...

Sending a user's geolocation information to a web page without first asking the user's permission violates the security and privacy considerations of the W3C Geolocation API specification and leaks the user's sensitive location data.
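The permissions and android.webkit calls listed above are exactly what a WebView needs to hand a page the device position; the handler that decides whether it may do so is WebChromeClient#onGeolocationPermissionsShowPrompt(). The following is an added example written for this page, not code from the original rule: it shows a handler that grants every origin silently (the behaviour this rule forbids) beside one that asks the user per origin and treats dismissal as a denial. The class names, the dialog strings and the assumption that an Activity owns the WebView are illustrative.

```java
// Added example for DRD15-J; not code from the original page.
// Assumes the manifest declares INTERNET and ACCESS_FINE_LOCATION or
// ACCESS_COARSE_LOCATION, and that an Activity owns the WebView.
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Context;
import android.webkit.GeolocationPermissions;
import android.webkit.WebChromeClient;
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class GeolocationPrompting {

    /** Noncompliant: every origin that asks gets the device position, silently. */
    public static class SilentGrantChromeClient extends WebChromeClient {
        @Override
        public void onGeolocationPermissionsShowPrompt(String origin,
                GeolocationPermissions.Callback callback) {
            // allow=true, retain=false: the page's JavaScript receives the
            // position without the user ever seeing a prompt.
            callback.invoke(origin, true, false);
        }
    }

    /** Compliant: ask the user per origin; deny by default and on dismissal. */
    public static class UserPromptChromeClient extends WebChromeClient {
        private final Context context;
        private AlertDialog pending;

        public UserPromptChromeClient(Context context) {
            this.context = context;
        }

        @Override
        public void onGeolocationPermissionsShowPrompt(final String origin,
                final GeolocationPermissions.Callback callback) {
            pending = new AlertDialog.Builder(context)
                .setTitle("Share your location?")
                .setMessage(origin + " wants to use your device's location.")
                // retain=false: the decision is not remembered by the WebView,
                // so each request is a fresh, explicit choice by the user.
                .setPositiveButton("Allow", (d, w) -> callback.invoke(origin, true, false))
                .setNegativeButton("Deny", (d, w) -> callback.invoke(origin, false, false))
                // Back button or a tap outside the dialog is a denial, never consent.
                .setOnCancelListener(d -> callback.invoke(origin, false, false))
                .show();
        }

        @Override
        public void onGeolocationPermissionsHidePrompt() {
            // The WebView withdrew the request (for example on navigation); drop the
            // dialog so a stale prompt cannot grant access to a page that is gone.
            // dismiss() does not fire the cancel listener, so no callback is invoked.
            if (pending != null && pending.isShowing()) {
                pending.dismiss();
            }
            pending = null;
        }
    }

    /** Wires the prompting client into a WebView; call from Activity.onCreate. */
    public static void configure(Activity activity, WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);    // navigator.geolocation needs JavaScript
        settings.setGeolocationEnabled(true);   // the setting this rule is about
        webView.setWebChromeClient(new UserPromptChromeClient(activity));
        // Caveat (not from the original page): on Android 6.0 and later the app
        // itself must also hold the runtime location permission, otherwise the
        // WebView's request fails regardless of the user's answer here.
    }
}
```

The important details are in the negative paths: the cancel listener and the default of not retaining the decision mean that nothing short of the user tapping "Allow" sends a position, and onGeolocationPermissionsHidePrompt() removes a prompt the page can no longer legitimately benefit from.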

Risk Assessment

The two revisions compared on this page rate the rule as follows; one uses a Remediation Cost column, the other the Detectable and Repairable columns.

Rule     Severity  Likelihood  Remediation Cost  Detectable  Repairable  Priority  Level
DRD15-J  Low       Probable    medium            -           -           P6        L2
DRD15-J  Low       Probable    -                 No          No          P2        L3

Related Vulnerabilities

  • JVN#81637882 Information disclosure vulnerability in Sleipnir Mobile for Android

Related Guidelines

Automated Detection

It is trivial to detect automatically whether an app requests the permissions needed for this vulnerability, whether it also uses the WebView class, and whether it also implements the WebChromeClient#onGeolocationPermissionsShowPrompt() method. Tracing the taint flow of sensitive geolocation data between components of one or more Android apps, and its eventual transit to a sink, is a complex dataflow analysis.
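The "trivial" half of that detection can be scripted over an app's manifest and sources. The following checker is an added example written for this page, not a tool the rule refers to: it lists the uses-permission entries in AndroidManifest.xml, looks for the WebView, setGeolocationEnabled(true) and onGeolocationPermissionsShowPrompt markers in the .java files under a source tree, and flags an invoke(origin, true, ...) call with a literal true as a likely silent grant. The marker strings, the regular expression and the command-line layout are assumptions; the taint-tracking half of the analysis is not attempted.

```java
// Added example, not code from the original page: a lightweight checker for the
// preconditions of DRD15-J. Marker strings and the silent-grant regex are
// heuristics chosen for illustration, not a definition of the vulnerability.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public final class GeoWebViewChecker {
    static final Set<String> LOCATION_PERMISSIONS = Set.of(
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION");
    static final String[] MARKERS = {
        "WebView", "setGeolocationEnabled(true)", "onGeolocationPermissionsShowPrompt" };
    // Heuristic: callback.invoke(origin, true, ...) with a literal true is an
    // unconditional grant; a handler passing a user's decision will not match.
    static final Pattern SILENT_GRANT =
        Pattern.compile("\\.invoke\\s*\\(\\s*\\w+\\s*,\\s*true\\s*,");

    /** Reads every <uses-permission android:name="..."> from a manifest. */
    static Set<String> permissions(Path manifest) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Hardening for the checker itself: reject DTDs so an untrusted manifest cannot XXE us.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder().parse(manifest.toFile());
        NodeList nodes = doc.getElementsByTagName("uses-permission");
        Set<String> found = new HashSet<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            found.add(((Element) nodes.item(i)).getAttribute("android:name"));
        }
        return found;
    }

    /** Maps each marker (and "silent grant") to the .java files under root containing it. */
    static Map<String, List<Path>> scanSources(Path root) throws IOException {
        Map<String, List<Path>> hits = new LinkedHashMap<>();
        List<Path> javaFiles;
        try (Stream<Path> files = Files.walk(root)) {
            javaFiles = files.filter(p -> p.toString().endsWith(".java")).collect(Collectors.toList());
        }
        for (Path p : javaFiles) {
            String text = Files.readString(p);
            for (String marker : MARKERS) {
                if (text.contains(marker)) {
                    hits.computeIfAbsent(marker, k -> new ArrayList<>()).add(p);
                }
            }
            if (SILENT_GRANT.matcher(text).find()) {
                hits.computeIfAbsent("silent grant", k -> new ArrayList<>()).add(p);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: GeoWebViewChecker AndroidManifest.xml <source dir>");
            System.exit(2);
        }
        Set<String> perms = permissions(Paths.get(args[0]));
        boolean locationPerm = perms.stream().anyMatch(LOCATION_PERMISSIONS::contains);
        boolean internet = perms.contains("android.permission.INTERNET");
        Map<String, List<Path>> hits = scanSources(Paths.get(args[1]));
        boolean allMarkers = hits.keySet().containsAll(List.of(MARKERS));

        System.out.println("location permission: " + locationPerm + ", INTERNET: " + internet);
        hits.forEach((marker, files) -> System.out.println(marker + ": " + files));
        if (locationPerm && internet && allMarkers) {
            System.out.println("DRD15-J candidate: WebView geolocation with a custom prompt handler"
                + (hits.containsKey("silent grant")
                    ? ", and a handler that grants without asking"
                    : "; review the handler by hand"));
        } else {
            System.out.println("DRD15-J: not all preconditions present");
        }
    }
}
```

The output is a triage signal, not a verdict: a handler that shows a dialog and passes the user's answer to invoke() will not match the silent-grant pattern, while one that computes the boolean elsewhere will be missed, which is why the real question (does location data reach a sink the user did not consent to) still needs the dataflow analysis the paragraph describes.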

Tool  Version  Checker  Description

Bibliography

...
