Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

(THIS CODING RULE OR GUIDELINE IS UNDER CONSTRUCTION)

...

 

This rule was developed in part by Robin Yuan at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html).
For more information about this statement, see the About the OurCS Workshop page.

 Chin, et al., [Chin 2011] says: "If a Service is exported and not protected with strong permissions, then any application can start and bind to the Service. Depending on the duties of a particular Service, it may leak information or perform unauthorized tasks. Services sometimes maintain singleton application state, which could be corrupted."

To guard against such eventualities, an exported service should always be protected with strong permissions.

...

This noncompliant code example shows an exported service that is unprotected by permissions and which sends sensitive information when started by an arbitrary application:

TBD
Code Block
bgColor#FFCCCC
//base app manifest
<activity android:exported="false" ... >
	<intent-filter > ... </intent-filter>
	...
</activity>

Above code snippet causes an error because <intent-filter> means that this activity can be launched by other component, so it cannot be false. Depending on the purpose of this service, we can do one of the following:  

  • We can take out the <intent-filter>, which makes constrict access to only the components of the same application or applications with the same user ID.
  • Assuming we want to let other apps access this app, <intent-filter> is required. Therefore, custom permission should be used instead of leaving it to default "normal". The latter allows other apps to access data from this app, which could be confidential.

Compliant Solution

This compliant solution shows the permissions set in the manifest that prevent the service shown in the noncompliant code example from being started by an inappropriate application:

Disclaimer: the code below is preliminary. and modifed from an answer from stackoverflow.

...

bgColor#CCCCFF
Code Block
bgColor#CCCCFF
//base app manifest

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <permission android:name="customPermission" android:protectionLevel="dangerous" ...></permission>
    <application ...>
        <activity
            android:permission="customPermission"
            ... >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
            <intent-filter >
                <action android:name="package_name.MyAction" />
                <category android:name="android.intent.category.DEFAULT" />                
            </intent-filter>
        </activity>
    </application>
</manifest>
 
//apps who wish to use base app manifest
<manifest ...>
<uses-permission
     android:name="customPermission"
     android:maxSdkVersion=.. />
...
</manifest>
 
//in the activities of these apps where we want to use the base-app's activity under protection
Intent in = new Intent();
in.setAction("package_name.MyAction");
in.addCategory("android.intent.category.DEFAULT");
startActivity(in);

The above is a general example on how to use custom permission. There are also other types of permissions aside from "dangerous" .  Please note that the  of how the apps are started also affect how permission works [Murphy 2011].

...

Risk Assessment

Failing to protect an exported service with strong permissions may lead to sensitive data being revealed or to denial of service.

...

Automatic detection of an exported service is straightforward. It is not feasible to automatically determine whether appropriate permissions have been set in the manifest.

Related

...

Fill in the table below with at least one entry row, per these instructions, then remove this purple-font section.

Vulnerabilities

  • CVE-2017-12816 In Kaspersky Internet Security for Android 11.12.4.1622, some of application exports activities have weak permissions
  • CVE-2016-10135 Multiple LG Android Mobile Devices Multiple Security Bypass Vulnerabilities

Related Guidelines

 CWE-926

Improper Export of Android Application Components

 TBD (e.g., MITRE CWE) 

Bibliography

...



...