This rule was developed in part by Robin Yuan at the October 20-22, 2017 OurCS Workshop (http://www.cs.cmu.edu/ourcs/register.html).
To guard against such eventualities, an exported service should always be protected with strong permissions.
This noncompliant code example shows a component (an activity here; the same rule applies to a service) that is exported through its intent filter and not protected by any permission. When started by an arbitrary application it sends sensitive information back to that application:

```xml
<!-- base app manifest (noncompliant) -->
<activity ... >
    <!-- The intent filter makes this component reachable from other apps
         (it is exported by default), and no android:permission attribute
         restricts which applications may start it. -->
    <intent-filter>
        ...
    </intent-filter>
    ...
</activity>
```

Because the component declares an `<intent-filter>` and does not set `android:exported="false"`, the platform exports it: any application on the device can start it with a matching implicit intent, and nothing in the manifest restricts who may do so. Setting `android:exported="false"` alongside an intent filter is not an error; it simply makes the component unreachable from other applications, which is the right fix when only the app's own code needs it. (Since Android 12, API level 31, apps targeting that level must set `android:exported` explicitly on every component that has an intent filter, but an explicit `android:exported="true"` without a permission is just as exposed as the example above.) Depending on the purpose of the component, the fix is therefore either to not export it at all, or to keep it exported but guard it with a strong permission, as in the compliant solution that follows.
This compliant solution shows a custom permission declared in the manifest and applied to the component, which prevents the component shown in the noncompliant code example from being started by an inappropriate application:

Note: the code below is preliminary and is adapted from a Stack Overflow answer.

Base app manifest:

```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" ...>
    <!-- Declare the custom permission. protectionLevel="signature" means only
         apps signed with the same certificate as this app can hold it; "normal"
         and "dangerous" permissions can be obtained by any app that requests
         them, so they do not keep untrusted callers out. -->
    <permission android:name="customPermission"
                android:protectionLevel="signature" />
    <application ...>
        <!-- The component stays reachable through its intent filter, but the
             platform now rejects any caller that does not hold customPermission.
             Do not put android:permission on the app's own MAIN/LAUNCHER
             activity: the home-screen launcher does not hold the permission and
             could no longer start the app. -->
        <activity android:permission="customPermission" ... >
            <intent-filter>
                <action android:name="package_name.MyAction" />
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

Manifest of an app that wishes to use the base app's component:

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android" ...>
    <!-- Request the permission. With protectionLevel="signature" the request is
         granted only if this app is signed with the base app's certificate. -->
    <uses-permission android:name="customPermission" />
    ...
</manifest>
```

In the activities of that app, where the protected component of the base app is used:

```java
// Start the protected component with an implicit intent. This succeeds only
// if the calling app holds customPermission; otherwise the platform rejects
// the call with a SecurityException.
Intent in = new Intent();
in.setAction("package_name.MyAction");
in.addCategory("android.intent.category.DEFAULT");
startActivity(in);
```

The above is a general example of how to use a custom permission. The protection level is what makes the permission "strong": `normal` and `dangerous` permissions can be obtained by any application that simply requests them, whereas `signature` (and `signatureOrSystem`) permissions are granted only to applications signed with the same certificate as the defining app. Note also that the order in which the apps are installed affects how a custom permission behaves: whichever app first defines a permission name fixes its protection level, so an app installed earlier can define the same name with a weak level and then satisfy the check [Murphy 2011].
Failing to protect an exported service with strong permissions may lead to sensitive data being revealed or to denial of service.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD07-J | High | Probable | Medium | P12 | L1 |
Automatic detection of an exported service is straightforward. It is not feasible to automatically determine whether appropriate permissions have been set in the manifest.
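The straightforward half of that detection can be scripted against the manifest itself. The following Python script is an added example, not code from the CERT rule or the Android SDK: it parses an `AndroidManifest.xml`, applies the platform's export rule (an explicit `android:exported` wins, otherwise a component with an `<intent-filter>` is exported), and reports every exported component that has no `android:permission` or whose permission is declared in the same manifest with a protection level below `signature`. The sample manifest embedded in it is constructed for the demonstration; its package, component and permission names are placeholders, and treating an unspecified `<provider>` as exported is a deliberately conservative assumption.

```python
"""Find components in an AndroidManifest.xml that other apps can reach but that
are not guarded by a strong (signature-level) permission.

Added example for this rule, not code from the CERT page. The manifest below
is constructed for the demonstration; its package, component and permission
names are placeholders."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
# Only signature-based levels restrict the caller to trusted (same-signer) apps.
STRONG_LEVELS = {"signature", "signatureOrSystem"}


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Apply the platform's default: an explicit android:exported wins; otherwise
    a component is exported iff it declares an <intent-filter>. A <provider>
    with no explicit value is treated as exported (conservative assumption; the
    real default depends on targetSdkVersion)."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if component.tag == "provider":
        return True
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (tag, android:name, reason) for every exported component that is
    unprotected or protected only by a weak permission."""
    root = ET.fromstring(xml_text)
    # protectionLevel of each custom permission declared here ("normal" if omitted;
    # flag forms such as "signature|privileged" reduce to their base level)
    levels = {
        _attr(p, "name"): (_attr(p, "protectionLevel") or "normal").split("|")[0]
        for p in root.iter("permission")
    }
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        name, perm = _attr(comp, "name"), _attr(comp, "permission")
        if perm is None:
            findings.append((comp.tag, name, "exported without android:permission"))
        elif perm not in levels:
            findings.append((comp.tag, name, "guarded by %s, declared outside this "
                             "manifest; verify its protection level" % perm))
        elif levels[perm] not in STRONG_LEVELS:
            findings.append((comp.tag, name, "guarded by %s with weak protectionLevel %r"
                             % (perm, levels[perm])))
    return findings


# Constructed sample manifest: a base app with one weak and one strong permission.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.base">
  <permission android:name="com.example.base.permission.WEAK"
              android:protectionLevel="dangerous" />
  <permission android:name="com.example.base.permission.STRONG"
              android:protectionLevel="signature" />
  <application>
    <!-- exported through its filter, no permission: finding -->
    <activity android:name=".SensitiveActivity">
      <intent-filter><action android:name="com.example.base.MyAction" /></intent-filter>
    </activity>
    <!-- exported, guarded by a signature permission: ok -->
    <service android:name=".ProtectedService"
             android:permission="com.example.base.permission.STRONG">
      <intent-filter><action android:name="com.example.base.PROTECTED" /></intent-filter>
    </service>
    <!-- explicit exported="false" overrides the filter: ok -->
    <service android:name=".InternalService" android:exported="false">
      <intent-filter><action android:name="com.example.base.INTERNAL" /></intent-filter>
    </service>
    <!-- exported, but the permission is only 'dangerous': finding -->
    <receiver android:name=".EventsReceiver"
              android:permission="com.example.base.permission.WEAK">
      <intent-filter><action android:name="com.example.base.EVENT" /></intent-filter>
    </receiver>
    <!-- explicitly exported, no filter, no permission: finding -->
    <service android:name=".ExplicitService" android:exported="true" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in audit_manifest(SAMPLE_MANIFEST):
        print("%-8s %-18s %s" % (tag, name, reason))
```

Run against the sample it reports three components: the unprotected activity, the receiver behind a `dangerous` permission, and the explicitly exported service; the two services that are either not exported or guarded by the `signature` permission pass. Point it at a real manifest by reading the file into `audit_manifest`. As the page says, the script cannot decide whether a given permission is *appropriate* for the data the component handles; it only surfaces the components a reviewer must look at.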
CWE-926, Improper Export of Android Application Components
[Chin 2011] Analyzing Inter-Application Communication in Android
[Murphy 2011] M. Murphy, Vulnerabilities with Custom Permissions