
Exported Components Vulnerability in Android


  1. Exported Components Vulnerability in Android
    1. Description
    2. Impact
    3. Vulnerable example #1
    4. Vulnerable example #2
    5. Vulnerable example #3
    6. Prevention
    7. References

Description

Exported Component issues occur when an Android application exports a component for use by other applications but does not properly restrict which applications can launch the component, bind to it, or access its data.

Android provides four kinds of application component that can take part in inter-process communication (IPC): Activities, Services, Broadcast Receivers and Content Providers.

An "exported" Activity, Service, Broadcast Receiver or Content Provider can be accessed by other apps installed on the device (and, under some conditions, by Instant Apps as well).

There are two common ways in which a component ends up exported:

  1. Setting the android:exported attribute to true (android:exported="true").

  2. Defining an <intent-filter> element within the component element (<activity>, <service>, <receiver>). A component that has an intent filter but no android:exported attribute is implicitly exported. Apps targeting Android 12 (API level 31) or higher must declare android:exported explicitly on every component that has an intent filter, otherwise the app fails to install; the implicit-export rule still applies to apps with a lower target.

Note that Broadcast receivers can be declared in the manifest or registered dynamically with Context.registerReceiver(). A dynamically registered receiver is also reachable by other apps unless it is registered with the RECEIVER_NOT_EXPORTED flag or protected by a permission; apps targeting Android 13 (API level 33) or higher must pass RECEIVER_EXPORTED or RECEIVER_NOT_EXPORTED when registering a receiver for anything other than system broadcasts.

Impact

The impact of improperly exporting a component (or inadequately protecting it) heavily depends on the nature of the exported component:

  • If access to a sensitive Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick the user into interacting with a screen that appears to belong to the victim application but is in fact controlled by the malicious one.
  • If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorised actions, gain access to sensitive information, or corrupt the internal state of the application.
  • If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to read or modify its data. Note that for apps whose minSdkVersion or targetSdkVersion is 16 (Android 4.1) or lower, a Content Provider is exported by default unless it is explicitly declared with android:exported="false"; from API level 17 (Android 4.2) onwards the default is false.

Vulnerable example #1

The vulnerable example below shows an activity exported with the attribute android:exported="true" and no android:permission, so any app on the device can start it (from a shell, for instance, with adb shell am start -n com.sf.vulnerableapp/.activities.UserProfileActivity):

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sf.vulnerableapp">
    ...
    <application>
        ...
        <activity
            android:name="com.sf.vulnerableapp.activities.UserProfileActivity"
            android:label="@string/app_name"
            android:screenOrientation="portrait"
            android:exported="true"/>
        ...
    </application>
</manifest>

Vulnerable example #2

The vulnerable example below shows an activity that is implicitly exported by defining an Intent filter for the scheme vapp://. Because the <activity> element carries no android:exported attribute, the intent filter alone makes it reachable, so any app can start it with an ACTION_VIEW intent whose data URI uses the vapp scheme:

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sf.vulnerableapp">
    ...
    <application>
        ...
        <activity
            android:name="com.sf.vulnerableapp.UserManualWebViewActivity"
            android:theme="@android:style/Theme.NoTitleBar">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:scheme="vapp" />
            </intent-filter>
        </activity>
        ...
    </application>
</manifest>

Vulnerable example #3

The vulnerable example below shows an exported Service guarded by the custom permission com.sf.permission.MY_PLAYER_PERMISSION, which is declared with android:protectionLevel="normal". A protectionLevel of normal (or dangerous) allows any application to request the permission with <uses-permission> and obtain it, automatically at install time for normal and after a user prompt for dangerous, so the permission does not limit which apps may start or bind to the Service.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sf.vulnerableapp">
    <permission
        android:name="com.sf.permission.MY_PLAYER_PERMISSION"
        android:description="@string/permdesc_MyPlayerService"
        android:protectionLevel="normal" />
    ...
    <application>
        ...
        <service
            android:name="com.sf.vulnerableapp.MyPlayerService"
            android:permission="com.sf.permission.MY_PLAYER_PERMISSION"
            android:exported="true" />
        ...
    </application>
</manifest>

Prevention

To prevent all other Android apps from interacting with an IPC component, set the android:exported="false" attribute on it and remove every <intent-filter> that is not necessary. A component declared with android:exported="false" cannot be started by other apps even if it keeps an intent filter.

Component access can be restricted with a custom permission (android:permission). If the IPC component is intended to be accessible to other applications, declare a <permission> element and set android:protectionLevel to signature, so that only apps signed with the same certificate as the declaring app can obtain it. The signatureOrSystem level is deprecated since API level 23; if system apps must also be allowed, use signature|privileged instead. Never rely on normal or dangerous permissions for this purpose. Exported components that legitimately accept input from other apps should treat every incoming Intent as untrusted and validate its action, data URI and extras before acting on them.
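The following is an added example, not code from the SecureFlag page or from any Android tool: a small static check, in Python, that applies the rules described in this page to a manifest. It flags the three patterns shown in the vulnerable examples (explicit android:exported="true" without a permission, an implicitly exported activity with an intent filter, and a Service guarded by a permission whose protectionLevel is normal or dangerous), plus a Content Provider that is exported by default because targetSdkVersion is 16 or lower, while accepting the hardened forms from the prevention advice (android:exported="false", or a signature-level permission). The manifest string is constructed for the example; the component names NotesProvider, AdminService and InternalService and the permission com.sf.permission.ADMIN are assumptions.

```python
"""Static audit of exported components in an AndroidManifest.xml.

Added example (not SecureFlag's code). The manifest below is constructed to
reproduce the three vulnerable patterns from the page plus hardened components.
"""
import xml.etree.ElementTree as ET

# Manifest attributes live in the android namespace; element names do not.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest; NotesProvider, AdminService, InternalService and
# com.sf.permission.ADMIN are assumed names used only for this example.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sf.vulnerableapp">
    <uses-sdk android:targetSdkVersion="16" />
    <permission android:name="com.sf.permission.MY_PLAYER_PERMISSION"
        android:protectionLevel="normal" />
    <permission android:name="com.sf.permission.ADMIN"
        android:protectionLevel="signature" />
    <application>
        <activity android:name=".activities.UserProfileActivity"
            android:exported="true" />
        <activity android:name=".UserManualWebViewActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:scheme="vapp" />
            </intent-filter>
        </activity>
        <service android:name=".MyPlayerService"
            android:permission="com.sf.permission.MY_PLAYER_PERMISSION"
            android:exported="true" />
        <provider android:name=".NotesProvider"
            android:authorities="com.sf.vulnerableapp.notes" />
        <service android:name=".AdminService"
            android:permission="com.sf.permission.ADMIN"
            android:exported="true" />
        <service android:name=".InternalService"
            android:exported="false" />
    </application>
</manifest>
"""

WEAK_LEVELS = {"normal", "dangerous"}
COMPONENTS = ("activity", "service", "receiver", "provider")


def permission_levels(root):
    """Map each declared <permission> name to its protectionLevel."""
    return {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
            for p in root.iter("permission")}


def is_exported(comp, target_sdk):
    """Explicit android:exported wins; otherwise an intent filter exports an
    activity/service/receiver, and a provider is exported by default only when
    the app targets API level 16 or lower."""
    explicit = comp.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    if comp.tag == "provider":
        return target_sdk <= 16
    return comp.find("intent-filter") is not None


def audit(manifest_xml):
    """Return (component name, finding) pairs for components other apps can reach
    without holding a signature-level permission."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = 1  # Android's default when <uses-sdk> is absent
    if uses_sdk is not None:
        target_sdk = int(uses_sdk.get(ANDROID + "targetSdkVersion", "1"))
    levels = permission_levels(root)
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENTS or not is_exported(comp, target_sdk):
            continue
        name = comp.get(ANDROID + "name")
        perm = comp.get(ANDROID + "permission")
        if perm is None:
            findings.append((name, "exported without a permission"))
        elif perm not in levels:
            findings.append((name, "guarded by undeclared permission " + perm))
        elif levels[perm] in WEAK_LEVELS:
            findings.append((name, f"permission {perm} has protectionLevel={levels[perm]}"))
    return findings


if __name__ == "__main__":
    for component, finding in audit(MANIFEST):
        print(f"{component}: {finding}")
```

Running the script reports the two activities, MyPlayerService and NotesProvider, and stays silent for AdminService (signature permission) and InternalService (android:exported="false"). Raising targetSdkVersion to 17 drops the provider finding, which is the API-level caveat from the Impact section; the check deliberately does not treat an intent filter as exporting a provider, because providers are not addressed by intents.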

References

MITRE - CWE-926: Improper Export of Android Application Components
Android Developers - IPC Security Tips
OWASP - Mobile Security Testing Guide
JSSEC - Android Application Secure Coding Guidebook