Improper export of android application components

[vellangelus]

Hi I found an app that have exported an unprotected activity(that means that any other app can have access to it) that when it launches have access to the local storage files. Is this considered as an important vulnerability? as an attacker can use a malicious apk to exploit this exported activity an access to the sdcard, even if the malicious apk doesn't have the permission to.

 

[Dannydet]

Just don't install anything that's not in the play store

 

[vellangelus]

Just don't install anything that's not in the play store

Yeah I understand that, but what I would like to ask is if in that case, that would be considered as an app vul

Just don't install anything that's not in the play store

Yeah I understand that, but what I would like to ask is if in that case, where this kind of activity is exported and unprotected, could be considered as an app vulnerability that can be exploited by an attacker

 

[GameTheory]

Hi I found an app that have exported an unprotected activity(that means that any other app can have access to it) that when it launches have access to the local storage files. Is this considered as an important vulnerability? as an attacker can use a malicious apk to exploit this exported activity an access to the sdcard, even if the malicious apk doesn't have the permission to.

This is kind of a grey area. I don't think google considers it a big deal. I haven't seen any reported attacks this way, but I'm not actually out investigating.

You can always restrict access by other apps to an activity, broadcast, or service by placing the following in your manifest.

android:exported="false"

Google's developer website has more information on this.

 

[MoodyBlues]

I found an app that have exported an unprotected activity(that means that any other app can have access to it)

If you're concerned about this app, report it to Google. They'll investigate and pull it from Play if warranted.

 

[GameTheory]

If you're concerned about this app, report it to Google. They'll investigate and pull it from Play if warranted.

There's nothing to report. Making your app activities accessible(unprotected) to other apps is not malicious. In fact, chances are you have apps installed with activities, broadcasts, or services that are accessible to other apps.

The app in question has an internal activity that can be accessed by other apps. It's at a developer's discretion whether they want to add the code I previously posted to make their app activities inaccessible(protected) to other apps.

https://developer.android.com/guide/topics/manifest/activity-element#exported

Some apps that may do this are those that have addon apks. For example, a launcher app that has a notification dot addon or lockscreen addon.

 

[MoodyBlues]

There's nothing to report.

Based on the OP: "I found an app that have exported an unprotected activity(that means that any other app can have access to it) that when it launches have access to the local storage files. Is this considered as an important vulnerability?", I got the impression they were concerned about this app they found, not created.

 

[vellangelus]

Yeah I understand that export activities is not something malicious itself, but there are some activities that if are exported can be exploited by an attacker an use it to perform bad actions. This is a vulnerability called: "Improper export of android component applications" . The info of that vulnerability is here https://cwe.mitre.org/data/definitions/926.html in the page you can read:
"The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains"
also,
"If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application."
In this specific case the exported activity is giving access to device sdcard that contains sensitive information, that is why I have this dude about the security of this app.

 

[GameTheory]

Based on the OP: "I found an app that have exported an unprotected activity(that means that any other app can have access to it) that when it launches have access to the local storage files. Is this considered as an important vulnerability?", I got the impression they were concerned about this app they found, not created.

Yes, it's an app "they found" and not their own. So what? It's still not malicious.

 

[vellangelus]

*doubt

 

[GameTheory]

Yeah I understand that export activities is not something malicious itself, but there are some activities that if are exported can be exploited by an attacker an use it to perform bad actions. This is a vulnerability called: "Improper export of android component applications" . The info of that vulnerability is here https://cwe.mitre.org/data/definitions/926.html in the page you can read:
"The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains"
also,
"If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application."
In this specific case the exported activity is giving access to device sdcard that contains sensitive information, that is why I have this dude about the security of this app.

Well there's 3 choices, restrict activities or not or don't set intent filters. Or if you're concerned about installing such apps, then don't. There are many apps that make their activities accessible and it's impossible to find them all.
Best thing to do is read google's documentation on this.

 

[MoodyBlues]

In this specific case the exported activity is giving access to device sdcard that contains sensitive information, that is why I have this dude about the security of this app.

As I mentioned before, if you're concerned about this app, report it to Google. You may have found something they missed.

 

[GameTheory]

*doubt

Another thing I should mention. This is an old vulnerability and google has since beefed up code obfuscation. Keep in mind that to exploit this vulnerability you need to know the exact class name which would be obfuscated.

Reporting an app with exported activities will undoubtedly do nothing since this is allowed by google. Google may just link you to the documentation at best.