
Improper export of android application components

Discussion in 'Android Lounge' started by vellangelus, Oct 18, 2019.

  1. vellangelus

    vellangelus Lurker
    Thread Starter

    Hi, I found an app that has exported an unprotected activity (that means that any other app can access it) which, when launched, has access to the local storage files. Is this considered an important vulnerability? An attacker could use a malicious APK to exploit this exported activity and access the SD card, even if the malicious APK doesn't have the permission to.

     


  2. Best Answer:
    Post #11 by GameTheory, Oct 18, 2019 (1 points)
  3. Dannydet

    Dannydet Extreme Android User

    Just don't install anything that's not in the play store
     
    GameTheory likes this.
  4. vellangelus

    vellangelus Lurker
    Thread Starter

    Yeah, I understand that, but what I would like to ask is whether, in that case, where this kind of activity is exported and unprotected, it could be considered an app vulnerability that can be exploited by an attacker.
     
  5. GameTheory

    GameTheory Android Expert

    This is kind of a grey area. I don't think Google considers it a big deal. I haven't seen any reported attacks this way, but I'm not actually out investigating.

    You can always restrict access by other apps to an activity, broadcast, or service by placing the following in your manifest.

    Code (XML):
    android:exported="false"
    Google's developer website has more information on this.
     
    vellangelus likes this.
  6. MoodyBlues

    MoodyBlues Compassion is cool!
    VIP Member

    If you're concerned about this app, report it to Google. They'll investigate and pull it from Play if warranted.
     
  7. GameTheory

    GameTheory Android Expert

    There's nothing to report. Making your app activities accessible (unprotected) to other apps is not malicious. In fact, chances are you have apps installed with activities, broadcasts, or services that are accessible to other apps.

    The app in question has an internal activity that can be accessed by other apps. It's at a developer's discretion whether they want to add the code I previously posted to make their app activities inaccessible (protected) to other apps.

    https://developer.android.com/guide/topics/manifest/activity-element#exported

    Some apps that may do this are those that have add-on APKs. For example, a launcher app that has a notification dot add-on or lockscreen add-on.
     
  8. MoodyBlues

    MoodyBlues Compassion is cool!
    VIP Member

    Based on the OP: "I found an app that have exported an unprotected activity(that means that any other app can have access to it) that when it launches have access to the local storage files. Is this considered as an important vulnerability?", I got the impression they were concerned about this app they found, not created.
     
  9. vellangelus

    vellangelus Lurker
    Thread Starter

    Yeah, I understand that exporting activities is not something malicious in itself, but there are some activities that, if exported, can be exploited by an attacker and used to perform bad actions. This is a vulnerability called "Improper Export of Android Application Components". The info on that vulnerability is here: https://cwe.mitre.org/data/definitions/926.html. On the page you can read:
    "The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains"
    also,
    "If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application."
    In this specific case the exported activity is giving access to the device's SD card, which contains sensitive information; that is why I have this doubt about the security of this app.
     
  10. GameTheory

    GameTheory Android Expert

    Yes, it's an app "they found" and not their own. So what? It's still not malicious.
     
  11. vellangelus

    vellangelus Lurker
    Thread Starter

  12. GameTheory

    GameTheory Android Expert

    Well, there are 3 choices: restrict activities or not, or don't set intent filters. Or if you're concerned about installing such apps, then don't. There are many apps that make their activities accessible and it's impossible to find them all.
    The best thing to do is read Google's documentation on this.
     
    vellangelus likes this.
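The two settings GameTheory mentions across the posts above (`android:exported="false"`, and the fact that an intent filter on its own makes a component reachable from other apps) are exactly what a manifest audit has to check. Below is an added example, not code from the thread or from any app discussed in it, that applies the export rules from Google's manifest documentation to a constructed `AndroidManifest.xml` (the package name `com.example.victim` and all component names are hypothetical). It reports every component, why it is or is not exported, and which exported ones carry no `android:permission`, which is the "exported and unprotected" case the thread is about. It also flags the Android 12 (API 31) rule that a component with an intent filter must declare `android:exported` explicitly.

```python
"""Audit an AndroidManifest.xml for exported components (CWE-926).

Added example, not code from the forum thread. Export rules per Google's
<activity>/<service>/<receiver>/<provider> docs:
  * android:exported set explicitly -> that value wins
  * otherwise activity/service/receiver is exported iff it has an <intent-filter>
  * otherwise a provider is exported only when minSdk or targetSdk <= 16
  * targetSdk >= 31: a component with an <intent-filter> must set android:exported
"Unprotected" = exported with no android:permission (providers: none of
permission/readPermission/writePermission).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed sample manifest (hypothetical package and class names): the weak
# setting the thread describes next to the corrected forms.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.victim">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30" />
    <permission android:name="com.example.victim.INTERNAL"
        android:protectionLevel="signature" />
    <application>
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <!-- weak: any third-party app can launch this with an explicit Intent -->
        <activity android:name=".FileBrowserActivity" android:exported="true" />
        <!-- corrected: exported but gated by a signature-level permission -->
        <activity android:name=".AdminActivity" android:exported="true"
            android:permission="com.example.victim.INTERNAL" />
        <!-- implicitly exported: no android:exported, but it has an intent filter -->
        <activity android:name=".ShareTargetActivity">
            <intent-filter>
                <action android:name="android.intent.action.SEND" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:mimeType="text/plain" />
            </intent-filter>
        </activity>
        <!-- corrected: internal only -->
        <activity android:name=".SettingsActivity" android:exported="false" />
        <provider android:name=".FileProvider"
            android:authorities="com.example.victim.files" />
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _sdk_levels(root):
    """(minSdkVersion, targetSdkVersion); docs default min to 1 and target to min.
    Gradle builds inject these, so audit the merged manifest, not the source one."""
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    target = _attr(uses_sdk, "targetSdkVersion") if uses_sdk is not None else None
    return min_sdk, (int(target) if target else min_sdk)


def _is_launcher(elem):
    """The launcher entry point is exported by design; do not report it."""
    return any(_attr(c, "name") == LAUNCHER_CATEGORY for c in elem.iter("category"))


def audit_manifest(xml_text):
    """Return one finding dict per component, in manifest order."""
    root = ET.fromstring(xml_text)
    min_sdk, target_sdk = _sdk_levels(root)
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS:
            continue
        explicit = _attr(elem, "exported")
        has_filter = elem.find("intent-filter") is not None
        if explicit is not None:
            exported, reason = explicit.lower() == "true", 'android:exported="%s"' % explicit
        elif elem.tag == "provider":
            exported = min_sdk <= 16 or target_sdk <= 16
            reason = "provider default (minSdk %d, targetSdk %d)" % (min_sdk, target_sdk)
        else:
            exported = has_filter
            reason = "implicit: intent-filter present" if has_filter else "implicit: no intent-filter"
        perm_attrs = ("permission", "readPermission", "writePermission") if elem.tag == "provider" else ("permission",)
        protected = any(_attr(elem, p) for p in perm_attrs)
        issues = []
        if exported and not protected and not _is_launcher(elem):
            issues.append("CWE-926: exported without android:permission")
        if explicit is None and has_filter and target_sdk >= 31:
            issues.append("targetSdk >= 31 requires explicit android:exported")
        findings.append({"type": elem.tag, "name": _attr(elem, "name"), "exported": exported,
                         "reason": reason, "protected": protected, "issues": issues})
    return findings


def unprotected_exports(findings):
    """Names of components an arbitrary third-party app could launch or query."""
    return [f["name"] for f in findings if any(i.startswith("CWE-926") for i in f["issues"])]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for f in audit_manifest(text):
        print("%s %-9s %-21s exported=%-5s protected=%-5s %s" % ("!!" if f["issues"] else "  ",
              f["type"], f["name"], f["exported"], f["protected"], "; ".join(f["issues"]) or f["reason"]))
```

Run it against a manifest pulled from an APK (`apktool d app.apk` leaves a decoded `AndroidManifest.xml` in the output directory) to get the same listing for a third-party app. Whether an exported, unprotected component is actually a vulnerability still depends on what it does once launched, which is the point of the CWE-926 text quoted later in the thread: an exported share target is normal, an exported activity that browses the SD card on behalf of whoever launched it is not.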
  13. MoodyBlues

    MoodyBlues Compassion is cool!
    VIP Member

    As I mentioned before, if you're concerned about this app, report it to Google. You may have found something they missed.
     
    MrJavi and vellangelus like this.
  14. GameTheory

    GameTheory Android Expert

    Another thing I should mention: this is an old vulnerability, and Google has since beefed up code obfuscation. Keep in mind that to exploit this vulnerability you need to know the exact class name, which would be obfuscated.

    Reporting an app with exported activities will undoubtedly do nothing, since this is allowed by Google. Google may just link you to the documentation at best.
     