
Improper export of android application components

Hi, I found an app that has exported an unprotected activity (that means that any other app can have access to it) that, when it launches, has access to the local storage files. Is this considered an important vulnerability? An attacker can use a malicious APK to exploit this exported activity and access the sdcard, even if the malicious APK doesn't have the permission to.
 
Just don't install anything that's not in the play store
Yeah I understand that, but what I would like to ask is if in that case, that would be considered as an app vul
Just don't install anything that's not in the play store
Yeah, I understand that, but what I would like to ask is if that case, where this kind of activity is exported and unprotected, could be considered an app vulnerability that can be exploited by an attacker.
 
Hi, I found an app that has exported an unprotected activity (that means that any other app can have access to it) that, when it launches, has access to the local storage files. Is this considered an important vulnerability? An attacker can use a malicious APK to exploit this exported activity and access the sdcard, even if the malicious APK doesn't have the permission to.

This is kind of a grey area. I don't think Google considers it a big deal. I haven't seen any reported attacks this way, but I'm not actually out investigating.

You can always restrict access by other apps to an activity, broadcast, or service by placing the following in your manifest.

XML:
android:exported="false"

Google's developer website has more information on this.
 
If you're concerned about this app, report it to Google. They'll investigate and pull it from Play if warranted.

There's nothing to report. Making your app activities accessible (unprotected) to other apps is not malicious. In fact, chances are you have apps installed with activities, broadcasts, or services that are accessible to other apps.

The app in question has an internal activity that can be accessed by other apps. It's at a developer's discretion whether they want to add the code I previously posted to make their app activities inaccessible (protected) to other apps.

https://developer.android.com/guide/topics/manifest/activity-element#exported

Some apps that may do this are those that have addon apks. For example, a launcher app that has a notification dot addon or lockscreen addon.
 
There's nothing to report.
Based on the OP: "I found an app that has exported an unprotected activity (that means that any other app can have access to it) that, when it launches, has access to the local storage files. Is this considered an important vulnerability?", I got the impression they were concerned about this app they found, not created.
 
Yeah, I understand that exporting activities is not something malicious in itself, but there are some activities that, if they are exported, can be exploited by an attacker and used to perform bad actions. This is a vulnerability called: "Improper export of android component applications". The info on that vulnerability is at https://cwe.mitre.org/data/definitions/926.html where you can read:
"The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains"
also,
"If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application."
In this specific case the exported activity is giving access to the device sdcard, which contains sensitive information; that is why I have this doubt about the security of this app.
 
Based on the OP: "I found an app that has exported an unprotected activity (that means that any other app can have access to it) that, when it launches, has access to the local storage files. Is this considered an important vulnerability?", I got the impression they were concerned about this app they found, not created.
Yes, it's an app "they found" and not their own. So what? It's still not malicious.
 
Yeah, I understand that exporting activities is not something malicious in itself, but there are some activities that, if they are exported, can be exploited by an attacker and used to perform bad actions. This is a vulnerability called: "Improper export of android component applications". The info on that vulnerability is at https://cwe.mitre.org/data/definitions/926.html where you can read:
"The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains"
also,
"If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application."
In this specific case the exported activity is giving access to the device sdcard, which contains sensitive information; that is why I have this doubt about the security of this app.

Well, there are 3 choices: restrict activities, or not, or don't set intent filters. Or if you're concerned about installing such apps, then don't. There are many apps that make their activities accessible and it's impossible to find them all.
The best thing to do is read Google's documentation on this.
 

Another thing I should mention: this is an old vulnerability and Google has since beefed up code obfuscation. Keep in mind that to exploit this vulnerability you need to know the exact class name, which would be obfuscated.

Reporting an app with exported activities will undoubtedly do nothing, since this is allowed by Google. Google may just link you to the documentation at best.
 