CWE-926

Variant Abstraction Level
Pillar — Highest-level weakness category
Class — Abstract, language-independent
Base — Specific enough to detect
Variant — Tied to specific technology
Compound — Requires multiple weaknesses
Incomplete MITRE CWE Status
Stable — Fully reviewed and complete
Draft — Under development, may change
Incomplete — Partially defined by MITRE
Deprecated — No longer recommended
Obsolete — Replaced by another CWE
Improper Export of Android Application Components

Description

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

The attacks and consequences of improperly exporting a component may depend on the exported component: If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application. If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to access the sensitive data. Note that in Android before 4.2, the Content Provider is automatically exported unless it has been explicitly declared as NOT exported.

Consequences

Availability, Integrity — Unexpected State, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context

Other applications, possibly untrusted, can launch the Activity.

Availability, Integrity — Unexpected State, Gain Privileges or Assume Identity, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context

Other applications, possibly untrusted, can bind to the Service.

Confidentiality, Integrity — Read Application Data, Modify Application Data

Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider.

Mitigations

Phase: Build and Compilation

If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.

Phase: Build and Compilation

If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.

Phase: Build and Compilation, Architecture and Design

Limit Content Provider permissions (read/write) as appropriate.

Phase: Build and Compilation, Architecture and Design

Limit Content Provider permissions (read/write) as appropriate.

Detection

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)