Mobile Threat Catalogue

Data or Functionality Exposed to Untrusted Apps


Threat Category: Vulnerable Applications

ID: APP-7

Threat Description: Android apps can be designed to share data with other apps through a variety of mechanisms such as broadcast receivers, services, intents, and content providers. Some of these mechanisms permit the app developer to grant broader permissions to untrusted apps than intended. As a result, a malicious app may gain unauthorized access to sensitive functionality or data. The malicious app may further take advantage of the weak permission to exploit other vulnerabilities in the receiving app by sending it crafted input.

Threat Origin

Not Applicable, See Exploit or CVE Examples

Exploit Examples

50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System 1

Smishing Vulnerability in Multiple Android Platforms 2

Android SMS Spoofer 3

Content provider permission bypass allows malicious application to access data 4

CVE Examples

Possible Countermeasures

Enterprise

Use app-vetting tools or services to identify apps that expose functionality to untrusted apps.

Use personal/enterprise app separation features (e.g. Android for Work or Samsung KNOX Workspace) so that vulnerabilities in an enterprise app cannot be exploited by a personal app or vice versa.
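An added example (not part of the catalogue entry) of the kind of check an app-vetting tool can run for this threat: it scans a decoded, text-form AndroidManifest.xml for components that are exported with no permission, or that are guarded only by a permission the app declares at a protection level other than signature. The sample manifest, its package and component names, and the handling of a missing `android:exported` attribute are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
GUARD_ATTRS = ("permission", "readPermission", "writePermission")

# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <permission android:name="com.example.notes.READ" android:protectionLevel="normal"/>
  <permission android:name="com.example.notes.SYNC" android:protectionLevel="signature"/>
  <application>
    <provider android:name=".NotesProvider" android:exported="true"/>
    <provider android:name=".DraftProvider" android:exported="true"
        android:readPermission="com.example.notes.READ"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.notes.SYNC"/>
    <receiver android:name=".RelayReceiver">
      <intent-filter><action android:name="com.example.notes.RELAY"/></intent-filter>
    </receiver>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return (name, tag, reason) for each component untrusted apps can reach."""
    root = ET.fromstring(xml_text)
    # Protection level of each permission this app declares (platform default: normal).
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            exported = comp.get(ANDROID + "exported")
            if exported is None:
                # Assumption: no attribute means exported only when an intent filter
                # is present (pre-Android 12 default); providers default to private.
                implicit = tag != "provider" and comp.find("intent-filter") is not None
                exported = "true" if implicit else "false"
            if exported != "true":
                continue
            name = comp.get(ANDROID + "name")
            guards = [g for a in GUARD_ATTRS if (g := comp.get(ANDROID + a))]
            if not guards:
                findings.append((name, tag, "exported with no permission"))
            for g in guards:
                # Permissions declared elsewhere cannot be judged from this manifest.
                if g in levels and "signature" not in levels[g]:
                    findings.append((name, tag, f"guarded only by {levels[g]}-level permission {g}"))
    return findings
```

On the sample, the receiver and the two providers are reported, while the signature-protected service and the non-exported activity are not. A manifest taken from an untrusted APK is itself untrusted input, so a vetting pipeline should parse it with a hardened XML parser.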

References

  1. J. Reardon et al., “50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System”, Federal Trade Commission, https://www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_serge_egelman.pdf [accessed 8/1/2022]

  2. X. Jiang, “Smishing Vulnerability in Multiple Android Platforms (including Gingerbread, Ice Cream Sandwich, and Jelly Bean)”, 28 Nov. 2012; www.csc.ncsu.edu/faculty/jiang/smishing.html [accessed 8/25/2016] 

  3. T. Cannon, “Android SMS Spoofer”, GitHub repository, 14 Dec. 2012; https://github.com/thomascannon/android-sms-spoof [accessed 8/25/2016] 

  4. K. Okuyama, “Content provider permission bypass allows malicious application to access data”, Mozilla Foundation Security Advisory 2016-41, Mozilla Foundation, 26 Apr. 2016; www.mozilla.org/en-US/security/advisories/mfsa2016-41/ [accessed 8/25/2016]