CWE-926

Improper Export of Android Application Components

AI Translation Available

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

Status

incomplete

Abstraction

variant

Affected Platforms

Mobile

Extended Description

AI Translation

The attacks and consequences of improperly exporting a component may depend on the exported component:

- If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application.

- If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application.

- If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to access the sensitive data. Note that in Android before 4.2, the Content Provider is automatically exported unless it has been explicitly declared as NOT exported.

Technical Details

AI Translation

Common Consequences

availability integrity confidentiality

Impacts

unexpected state dos: crash, exit, or restart dos: instability varies by context gain privileges or assume identity read application data modify application data

Detection Methods

automated static analysis

Potential Mitigations

Phases:

build and compilation architecture and design

Descriptions:

• If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.

• Limit Content Provider permissions (read/write) as appropriate.

• If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.

AI Generated Translation

Common Consequences

disponibilità integrità riservatezza

Impacts

stato inaspettato dos: crash, uscita o riavvio dos: instabilità varia dal contesto ottenere privilegi o assumere identità leggere dati applicazione modificare dati applicazione

Detection Methods

analisi statica automatizzata

Potential Mitigations

Phases:

compilazione e build architettura e design

Descriptions:

• Se non devono essere condivisi da altre applicazioni, contrassegna esplicitamente i componenti con android:exported="false" nel manifest dell'applicazione.

• Limitare i permessi del Content Provider (lettura/scrittura) come appropriato.

• Se hai intenzione di utilizzare solo componenti esportati tra app correlate sotto il tuo controllo, utilizza android:protectionLevel="signature" nel manifest XML per limitare l'accesso alle applicazioni firmate da te.

CWE-926

Common Consequences

Impacts

Detection Methods

Potential Mitigations

Common Consequences

Impacts

Detection Methods

Potential Mitigations

Iscriviti alla newsletter