Background Details
There are three types of components that can be exported in an Android application.
- An Activity is an application component that provides a UI for users to interact with. A typical application will have multiple Activity screens that perform different functions, such as a main Activity screen and a separate settings Activity screen.
- A Service is an application component that is started by another component to execute an operation in the background, even after the invoking component is terminated. Services do not have a UI component visible to the user.
- The Content Provider mechanism can be used to share data with other applications or internally within the same application.
Modes Of Introduction
Architecture and Design
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Technologies
Class: Mobile (Undetermined)
Common Consequences
Scope |
Impact |
Likelihood |
Availability Integrity | Unexpected State, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context
Note: Other applications, possibly untrusted, can launch the Activity. | |
Availability Integrity | Unexpected State, Gain Privileges or Assume Identity, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context
Note: Other applications, possibly untrusted, can bind to the Service. | |
Confidentiality Integrity | Read Application Data, Modify Application Data
Note: Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider. | |
Potential Mitigations
Phases : Build and Compilation
If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
Phases : Build and Compilation
If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.
Phases : Build and Compilation // Architecture and Design
Limit Content Provider permissions (read/write) as appropriate.
Phases : Build and Compilation // Architecture and Design
Limit Content Provider permissions (read/write) as appropriate.
Detection Methods
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness : High
Vulnerability Mapping Notes
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comment : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
References
REF-923
Security Tips
Android Open Source Project.
https://developer.android.com/training/articles/security-tips#ContentProviders
Submission
Name |
Organization |
Date |
Date release |
Version |
CWE Content Team |
MITRE |
2013-07-02 +00:00 |
2013-07-17 +00:00 |
2.5 |
Modifications
Name |
Organization |
Date |
Comment |
CWE Content Team |
MITRE |
2014-01-22 +00:00 |
Expanded entry to be more general and include all types of Android components that may be improperly exported. |
CWE Content Team |
MITRE |
2014-02-18 +00:00 |
updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References |
CWE Content Team |
MITRE |
2017-11-08 +00:00 |
updated References |
CWE Content Team |
MITRE |
2020-02-24 +00:00 |
updated Applicable_Platforms, Relationships |
CWE Content Team |
MITRE |
2022-10-13 +00:00 |
updated Background_Details |
CWE Content Team |
MITRE |
2023-04-27 +00:00 |
updated Detection_Factors, References, Relationships |
CWE Content Team |
MITRE |
2023-06-29 +00:00 |
updated Mapping_Notes |