OWASP category: MASVS-CODE: Code Quality
Overview
Custom permissions are designed to enable sharing resources and capabilities with other apps. They are most often used in these three situations:
- Controlling inter-process communication (IPC) between two or more apps
- Accessing third-party services
- Restricting access to the shared data of an app
The Custom Permission Typos / Orphaned Permissions vulnerability is related to the custom permissions functionality. The vulnerability occurs when a custom permission is declared in the manifest, but a different custom permission is used to protect exported Android components.
A malicious application can capitalize on applications that have misspelled a permission by:
- Registering that permission first
- Anticipating the spelling in subsequent applications
This can allow an application unauthorized access to resources or control over the victim application.
Custom permission typos in the Android Manifest constitute a vulnerability because they allow malicious apps to gain access to resources that they shouldn't be able to access.
For example, a vulnerable app wants to protect a component with the permission READ_CONTACTS but accidentally misspells it as READ_CONACTS. A malicious app can declare READ_CONACTS itself, since no application (or the system) owns that permission, and so gain access to the protected component.
Another common expression of this vulnerability is android:permission=True. Values such as true and false, regardless of capitalization, are invalid inputs to the permission declaration and are treated similarly to other custom permission declaration typos. To fix this, the value of the android:permission attribute should be changed to a valid permission string. For example, if the app needs to access the user's contacts, the value of the android:permission attribute should be android.permission.READ_CONTACTS.
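The following is an added example, not code from the original page or from the Android project. It embeds two constructed manifests (a vulnerable one with the misspelled permission and the android:permission="True" mistake, and a fixed one that also applies the "signature" protection level recommended under Mitigations) and runs a small standard-library checker that flags every android:permission reference that is neither a platform android.permission.* name nor a permission declared in the same manifest. The package name com.example.vulnapp and the component names are made up; the checker assumes that every legitimate cross-app permission is passed in via known_external, since permissions declared by another app cannot be seen in this manifest.

```python
"""Flag custom-permission typos and orphaned android:permission references
in an AndroidManifest.xml (added example; constructed sample manifests)."""
import difflib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed sample: the app declares READ_CONTACTS_DATA but protects its
# provider with a misspelled name and guards a service with "True".
VULNERABLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
    <permission android:name="com.example.vulnapp.READ_CONTACTS_DATA"
        android:protectionLevel="dangerous" />
    <application>
        <provider android:name=".ContactsProvider"
            android:authorities="com.example.vulnapp.contacts"
            android:exported="true"
            android:permission="com.example.vulnapp.READ_CONACTS_DATA" />
        <service android:name=".SyncService"
            android:exported="true"
            android:permission="True" />
    </application>
</manifest>
"""

# Constructed sample: the typo is fixed, the custom permission is moved to
# the signature protection level, and the service requires a real platform
# permission instead of a boolean.
FIXED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
    <permission android:name="com.example.vulnapp.READ_CONTACTS_DATA"
        android:protectionLevel="signature" />
    <application>
        <provider android:name=".ContactsProvider"
            android:authorities="com.example.vulnapp.contacts"
            android:exported="true"
            android:permission="com.example.vulnapp.READ_CONTACTS_DATA" />
        <service android:name=".SyncService"
            android:exported="true"
            android:permission="android.permission.READ_CONTACTS" />
    </application>
</manifest>
"""


def find_permission_problems(manifest_xml, known_external=()):
    """Return (component, permission value, reason) tuples for every
    android:permission reference that cannot be satisfied by a permission
    declared in this manifest, by the platform, or by known_external
    (permissions that another trusted app is known to declare)."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(NAME_ATTR) for p in root.iter("permission")}
    declared.discard(None)
    declared |= set(known_external)
    problems = []
    for elem in root.iter():  # document order: provider before service
        value = elem.get(PERM_ATTR)
        if value is None:
            continue
        component = elem.get(NAME_ATTR, elem.tag)
        if value.lower() in ("true", "false"):
            problems.append((component, value,
                             "boolean literal is not a permission name"))
        elif value.startswith("android.permission."):
            continue  # platform permission; assumed valid for this check
        elif value not in declared:
            hint = difflib.get_close_matches(value, declared, n=1)
            reason = "not declared in this manifest"
            if hint:
                reason += f" (did you mean {hint[0]}?)"
            problems.append((component, value, reason))
    return problems


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST),
                            ("fixed", FIXED_MANIFEST)):
        print(f"{label}: {find_permission_problems(manifest) or 'no problems'}")
```

Running the module prints two findings for the vulnerable manifest (the misspelled provider permission with a closest-match hint, and the boolean on the service) and none for the fixed one. An orphaned reference that is not a typo still shows up as "not declared", which is the right outcome: either the permission belongs in this manifest or in known_external, and if neither, any app can claim it first.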
Impact
The impact of exploiting this vulnerability is that a malicious app could gain access to resources originally intended to be protected. The implications of the vulnerability depend on the resource being protected and the original application service's associated permissions.
Mitigations
When declaring custom permissions:
- Use Android lint checks to help you find typos and other potential errors in your code
- Use a consistent naming convention to make typos more noticeable
- Carefully check the custom permission declarations in your app's manifest for typos
- Use "signature" protection levels wherever possible.
  - Employing this capability ensures only other apps signed with the same certificate as the app that created the permission can access those protected features.
Resources
- Minimize your permission requests
- Permissions Overview
- Signature based permissions
- CustomPermissionTypo Android Lint
- Research paper with in-depth explanation of Android Permissions and interesting fuzz test findings