CWE-926: Improper Export of Android Application Components

Structure: Simple

Abstraction: Variant

Status: Incomplete

Likelihood of Exploit: Unknown

Description

The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.

Extended Description

The attacks and consequences of improperly exporting a component may depend on the exported component:

Related Weaknesses

  • Nature: ChildOf, CWE ID: 285, View ID: 1000, Ordinal: Primary

  • Nature: ChildOf, CWE ID: 285, View ID: 699, Ordinal: Primary

Applicable Platforms

Language: Language-Independent (Prevalence: Undetermined)

Paradigm: Mobile (Prevalence: Undetermined)

Common Consequences

| Scope | Impact | Note |
| --- | --- | --- |
| Availability; Integrity | Unexpected State; DoS: Crash, Exit, or Restart; DoS: Instability; Varies by Context | Other applications, possibly untrusted, can launch the Activity. |
| Availability; Integrity | Unexpected State; Gain Privileges or Assume Identity; DoS: Crash, Exit, or Restart; DoS: Instability; Varies by Context | Other applications, possibly untrusted, can bind to the Service. |
| Confidentiality; Integrity | Read Application Data; Modify Application Data | Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider. |

Potential Mitigations

Phase: Build and Compilation

Strategy: Attack Surface Reduction

If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.

Phase: Build and Compilation

Strategy: Attack Surface Reduction

If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the XML manifest to restrict access to applications signed by you.

Phases: Build and Compilation; Architecture and Design

Strategy: Attack Surface Reduction

Limit Content Provider permissions (read/write) as appropriate.

Phases: Build and Compilation; Architecture and Design

Strategy: Separation of Privilege

Limit Content Provider permissions (read/write) as appropriate.

Example Code

This application is exporting an activity and a service in its manifest.xml:

Bad code (XML):

<activity android:name="com.example.vulnerableApp.mainScreen">
    ...
    <intent-filter>
        <action android:name="com.example.vulnerableApp.OPEN_UI" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
    ...
</activity>
<service android:name="com.example.vulnerableApp.backgroundService">
    ...
    <intent-filter>
        <action android:name="com.example.vulnerableApp.START_BACKGROUND" />
    </intent-filter>
    ...
</service>

Because these components have intent filters but have not explicitly set 'android:exported=false' elsewhere in the manifest, they are automatically exported so that any other application can launch them. This may lead to unintended behavior or exploits.

This application has created a content provider to enable custom search suggestions within the application:

Bad code (XML):

<provider
    android:name="com.example.vulnerableApp.searchDB"
    android:authorities="com.example.vulnerableApp.searchDB">
</provider>

Because this content provider is only intended to be used within the application, it does not need to be exported. However, in Android before 4.2, it is automatically exported, thus potentially allowing malicious applications to access sensitive information.
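A manifest check for the two cases above, as an added example that is not part of the original CWE entry: it parses a decoded AndroidManifest.xml and reports components that are exported, explicitly or by default, with no permission attribute. The function name audit_manifest, the sample manifest (including its uses-sdk values and the settings activity) and the reason strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
GUARDS = ("permission", "readPermission", "writePermission")
# Constructed sample: the page's three components plus one non-exported activity.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="16" />
  <application>
    <activity android:name="com.example.vulnerableApp.mainScreen">
      <intent-filter>
        <action android:name="com.example.vulnerableApp.OPEN_UI" />
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </activity>
    <service android:name="com.example.vulnerableApp.backgroundService">
      <intent-filter>
        <action android:name="com.example.vulnerableApp.START_BACKGROUND" />
      </intent-filter>
    </service>
    <provider android:name="com.example.vulnerableApp.searchDB"
        android:authorities="com.example.vulnerableApp.searchDB" />
    <activity android:name="com.example.vulnerableApp.settings" android:exported="false" />
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (name, reason) for each component other apps can reach unguarded."""
    root = ET.fromstring(xml_text)
    sdk = next(root.iter("uses-sdk"), {})
    min_sdk = int(sdk.get(A + "minSdkVersion", "1"))
    # Providers are exported by default when min or target SDK is below 17 (Android 4.2).
    old_default = min(min_sdk, int(sdk.get(A + "targetSdkVersion", min_sdk))) < 17
    findings = []
    for comp in root.iterfind("application/*"):
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(A + "exported")
        if exported == "true":
            reason = "explicitly exported"
        elif exported is None and comp.tag == "provider" and old_default:
            reason = "provider exported by default before Android 4.2"
        elif exported is None and comp.tag != "provider" and comp.find("intent-filter") is not None:
            reason = "implicitly exported by its intent filter"
        else:
            continue
        if not any(comp.get(A + g) for g in GUARDS):
            findings.append((comp.get(A + "name"), reason))
    return findings
```

A component that sets a permission attribute is treated as guarded here; whether that permission is declared with android:protectionLevel="signature" still has to be checked separately.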

References