Improper Export of Android Application Components
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
The attacks and consequences of improperly exporting a component may depend on the exported component: - If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application. - If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application. - If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to access the sensitive data. Note that in Android before 4.2, the Content Provider is automatically exported unless it has been explicitly declared as NOT exported.
Impact: Unexpected StateDoS: Crash, Exit, or RestartDoS: InstabilityVaries by Context
Other applications, possibly untrusted, can launch the Activity.
Impact: Unexpected StateGain Privileges or Assume IdentityDoS: Crash, Exit, or RestartDoS: InstabilityVaries by Context
Other applications, possibly untrusted, can bind to the Service.
Impact: Read Application DataModify Application Data
Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider.
Strategy: Attack Surface Reduction
Strategy: Attack Surface Reduction
Strategy: Attack Surface Reduction
Strategy: Separation of Privilege
Code Example:
xml...*
xml...*
xmlCode Example:
xml