Android (Un)protected Broadcast Vulnerability
Overview
Mitigation
The Google security update for September 2020 includes fixes for Android 9 and Android 10. We urge all users to install security updates as soon as they are available and to only use and install apps from trusted sources. Android 11 was patched prior to release. Devices running Android 8 or below are not affected.
Utilizing Kryptowire’s automated firmware scanning tools, we are able to provide up-to-date detection of these vulnerabilities as new firmware and devices are introduced into your organization.
What is a protected broadcast?
Android apps and the Android system can send messages to multiple receivers using a Broadcast Intent. An Intent is a message sent within or between processes that can contain embedded data. Broadcast Intent messages are heavily used by the Android system to notify apps of events so they can respond to them accordingly.
To prevent arbitrary processes from sending sensitive broadcast Intents, Android allows the declaration of sensitive broadcast actions as “protected” by using the ‘protected-broadcast’ element in an authorized app’s AndroidManifest.xml file. Listing 1 provides an illustrative example that protects the action string android.generic.ACTION using a protected-broadcast element.
<protected-broadcast android:name="android.generic.ACTION"/>
Listing 1
Who can declare protected broadcasts?
Who can send protected broadcasts?
The Vulnerability
/system/framework directory and the priv-app directories (e.g., /system/priv-app) are allowed to register protected-broadcast actions since they are scanned with the SCAN_AS_PRIVILEGED scan flag, whereas apps that reside elsewhere cannot since they are scanned with the SCAN_AS_SYSTEM scan flag. Listing 2 illustrates this behavior for the system partition, where the /system/priv-app directory is scanned with the SCAN_AS_PRIVILEGED scan flag and the /system/app directory is scanned using the SCAN_AS_SYSTEM scan flag. The scanning of apps occurs at system startup so that the system can gather data about the user-installed and pre-installed apps on the device.
Listing 2
Snippet from com/android/server/pm/PackageManagerService (line 2664) in the AOSP Android 10 release code showing the scan flags for the /system/priv-app and /system/app directories.

Listing 3
Snippet from com/android/server/pm/PackageManagerService (line 11623) in the AOSP Android 10 release code showing protected broadcasts being silently ignored for non-privileged apps.
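As an added example (not Kryptowire’s scanner and not AOSP code), the following Python check applies the rule above to the app manifests extracted from a firmware image: it flags receivers whose only protection is a protected-broadcast declaration that PackageManagerService would silently ignore because the APK lives outside /system/framework and the priv-app directories. The manifest below is a constructed sample; the package name, receiver names and action string are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def is_privileged_location(apk_path):
    """True if PackageManagerService would scan this path with SCAN_AS_PRIVILEGED:
    /system/framework or any priv-app directory (on any partition)."""
    parts = PurePosixPath(apk_path).parts
    return "priv-app" in parts or parts[:3] == ("/", "system", "framework")


def unprotected_receivers(apk_path, manifest_xml):
    """Return (receiver, action) pairs that rely only on a <protected-broadcast>
    declaration which the platform will silently ignore for this install path."""
    if is_privileged_location(apk_path):
        return []  # declaration is honoured, so the action really is protected
    root = ET.fromstring(manifest_xml)
    declared = {pb.get(ANDROID_NS + "name") for pb in root.iter("protected-broadcast")}
    findings = []
    for recv in root.iter("receiver"):
        # A receiver guarded by its own permission, or not exported, is still safe.
        if recv.get(ANDROID_NS + "permission") or recv.get(ANDROID_NS + "exported") == "false":
            continue
        for action in recv.iter("action"):
            if action.get(ANDROID_NS + "name") in declared:
                findings.append((recv.get(ANDROID_NS + "name"), action.get(ANDROID_NS + "name")))
    return findings


# Constructed sample manifest (not from any real app): one receiver relies on the
# protected-broadcast declaration alone, the other carries its own permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendorapp">
  <protected-broadcast android:name="com.example.vendorapp.RUN_COMMAND"/>
  <application>
    <receiver android:name=".CommandReceiver">
      <intent-filter>
        <action android:name="com.example.vendorapp.RUN_COMMAND"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:permission="android.permission.REBOOT">
      <intent-filter>
        <action android:name="com.example.vendorapp.RUN_COMMAND"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Calling unprotected_receivers with the same manifest under /system/app flags .CommandReceiver, while under /system/priv-app it returns nothing, which is exactly the install-path dependence that makes the declaration misleading.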
Sample Confirmed-Exploitable Instances
OS Command Injection (system privileges): Nokia, Xiaomi, Meizu, Fairphone
Data Corruption and DoS: Pixel 3, Pixel 4
Exposure of Unique Device Identifiers: Multiple Vendors (pre-installed app from a certain chipset manufacturer)
Exposure of Sensitive System Log Information: Fairphone
Disclosure Timeline
- 05/08/2020: Initial disclosure to Android Security Team and affected vendors.
- 06/08/2020: Submitted vulnerability report to Google’s IssueTracker.
- 06/09/2020: Submission acknowledged.
- 06/18/2020: Google finished their initial assessment and ranked the severity as “High”.
- 08/21/2020: Google assigned CVE-2020-0391 for the vulnerability.
- 09/08/2020: Google changed the vulnerability status to “fixed” and awarded $5,000.
Acknowledgments