Android (Un)protected Broadcast Vulnerability
Google's security update for September 2020 includes fixes for Android 9 and Android 10. We urge all users to install security updates as soon as they are available and to install and use only apps from trusted sources. Android 11 was patched prior to release. Devices running Android 8 or below are not affected.
Using Kryptowire's automated firmware scanning tools, we can provide up-to-date detection of these vulnerabilities as new firmware and devices are introduced into your organization.
What is a protected broadcast?
Android apps and the Android system can send messages to multiple receivers using a Broadcast Intent. An Intent is a message sent within or between processes that can contain embedded data. Broadcast Intent messages are heavily used by the Android system to notify apps of events so they can respond to them accordingly.
To prevent arbitrary processes from sending sensitive broadcast Intents, Android allows sensitive broadcast actions to be declared as "protected" using the protected-broadcast element in an authorized app's AndroidManifest.xml file. Listing 1 provides an illustrative example that protects the action string android.generic.ACTION using a protected-broadcast element.
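Listing 1 is not reproduced on this page. The following is an added example, not the page's listing and not any vendor's code, showing the manifest declaration next to the two receiver shapes that matter in practice: one that trusts the action solely because it was declared protected, and one that is gated by a signature-level permission the app defines itself and validates its payload. All package, action, permission and receiver names are constructed; the allow-listed keys are real Settings.Global constants.

```java
// Added example; not code from this page or from any vendor it names. The
// package, action, permission and receiver names are constructed.
//
// Manifest side (AndroidManifest.xml of a pre-installed vendor app):
//
//   <!-- Honored only when the package is scanned with SCAN_AS_PRIVILEGED
//        (/system/priv-app, /system/framework). For an app in /system/app the
//        element is silently ignored and any app may still send the action. -->
//   <protected-broadcast android:name="com.example.vendor.ACTION_APPLY_SETTING" />
//
//   <!-- Vulnerable form: relies on the declaration above and nothing else. -->
//   <receiver android:name=".NaiveSettingReceiver" android:exported="true">
//       <intent-filter>
//           <action android:name="com.example.vendor.ACTION_APPLY_SETTING" />
//       </intent-filter>
//   </receiver>
//
//   <!-- Hardened form: a signature-level permission the vendor app defines itself
//        and requires on the receiver, so enforcement does not depend on where the
//        APK sits or which scan flag it received. -->
//   <permission android:name="com.example.vendor.permission.APPLY_SETTING"
//               android:protectionLevel="signature" />
//   <receiver android:name=".SettingReceiver"
//             android:exported="true"
//             android:permission="com.example.vendor.permission.APPLY_SETTING">
//       <intent-filter>
//           <action android:name="com.example.vendor.ACTION_APPLY_SETTING" />
//       </intent-filter>
//   </receiver>
//
// File: SettingReceiver.java
package com.example.vendor;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.provider.Settings;
import android.util.Log;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Receiver in the shape of the vulnerable instances: the pre-installed app holds
 * WRITE_SECURE_SETTINGS and assumes only the system can reach onReceive because
 * the action was declared protected.
 */
class NaiveSettingReceiver extends BroadcastReceiver {
    static final String ACTION = "com.example.vendor.ACTION_APPLY_SETTING";
    static final String EXTRA_KEY = "key";
    static final String EXTRA_VALUE = "value";

    @Override
    public void onReceive(Context context, Intent intent) {
        // Neither the sender nor the payload is checked. Once the
        // <protected-broadcast> declaration has been dropped at scan time, any
        // installed app can write any Settings.Global entry through this path.
        Settings.Global.putString(context.getContentResolver(),
                intent.getStringExtra(EXTRA_KEY), intent.getStringExtra(EXTRA_VALUE));
    }
}

/**
 * Hardened receiver. The manifest permission limits senders to apps signed with
 * the vendor key; the code still treats the payload as untrusted and only writes
 * allow-listed keys with allow-listed values.
 */
public class SettingReceiver extends BroadcastReceiver {
    private static final String TAG = "SettingReceiver";

    /** Settings this receiver is permitted to change (constructed allow-list). */
    private static final Set<String> ALLOWED_KEYS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    Settings.Global.WIFI_SCAN_ALWAYS_AVAILABLE,
                    Settings.Global.AIRPLANE_MODE_ON)));

    /** Both keys above are boolean-valued, so only "0" and "1" are accepted. */
    static boolean isAllowed(String key, String value) {
        return key != null && ALLOWED_KEYS.contains(key)
                && ("0".equals(value) || "1".equals(value));
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!NaiveSettingReceiver.ACTION.equals(intent.getAction())) {
            return;
        }
        String key = intent.getStringExtra(NaiveSettingReceiver.EXTRA_KEY);
        String value = intent.getStringExtra(NaiveSettingReceiver.EXTRA_VALUE);
        if (!isAllowed(key, value)) {
            // Drop and log; never act on an unexpected payload.
            Log.w(TAG, "Rejected setting broadcast for key=" + key);
            return;
        }
        Settings.Global.putString(context.getContentResolver(), key, value);
    }
}
```

If the action is only ever sent from within the same app, `android:exported="false"` on the receiver is simpler than a custom permission. Either way, the allow-list in `isAllowed` is the check that holds up regardless of who the sender turns out to be, which is the point when a manifest-level protection can be dropped without any error.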
Who can declare protected broadcasts?
Who can send protected broadcasts?
Only apps installed in privileged locations (the /system/framework directory and the /system/priv-app directory) are allowed to register protected-broadcast actions, since they are scanned with the SCAN_AS_PRIVILEGED scan flag; apps that reside elsewhere cannot, since they are scanned with the SCAN_AS_SYSTEM scan flag. Listing 2 illustrates this behavior for the system partition, where the /system/priv-app directory is scanned with the SCAN_AS_PRIVILEGED scan flag and the /system/app directory is scanned with the SCAN_AS_SYSTEM scan flag. The scanning of apps occurs at system startup so that the system can gather data about the pre-installed and user-installed apps on the device.
Snippet from com/android/server/pm/PackageManagerService (line 2664) in the AOSP Android 10 release code showing the scan flags for the
Snippet from com/android/server/pm/PackageManagerService (line 11623) in the AOSP Android 10 release code showing protected broadcasts being silently ignored for non-privileged apps.
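Because the declaration is dropped silently for a package scanned with SCAN_AS_SYSTEM, a pre-installed app in /system/app has no way to tell from its own manifest whether its action is actually protected. The check below is an added example (not from the page) that a vendor can run as an instrumentation test on the shipped firmware build: it sends the declared action from an ordinary, non-privileged test app and treats the absence of a SecurityException as a failure. ActivityManager rejects protected actions only for callers that are neither system UIDs nor persistent apps, so the test must run under a plain app UID, not inside the vendor app itself. Package and action names are constructed.

```java
// Added example; not code from the page. Package and action names are constructed.
// Runs as an AndroidX instrumentation test inside an ordinary, non-privileged test
// app (not under a system or persistent UID), on the firmware build that ships
// the pre-installed app under test.
package com.example.protectedcheck;

import static org.junit.Assert.fail;

import android.content.Context;
import android.content.Intent;

import androidx.test.core.app.ApplicationProvider;
import androidx.test.ext.junit.runners.AndroidJUnit4;

import org.junit.Test;
import org.junit.runner.RunWith;

@RunWith(AndroidJUnit4.class)
public class ProtectedBroadcastCheckTest {
    /** Action the pre-installed app declares with <protected-broadcast> (constructed). */
    private static final String ACTION = "com.example.vendor.ACTION_APPLY_SETTING";
    /** Package of the pre-installed app that declares it (constructed). */
    private static final String VENDOR_PKG = "com.example.vendor";

    /**
     * Returns true if ActivityManager refused the send, which means the action is
     * registered as protected on this build. The probe carries no extras.
     */
    static boolean isRejectedForNonPrivilegedSender(Context ctx, String action, String pkg) {
        Intent probe = new Intent(action).setPackage(pkg);
        try {
            ctx.sendBroadcast(probe);
            return false;
        } catch (SecurityException e) {
            // "Permission Denial: not allowed to send broadcast ..." raised by
            // ActivityManager for non-system callers of a protected action.
            return true;
        }
    }

    @Test
    public void declaredProtectedActionIsActuallyProtected() {
        Context ctx = ApplicationProvider.getApplicationContext();
        if (!isRejectedForNonPrivilegedSender(ctx, ACTION, VENDOR_PKG)) {
            fail(ACTION + " is sendable by a non-privileged app: the <protected-broadcast> "
                    + "declaration was ignored (package not scanned with SCAN_AS_PRIVILEGED)");
        }
    }
}
```

A failing run here is the signal to stop relying on protected-broadcast for that receiver and gate it with a signature-level permission or `android:exported="false"` instead; a passing run on one build should be repeated whenever the app's install location or the firmware's scan configuration changes.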
Sample Confirmed-Exploitable Instances
- OS Command Injection (system privileges): Nokia, Xiaomi, Meizu, Fairphone
- Data Corruption and DoS: Pixel 3, Pixel 4
- Exposure of Unique Device Identifiers: Multiple Vendors (pre-installed app from a certain chipset manufacturer)
- Exposure of Sensitive System Log Information: Fairphone
- 05/08/2020: Initial disclosure to Android Security Team and affected vendors.
- 06/08/2020: Submitted vulnerability report to Google’s IssueTracker.
- 06/09/2020: Submission acknowledged.
- 06/18/2020: Google finished their initial assessment and ranked the severity as “High”.
- 08/21/2020: Google assigned CVE-2020-0391 for the vulnerability.
- 09/08/2020: Google changed the vulnerability status to “fixed” and awarded $5,000.