CWE-926 — Vulnerability Class 73

73 vulnerabilities classified as CWE-926. AI Chinese analysis included.

CWE-926 represents a critical configuration weakness where Android application components, such as activities, services, or broadcast receivers, are exported without adequate access restrictions. This flaw allows any other application on the device to interact with the component, potentially launching it or accessing sensitive data it contains. Attackers typically exploit this by crafting malicious intents to trigger exported components, thereby bypassing intended security boundaries to execute unauthorized actions or steal private information. To prevent this vulnerability, developers must explicitly define the `android:exported` attribute in the AndroidManifest.xml file, setting it to false for components that do not need to be accessible externally. Furthermore, implementing proper permission checks and intent filters ensures that only trusted applications can interact with these components, maintaining the integrity and confidentiality of the application’s data and functionality.

MITRE CWE Description
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
The attacks and consequences of improperly exporting a component may depend on the exported component:
If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application.
If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application.
If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to access the sensitive data. Note that in Android before 4.2, the Content Provider is automatically exported unless it has been explicitly declared as NOT exported.
Common Consequences (3)
Scope: Availability, Integrity · Impact: Unexpected State, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context
Other applications, possibly untrusted, can launch the Activity.
Scope: Availability, Integrity · Impact: Unexpected State, Gain Privileges or Assume Identity, DoS: Crash, Exit, or Restart, DoS: Instability, Varies by Context
Other applications, possibly untrusted, can bind to the Service.
Scope: Confidentiality, Integrity · Impact: Read Application Data, Modify Application Data
Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider.
Mitigations (4)
Build and Compilation: If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
Build and Compilation: If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the XML manifest to restrict access to applications signed by you.
Build and Compilation, Architecture and Design: Limit Content Provider permissions (read/write) as appropriate.
Build and Compilation, Architecture and Design: Limit Content Provider permissions (read/write) as appropriate.
Examples (2)
This application is exporting an activity and a service in its manifest.xml:
<activity android:name="com.example.vulnerableApp.mainScreen">
    ...
    <intent-filter>
        <action android:name="com.example.vulnerableApp.OPEN_UI" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
    ...
</activity>
<service android:name="com.example.vulnerableApp.backgroundService">
    ...
    <intent-filter>
        <action android:name="com.example.vulnerableApp.START_BACKGROUND" />
    </intent-filter>
    ...
</service>
Bad · XML
This application has created a content provider to enable custom search suggestions within the application:
<provider
    android:name="com.example.vulnerableApp.searchDB"
    android:authorities="com.example.vulnerableApp.searchDB">
</provider>
Bad · XML
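
An added example (not part of the original page or of MITRE's entry): a Python audit of a source-form AndroidManifest.xml that reports components which end up exported without a signature-level permission, including the implicit cases described above (an intent filter with no android:exported value, and a provider in an app targeting Android before 4.2). The sample manifest is constructed from the two examples above; the syncReceiver component, the SYNC permission and the audit function name are hypothetical, and a permission defined outside the manifest is reported for manual review.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
KINDS = ("activity", "activity-alias", "service", "receiver", "provider")
# Constructed sample: the page's three components in a minimal manifest, plus a
# hypothetical receiver guarded by a signature-level permission (SYNC).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <uses-sdk android:targetSdkVersion="16" />
 <permission android:name="com.example.vulnerableApp.SYNC" android:protectionLevel="signature" />
 <application>
  <activity android:name="com.example.vulnerableApp.mainScreen">
   <intent-filter><action android:name="com.example.vulnerableApp.OPEN_UI" /></intent-filter>
  </activity>
  <service android:name="com.example.vulnerableApp.backgroundService">
   <intent-filter><action android:name="com.example.vulnerableApp.START_BACKGROUND" /></intent-filter>
  </service>
  <provider android:name="com.example.vulnerableApp.searchDB"
            android:authorities="com.example.vulnerableApp.searchDB" />
  <receiver android:name="com.example.vulnerableApp.syncReceiver"
            android:exported="true" android:permission="com.example.vulnerableApp.SYNC" />
 </application>
</manifest>"""

def audit(manifest_xml):
    """Return (tag, name, reason) for each exported component lacking a signature guard."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    # Assumption: a missing <uses-sdk> is treated as an old target (conservative).
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.iter("permission")}  # permissions this app defines
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for comp in (c for c in app if c.tag in KINDS):
        exported = comp.get(A + "exported")
        if exported is None:
            # No explicit value: an intent filter exports the component, and a
            # provider is exported by default when targeting API 16 (pre-4.2) or lower.
            implicit = comp.find("intent-filter") is not None or (
                comp.tag == "provider" and target <= 16)
            exported = "true" if implicit else "false"
        perm = comp.get(A + "permission") or app.get(A + "permission")
        if exported != "true" or "signature" in levels.get(perm, ""):
            continue
        reason = "no permission" if perm is None else "permission not signature-level: " + perm
        findings.append((comp.tag, comp.get(A + "name"), reason))
    return findings
```

Calling audit(SAMPLE) reports the activity, the service and the provider from the examples above and passes over the signature-guarded receiver.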
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2023-44129 | Messaging - Gaining access to arbitrary content providers via QClipIntentReceiverActivity — LG V60 Thin Q 5G(LMV600VM) | 3.6 | Low | 2023-09-27 |
| CVE-2023-44121 | LG ThinQ Service - Intent redirection with system privilege/LaunchAnyWhere — LG V60 Thin Q 5G(LMV600VM) | 5.0 | Medium | 2023-09-27 |
| CVE-2023-21485 | Samsung Mobile security vulnerability — Samsung Mobile Devices | 5.3 | Medium | 2023-05-04 |
| CVE-2023-21486 | SAMSUNG Mobile devices security vulnerability — Samsung Mobile Devices | 5.3 | Medium | 2023-05-04 |
| CVE-2022-24929 | Samsung AppLock security vulnerability — Samsung Mobile Devices | 4.1 | Medium | 2022-03-08 |
| CVE-2021-25527 | Samsung Pay security vulnerability — Samsung Pay | 3.8 | Low | 2021-12-08 |
| CVE-2021-25526 | Samsung Blockchain Wallet security vulnerability — Samsung Blockchain Wallet | 4.0 | Medium | 2021-12-08 |
| CVE-2021-25400 | Samsung Internet security vulnerability — Samsung Internet | 7.8 | - | 2021-06-11 |
| CVE-2021-25397 | SAMSUNG Mobile devices security vulnerability — Samsung Mobile Devices | 6.8 | Medium | 2021-06-11 |
| CVE-2021-25391 | Samsung SMR security vulnerability — Samsung Mobile Devices | 4.0 | Medium | 2021-06-11 |
| CVE-2021-25390 | Samsung SMR security vulnerability — Samsung Mobile Devices | 4.0 | Medium | 2021-06-11 |
| CVE-2021-25388 | Samsung SMR authorization issue vulnerability — Samsung Mobile Devices | 7.1 | High | 2021-06-11 |
| CVE-2021-25379 | Samsung Gallery security vulnerability — Gallery | 4.0 | Medium | 2021-04-09 |

Vulnerabilities classified as CWE-926 represent 73 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.