Custom Permission Typos

OWASP category: MASVS-CODE: Code Quality

Overview

Custom permissions are designed to enable sharing resources and capabilities with other apps. They are most often used in these three situations:

  • Controlling inter-process communication (IPC) between two or more apps
  • Accessing third-party services
  • Restricting access to the shared data of an app

The Custom Permission Typos / Orphaned Permissions vulnerability is related to the custom permissions functionality. The vulnerability occurs when a custom permission is declared in the manifest, but a differently spelled custom permission is used to protect exported Android components, leaving the permission on the component undeclared ("orphaned").

A malicious application can capitalize on applications that have misspelled a permission by:

  1. Registering that permission first
  2. Anticipating the spelling in subsequent applications

This can allow an application unauthorized access to resources or control over the victim application.

Custom permission typos in the Android Manifest constitute a vulnerability because they allow malicious apps to gain access to resources that they shouldn't be able to access.

For example, a vulnerable app wants to protect a component by using a permission READ_CONTACTS but accidentally misspells the permission as READ_CONACTS. A malicious app can claim READ_CONACTS since it's not owned by any application (or the system) and gain access to the protected component.

Another common expression of this vulnerability is android:permission=True. Values such as true and false, regardless of capitalization, are invalid inputs to the permission declaration and are treated similarly to other custom permission declaration typos. To fix this, the value of the android:permission attribute should be changed to a valid permission string. For example, if the app needs to access the user's contacts, the value of the android:permission attribute should be android.permission.READ_CONTACTS.

Impact

The impact of exploiting this vulnerability is that a malicious app could gain access to resources originally intended to be protected. The implications of the vulnerability depend on the resource being protected and the original application service's associated permissions.

Mitigations

When declaring custom permissions:

  • Use Android lint checks to help you find typos and other potential errors in your code
  • Use a consistent naming convention to make typos more noticeable
  • Carefully check the custom permission declarations in your app's manifest for typos
  • Use "signature" protection levels wherever possible
    • Employing this capability ensures only other apps signed with the same certificate as the app that created the permission can access those protected features
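The following is an added example, not code from the original page or from the Android documentation it summarizes. It implements the manifest check the mitigations above call for as a small stand-alone Python script: it parses an AndroidManifest.xml, collects the custom permissions the app declares with <permission>, then walks every activity, service, receiver and provider and flags an android:permission value that is either a boolean ("True"/"false", as described earlier) or a custom permission the app never declared, suggesting the closest declared name. Both manifests embedded below are constructed for this example; the package name com.example.app and the component names are assumptions, and the audit_manifest function is a hypothetical helper, not part of Android lint.

```python
import difflib
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; ElementTree exposes them
# as "{namespace}localname".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Component types that can be exported and protected with android:permission.
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest (assumed package com.example.app): the app declares
# com.example.app.READ_CONTACTS but protects SyncService with the misspelled
# com.example.app.READ_CONACTS, and protects UpdateReceiver with the invalid
# value "True". MainActivity uses a platform permission and is fine.
VULNERABLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <permission android:name="com.example.app.READ_CONTACTS"
        android:protectionLevel="signature" />
    <application>
        <activity android:name=".MainActivity"
            android:exported="true"
            android:permission="android.permission.CAMERA" />
        <service android:name=".SyncService"
            android:exported="true"
            android:permission="com.example.app.READ_CONACTS" />
        <receiver android:name=".UpdateReceiver"
            android:exported="true"
            android:permission="True" />
    </application>
</manifest>
"""

# Constructed corrected manifest: every custom permission used on a component
# matches the declared one exactly.
FIXED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <permission android:name="com.example.app.READ_CONTACTS"
        android:protectionLevel="signature" />
    <application>
        <activity android:name=".MainActivity"
            android:exported="true"
            android:permission="android.permission.CAMERA" />
        <service android:name=".SyncService"
            android:exported="true"
            android:permission="com.example.app.READ_CONTACTS" />
        <receiver android:name=".UpdateReceiver"
            android:exported="true"
            android:permission="com.example.app.READ_CONTACTS" />
    </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return a list of findings, one per component whose android:permission
    is a boolean or an undeclared (orphaned / misspelled) custom permission."""
    root = ET.fromstring(xml_text.strip())

    # Custom permissions this app itself defines.
    declared = {p.get(NAME_ATTR) for p in root.iter("permission")}

    findings = []
    for tag in COMPONENT_TAGS:
        for component in root.iter(tag):
            value = component.get(PERMISSION_ATTR)
            if value is None:
                continue  # component is not permission-protected at all
            name = component.get(NAME_ATTR, "<unnamed>")

            if value.lower() in ("true", "false"):
                reason = "boolean value is not a permission string"
            elif value.startswith("android.permission."):
                continue  # platform-defined permission, not a custom one
            elif value in declared:
                continue  # matches a permission this app declares
            else:
                reason = "custom permission not declared by this app (typo or orphaned)"

            # Offer the closest declared name so the typo is easy to spot.
            close = difflib.get_close_matches(value, sorted(declared), n=1, cutoff=0.8)
            findings.append({
                "component": name,
                "permission": value,
                "reason": reason,
                "suggestion": close[0] if close else None,
            })
    return findings


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(f"{label}: {len(audit_manifest(manifest))} finding(s)")
        for f in audit_manifest(manifest):
            hint = f" (did you mean {f['suggestion']}?)" if f["suggestion"] else ""
            print(f"  {f['component']}: {f['permission']!r} - {f['reason']}{hint}")
```

Run as a pre-commit or CI step over the real manifest, this catches both forms of the problem described above before the APK ships; the suggestion field relies on the consistent naming convention the mitigations recommend, since a near-miss against a declared name is exactly what a typo looks like.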

Resources