
Android : Unsafe IPC permission check

Overview

The application uses an insecure method of checking permissions at runtime when resources or URIs are accessed in the context of inter-process communication (IPC).

The checkCallingOrSelfPermission() and checkCallingOrSelfUriPermission() methods return PERMISSION_GRANTED if either the caller or the called application has the required permission. Improper use of these methods can lead to privilege escalation (confused deputy attack).

If a vulnerable application holds the required permission, exposes its resources through an IPC interface, and misuses these methods, a malicious application can exploit this behavior to access those resources or URIs without holding the required permission itself.
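The misuse described above and its fix, as an added example that is not DerScanner's or any project's own code: a constructed exported ContentProvider whose app holds READ_CONTACTS and proxies contact data to callers. The class name ContactsBridgeProvider and the choice of READ_CONTACTS are assumptions made for illustration.

```java
// Added example: class name and data flow are constructed for illustration.
import android.Manifest;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.net.Uri;
import android.provider.ContactsContract;

public class ContactsBridgeProvider extends ContentProvider {
    private static final String PERM = Manifest.permission.READ_CONTACTS;

    @Override public boolean onCreate() { return true; }

    // VULNERABLE (kept for contrast, not called): this app holds READ_CONTACTS,
    // so the "or self" check also passes for a caller that was never granted it.
    private boolean callerAllowedUnsafe(Context ctx) {
        return ctx.checkCallingOrSelfPermission(PERM) == PackageManager.PERMISSION_GRANTED;
    }

    // HARDENED: only the identity of the IPC caller is evaluated.
    // Throws SecurityException if the caller lacks the permission. Calls made
    // from inside this process are not IPC and also fail this check.
    private void requireCallerPermission(Context ctx) {
        ctx.enforceCallingPermission(PERM, "Caller must hold READ_CONTACTS");
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        Context ctx = getContext();
        requireCallerPermission(ctx);
        // Only after the caller is verified does this app act with its own
        // READ_CONTACTS privilege on the caller's behalf.
        return ctx.getContentResolver().query(ContactsContract.Contacts.CONTENT_URI,
                projection, selection, selectionArgs, sortOrder);
    }

    // Remaining abstract methods: this provider is read-only.
    @Override public String getType(Uri uri) { return null; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String s, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { throw new UnsupportedOperationException(); }
}
```

The URI variant follows the same pattern: checkCallingUriPermission() or enforceCallingUriPermission() in place of checkCallingOrSelfUriPermission().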

DerScanner Severity Score: MEDIUM

See also

Android : Debug mode on

Android : Error handling: generic exception

Android : HTTP usage