Services declared without permissions

Services declared without permissions

Risk: potentially

Description

service is an application component that can take care of actions to be done in the background, without user interaction. service can also be used to expose functionalities to other applications. This corresponds to calls to Context.bindService() to establish a connection to the service and interact with it.

Unprotected services can be invoked by other applications and potentially access sensitive information or perform privileged actions

Recommendation

service can expose several methods to external components. It is possible to define arbitrary permissions for each method using the method checkPermission.

It is also possible to separate services and restrict access by enforcing permissions in the manifest's <service> tag.

XML

<permission android:name="co.ostorlab.custom_permission" android:label="custom_permission"
            android:protectionLevel="dangerous"></permission>

<service android:name="co.ostorlab.custom_service" android:permission="co.ostorlab.custom_permission">
<intent-filter>
    <action android:name="co.ostorlab.ACTION"/>
</intent-filter>
</service>

The service can enforce permissions on individual IPC calls by calling the method checkCallingPermissionbefore executing the implementation of that call.

Links

• Security Decisions Via Untrusted Inputs (OWASP Mobile Top 10)
• Service (Android Developer Documentation)
• CWE-280: Improper Handling of Insufficient Permissions or Privileges

Standards

• OWASP_MASVS_L1:
  • MSTG_PLATFORM_2
• OWASP_MASVS_L2:
  • MSTG_PLATFORM_2
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_6_2
  • REQ_6_3
  • REQ_7_3
  • REQ_11_3