Undeclared Permissions
Description
Applications can expose their functionality to other apps by defining permissions which those other apps can request.
To enforce your own permission, you must first declare it in your AndroidManifest.xml using the <permission> element before applying it to your components using the android:permission attribute.
If the application applies a permission without declaring it, a malicious app can declare that permission with a normal protection level, request it, and invoke the protected component of your application.
Recommendation
Before applying a permission on any component, make sure it is declared using the <permission> element.
For example, an app that wants to control who can start one of its activities could declare a permission for this operation as follows:
- Step 1: I declare a permission with the name com.example.myapp.permission.DEADLY_ACTIVITY and fill in the necessary attributes
- Step 2: I apply the permission com.example.myapp.permission.DEADLY_ACTIVITY on my activity
<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp">
    <!-- Step 1: declare the custom permission -->
    <permission
        android:name="com.example.myapp.permission.DEADLY_ACTIVITY"
        android:label="@string/permlab_deadlyActivity"
        android:description="@string/permdesc_deadlyActivity"
        android:permissionGroup="android.permission-group.COST_MONEY"
        android:protectionLevel="dangerous"/>
    ...
    <application>
        <!-- Step 2: apply the declared permission to the component -->
        <activity android:exported="true" android:name="com.important.PushActivity"
            android:permission="com.example.myapp.permission.DEADLY_ACTIVITY"/>
    </application>
</manifest>
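A manifest check for the condition described above, as an added example that is not part of the original page or of any tool it describes: it lists every permission a component applies that the same manifest never declares. The function name, the sample manifests, and the rule that "android."-prefixed names are platform permissions are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = {"application", "activity", "activity-alias", "service", "receiver", "provider"}
PERM_ATTRS = ("permission", "readPermission", "writePermission")

def undeclared_permissions(manifest_xml):
    """Return sorted (tag, component, permission) for permissions applied but never declared."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(A + "name") for p in root.findall("permission")}
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENTS:
            continue
        for attr in PERM_ATTRS:
            perm = elem.get(A + attr)
            # Assumption: "android."-prefixed names are platform permissions
            # defined by the OS, so the app is not expected to declare them.
            if perm and perm not in declared and not perm.startswith("android."):
                findings.append((elem.tag, elem.get(A + "name", ""), perm))
    return sorted(findings)

# Constructed sample: the page's manifest with the <permission> element left out.
UNDECLARED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapp">
  <application>
    <activity android:exported="true" android:name="com.important.PushActivity"
        android:permission="com.example.myapp.permission.DEADLY_ACTIVITY"/>
  </application>
</manifest>"""

# Constructed sample: the same manifest with the permission declared first.
DECLARED = UNDECLARED.replace("<application>", """<permission
      android:name="com.example.myapp.permission.DEADLY_ACTIVITY"
      android:protectionLevel="dangerous"/>
  <application>""", 1)

if __name__ == "__main__":
    for label, xml_text in (("undeclared", UNDECLARED), ("declared", DECLARED)):
        print(label, undeclared_permissions(xml_text))
```

A permission that is legitimately defined by another app or library is reported as well, so each finding is a line to review rather than a confirmed defect.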
Links
Standards
- OWASP_MASVS_L1:
  - MSTG_PLATFORM_4
- OWASP_MASVS_L2:
  - MSTG_PLATFORM_4