Undeclared Permissions

Undeclared Permissions

Risk: medium

Description

Applications can expose their functionality to other apps by defining permissions which those other apps can request.

To enforce your own permission, you must first declare it in your AndroidManifest.xml using <permission> element before applying it to your components using android:permission=

If the application applies a permission without declaring it, a malicious app can declare that permission with a normal protection level, request it and invoke the protected component of your application

Recommendation

Before applying a permission on any component, make sure it is declared using <permission> element.

For example, an app that wants to control who can start one of its activities could declare a permission for this operation as follows:

• Step 1 : I declare a permission with the name com.example.myapp.permission.DEADLY_ACTIVITY and fill the necessary attributes
• Step 2: I apply the permission com.example.myapp.permission.DEADLY_ACTIVITY on my activity

<manifest
        xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.myapp">

    <permission
            android:name="com.example.myapp.permission.DEADLY_ACTIVITY"
            android:label="@string/permlab_deadlyActivity"
            android:description="@string/permdesc_deadlyActivity"
            android:permissionGroup="android.permission-group.COST_MONEY"
            android:protectionLevel="dangerous"/>
    ...
    <activity android:exported="true" android:name="com.important.PushActivity"
              android:permission="com.example.myapp.permission.DEADLY_ACTIVITY"/>

</manifest>

Links

• Typo in permission name allows to write contacts without user knowledge

Standards

• OWASP_MASVS_L1:
  • MSTG_PLATFORM_4
• OWASP_MASVS_L2:
  • MSTG_PLATFORM_4