lcimeni / Kraken-Pro

0 stars 0 forks source link

NowSecure static analysis: Exported Components #55

Open lcimeni opened 3 years ago

lcimeni commented 3 years ago

Finding Description

Exported Android components can be interacted with by other apps on the device. In order to safely instantiate these components, android:exported must be explicitly set. An Android component can be marked as exported by explicitly setting android:exported="true" in the manifest. Exported application components that are not restricted using permissions can be launched/started by other applications and can leak sensitive data. Attacker applications can also leverage the exported component to modify the internal state of the victim application or phish the user. Android Apps which do not explicitly set this will NOT be able to install to Android 12 devices.

Steps to Reproduce

The AndroidManifest.xml is checked for activities, services, or broadcast receivers which do not explicitly declare android:exported.

Business Impact

This flaw exposes the app to other applications stealing data from users, and apps which do not explicitly set this value called out will NOT be able to install to Android 12 devices meaning that your users may not be able to install the app on newer devices.

Remediation Resources

For any activities, services, or broadcast receivers in the app, ensure that android:exported is explicitly declared.

Risk and Regulatory Information

Severity: high CVSS: 7.6

Application

See more detail in the NowSecure Report