{"@ID": "926", "@Name": "Improper Export of Android Application Components", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.", "Extended_Description": {"xhtml:p": "The attacks and consequences of improperly exporting a component may depend on the exported component:", "xhtml:ul": {"xhtml:li": ["If access to an exported Activity is not restricted, any application will be able to launch the activity. This may allow a malicious application to gain access to sensitive information, modify the internal state of the application, or trick a user into interacting with the victim application while believing they are still interacting with the malicious application.", "If access to an exported Service is not restricted, any application may start and bind to the Service. Depending on the exposed functionality, this may allow a malicious application to perform unauthorized actions, gain access to sensitive information, or corrupt the internal state of the application.", "If access to a Content Provider is not restricted to only the expected applications, then malicious applications might be able to access the sensitive data. Note that in Android before 4.2, the Content Provider is automatically exported unless it has been explicitly declared as NOT exported."]}}, "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "285", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "Mobile", "@Prevalence": "Undetermined"}}, "Background_Details": {"Background_Detail": {"xhtml:p": "There are three types of components that can be exported in an Android application.", "xhtml:ul": {"xhtml:li": ["An Activity is an application component that provides a UI for users to interact with. A typical application will have multiple Activity screens that perform different functions, such as a main Activity screen and a separate settings Activity screen.", "A Service is an application component that is started by another component to execute an operation in the background, even after the invoking component is terminated. Services do not have a UI component visible to the user.", "The Content Provider mechanism can be used to share data with other applications or internally within the same application."]}}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Architecture and Design"}}, "Common_Consequences": {"Consequence": [{"Scope": ["Availability", "Integrity"], "Impact": ["Unexpected State", "DoS: Crash, Exit, or Restart", "DoS: Instability", "Varies by Context"], "Note": "Other applications, possibly untrusted, can launch the Activity."}, {"Scope": ["Availability", "Integrity"], "Impact": ["Unexpected State", "Gain Privileges or Assume Identity", "DoS: Crash, Exit, or Restart", "DoS: Instability", "Varies by Context"], "Note": "Other applications, possibly untrusted, can bind to the Service."}, {"Scope": ["Confidentiality", "Integrity"], "Impact": ["Read Application Data", "Modify Application Data"], "Note": "Other applications, possibly untrusted, can read or modify the data that is offered by the Content Provider."}]}, "Detection_Methods": {"Detection_Method": {"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Build and Compilation", "Strategy": "Attack Surface Reduction", "Description": "If they do not need to be shared by other applications, explicitly mark components with android:exported=\"false\" in the application manifest."}, {"Phase": "Build and Compilation", "Strategy": "Attack Surface Reduction", "Description": "If you only intend to use exported components between related apps under your control, use android:protectionLevel=\"signature\" in the xml manifest to restrict access to applications signed by you."}, {"Phase": ["Build and Compilation", "Architecture and Design"], "Strategy": "Attack Surface Reduction", "Description": "Limit Content Provider permissions (read/write) as appropriate."}, {"Phase": ["Build and Compilation", "Architecture and Design"], "Strategy": "Separation of Privilege", "Description": "Limit Content Provider permissions (read/write) as appropriate."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"Intro_Text": "This application is exporting an activity and a service in its manifest.xml:", "Example_Code": {"@Nature": "Bad", "@Language": "XML", "xhtml:div": {"xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:i": ["...", "..."], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "<action android:name=\"com.example.vulnerableApp.OPEN_UI\" /><category android:name=\"android.intent.category.DEFAULT\" />"}, "#text": "<intent-filter></intent-filter>"}}, {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:i": ["...", "..."], "xhtml:div": {"@style": "margin-left:1em;", "#text": "<action android:name=\"com.example.vulnerableApp.START_BACKGROUND\" />"}, "#text": "<intent-filter></intent-filter>"}}], "xhtml:br": null, "#text": "<activity android:name=\"com.example.vulnerableApp.mainScreen\"></activity><service android:name=\"com.example.vulnerableApp.backgroundService\"></service>"}}, "Body_Text": "Because these components have intent filters but have not explicitly set 'android:exported=false' elsewhere in the manifest, they are automatically exported so that any other application can launch them. This may lead to unintended behavior or exploits."}, {"Intro_Text": "This application has created a content provider to enable custom search suggestions within the application:", "Example_Code": {"@Nature": "Bad", "@Language": "XML", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "android:name=\"com.example.vulnerableApp.searchDB\"android:authorities=\"com.example.vulnerableApp.searchDB\">"}, "#text": "<provider></provider>"}}, "Body_Text": "Because this content provider is only intended to be used within the application, it does not need to be exported. However, in Android before 4.2, it is automatically exported thus potentially allowing malicious applications to access sensitive information."}]}, "References": {"Reference": {"@External_Reference_ID": "REF-923"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2013-07-02", "Submission_Version": "2.5", "Submission_ReleaseDate": "2013-07-17"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-01-22", "Modification_Version": "2.6", "Modification_ReleaseDate": "2014-02-19", "Modification_Importance": "Critical", "Modification_Comment": "Expanded entry to be more general and include all types of Android components that may be improperly exported."}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-02-18", "Modification_Version": "2.6", "Modification_ReleaseDate": "2014-02-19", "Modification_Comment": "updated Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Name, Potential_Mitigations, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Applicable_Platforms, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Background_Details"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Detection_Factors, References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Relationships, Weakness_Ordinalities"}], "Previous_Entry_Name": {"@Date": "2014-02-18", "#text": "Improper Restriction of Content Provider Export to Other Applications"}}}
