{"id":134119,"date":"2024-05-01T11:00:00","date_gmt":"2024-05-01T18:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=134119"},"modified":"2024-05-01T09:43:27","modified_gmt":"2024-05-01T16:43:27","slug":"dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/05\/01\/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps\/","title":{"rendered":"\u201cDirty stream\u201d attack: Discovering and mitigating a common vulnerability pattern in Android apps"},"content":{"rendered":"\n
Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application\u2019s home directory. The implications of this vulnerability pattern include arbitrary code execution and token theft, depending on an application\u2019s implementation. Arbitrary code execution can provide a threat actor with full control over an application\u2019s behavior. Meanwhile, token theft can provide a threat actor with access to the user\u2019s accounts and sensitive data.<\/p>\n\n\n\n
We identified several vulnerable applications in the Google Play Store that represented over four billion installations. We anticipate that the vulnerability pattern could be found in other applications. We\u2019re sharing this research so developers and publishers can check their apps for similar issues, fix as appropriate, and prevent introducing such vulnerabilities into new apps or releases. As threats across all platforms continue to evolve, industry collaboration among security researchers, security vendors, and the broader security community is essential in improving security for all. Microsoft remains committed to working with the security community to share vulnerability discoveries and threat intelligence to protect users across platforms.<\/p>\n\n\n\n
After discovering this issue, we identified several vulnerable applications. As part of our responsible disclosure policy, we notified application developers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) and worked with them to address the issue. We would like to thank the Xiaomi, Inc. and WPS Office security teams for investigating and fixing the issue. As of February 2024, fixes have been deployed for the aforementioned apps, and users are advised to keep their device and installed applications up to date.<\/p>\n\n\n\n Recognizing that more applications could be affected, we acted to increase developer awareness of the issue by collaborating with Google to publish an article on the Android Developers website, providing guidance in a high-visibility location to help developers avoid introducing this vulnerability pattern into their applications. We also wish to thank Google\u2019s Android Application Security Research team for their partnership in resolving this issue.<\/p>\n\n\n\n In this blog post, we continue to raise developer and user awareness by giving a general overview of the vulnerability pattern, and then focusing on Android share targets, as they are the most prone to these types of attacks. We go through an actual code execution case study where we demonstrate impact that extends beyond the mobile device\u2019s scope and could even affect a local network. Finally, we provide guidance to users and application developers and illustrate the importance of collaboration to improve security for all.<\/p>\n\n\n\n Overview: Data and file sharing on Android<\/h2>\n\n\n\n The Android operating system enforces isolation by assigning each application its own dedicated data and memory space. To facilitate data and file sharing, Android provides a component called a content provider, which acts as an interface for managing and exposing data to the rest of the installed applications in a secure manner. 
When used correctly, a content provider provides a reliable solution. However, improper implementation can introduce vulnerabilities that could enable bypassing of read\/write restrictions within an application\u2019s home directory.<\/p>\n\n\n\n