Android Fragment Injection vulnerability

2013.12.11
Credit: Roee Hay
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hi, We have recently disclosed a new vulnerability to the Android Security Team. The vulnerability affected many apps, including Settings (the one that is found on every Android device), Gmail, Google Now, Dropbox and Evernote. To be more accurate, any App which extended the PreferenceActivity class using an exported activity was automatically vulnerable. A patch has been provided in Android KitKat. If you wondered why your code is now broken, it is due to the Android KitKat patch which requires applications to override the new method, PreferenceActivity.isValidFragment, which has been added to the Android Framework. Important links: 1. Blog post: http://ibm.co/1bAA8kF 2. Whitepaper: http://ibm.co/IDm2Es Roee Hay IBM Application Security Team Lead

References:

http://ibm.co/1bAA8kF
http://ibm.co/IDm2Es
http://seclists.org/fulldisclosure/2013/Dec/55


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top