Android Fragment Injection vulnerability

2013.12.11

Credit: Roee Hay

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Hi,
We have recently disclosed a new vulnerability to the Android Security
Team. The vulnerability affected many apps, including Settings (the
one that is found on every Android device), Gmail, Google Now, Dropbox
and Evernote. To be more accurate, any App which extended the
PreferenceActivity class using an exported activity was automatically
vulnerable. A patch has been provided in Android KitKat. If you
wondered why your code is now broken, it is due to the Android KitKat
patch which requires applications to override the new method,
PreferenceActivity.isValidFragment, which has been added to the
Android Framework.
Important links:
1. Blog post: http://ibm.co/1bAA8kF
2. Whitepaper: http://ibm.co/IDm2Es
Roee Hay
IBM Application Security Team Lead

References:

http://ibm.co/1bAA8kF

http://ibm.co/IDm2Es

http://seclists.org/fulldisclosure/2013/Dec/55

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Android Fragment Injection vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.