Any App Can Be Hit By This Authentication Bypass Vulnerability


Android users across the board may be at risk from a newly discovered Authentication Bypass vulnerability that can affect any app, according to security researchers at Trustwave. And there may not be much that Google can do about it, even though it’s impacting applications. In fact, the company says that it’s presently impossible to even determine how widespread the problem is. And that’s because it isn’t an issue with Android itself.

Instead, the problem at hand appears to be the direct result of “poor programming” and can potentially affect every application. That places the blame squarely with apps themselves and, subsequently, with developers. The damage that can be caused comes back to the fact that it can cause apps to leak critical information. That, in turn, can potentially lead to a larger compromise or data breach.

Abuse of this Authentication Bypass vulnerability isn’t widespread but the potential is there

As noted above, this is one vulnerability that can be traced back to programming practices that don’t support the security of a given app. Trustwave says that boils down to how easily the Intents in a given app can be manipulated. For clarity, Intents are used by applications to interact with different components that make up an app. Those include Activities, Services, or Broadcast Receivers.


In particular, Trustwave indicates that one type of Intent is to blame for the vulnerability. Those are referred to as “exported Activities” and present a problem because they are easily viewed via app manifests. Every Android app comes packed with an AndroidManifest.xml file. That file can be exported in a variety of ways but apps and software are the most common.

Because the activities found there can be interacted with, it becomes easy for a malicious entity to manipulate apps into doing what they shouldn’t.

Trustwave uses the example of a messaging app built for internal company use. The app’s manifest exported activities that allowed Trustwave to log in directly to the messaging system without credentials. That allowed Trustwave to access all of the messages in the system. The requisite activities were plainly visible in the app’s manifest file. All that was needed was a way to access the manifest file and a way to execute activities — such as ADB.


Misuse and abuse of app components found in the manifest file can potentially lead to just about any malicious activity. What the vulnerability does or doesn’t allow for changes on an app-by-app basis. But it ranges from remote code execution to fake notifications and ads. And it comes down to exactly what the developer has revealed in the app manifest.

What’s the fix?

As noted above, the fix to this particular issue rests with developers, according to Trustwave. Namely, developers need to be more cautious about what they’re allowing to appear in the manifest for any given app. Trustwave indicates that the simplest and potentially most impactful solution is straightforward. App developers should limit exported components to those that absolutely need to be. That would mean only exporting components that need to be exposed to other apps.

Secondary to that, developers should not be accepting just any Intent calling for an activity, service, or other components. Instead, the apps should be self-checking to validate all of the data that’s received in an Intent. Moreover, app developers should apply permissions to restrict where those Intents can come from, in effect limiting the apps that can access the data.


Finally, developers can disable external exposure of components in the manifest itself. All they need to do is set the “android:exported” attribute to “false” in the manifest.
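
For developers who want to check their own apps against the advice above, here is an added example (not code from Trustwave or from the original article) that audits a decoded AndroidManifest.xml and lists components that are exported without an android:permission guard. The sample manifest and every component name in it are constructed; the launcher activity is skipped because it has to be exported, and a component with an intent-filter but no explicit android:exported value is treated as exported, which is the default for apps that do not target Android 12 or later.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest (decoded text form); every name in it is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application>
  <activity android:name=".LoginActivity" android:exported="true">
   <intent-filter><action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
  </activity>
  <activity android:name=".InboxActivity" android:exported="true"/>
  <activity android:name=".SettingsActivity" android:exported="false"/>
  <service android:name=".SyncService">
   <intent-filter><action android:name="com.example.chat.SYNC"/></intent-filter>
  </service>
  <receiver android:name=".PushReceiver" android:exported="true"
            android:permission="com.example.chat.permission.PUSH"/>
 </application>
</manifest>"""

def is_launcher(comp):
    """True for the MAIN/LAUNCHER entry point, which has to stay exported."""
    for f in comp.findall("intent-filter"):
        actions = {a.get(A + "name") for a in f.findall("action")}
        cats = {c.get(A + "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False

def audit_manifest(xml_text):
    """Return (tag, name, reason) for exported components with no permission guard."""
    findings = []
    for comp in ET.fromstring(xml_text).iterfind("application/*"):
        if comp.tag not in COMPONENTS or comp.get(A + "permission") or is_launcher(comp):
            continue
        exported = comp.get(A + "exported")
        if exported == "true":
            findings.append((comp.tag, comp.get(A + "name"), "android:exported=true"))
        elif exported is None and comp.find("intent-filter") is not None:
            # No explicit value: an intent-filter makes the component exported by default.
            findings.append((comp.tag, comp.get(A + "name"), "implicit via intent-filter"))
    return findings

if __name__ == "__main__":
    for tag, name, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"exported without permission: <{tag}> {name} ({reason})")
```

Each finding is a component to either mark android:exported="false" or protect with a permission and input validation, as described above.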