Description
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
The attacks and consequences of improperly exporting a component may depend on the exported component:
Potential Impact
| Scope | Impact |
| --- | --- |
| Availability, Integrity | Unexpected State; DoS: Crash, Exit, or Restart; DoS: Instability; Varies by Context |
| Availability, Integrity | Unexpected State; Gain Privileges or Assume Identity; DoS: Crash, Exit, or Restart; DoS: Instability; Varies by Context |
| Confidentiality, Integrity | Read Application Data; Modify Application Data |
Demonstrative Examples
None of the three components below sets android:exported, so the activity and the service are exported implicitly through their intent filters and the content provider is reachable by any other application on the device.

```xml
<activity android:name="com.example.vulnerableApp.mainScreen">
    ...
    <intent-filter>
        <action android:name="com.example.vulnerableApp.OPEN_UI" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
    ...
</activity>
<service android:name="com.example.vulnerableApp.backgroundService">
    ...
    <intent-filter>
        <action android:name="com.example.vulnerableApp.START_BACKGROUND" />
    </intent-filter>
    ...
</service>
<provider android:name="com.example.vulnerableApp.searchDB"
          android:authorities="com.example.vulnerableApp.searchDB"></provider>
```

Mitigations & Prevention
If they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
If you only intend to use exported components between related apps under your control, use android:protectionLevel="signature" in the xml manifest to restrict access to applications signed by you.
Limit Content Provider permissions (read/write) as appropriate.
Detection Methods
- Automated Static Analysis (Effectiveness: High): Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
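The following is an added example, not part of the CWE entry or of any MITRE tooling. It is a small manifest checker of the kind a SAST rule for this weakness would implement, and it also illustrates the mitigations listed above: it parses an AndroidManifest.xml, applies the platform's default export rules, and reports components that other applications can reach without a signature-level permission. The two embedded manifests are constructed samples: the first wraps the page's demonstrative example, the second is the same set of components with android:exported="false" and a signature-protected permission applied. The permission name com.example.vulnerableApp.permission.INTERNAL is an assumption chosen for the example. Treating a provider that lacks android:exported as exported is a deliberate conservative assumption (the legacy platform default).

```python
"""Static check for Android components exposed to other apps (CWE-926).

Added example, not from the CWE entry: parses an AndroidManifest.xml and reports
components that other applications can reach without a signature-level permission.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_exported(comp, tag):
    """Apply the platform default when android:exported is not set explicitly."""
    exported = _attr(comp, "exported")
    if exported is not None:
        return exported == "true", 'android:exported="%s"' % exported
    if comp.find("intent-filter") is not None:
        # Activities, services and receivers with an intent-filter are exported by default.
        return True, "implicitly exported by its intent-filter"
    if tag == "provider":
        # Assumption: a provider with no explicit attribute is treated as exported (legacy default).
        return True, "provider with no android:exported attribute"
    return False, "not exported"


def _guarded_by_signature(comp, tag, signature_perms):
    """True only when every way of reaching the component needs a signature-level permission."""
    perm = _attr(comp, "permission")
    if tag == "provider":
        # Reads and writes can be guarded separately; android:permission covers both if set.
        needed = [_attr(comp, "readPermission") or perm, _attr(comp, "writePermission") or perm]
    else:
        needed = [perm]
    return all(p in signature_perms for p in needed)


def find_exposed_components(manifest_xml):
    """Return a list of {type, name, reason} for components reachable by arbitrary apps."""
    root = ET.fromstring(manifest_xml)
    # Permissions this app declares with protectionLevel="signature": only apps signed
    # with the same key can hold them, which is the mitigation for related apps.
    signature_perms = {
        _attr(p, "name") for p in root.iter("permission")
        if _attr(p, "protectionLevel") == "signature"
    }
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported, reason = _is_exported(comp, tag)
            if exported and not _guarded_by_signature(comp, tag, signature_perms):
                findings.append({"type": tag, "name": _attr(comp, "name"), "reason": reason})
    return findings


# Constructed sample: the page's demonstrative example wrapped in a minimal manifest.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnerableApp">
  <application>
    <activity android:name="com.example.vulnerableApp.mainScreen">
      <intent-filter>
        <action android:name="com.example.vulnerableApp.OPEN_UI"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.vulnerableApp.backgroundService">
      <intent-filter><action android:name="com.example.vulnerableApp.START_BACKGROUND"/></intent-filter>
    </service>
    <provider android:name="com.example.vulnerableApp.searchDB"
              android:authorities="com.example.vulnerableApp.searchDB"/>
  </application>
</manifest>"""

# Constructed sample: the same components after applying the mitigations above.
# The permission name is an assumption made for this example.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnerableApp">
  <permission android:name="com.example.vulnerableApp.permission.INTERNAL"
              android:protectionLevel="signature"/>
  <application>
    <activity android:name="com.example.vulnerableApp.mainScreen" android:exported="false">
      <intent-filter>
        <action android:name="com.example.vulnerableApp.OPEN_UI"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <service android:name="com.example.vulnerableApp.backgroundService" android:exported="true"
             android:permission="com.example.vulnerableApp.permission.INTERNAL">
      <intent-filter><action android:name="com.example.vulnerableApp.START_BACKGROUND"/></intent-filter>
    </service>
    <provider android:name="com.example.vulnerableApp.searchDB"
              android:authorities="com.example.vulnerableApp.searchDB" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, find_exposed_components(manifest))
```

Run against the vulnerable manifest the checker reports all three components; against the hardened one it reports none, because the activity and provider are no longer exported and the service, while still exported for related apps, is guarded by a permission that only apps signed with the same key can hold. A real SAST rule would additionally read targetSdkVersion, since from API level 31 the attribute is mandatory for components with intent filters and from API 17 providers default to unexported.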
Related Weaknesses
Frequently Asked Questions
What is CWE-926?
CWE-926 (Improper Export of Android Application Components) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
How can CWE-926 be exploited?
Exploitation of CWE-926 (Improper Export of Android Application Components) can lead to the following technical impacts: Unexpected State; DoS: Crash, Exit, or Restart; DoS: Instability; Varies by Context. This weakness is typically introduced during the Architecture and Design phase of software development.
How do I prevent CWE-926?
Key mitigations include: if they do not need to be shared by other applications, explicitly mark components with android:exported="false" in the application manifest.
What is the severity of CWE-926?
CWE-926 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.