CVE-2022-20436 – Android design weakness.There is an unauthorized service in the system service. (11th Oct 2022)

Preface: Looking back at the history of Android, explore Android’s ongoing evolution with this visual timeline of versions, starting Cupcake (early 2009’s Android 1.5 Cupcake) and going all the way to 2022’s Android 13 release. It really was a revolution from cordless phones to smart devices.

Background: What is the role of an Activitymanager in an Android app?
This class gives information about, and interacts with, activities, services, and the containing process. A number of the methods in this class are for debugging or informational purposes and they should not be used to affect any runtime behavior of your app.

Vulnerability details: There is an unauthorized service in the system service. Since the component does not have permission check, resulting in Local Elevation of privilege.Product: AndroidVersions: Android SoCAndroid ID: A-242248369
References: https://source.android.com/security/bulletin/2022-10-01

Techincal Bulltein belongs to Android stated that below vulnerability affect UNISOC components and further details are available directly from UNISOC. The severity assessment of these issues is provided directly by UNISOC.

My observation: Since remedy is strip sensitive information from options before sending it to app.Furthermore, points 10 to 13 on the diagram. All process flow will arrive Activity manager then reach Zygote. So any sensitive information passed into ActivityManager via ActivityOptions can make its way to an unrelated app. Recently a RemoteTransition object was added which includes some sensitive information.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.