Microsoft Discovers Significant Security Flaw ‘Dirty Stream’ in Android Apps with Billions of Downloads

Microsoft Attributes Vulnerability to Improper Implementation of Android’s Content Provider System

Microsoft recently uncovered a significant security vulnerability present in multiple Android apps, which could potentially allow unauthorized access to apps and sensitive data on the device. Interestingly, this security flaw doesn’t stem from the Android system code itself but rather from developers improperly using a specific system, creating loopholes that are susceptible to exploitation. It’s worth noting that Microsoft has informed Google about this flaw, and Google has taken steps to notify the Android app developer community about the issue.

According to a post on its Security Blog, the Microsoft Threat Intelligence team stated, “Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s home directory.” The researchers noted that several apps on the Google Play Store, with a combined total of more than four billion installations, were affected by this vulnerability.

This vulnerability arises from incorrect usage of Android’s content provider system, which is designed to secure data exchange between different apps on a device. This system includes various security measures such as data isolation, URI permissions, and path validation to prevent unauthorized access by apps or any malicious actors trying to exploit the apps. However, improper implementation affects a component called custom intents, which facilitate two-way communication between different apps. When this vulnerability exists, apps may bypass security measures, allowing other apps or hackers controlling them to access sensitive data stored within them.

Microsoft discovered a major security vulnerability in multiple Android apps last week that could be exploited to gain unauthorised access to apps and sensitive data on the device. Interestingly, this security flaw does not come from the system code, but from improper usage of a particular system by developers, which can lead to loopholes prone to exploitation. Notably, the flaw has been highlighted to Google, and the tech giant has taken steps to make the Android app developer community aware of the issue.

In a post on its Security Blog, the Microsoft Threat Intelligence team stated, “Microsoft discovered a path traversal-affiliated vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s home directory.” The researchers also highlighted that the vulnerability was spotted in several apps in the Google Play Store that had a combined total of more than four billion installations.

This vulnerability emerges when a developer incorrectly uses Android’s content provider system, which is designed to secure data exchange between different apps on a device. This includes data isolation, URI permissions, path validation and other security measures to stop unauthorised access by the apps or anyone else breaking into the app. However, improper implementation of the system affects a component called custom intents. These are the messaging objects that conduct two-way communication between different apps. When this vulnerability exists, the apps can ignore the security measures and let other apps (or hackers controlling them) access sensitive data stored in them.

Google has also taken cognisance of the issue and published a post on its Android Developers blog. The company has highlighted the common errors and ways to fix them. It is expected that developers of affected apps will fix the issues and release updates in the coming days. While end users cannot do much to avoid this vulnerability, it is recommended that they remain proactive in updating the apps on their devices and avoid downloading apps from third-party sources for a while.