13th December 2011
Affected Versions
Samsung Galaxy S2 (I9100XWKI4) – Android 2.3.4. Other models running these applications may be affected.
CVE Reference
None
Authors
Tyrone Erasmus
Mike Auty (Channels SQLi)
Severity
High Risk
Local/Remote
Local
Vulnerability Class
Android Content Providers
Vendor
Samsung
Vendor Response
Vendor updated all vulnerable software; firmware releases after 13th March 2012 contain the fixes.
Description
Many Samsung applications are pre-installed by default on Samsung Android devices, and these applications cannot be removed by the user. Some of these applications make use of content providers which are implicitly exported by default. As a result, other applications on the device can request sensitive information from these content providers and successfully obtain it. This is cause for concern because a 3rd party application containing malicious code does not need to be granted any permissions in order to obtain sensitive information from these applications. It should be noted that only applications disclosing potentially sensitive information are being reported on in this document. The following applications allow the retrieval of sensitive information from their content providers without any granted permissions:
Impact
Malicious applications installed on the same device as the vulnerable applications could steal sensitive information from the user and transmit it back to the attacker.
Interim Workaround
Avoid using the vulnerable applications if you do not have access to the firmware update. To clear information stored in these applications, go to Settings->Applications->Manage Applications and press “Clear data”.
Solution
In the AndroidManifest.xml file of each application that contains a content provider, it was recommended that read and write permissions be set. An example is shown below:
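As an added example (not code from the advisory or from Samsung), the following Python audit flags content providers in a decoded, plain-text AndroidManifest.xml that are exported without a read or write permission, which is the condition described above. The sample manifest and every package, provider and permission name in it are constructed; the rule that providers are exported by default when the minimum or target SDK is 16 or lower is taken from the Android manifest documentation, not from this page.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed manifest; package, provider and permission names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendorapp">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
  <application>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.vendorapp.notes"/>
    <provider android:name=".ChannelsProvider"
        android:authorities="com.example.vendorapp.channels"
        android:writePermission="com.example.vendorapp.WRITE"/>
    <provider android:name=".MailProvider"
        android:authorities="com.example.vendorapp.mail"
        android:readPermission="com.example.vendorapp.READ"
        android:writePermission="com.example.vendorapp.WRITE"/>
    <provider android:name=".CacheProvider"
        android:authorities="com.example.vendorapp.cache"
        android:exported="false"/>
  </application>
</manifest>"""


def audit_providers(manifest_xml):
    """Return {provider name: [unguarded operations]} for exported providers."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    min_sdk = int(attrs.get(A + "minSdkVersion", 1))  # absent means API level 1
    target = int(attrs.get(A + "targetSdkVersion", min_sdk))
    # Providers are implicitly exported when min or target SDK is 16 or lower.
    default_exported = min(min_sdk, target) <= 16
    findings = {}
    for p in root.iter("provider"):
        exported = p.get(A + "exported")
        if not (default_exported if exported is None else exported == "true"):
            continue  # not reachable from other applications
        both = p.get(A + "permission")  # one permission covering read and write
        missing = [op for op in ("read", "write")
                   if not (p.get(A + op + "Permission") or both)]
        if missing:
            findings[p.get(A + "name")] = missing
    return findings


if __name__ == "__main__":
    for name, ops in audit_providers(SAMPLE).items():
        print(f"{name}: exported without {'/'.join(ops)} permission")
```

The audit only checks that a permission is named on the provider; it does not inspect that permission's protection level or any path-level permissions.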