Authorization / Services Declared without Permissions
Description
Services declared without permissions is a vulnerability of the Authorization category (CWE-285) that affects Android and mobile app systems. It occurs when an application declares a service in its AndroidManifest.xml file but does not assign a permission that callers must hold to access the service. Any other application on the device can then start or bind to the service, which could lead to an attack or data leakage. According to the OWASP Testing Guide, this vulnerability can be detected by examining the application's AndroidManifest.xml file to determine whether it declares a service without an associated permission.
Risk
Services declared without permissions can lead to serious security issues, including data leakage, malicious code execution, and privilege escalation. The risk of this vulnerability is assessed as high, since an unprotected service is reachable by any application on the device and can lead directly to an attack or data leakage.
Solution
The solution to this vulnerability is to assign a permission to each service declared in the AndroidManifest.xml file. In order to determine which permission to assign, the application developer must first determine the purpose of the service and then assign the appropriate permission. For example, if the service is used to access a database, then the developer should assign the “android.permission.READ_DATABASE” permission.
Example
<service android:name="MyService" />
This example shows a service declared without a permission, meaning any application on the device can start or bind to the service.
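The manifest check described above, as an added example that is not part of the original page: a small Python scanner that reports every service another app can reach without holding a permission. The sample manifest and the service and permission names inside it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this namespace; element names do not.
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_unprotected_services(manifest_xml: str) -> list[dict]:
    """Return one finding per <service> that is reachable by other apps and has no android:permission.

    A service counts as reachable when android:exported="true", or when it has an
    <intent-filter> and no explicit android:exported (the pre-API-31 default is
    exported=true in that case). Unexported services are not reported.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for svc in root.iter("service"):
        exported = _attr(svc, "exported")
        has_filter = svc.find("intent-filter") is not None
        reachable = exported == "true" or (exported is None and has_filter)
        if reachable and not _attr(svc, "permission"):
            findings.append({"service": _attr(svc, "name"),
                             "exported": exported, "intent_filter": has_filter})
    return findings


# Constructed sample manifest: two vulnerable services, one fixed, one internal.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <!-- Vulnerable: explicitly exported, no permission required -->
    <service android:name=".SyncService" android:exported="true" />
    <!-- Vulnerable: intent-filter makes it exported by default, no permission required -->
    <service android:name=".LegacyService">
      <intent-filter><action android:name="com.example.LEGACY" /></intent-filter>
    </service>
    <!-- Fixed: exported, but callers must hold a custom permission -->
    <service android:name=".PaymentService" android:exported="true"
             android:permission="com.example.permission.USE_PAYMENT" />
    <!-- Not reachable from other apps -->
    <service android:name=".WorkerService" android:exported="false" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in find_unprotected_services(SAMPLE_MANIFEST):
        print(f"UNPROTECTED {f['service']} exported={f['exported']} intent_filter={f['intent_filter']}")
```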