Authorization / Undeclared Permissions

Android / Mobile App

Description

Undeclared Permissions is an Authorization vulnerability class that affects Android mobile apps. It occurs when an application requests, at runtime, permissions that are not declared in its manifest file. The Common Weakness Enumeration (CWE) directory classifies this weakness under CWE-284: Improper Access Control, and the OWASP Testing Guide also lists it as a potential attack vector.

Risk

This vulnerability is assessed as high risk because it can be exploited to gain access to unauthorized resources or functions, which can lead to malicious activity such as data theft and data manipulation.

Solution

The solution is to declare every permission the application uses in its manifest file (AndroidManifest.xml). This ensures that the application never requests an undeclared permission from the user.

Example

<!-- Declare every permission the app will request in AndroidManifest.xml -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
</manifest>

In this example, the application declares two permissions in the manifest file: the camera permission and the external storage permission. Any permission the application requests at runtime must appear here; a request for a permission missing from the manifest is denied by the system without ever prompting the user.
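To catch this issue before it reaches a device, the following audit script (an added example, not code from the original page) parses an AndroidManifest.xml, scans Java/Kotlin source for runtime permission references, and reports any permission the code asks for that the manifest never declares. The manifest and source snippet embedded below are constructed sample inputs.

```python
# Added audit example (not from the original page): compare the permissions an
# app's code requests at runtime against those declared in AndroidManifest.xml.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Matches string literals such as "android.permission.CAMERA" and constant
# references such as Manifest.permission.CAMERA in Java/Kotlin source.
PERM_LITERAL = re.compile(r'"(android\.permission\.[A-Z_]+)"')
PERM_CONST = re.compile(r'\bManifest\.permission\.([A-Z_]+)\b')


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the <uses-permission android:name="..."> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def requested_permissions(source: str) -> set[str]:
    """Return permissions referenced by runtime-request code in Java/Kotlin source."""
    perms = set(PERM_LITERAL.findall(source))
    perms |= {f"android.permission.{name}" for name in PERM_CONST.findall(source)}
    return perms


def undeclared_permissions(manifest_xml: str, source: str) -> set[str]:
    """Permissions the code asks for that the manifest never declares."""
    return requested_permissions(source) - declared_permissions(manifest_xml)


# Constructed sample inputs: a manifest declaring two permissions, and a Kotlin
# snippet that additionally requests RECORD_AUDIO and ACCESS_FINE_LOCATION.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
</manifest>"""

SAMPLE_SOURCE = """
requestPermissions(arrayOf(Manifest.permission.CAMERA,
                           Manifest.permission.RECORD_AUDIO), 1)
val granted = checkSelfPermission("android.permission.ACCESS_FINE_LOCATION")
"""

if __name__ == "__main__":
    for perm in sorted(undeclared_permissions(SAMPLE_MANIFEST, SAMPLE_SOURCE)):
        print("undeclared:", perm)
```

Run against a real project by reading AndroidManifest.xml and concatenating the source tree into the second argument; a non-empty result is either a missing manifest entry or dead request code, and both should be fixed.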
