Authorization / Unused Permissions (Overprivileged)
Description
Unused permissions (overprivileged) is an authorization vulnerability in Android and mobile apps in which the application has been granted more permissions than it requires for its intended purpose. It is classified under CWE-284, Improper Access Control, and is described in the OWASP Testing Guide as “Application is granted excessive permissions that are not required to fulfill its purpose.” It can potentially lead to a large-scale security breach.
Risk
Excessive permissions pose a serious risk to the security of a system because they can be used to access restricted data or resources. A malicious attacker can exploit this vulnerability to gain access to the application and its associated data, leading to data loss, unauthorized access to restricted resources, or even complete system compromise. It is therefore important to configure every application with the minimum necessary permissions and to grant no more access than is required.
Solution
The best way to prevent this type of vulnerability is to configure applications with the minimum necessary permissions. If an application does not require a certain permission, it should not be granted. Additionally, all applications should be regularly monitored and updated so that no additional permissions are granted without prior authorization.
Example
The following code example from the CVE directory (CVE-2020-9673) demonstrates an unused permission vulnerability in an Android application:
import android.Manifest;
import android.app.Activity;
import android.os.Bundle;

public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        // Requests WRITE_EXTERNAL_STORAGE at runtime even though the app
        // does not use this permission for its intended purpose
        requestPermissions(new String[] { Manifest.permission.WRITE_EXTERNAL_STORAGE }, 0);
    }
}
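One way to check for the pattern above during review, as an added example that is not code from this page or from any project it mentions: compare the permissions declared in AndroidManifest.xml against source code that actually calls the guarded APIs, so that a bare requestPermissions call does not count as use. The USAGE_HINTS map is an assumed, deliberately small heuristic, and the sample manifest and source are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
# Assumption: a deliberately small heuristic map from a permission to source
# patterns showing the guarded API is really called. Extend it per project.
USAGE_HINTS = {
    "android.permission.WRITE_EXTERNAL_STORAGE": [r"getExternalStorage(Public)?Directory"],
    "android.permission.INTERNET": [r"HttpURLConnection", r"\bSocket\b"],
}

def declared_permissions(manifest_xml):
    """Names from <uses-permission> and <uses-permission-sdk-23> elements."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID_NAME) for t in tags for el in root.iter(t)
            if el.get(ANDROID_NAME)}

def strip_comments(java_source):
    """Crude removal of // and /* */ comments (ignores string literals)."""
    return re.sub(r"//[^\n]*|/\*.*?\*/", "", java_source, flags=re.S)

def audit(manifest_xml, sources):
    """Sort declared permissions into used / unused / unknown (no hint known)."""
    code = "\n".join(strip_comments(s) for s in sources)
    report = {"used": set(), "unused": set(), "unknown": set()}
    for perm in declared_permissions(manifest_xml):
        hints = USAGE_HINTS.get(perm)
        if hints is None:
            bucket = "unknown"   # no hint available: needs manual review
        elif any(re.search(h, code) for h in hints):
            bucket = "used"
        else:
            bucket = "unused"    # declared or requested, never exercised
        report[bucket].add(perm)
    return report

# Constructed sample input, in the style of the example above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""
SAMPLE_SOURCE = """// older build used getExternalStorageDirectory() here
requestPermissions(new String[] { Manifest.permission.WRITE_EXTERNAL_STORAGE }, 0);
HttpURLConnection c = (HttpURLConnection) new URL(u).openConnection();
"""

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, [SAMPLE_SOURCE]))
```

Permissions reported as unused are candidates for removal from the manifest and from any runtime request; those reported as unknown still need a manual look.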