The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[oCERT-2009-011] Android improper camera and audio permission


<< Previous INDEX Search src / Print Next >> 
Date: Thu, 16 Jul 2009 15:23:29 +0100
From: Andrea Barisani <lcars@ocert.org.>
To: ocert-announce@lists.ocert.org, oss-security@lists.openwall.com,
Subject: [oCERT-2009-011] Android improper camera and audio permission
        verification
Message-ID: <20090716142329.GN4038@inversepath.com.>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-GPG-Key: 0x864C9B9E
X-GPG-Fingerprint: 0A76 074A 02CD E989 CE7F  AC3F DA47 578E 864C 9B9E
User-Agent: Mutt/1.5.17+20080114 (2008-01-14)
X-Virus-Scanned: antivirus-gw at tyumen.ru


#2009-011 Android improper camera and audio permission verification

Description:

Android, an open source mobile phone platform, improperly checks permissions
when applications access the camera and audio resources.

The permissions are Manifest.permission.CAMERA and
Manifest.permission.AUDIO_RECORD respectively.

Normally an Android application is allowed to access the camera and audio
resources only if the user explicitly allows the application to do so.  However
if the user installs an application that does not request the permissions then
the application is implicitly allowed to use the device camera and/or
microphone.

Affected version:

Android all 1.5 CRBxx versions (where xx are digits)

Fixed version:

Android 1.5 CBDxx, CRCxx and COCxx (where xx are digits)

Credit: Chris Palmer, iSEC Partners, under contract with Google.

CVE: CVE-2009-2348

Timeline:

2009-07-06: Android Security Team requested assistance from oCERT
2009-07-07: assigned CVE
2009-07-07: Android requests embargo period
2009-07-16: advisory release

References:
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=7b7225c8fdbead25235c74811b30ff4ee690dc58
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=4d8adefd35efdea849611b8b02d61f9517e47760
http://android.git.kernel.org/?p=platform/packages/apps/Camera.git;a=commit;h=e655d54160e5a56d4909f2459eeae9012e9f187f

Permalink:
http://www.ocert.org/advisories/ocert-2009-011.html

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars@ocert.org.>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"

<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей 		Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру