[Blog post here: https://wwws.nightwatchcybersecurity.com/2018/05/24/android-os-didnt-use-flag_secure-for-sensitive-settings-cve-2017-13243/]
SUMMARY Android OS did not use the FLAG_SECURE flag for sensitive settings, potentially exposing sensitive data to other applications on the same device with the screen capture permissions. The vendor (Google) fixed this issue in 2018-02-01 Pixel security update. Google has assigned CVE-2017-13243 to track this issue. DETAILS Android OS is a mobile operating systems for phones and tablets developed by Google. The OS has multiple screens where sensitive information maybe shown such as the device lock screen, passwords in the WiFi settings, pairing codes for Bluetooth, etc. FLAG_SECURE is a special flag available to Android developers that prevents a particular screen within an application from being seen by other application with screen capture permissions, having screenshots taken by the user, or have the screen captured in the “Recent Apps” portion of Android OS. We have published an extensive post last year discussing this feature is and what it does: https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/ During our testing of various Google mobile applications, we found that the lock screen, password entry screen for WiFi, and the screen for entering pairing codes for Bluetooth devices did not use FLAG_SECURE to prevent other applications for capturing that information. By contrast other Google applications like Android Pay and Google Wallet use this flag to prevent capture of sensitive information. Exploiting this bug requires user cooperation in installing a malicious app and activating the actual screen capture process, thus the likelihood of exploitation is low. To reproduce: 1. Lock the device, OR go to WiFi settings and try to add a network, or try to pair a Bluetooth device. 2. Press Power and volume down to capture screenshot. 3. Confirm that a screenshot can be taken. All testing was done on Android 7.1.2, security patch level of May 5th, 2017, on Nexus 6P. Vulnerable versions of Android include: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2 and 8.0. VENDOR RESPONSE This issue was responsibly reported to the vendor and was fixed in the 2018-02-01 Pixel bulletin. The vendor assigned CVE-2017-13243 to track this issue. BOUNTY INFORMATION This issue satisfied the requirements of the Android Security Rewards program and a bounty was paid. REFERENCES Android ID # A-38258991 CVE ID: CVE-2017-13243 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13243 CVSS scores: 7.5 (CVSS v3.0) / 5.0 (CVSS v2.0) Google Bug # 38254822 Google Pixel Bulletin: 2018-02-1 https://source.android.com/security/bulletin/pixel/2018-02-01 CREDITS Advisory written by Yakov Shafranovich. TIMELINE 2017-05-12: Initial report to the vendor 2017-06-15: Follow-up information sent to the vendor 2017-06-19: Follow-up communication with the vendor 2018-01-02: Vendor communicates plan to patch this issue 2018-01-29: Bounty reward issued 2018-02-01: Vendor publishes a patch for this issue 2018-05-24: Public disclosure / advisory published _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/