Microsoft warns of security vulnerability impacting Android applications
Take action: If you develop code for Android, review the recommendations from Microsoft and Google to avoid exposing your apps to the Dirty Stream vulnerability.
Microsoft has reported a vulnerability impacting Android devices called "Dirty Stream," which allows a malicious application to overwrite files in another app's home directory. This could lead to arbitrary code execution or the theft of sensitive information. The vulnerability arises from incorrect implementations in Android's content provider system, which is designed to securely share structured data between applications.
Vulnerability details
The flaw results from incorrect usage of the content provider system, which usually includes URI permissions, data isolation, and path validation to prevent unauthorized access and path traversal attacks. Vulnerable apps trust unvalidated filenames and paths in custom intents, which are messaging objects for inter-app communication, and misuse components like the FileProvider.
A malicious app can send a file with a manipulated filename or path via a custom intent to a vulnerable app, tricking it into executing or storing the file in a critical directory, which can then be exploited.
Potential impact
Microsoft reported that vulnerable applications are widespread and have been installed over four billion times. Two notable affected apps are Xiaomi's File Manager and WPS Office, which have one billion and 500 million installations, respectively.
Mitigation recommendations
Applications should ignore filenames provided by the server application and generate unique filenames for files stored locally. If generating unique filenames is impractical, sanitize the provided filenames by removing path traversal characters and checking that the canonical path resolves inside the intended directory.
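Both recommendations, sketched in plain Java as an added example (not code from Microsoft, Google or the affected apps). The class and method names are hypothetical, the sample filenames are constructed, and a temporary directory stands in for the receiving app's cache directory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.UUID;

public class SafeIncomingFile {

    // Preferred: ignore the name supplied by the sending app entirely.
    // A random name cannot traverse and cannot collide with an existing file.
    static File uniqueTarget(File cacheDir) {
        return new File(cacheDir, UUID.randomUUID().toString());
    }

    // Fallback: keep only the last path segment, then confirm the canonical
    // path still resolves inside cacheDir before anything is written.
    static File sanitizedTarget(File cacheDir, String untrustedName) throws IOException {
        String name = new File(untrustedName.replace('\\', '/')).getName();
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            throw new IOException("rejected file name");
        }
        File target = new File(cacheDir, name);
        String base = cacheDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(base)) {
            throw new IOException("path escapes target directory");
        }
        return target; // may still match an existing file in cacheDir
    }

    public static void main(String[] args) throws IOException {
        // Assumption: a temp directory stands in for the app's cache directory.
        File cacheDir = Files.createTempDirectory("incoming").toFile();
        // Constructed sample names, as a sending app might report them.
        String[] names = {"report.pdf", "../shared_prefs/settings.xml",
                          "..", "a/b/../../../lib/libx.so"};
        for (String n : names) {
            try {
                System.out.println(n + " -> " + sanitizedTarget(cacheDir, n).getName());
            } catch (IOException e) {
                System.out.println(n + " -> " + e.getMessage());
            }
        }
        System.out.println("unique -> " + uniqueTarget(cacheDir).getName());
    }
}
```

A sanitized name can still match a file that already exists in the target directory, which is why the unique-name approach is listed first.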
Xiaomi and WPS Office worked with Microsoft to address the vulnerabilities in their applications.
Google updated its app security guidelines to prevent similar implementation errors.