Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Android Fragment Injection vulnerability
From: Roee Hay <roeeh () il ibm com>
Date: Tue, 10 Dec 2013 23:48:53 +0200


We have recently disclosed a new vulnerability to the Android Security
Team. The vulnerability affected many apps, including Settings (the
one that is found on every Android device), Gmail, Google Now, Dropbox
and Evernote. To be more accurate, any App which extended the
PreferenceActivity class using an exported activity was automatically
vulnerable. A patch has been provided in Android KitKat. If you
wondered why your code is now broken, it is due to the Android KitKat
patch which requires applications to override the new method,
PreferenceActivity.isValidFragment, which has been added to the
Android Framework.

Important links:
1. Blog post: http://ibm.co/1bAA8kF
2. Whitepaper: http://ibm.co/IDm2Es

Roee Hay
IBM Application Security Team Lead

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Android Fragment Injection vulnerability Roee Hay (Dec 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]