1. False Positive(6)
| Service Helper | Service Api |
|---|---|
| android.security.KeyStore | <android.security.IKeystoreService: int getState(int)> |
| <android.security.IKeystoreService: int lock(int)> | |
| <android.security.IKeystoreService: int isEmpty(int)> | |
| android.content.pm.IPackageManager | <com.android.server.pm.PackageManagerService: android.content.pm.InstrumentationInfo getInstrumentationInfo(android.content.ComponentName,int)> |
| <com.android.server.pm.PackageManagerService: boolean performDexOptIfNeeded(java.lang.String,java.lang.String)> | |
| android.content.RestrictionsManager | <com.android.server.restrictions.RestrictionsManagerService$RestrictionsManagerImpl: android.os.Bundle getApplicationRestrictions(java.lang.String)> |
2. True Positive which cause to privilege escalation or DoS(17)
| Service Helper | Service Api |
|---|---|
| android.print.PrintManager | <com.android.server.print.PrintManagerService$PrintManagerImpl: android.os.Bundle print(java.lang.String,android.print.IPrintDocumentAdapter,android.print.PrintAttributes,java.lang.String,int,int)> |
| android.bluetooth.BluetoothHealth | <android.bluetooth.IBluetoothHealth: boolean registerAppConfiguration(android.bluetooth.BluetoothHealthAppConfiguration,android.bluetooth.IBluetoothHealthCallback)> |
| android.media.AudioManager | <com.android.server.audio.AudioService: void setStreamVolume(int,int,int,java.lang.String)> |
| <com.android.server.audio.AudioService: void setRingerModeExternal(int,java.lang.String)> | |
| <com.android.server.audio.AudioService: void adjustStreamVolume(int,int,int,java.lang.String)> | |
| <com.android.server.audio.AudioService: void setWiredDeviceConnectionState(int,int,java.lang.String,java.lang.String,java.lang.String)> | |
| <com.android.server.audio.AudioService: void setMode(int,android.os.IBinder,java.lang.String)> | |
| <com.android.server.audio.AudioService: boolean isValidRingerMode(int)> | |
| <com.android.server.audio.AudioService: int requestAudioFocus(android.media.AudioAttributes,int,android.os.IBinder,android.media.IAudioFocus Dispatcher,java.lang.String,java.lang.String,int,android.media.audiopolicy.IAudioPolicyCallback)> | |
| android.widget.Toast | <android.app.INotificationManager: void enqueueToast(java.lang.String,android.app.ITransientNotification,int)> |
| android.media.session.MediaController | <android.media.session.ISessionController: void adjustVolume(int,int,java.lang.String)> |
| <android.media.session.ISessionController: void setVolumeTo(int,int,java.lang.String)> | |
| android.hardware.fingerprint.FingerprintManager | <com.android.server.fingerprint.FingerprintService$FingerprintServiceWrapper: boolean hasEnrolledFingerprints(int,java.lang.String)> |
| <com.android.server.fingerprint.FingerprintService$FingerprintServiceWrapper: java.util.List getEnrolledFingerprints(int,java.lang.String)> | |
| <com.android.server.fingerprint.FingerprintService$FingerprintServiceWrapper: long getAuthenticatorId(java.lang.String)> | |
| <com.android.server.fingerprint.FingerprintService$FingerprintServiceWrapper: void cancelAuthentication(android.os.IBinder,java.lang.String)> | |
| <com.android.server.fingerprint.FingerprintService$FingerprintServiceWrapper: boolean isHardwareDetected(long,java.lang.String)> |
3. True Positive which not cause to serious security problems(36)
| Service Helper | Service Api |
|---|---|
| android.app.AppOpsManager | <com.android.server.AppOpsService: int noteOperation(int,int,java.lang.String)> |
| <com.android.server.AppOpsService: void finishOperation(android.os.IBinder,int,int,java.lang.String)> | |
| <com.android.server.AppOpsService: int noteProxyOperation(int,java.lang.String,int,java.lang.String)> | |
| <com.android.server.AppOpsService: int startOperation(android.os.IBinder,int,int,java.lang.String)> | |
| android.app.backup.BackupManager | <android.app.backup.IBackupManager: android.app.backup.IRestoreSession beginRestoreSession(java.lang.String,java.lang.String)> |
| android.app.WallpaperManager | <com.android.server.wallpaper.WallpaperManagerService: boolean isWallpaperSupported(java.lang.String)> |
| android.view.inputmethod.InputMethodManager | <com.android.server.InputMethodManagerService: com.android.internal.view.InputBindResult startInput(com.android.internal.view.IInputMethodClient,com.android.internal.view.IInputContext,android.view.inputmethod.EditorInfo,int)> |
| <com.android.server.InputMethodManagerService: boolean hideSoftInput(com.android.internal.view.IInputMethodClient,int,android.os.ResultReceiver)> | |
| <com.android.server.InputMethodManagerService: com.android.internal.view.InputBindResult windowGainedFocus(com.android.internal.view.IInputMethodClient,android.os.IBinder,int,int,int,android.view.inputmethod.EditorInfo,com.android.internal.view.IInputContext)> | |
| android.app.admin.DevicePolicyManager | <android.app.admin.IDevicePolicyManager: int getCurrentFailedPasswordAttempts(int)> |
| <android.app.admin.IDevicePolicyManager: boolean getCameraDisabled(android.content.ComponentName,int)> | |
| <android.app.admin.IDevicePolicyManager: boolean getScreenCaptureDisabled(android.content.ComponentName,int)> | |
| <android.app.admin.IDevicePolicyManager: android.content.ComponentName getProfileOwner(int)> | |
| android.content.ClipboardManager | <com.android.server.clipboard.ClipboardService: void setPrimaryClip(android.content.ClipData,java.lang.String)> |
| android.app.AlarmManager | <com.android.server.AlarmManagerService$2: android.app.AlarmManager$AlarmClockInfo getNextAlarmClock(int)> |
| android.content.pm.IPackageManager | <android.content.pm.IPackageManager: java.lang.String[] getPackagesForUid(int)> |
| android.net.wifi.WifiManager | <com.android.server.wifi.WifiServiceImpl: java.util.List getBatchedScanResults(java.lang.String)> |
| android.hardware.display.DisplayManagerGlobal | <com.android.server.display.DisplayManagerService$BinderService: int createVirtualDisplay(android.hardware.display.IVirtualDisplayCallback,android.media.projection.IMediaProjection,java.lang.String,java.lang.String,int,int,int,android.view.Surface,int)> |
| <com.android.server.display.DisplayManagerService$BinderService: android.view.DisplayInfo getDisplayInfo(int)> | |
| android.media.MediaRouter | <com.android.server.media.MediaRouterService: void setSelectedRoute(android.media.IMediaRouterClient,java.lang.String,boolean)> |
| <com.android.server.media.MediaRouterService: android.media.MediaRouterClientState getState(android.media.IMediaRouterClient)> | |
| <com.android.server.media.MediaRouterService: void setDiscoveryRequest(android.media.IMediaRouterClient,int,boolean)> | |
| <com.android.server.audio.AudioService: int getStreamVolume(int)> | |
| <com.android.server.audio.AudioService: int getStreamMaxVolume(int)> | |
| android.location.LocationManager | <com.android.server.LocationManagerService: void removeUpdates(android.location.ILocationListener,android.app.PendingIntent,java.lang.String)> |
| android.widget.Toast | <android.app.INotificationManager: void cancelToast(java.lang.String,android.app.ITransientNotification) |
| android.nfc.cardemulation.CardEmulation | <android.nfc.INfcCardEmulation: boolean registerAidGroupForService(int,android.content.ComponentName,android.nfc.cardemulation.AidGroup)> |
| <android.nfc.INfcCardEmulation: boolean setDefaultForNextTap(int,android.content.ComponentName)> | |
| <android.nfc.INfcCardEmulation: android.nfc.cardemulation.AidGroup getAidGroupForService(int,android.content.ComponentName,java.lang.String)> | |
| <android.nfc.INfcCardEmulation: boolean removeAidGroupForService(int,android.content.ComponentName,java.lang.String)> | |
| <android.nfc.INfcCardEmulation: java.util.List getServices(int,java.lang.String)> | |
| <android.nfc.INfcCardEmulation: boolean isDefaultServiceForCategory(int,android.content.ComponentName,java.lang.String)>" | |
| android.app.VoiceInteractor | <com.android.internal.app.IVoiceInteractor: boolean[] supportsCommands(java.lang.String,java.lang.String[])> |
| android.app.usage.UsageStatsManager | <com.android.server.usage.UsageStatsService$BinderService: boolean isAppInactive(java.lang.String,int)> |
| android.nfc.NfcAdapter | <android.nfc.INfcAdapter: android.nfc.INfcAdapterExtras getNfcAdapterExtrasInterface(java.lang.String)> |
1. False Positive(1)
| Service Helper | Service Api |
|---|---|
| android.app.AppOpsManager | <com.android.server.AppOpsService: android.os.IBinder getToken(android.os.IBinder)> |
2. True Positive(9)
| Service Helper | Service Api |
|---|---|
| android.app.WallpaperManager | <com.android.server.wallpaper.WallpaperManagerService: android.os.ParcelFileDescriptor getWallpaper(android.app.IWallpaperManagerCallback,android.os.Bundle)> |
| android.hardware.display.DisplayManagerGlobal | <com.android.server.display.DisplayManagerService$BinderService: void releaseVirtualDisplay(android.hardware.display.IVirtualDisplayCallback)> |
| android.view.inputmethod.InputMethodManager | <android.inputmethodservice.IInputMethodSessionWrapper: void displayCompletions(android.view.inputmethod.CompletionInfo[])> |
| android.media.MediaRouter | <com.android.server.media.MediaRouterService: void unregisterClient(android.media.IMediaRouterClient)> |
| <com.android.server.media.MediaRouterService: android.media.MediaRouterClientState getState(android.media.IMediaRouterClient)> | |
| <com.android.server.audio.AudioService: void setBluetoothA2dpOn(boolean)> | |
| <com.android.server.audio.AudioService: android.media.AudioRoutesInfo startWatchingRoutes(android.media.IAudioRoutesObserver)> | |
| android.service.wallpaper.WallpaperService$Engine | <android.view.IWindowSession: void finishDrawing(android.view.IWindow)> |
| <android.service.wallpaper.IWallpaperConnection: void engineShown(android.service.wallpaper.IWallpaperEngine)> |
1. True Positive(13)
| Service Helper | Service Api |
|---|---|
| android.view.accessibility.AccessibilityManager | <com.android.server.accessibility.AccessibilityManagerService: void interrupt(int)> |
| <com.android.server.accessibility.AccessibilityManagerService: boolean sendAccessibilityEvent(android.view.accessibility.AccessibilityEvent,int)> | |
| android.app.IUiAutomationConnection | <android.app.IUiAutomationConnection: void disconnect()> |
| android.media.tv.TvInputManager$Session | <android.media.tv.ITvInputManager: void createOverlayView(android.os.IBinder,android.os.IBinder,android.graphics.Rect,int)> |
| android.nfc.Tag | <android.nfc.INfcTag: android.nfc.Tag rediscover(int)> |
| android.hardware.camera2.impl.CameraDeviceImpl | <android.hardware.camera2.ICameraDeviceUser: int waitUntilIdle()> |
| android.service.voice.VoiceInteractionSession | <com.android.server.voiceinteraction.VoiceInteractionManagerService$VoiceInteractionManagerServiceStub: boolean showSessionFromSession(android.os.IBinder,android.os.Bundle,int)> |
| <com.android.internal.app.IVoiceInteractionManagerService: void finish(android.os.IBinder)> | |
| <com.android.internal.app.IVoiceInteractionManagerService: boolean hideSessionFromSession(android.os.IBinder)> | |
| android.view.WindowId | <android.view.IWindowId: void registerFocusObserver(android.view.IWindowFocusObserver)> |
| <android.view.IWindowId: void unregisterFocusObserver(android.view.IWindowFocusObserver)> | |
| android.nfc.NfcAdapter | <android.nfc.INfcAdapter: void setForegroundDispatch(android.app.PendingIntent,android.content.IntentFilter[],android.nfc.TechListParcel)> |
| android.service.trust.TrustAgentService | <android.service.trust.ITrustAgentServiceCallback: void grantTrust(java.lang.CharSequence,long,int)> |
2. False Positive(6)
| Service Helper | Service Api |
|---|---|
| android.service.voice.VoiceInteractionService | com.android.server.voiceinteraction.VoiceInteractionManagerService$VoiceInteractionManagerServiceStub: void showSession(android.service.voice.IVoiceInteractionService,android.os.Bundle,int)> |
| android.hardware.camera2.impl.CameraDeviceImpl | <android.hardware.camera2.ICameraDeviceUser: int endConfigure(boolean)> |
| <android.hardware.camera2.ICameraDeviceUser: int createInputStream(int,int,int)> | |
| <android.hardware.camera2.ICameraDeviceUser: int createStream(android.hardware.camera2.params.OutputConfiguration)> | |
| android.net.wifi.RttManager | <com.android.server.wifi.RttService$RttServiceImpl: android.net.wifi.RttManager$RttCapabilities getRttCapabilities()> |
| android.bluetooth.BluetoothGatt | android.bluetooth.IBluetooth: java.lang.String getAddress()> |
Illegal parameters and IPC flooding can be verified via automatically analysis. Some of these APIs can cause to app crash or system carsh and some may throw exception and captured by the Parcel.
The results and poc apps are shown in: