source link: https://blog.esper.io/android-system-app-downgrade-vulnerability-fix/
Android update fixes vulnerability that let system apps be downgraded beyond factory version
There are several valid reasons to downgrade or rollback an update to an Android app, but the OS doesn’t provide a way to do so without using developer tools. Downgrading an app can cause problems if the app’s data isn’t cleared, but bugs and stability issues aren’t the only problems to consider. Rolling back an update can expose the device to security vulnerabilities that exist in older versions of the software. That’s why Android now no longer lets users downgrade system apps beyond the factory installed version.
Devices that have applied the latest Android security patches, detailed in the May 2023 Android Security Bulletin, are now protected against CVE-2023-21116, an escalation-of-privilege (EoP) vulnerability that made it possible to roll back a system app below the version shipped in the system image. A patch is available for AOSP versions 11-13; it fixes a logic error in the verifyReplacingVersionCode method of the InstallPackageHelper class. For testing purposes, Android still allows downgrading a system app beyond the factory version if the build or the app is marked debuggable; otherwise the install is rejected with the INSTALL_FAILED_VERSION_DOWNGRADE error.
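The version check described above, reduced to a small model that is added here for illustration and is not AOSP code or code from the Esper article. The `PackageState` fields, the `allow_downgrade` and `build_debuggable` parameters, and the `patched=False` branch that reproduces the pre-fix behaviour (the floor being only the currently installed version, so a rollback could pass below the system image copy) are assumptions made for this model.

```python
"""Simplified model of the system-app downgrade floor fixed by CVE-2023-21116.
Added illustration only; constants are named as in Android but the logic is
a model of the rule the article describes, not the real InstallPackageHelper.
"""
from dataclasses import dataclass
from typing import Optional

INSTALL_SUCCEEDED = "INSTALL_SUCCEEDED"
INSTALL_FAILED_VERSION_DOWNGRADE = "INSTALL_FAILED_VERSION_DOWNGRADE"


@dataclass
class PackageState:
    name: str
    installed_version_code: int                # version currently active (updates live in /data)
    system_image_version_code: Optional[int]   # factory copy in the system image; None = user app
    app_debuggable: bool = False               # assumption: models android:debuggable in the manifest


def verify_replacing_version_code(pkg: PackageState, new_version_code: int,
                                  allow_downgrade: bool, build_debuggable: bool,
                                  patched: bool = True) -> str:
    """Decide whether replacing pkg with new_version_code is allowed.

    allow_downgrade models an explicit downgrade request from a shell/ADB
    caller; build_debuggable models a debuggable (userdebug/eng) build.
    With patched=False the factory version is not treated as a floor, which
    is the pre-fix behaviour the article describes.
    """
    if new_version_code >= pkg.installed_version_code:
        return INSTALL_SUCCEEDED                     # upgrade or reinstall, never a downgrade
    if not allow_downgrade:
        return INSTALL_FAILED_VERSION_DOWNGRADE      # ordinary installs cannot go backwards at all

    is_system_app = pkg.system_image_version_code is not None
    if patched and is_system_app and new_version_code < pkg.system_image_version_code:
        # Fixed rule: a system app may be rolled back to its factory version, but not
        # below it, unless the build or the app itself is marked debuggable.
        if not (build_debuggable or pkg.app_debuggable):
            return INSTALL_FAILED_VERSION_DOWNGRADE
    return INSTALL_SUCCEEDED


if __name__ == "__main__":
    # Constructed sample: a preinstalled app at factory version 20, updated to 30.
    tts = PackageState("com.example.tts", installed_version_code=30, system_image_version_code=20)
    for target, flag, bug in [(25, True, False), (10, True, False), (10, True, True)]:
        print(target, "patched" if not bug else "pre-fix",
              verify_replacing_version_code(tts, target, flag, False, patched=not bug))
```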
Since this vulnerability can only be readily exploited by an attacker with ADB or shell privileges, it is understandable that it carries a severity rating of only “moderate.” Ordinary, user-installed apps or attackers without physical access to the device can’t pass the flag needed to initiate an app downgrade, so the existence of this vulnerability should not concern most users and admins who have yet to, or cannot, update their devices to the May 2023 security patch level (2023-05-0X). Still, it is worth applying the update as soon as it is made available, as older versions of system apps may have vulnerabilities that can be chained into escalating privileges or exfiltrating sensitive data.
For example, a vulnerability in older versions of the Samsung TTS app can be exploited to escalate the privileges of a regular app to the system level. This vulnerability, assigned CVE-2019-16253, was identified and fixed in 2019 but could still be exploited by downgrading the app to a vulnerable version. Samsung devices with the May 2023 SPL should be fully protected against this vulnerability, as the version of the Samsung TTS app that’s preinstalled in the system image isn’t vulnerable to CVE-2019-16253 and Android won’t allow users to downgrade to a version that is vulnerable.