Google Android LaunchAnywhere Vulnerability in TvSettings AppRestrictionsFragment
Vulnerability
A time-of-check to time-of-use (TOCTOU) race condition has been identified in the TvSettings application, in AppRestrictionsFragment.java. It allows the unauthorized launch of attacker-supplied activities in the context of the Settings application, which runs with system-level privileges. The state of the target component can be manipulated between the initial intent verification and the intent's subsequent use, which circumvents the intended security check. This vulnerability affects all Android versions, including the latest release at the time of writing.
Impact
Exploitation of this vulnerability reinstates the LaunchAnywhere privilege escalation issue, previously addressed by Google. It allows unprivileged applications to invoke protected activities, bypassing security measures and potentially leading to unauthorized actions or access within the system.
Reproduction
The vulnerability can be reproduced by creating an application that sends an intent to launch a protected activity, while simultaneously manipulating the state of the target component to bypass security checks. This can be done by exploiting the timing of the intent verification process, taking advantage of the window between the check and the execution to introduce malicious modifications.
Remediation
Users are advised to update to the latest version of the TvSettings application, where this vulnerability has been patched.
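The check-to-use window described under Vulnerability, shown as a check-then-launch pattern beside a form that pins the component that was checked. This is an added example, not code from TvSettings or AOSP; the class name, method names and the expectedPackage parameter are assumptions made for illustration.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;

/** Hypothetical helper for illustration; not code from TvSettings. */
final class RestrictionsIntentGuard {
    private RestrictionsIntentGuard() {}

    /** Resolves the untrusted intent once and checks the owning package. */
    private static ActivityInfo resolveChecked(PackageManager pm, Intent untrusted,
                                               String expectedPackage) {
        ResolveInfo ri = pm.resolveActivity(untrusted, 0);
        if (ri == null || ri.activityInfo == null) {
            throw new SecurityException("Intent does not resolve to an activity");
        }
        if (!expectedPackage.equals(ri.activityInfo.packageName)) {
            throw new SecurityException("Resolved activity is outside " + expectedPackage);
        }
        return ri.activityInfo;
    }

    /** Check-then-use: the checked result is discarded before the launch. */
    static void launchUnpinned(Context ctx, Intent untrusted, String expectedPackage) {
        resolveChecked(ctx.getPackageManager(), untrusted, expectedPackage);
        // startActivity() resolves the same intent again in the system server.
        // If component state changed since the check, it may pick another target.
        ctx.startActivity(untrusted);
    }

    /** Hardened: launch exactly the component that passed the check. */
    static void launchPinned(Context ctx, Intent untrusted, String expectedPackage) {
        ActivityInfo checked =
                resolveChecked(ctx.getPackageManager(), untrusted, expectedPackage);
        // Copy so later changes to the caller's object cannot affect the launch.
        Intent pinned = new Intent(untrusted);
        // An explicit component removes the second resolution step: if the
        // component is disabled by now, the launch fails with
        // ActivityNotFoundException rather than resolving elsewhere.
        pinned.setComponent(new ComponentName(checked.packageName, checked.name));
        ctx.startActivity(pinned);
    }
}
```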
