Freedom Factory dGEN1 Improper Authorization Vulnerability in ethOS Launcher
Vulnerability
A broken authorization vulnerability exists in the Freedom Factory dGEN1 phone, specifically within the Android launcher application 'org.ethosmobile.ethoslauncher'. The issue lies in an exported ContentProvider called 'FakeAppProvider', which decides whether a caller is trusted based on data supplied by the caller itself in 'ContentValues' rather than on the caller's actual identity. Because that data is under the caller's control, any local application can impersonate the legitimate dGEN App Directory and manipulate launcher entries. Consequently, unauthorized apps can enumerate, add, modify, or delete 'FakeApp' icons, potentially leading to phishing and user deception.
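The following is an added illustration, not code from the ethOS launcher: it contrasts the vulnerable pattern (trusting a caller-supplied field) with a caller check derived from the Binder transaction. The column name 'caller_package', the class name and the assumption that the launcher and App Directory share a signing key are hypothetical.

```java
// Added example, not the launcher's own code. Shows why identity taken from
// ContentValues is worthless and how a ContentProvider should check its caller.
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;
import java.util.Arrays;

public abstract class TrustedCallerProvider extends ContentProvider {
    // Package allowed to manage launcher entries (name taken from the advisory).
    private static final String TRUSTED_PKG = "org.ethereumphone.dappstoreapp";

    // VULNERABLE PATTERN (illustrative): any caller can put any string into
    // ContentValues, so this proves nothing about who is actually calling.
    static boolean callerClaimsTrusted(ContentValues values) {
        String claimed = values.getAsString("caller_package"); // assumed column name
        return TRUSTED_PKG.equals(claimed);
    }

    // HARDENED: the calling UID is attached to the Binder transaction by the
    // kernel and cannot be chosen by the caller. Resolve it to package names,
    // then bind the name to a signer so a sideloaded app that reuses the
    // package name under a different key is still rejected.
    boolean callerIsTrusted() {
        int uid = Binder.getCallingUid();
        PackageManager pm = getContext().getPackageManager();
        String[] pkgs = pm.getPackagesForUid(uid);
        if (pkgs == null || !Arrays.asList(pkgs).contains(TRUSTED_PKG)) return false;
        // Assumes launcher and App Directory share a signing key; otherwise
        // compare the caller's signing certificate digest against a pinned value.
        return pm.checkSignatures(uid, Process.myUid()) == PackageManager.SIGNATURE_MATCH;
    }

    private void requireTrustedCaller() {
        if (!callerIsTrusted()) {
            throw new SecurityException("untrusted caller uid " + Binder.getCallingUid());
        }
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        requireTrustedCaller(); // gate every mutating and enumerating entry point
        return doInsert(uri, values);
    }

    @Override
    public int delete(Uri uri, String where, String[] args) {
        requireTrustedCaller();
        return doDelete(uri, where, args);
    }

    protected abstract Uri doInsert(Uri uri, ContentValues values);
    protected abstract int doDelete(Uri uri, String where, String[] args);
}
```

The same guard belongs on query() and update(); in addition, declaring a signature-level permission on the provider in the manifest keeps unrelated apps from reaching it at all.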
Impact
Exploitation of this vulnerability allows a local application to manipulate 'FakeApp' entries in the launcher, including enumerating, adding, modifying, or deleting entries. This could result in replacing trusted decentralized application links with attacker-controlled URLs, causing user deception and potential phishing.
Reproduction
The vulnerability can be reproduced by sending requests to the 'FakeAppProvider' ContentProvider while spoofing the calling package to 'org.ethereumphone.dappstoreapp'. This can be done using 'adb' commands to query, update, insert, or delete 'FakeApp' entries. No special permissions are required beyond standard application capabilities.