oCERT-2009-011 Android improper camera and audio permission verification


Android, an open source mobile phone platform, improperly checks permissions when applications access the camera and audio resources.

The permissions are Manifest.permission.CAMERA and Manifest.permission.AUDIO_RECORD respectively.

Normally an Android application is allowed to access the camera and audio resources only if the user explicitly allows the application to do so. However, if the user installs an application that does not request these permissions, the application is implicitly allowed to use the device camera and/or microphone.

Affected version:

All Android 1.5 CRBxx versions (where xx are digits)

Fixed version:

Android 1.5 CDBxx, CRCxx and COCxx (where xx are digits)

Credit: Chris Palmer, iSEC Partners, under contract with Google.

CVE: CVE-2009-2348


2009-07-06: Android Security Team requested assistance from oCERT
2009-07-07: assigned CVE
2009-07-07: Android requests embargo period
2009-07-16: advisory release