report elevated privileges: installer, accessibility, VPN, and input method (!82) · Merge requests · F-Droid / issuebot

Hans-Christoph Steiner requested to merge eighthave/issuebot:report-elevated-privs into master Apr 01, 2024

There are four key types of elevated privileges: installer, accessibility, VPN, and input method. @IzzySoft mapped out some new methods for checking them in https://www.kuketz-blog.de/android-apps-auf-dem-seziertisch-eine-vertiefte-betrachtung/ and IzzyOnDroid/repo#475 (closed) I expanded on that.

The installer permissions can be used to do things like self-update and include non-free software. So when they are present, their usage should be reviewed by a human. The list here was generated by all perms with "INSTALL" in the name or with protectionLevel "installer".

The list of permissions was generated by this python snippet:

import requests
r = requests.get('https://gitlab.com/fdroid/fdroid-website/-/raw/master/_data/android_permissions.json')
r.raise_for_status()
for k, v in r.json().items():
    if 'INSTALL' in k or 'installer' in v.get('protectionLevel', ''):
        print("    r'%s'," % k)

@jugendhacker @linsui @licaon-kter

The results look like:

Scan APK

com.example_1.apk

`cleartextTrafficPermitted`
`<base-config cleartextTrafficPermitted="true" />`	🚩 privacy leak
`intent-filters`
`android.accessibilityservice.AccessibilityService`	🚩 privacy leak

Edited Apr 01, 2024 by Hans-Christoph Steiner

report elevated privileges: installer, accessibility, VPN, and input method

Scan APK

Merge request reports