Google Camera and Samsung Camera apps exposed camera and video intents to third-party apps
When compared to iOS, Android provides applications a lot of ways to interact with each other, enabling developers to build some of the more common Android features we have come to expect and love. This is made possible thanks to Android’s Intent system, which allows any app to send any intent it wants, and allows receiver apps to handle these intents in creative manners. But as it turns out, the Google Camera app and the Samsung Camera app have left their camera and video intents exposed to third-party apps, which leaves the door open for potential misuse by bypassing critical permissions, as demonstrated by the security researchers at Checkmarx.
Intents on Android are described as “messaging objects that facilitate communication between app components“, which in simpler terms means that Intent allows apps to send data to each other. For example, when you attempt to share a file from within a file manager to an app like WhatsApp, you are sending an intent to WhatsApp with the files as the data. Any app can send any intent it wants, and it is up to the receiving app to decide which intents it wants to listen for, by defining the same in its Manifest file. The receiving app also decides how to react to those intents. Further, the receiving app can also ensure that actions are performed only when an intent is sent from specific whitelisted apps (explicit intents) or from apps that hold certain permissions (protected intents). As it turns out, unprotected intents in the aforementioned camera apps can be exploited by bad actors.
Checkmarx found that the Google Camera app and the Samsung Camera app had unprotected intents to trigger actions like taking a photo and recording a video. An unprotected intent in this context means that the receiving app is not checking if the app sending the intent has the requisite permission to undertake the action itself — android.permission.CAMERA in this case. The camera activity, com.google.android.GoogleCamera/com.android.camera.CameraActivity, was also an exported activity, meaning that other apps could call for it. The unprotected intent and the exported activity thus lead to a permission bypass vulnerability.
A malicious app could thus be constructed which would not have the CAMERA permission, yet would still be able to operate certain camera functions by routing them through these camera apps and taking advantage of their unprotected intents and exported activity.
As a proof-of-concept, Checkmarx created a dummy weather application that did not have the CAMERA permission, but it did come with a single STORAGE permission, one that did not appear out of order for a weather app. Without the camera permission, the weather app was able to trigger Google Camera and Samsung Camera to take photos and record videos. The STORAGE permission comes into play in accessing this and as well as all other photos and videos saved at /DCIM — it isn’t needed for the actions of clicking photos and recording videos.
In a worst-case scenario, this vulnerability can be exploited to do things like record the user’s video during a call, scrape location information from GPS metadata of photos if the location tagging is enabled in the camera app (and effectively get the phone’s current location), and more.
Granted, the UI does indicate that the camera is being accessed, but this can also be worked around by making use of the proximity sensor to gauge when the phone’s display is switched off, and thus, escape the user’s attention. A malicious app could also mute the volume of the phone and effectively silence the device when it is taking a photo or recording a video.
Checkmarx claims that the vulnerability, labeled CVE-2019-2234, also exists in camera apps from other smartphone vendors. But the researchers did not name which vendors and devices were affected, outside of Google and Samsung’s. If other Camera apps have exported activities to start photo capture and video recording, and have unprotected intents that do not check for the permission available to the calling app, they are also affected.
Since this is not a vulnerability within the Android platform or the Linux kernel, it cannot be included and rolled out as a part of the Android Security Bulletin. The vulnerability was fixed in the Google Camera app through an app update in July 2019, and the same has also been fixed in the Samsung Camera app, though there is no specific information on when this update was rolled out.
On unpatched versions of Google Camera, you can force a video to be taken through this vulnerability by running the following ADB command:
adb shell am start-activity -n com.google.android.GoogleCamera/com.android.camera.CameraActivity --ez extra_turn_screen_on true -a android.media.action.VIDEO_CAMERA --ez android.intent.extra.USE_FRONT_CAMERA true
If you use Google Camera or Samsung Camera, ensure that you update to the latest camera app version on your device, rolled out through the Play Store, or through an OTA, as the case may be.