CVE-2021-35079 Incorrect permissions for third-party application access can lead to information disclosure in Snapdragon Compute, Connectivity, and IOT.

and other applications where permissions are required to access data from the Telephony service.

This issue can be triggered by third-party applications that use the Telephony service API, or by an application that does not validate the permissions required when accessing the Telephony service API.

In some cases, information disclosure, whether in a third-party application or in an application that does not validate the permissions required when accessing the Telephony service API, can be exploited by attackers to exfiltrate data from the device or to perform identity theft, as well as to obtain sensitive information such as unencrypted SMS, the call list, the contacts list, or location.
To discover whether your application is vulnerable to information disclosure via the Telephony service API, check whether the following information is exposed to the device outside the application. Information that is usually exposed via the Telephony service API:

Information that is usually not exposed via the Telephony service API:

Detecting if your application is vulnerable to information disclosure via the Telephony service API

To detect whether your application is vulnerable to information disclosure via the Telephony service API, use the following steps:

Step 1: Check if the Telephony service is accessible
Determine whether your application uses the Telephony service API by checking for the "Telephony" permission in AndroidManifest.xml. If your application uses the Telephony service API, check whether the following information is exposed to the device outside of your application.

Step 2: Check if any permissions are required
If any permissions are required when accessing the Telephony service API, check whether the following information is exposed to the device outside of your application.

Step 3: Validate whether permission requests are valid
If permission requests are not valid, ensure that they do not leak sensitive information.
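The three steps above can be partly automated with a manifest audit. The following script is an added example, not part of the original advisory or of any Qualcomm or Android project code. It parses an AndroidManifest.xml, lists the telephony-related dangerous permissions the app requests (the set `TELEPHONY_PERMISSIONS` is an assumption chosen to match the data the advisory names: phone state, SMS, call log, contacts, location), and then flags exported components that carry no `android:permission` attribute, since such a component can hand telephony-derived data to any other app on the device. The sample manifest is constructed for the example; the component names in it are fictitious.

```python
"""Audit an AndroidManifest.xml for telephony permissions and unprotected exports.

Added example: not code from the advisory or from any vendor. Assumes the
permission set below is the one worth flagging; extend it for your app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree attribute prefix for the android: namespace

# Assumed set: permissions that gate the data the advisory lists as sensitive.
TELEPHONY_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Component kinds that other apps can reach when exported.
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _is_exported(tag, comp):
    """Return True if the component is reachable from other apps.

    Activities, services and receivers are implicitly exported when they
    declare an intent-filter and no explicit android:exported. Providers are
    only counted here when android:exported="true" is explicit, because their
    implicit default depends on targetSdkVersion.
    """
    exported = comp.get(A + "exported")
    if exported == "true":
        return True
    if exported == "false" or tag == "provider":
        return False
    return comp.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return the telephony permissions requested and exported components
    that lack an android:permission guard."""
    root = ET.fromstring(xml_text)
    requested = sorted(
        p.get(A + "name")
        for p in root.iter("uses-permission")
        if p.get(A + "name") in TELEPHONY_PERMISSIONS
    )
    unprotected = []
    app = root.find("application")
    if app is not None:
        for tag in COMPONENT_TAGS:
            for comp in app.iter(tag):
                if _is_exported(tag, comp) and comp.get(A + "permission") is None:
                    unprotected.append((tag, comp.get(A + "name")))
    return {
        "telephony_permissions": requested,
        "unprotected_exported": unprotected,
    }


# Constructed sample manifest for the example; names are fictitious.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.telephonyapp">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <!-- Exported with no permission guard: flagged -->
    <service android:name=".SmsExportService" android:exported="true"/>
    <!-- Exported but guarded by a custom permission: not flagged -->
    <provider android:name=".CallLogProvider"
              android:authorities="com.example.calls"
              android:exported="true"
              android:permission="com.example.permission.READ_CALLS"/>
    <!-- Implicitly exported via intent-filter, no guard: flagged -->
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("Telephony permissions requested:", report["telephony_permissions"])
    for tag, name in report["unprotected_exported"]:
        print("Exported %s without android:permission: %s" % (tag, name))
```

A component appearing in `unprotected_exported` is not automatically a vulnerability; it is the place to apply Step 2 and Step 3 by hand and confirm that whatever the component returns does not include telephony data, or add an `android:permission` guard.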

Check if your application is vulnerable to information disclosure via the Telephony service API

If you want to find out whether your application is vulnerable to information disclosure via the Telephony service API, you can use a vulnerability assessment tool such as Tenable.
If your application is vulnerable to information disclosure via the Telephony service API, it is very important that you update your application to protect users' information and their devices from attackers.
In some cases, an update may include:
- hardening the application's security
- adding a permission system in place for accessing the Telephony service API
- implementing a sandboxing system in place for access to sensitive data
- adding analytics on user usage of the app

Timeline

Published on: 06/14/2022 10:15:00 UTC
Last modified on: 06/22/2022 20:02:00 UTC