CVE-2024-0021 - How a NotificationAccess Bug in Android Could Let Work Apps Enable Notification Listeners

Android's multi-user support and Work Profile are must-haves for anyone who needs to separate personal and work life on the same device. But what happens when a bit of code lets apps overstep their boundaries? That’s exactly what CVE-2024-0021 is about—a logic bug in NotificationAccessConfirmationActivity.java that gives local work profile apps a way to enable notification listener services they shouldn’t, turning the trusted Work Profile into a weak spot for local privilege escalation.

In this post, I'll break down what the bug is, what the vulnerable code looks like, how attackers can exploit it, and give you all the context you need to understand why this seemingly simple logic slip matters.

What is CVE-2024-0021?

CVE-2024-0021 is a local privilege escalation vulnerability found in AOSP's NotificationAccessConfirmationActivity.java. The bug allows an app running inside the Work Profile to enable notification listener services—something normally reserved for the device owner or personal profile. No extra permissions are needed beyond what a regular app already gets, but the exploit does require some user interaction.

Exploit Scenario

- A malicious app in the Work Profile triggers the system dialog to request notification listener access.
- Due to the logic flaw, Android fails to make sure only the device owner (personal profile) can enable this for apps.
- If the user OK’s the dialog (thinking it's legit), the work profile app is given access it shouldn’t have.
- With this access, the malicious app can read and interact with all device notifications—major privacy trouble!

Anatomy of the Vulnerable Code

Let’s zoom in on the flawed code. Here’s what a relevant chunk from NotificationAccessConfirmationActivity.java might look like:

// Simplified, illustrative example
public class NotificationAccessConfirmationActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        String packageName = getIntent().getStringExtra("package_name");
        UserHandle user = getIntent().getParcelableExtra("user_handle");

        // Logic error: fails to check if user is in Work Profile
        if (packageName != null) {
            // Starts the notification listener enable process
            enableNotificationListener(packageName, user);
        }
    }

    private void enableNotificationListener(String packageName, UserHandle user) {
        // Should ensure only owner user can do this, but doesn't!
        NotificationManager nm = (NotificationManager) getSystemService(Context.NOTIFICATION_SERVICE);
        nm.setNotificationListenerAccessGranted(packageName, true);  
    }
}

Here, the missing part is a check to ensure the caller/user is the device owner and not a managed (work) profile. Without that, any app—including those in Work Profile—can trigger this path and get system-wide notification access if the user approves.

Attacker Deploys a Malicious Work Profile App

- Say you install a “Work Utility” app via your company’s device manager. The attacker could sneak in a malicious version.

`

- User sees the standard system dialog/prompt.

Work App Gets Notification Access

- Thanks to CVE-2024-0021, Android grants the requested access to the app, even though this shouldn’t happen for apps in the work profile.

Done — Work App Sees All Your Notifications!

- The app can now listen to all device notifications, including DMs, emails, OTP codes, etc.—even from the personal profile.

Data Privacy: Work apps can spy on your personal and other notifications without consent.

- Bypassing Security Boundaries: The whole point of Work Profile is isolation. This bug blows a hole through that.
- Easy to Trigger: No special hacking skills needed, just an app that asks for notification listener permission.

Remediation

The fix—which is in newer AOSP versions (see Google’s AOSP commit)—adds a check to block work profile apps from getting notification listener service access.

For users:

Update your phone to the latest security patch.

- Don’t approve notification listener requests in work profile unless you’re certain it’s needed.

For devs/Admins:

AOSP Diff with Fix:

https://android.googlesource.com/platform/packages/apps/Settings/+/4d18b072d81ad9ba460123abb1ef582407da9aba

CVE-2024-0021 at NVD:

https://nvd.nist.gov/vuln/detail/CVE-2024-0021

Android Security Bulletins:

https://source.android.com/security/bulletin

Summary Table

| Aspect | Detail |
| ------------- | ----------------------------------------------------- |
| Affected File | NotificationAccessConfirmationActivity.java |
| Problem | No user profile check before granting listener access |
| Attack Vector | Work profile app, user interaction (“Allow”) |
| Impact | Work app can read all device notifications |
| Fix | Add user profile verification in the code |

Bottom Line

CVE-2024-0021 is another reminder that profile separation on devices is only as good as the code backing it. This bug, though it needed human approval, let work apps break out of their sandbox and access your world of notifications—no hacking black magic required, just a slick permission dialog. Always keep your device updated, and be skeptical of what “work” apps are asking for.

Stay safe, and happy patching! 👾

*This analysis is original and exclusive. For more in-depth technical details, check the official references above.*

Timeline

Published on: 02/16/2024 20:15:47 UTC
Last modified on: 08/28/2024 15:35:10 UTC