Protect Application Services

Details

Services are typically used for background processing. Like BroadcastReceivers and application activities, application services can be invoked by external applications and so should be protected by permissions and export flags.

Remediation

A service may expose more than one method to external callers. You can define a separate permission for each method and verify that the calling package holds it with checkPermission(). Alternatively, split the functionality into separate services and restrict access to each one through permissions declared in the AndroidManifest.

When calling a service with sensitive data, verify that you are connecting to the intended service and not to a malicious one that registered for the same action. If you know the exact name of the component you want to connect to, specify that name in the Intent used to connect. Another option is to use checkPermission() again to verify that the calling package holds the permission required to receive the desired Intent. The user grants permissions to the app during installation.

Here is an example where a custom permission is declared and required when accessing com.example.MyService.

  <permission android:name="com.example.mypermission"
      android:label="my_permission"
      android:protectionLevel="dangerous" />

  <!-- exported is stated explicitly: a component with an intent-filter must
       declare it on Android 12 (API 31) and later, and the permission above
       gates every caller that binds to or starts this service -->
  <service
      android:name="com.example.MyService"
      android:exported="true"
      android:permission="com.example.mypermission">
      <intent-filter>
          <action android:name="com.example.MY_ACTION" />
      </intent-filter>
  </service>
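The following is an added example, not code from the original page, showing the two remediations above in Java: a bound service whose Binder checks a separate permission for each transaction with checkPermission() against the calling pid/uid, and a client that binds with an explicit ComponentName instead of relying on the action string. The package name com.example, the second permission com.example.myresetpermission, the interface descriptor and the transaction codes are assumptions for the example; the client app would need a matching <uses-permission> entry for each permission it calls.

```java
package com.example;

import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

// Service side: one Binder, several transactions, each guarded by its own permission.
public class MyService extends Service {

    // Assumed permission names; each must be declared with <permission> in the manifest.
    static final String PERM_READ  = "com.example.mypermission";
    static final String PERM_RESET = "com.example.myresetpermission";

    // Assumed interface descriptor and transaction codes shared with the client.
    static final String DESCRIPTOR = "com.example.MyService";
    static final int TXN_READ_STATUS = IBinder.FIRST_CALL_TRANSACTION;
    static final int TXN_RESET       = IBinder.FIRST_CALL_TRANSACTION + 1;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Inside onTransact the Binder calling identity is the remote client,
            // so getCallingPid()/getCallingUid() identify the caller, not this app.
            data.enforceInterface(DESCRIPTOR);
            switch (code) {
                case TXN_READ_STATUS:
                    requireCallerPermission(PERM_READ);
                    reply.writeNoException();
                    reply.writeString("status: ok");
                    return true;
                case TXN_RESET:
                    requireCallerPermission(PERM_RESET);
                    // privileged state reset would go here
                    reply.writeNoException();
                    reply.writeInt(1);
                    return true;
                default:
                    return super.onTransact(code, data, reply, flags);
            }
        }
    };

    // checkPermission() against the caller's pid/uid; a SecurityException thrown here
    // is marshalled back to the client and surfaces from reply.readException().
    private void requireCallerPermission(String permission) {
        int result = checkPermission(permission, Binder.getCallingPid(), Binder.getCallingUid());
        if (result != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("caller uid " + Binder.getCallingUid()
                    + " lacks " + permission);
        }
    }

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}

// Client side: bind with an explicit component name, so a malicious service that
// merely registers the same action string can never be selected.
class MyServiceClient {
    static void bindAndReadStatus(Context ctx) {
        Intent intent = new Intent();
        intent.setComponent(new ComponentName("com.example", "com.example.MyService"));
        ctx.bindService(intent, new ServiceConnection() {
            @Override
            public void onServiceConnected(ComponentName name, IBinder service) {
                Parcel data = Parcel.obtain();
                Parcel reply = Parcel.obtain();
                try {
                    data.writeInterfaceToken(MyService.DESCRIPTOR);
                    service.transact(MyService.TXN_READ_STATUS, data, reply, 0);
                    reply.readException();           // rethrows the service's SecurityException
                    String status = reply.readString();
                } catch (RemoteException e) {
                    // the service process died or the transaction failed
                } finally {
                    data.recycle();
                    reply.recycle();
                }
            }

            @Override
            public void onServiceDisconnected(ComponentName name) { }
        }, Context.BIND_AUTO_CREATE);
    }
}
```

The per-transaction check only works in a bound-service path such as onTransact, where the Binder calling identity is the client's; in onStartCommand() the call is dispatched from the service's own main thread, so Binder.getCallingUid() would return the service's uid and the manifest android:permission attribute is the only gate for started services.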

CWE/OWASP