Fri. Aug 7th, 2020

A large number of Android ROMs are improperly configured, causing information leakage

On November 22nd, Magisk author topjohnwu published an article in which he mentioned that he had discovered a vulnerability affecting millions of Android devices while researching the root detection mechanism of the Fate/Grand Order mobile game. Exploiting this vulnerability leaks process information on the system. Apart from a few manufacturers such as Samsung, most manufacturers' devices are affected.
According to the information on the XDA Forum, the affected and unaffected devices are as follows:
| OEM | Device | Android Version | procfs Leaks |
|---|---|---|---|
| Asus | ZenFone 5Z | Android 8.0 Oreo | Yes |
| BlackBerry | KEY2 | Android 8.0 Oreo | No |
| Essential | PH-1 | Android 9 Pie | No |
| Google | Pixel 2 | Android 9 Pie | No |
| Google | Pixel 3 | Android 9 Pie | No |
| Google | Pixel 3 XL | Android 9 Pie | No |
| Honor | Magic 2 | Android 9 Pie | Yes |
| HTC | U12+ | Android 8.0 Oreo | Yes |
| Huawei | Mate 20 X | Android 9 Pie | Yes |
| LG | G7 ThinQ | Android 8.0 Oreo | Yes |
| LG | V40 ThinQ | Android 8.1 Oreo | Yes |
| Motorola | Moto G4 | Android 8.1 Oreo | No |
| Nokia | 7.1 | Android 8.1 Oreo | No |
| OnePlus | 6 | Android 8.1 Oreo/Android 9 Pie | Yes |
| OnePlus | 6T | Android 9 Pie | Yes |
| Razer | Phone 2 | Android 8.1 Oreo | Yes |
| Samsung | Galaxy Note 8 | Android 8.0 Oreo | No |
| Samsung | Galaxy Note 9 | Android 8.1 Oreo/Android 9 Pie | No |
| Samsung | Galaxy S7 | Android 8.0 Oreo | No |
| Samsung | Galaxy S8 | Android 8.0 Oreo | No |
| Samsung | Galaxy S9 | Android 9 Pie | No |
| Samsung | Galaxy S9+ (Exynos) | Android 8.0 Oreo | Yes |
| Sony | Xperia XZ1 | Android 9 Pie | No |
| Xiaomi | Mi Mix 2S | Android 9 Pie | Yes |
| Xiaomi | POCO F1 | Android 8.1 Oreo | Yes |
On a Linux system, a great deal of internal kernel information is accessible through the /proc file system. The hidepid mount option, available in Linux kernel 3.2 and above, controls how much of other users' process information a user is allowed to see.
Google prevents apps from reading the status of other apps via procfs by mounting /proc with the flag “hidepid=2.” By mounting procfs with hidepid=2, apps can only see the status of their own process. Thus, an app would need to use the accepted APIs like UsageStats or AccessibilityService to gain information on what apps and services are running on the device.
Starting with Android 7.0, /proc should be mounted with hidepid=2. In Android 9.0, SELinux has been enhanced: if an app is compiled with a target API of 28 (Android 9.0), it cannot obtain information about other processes even when /proc is mounted without hidepid=2. However, many apps are still compiled with a target API lower than API 28 (Android 9.0).
A SELinux context is like a label for a file which has information like the user and role. Apps with the same SELinux context can read information about other apps in the same context if the hidepid=2 flag is not enabled for procfs. On devices running Android 9 Pie, only apps that are built targeting Android Pie will have Android Pie’s new SELinux changes apply to them. Apps that target Android 8.1 Oreo or below will use the old SELinux rules, allowing them to access information about processes in the same SELinux context so long as procfs is mounted without hidepid=2.
At present, OEMs are aware of this problem. Until a system update is released, users can download and install the ProcGate detection tool written by topjohnwu here. If your Android system is vulnerable, the ProcGate app will list other processes.
If you have root privileges, you can use the app to run "mount -o remount,hidepid=2,gid=3009 /proc", which remounts /proc and fixes the problem. Users who are affected by this vulnerability but cannot fix it without root privileges need not worry too much. The weakness is limited: only some information about other processes can be leaked. The vulnerability cannot be used to obtain sensitive data such as root privileges or user passwords.
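The check a defender would want for the hidepid discussion above and for the remount command just given is a quick audit of the mount table: is every procfs mount carrying hidepid=2 or not? The script below is an added example, not code from the article or from topjohnwu's ProcGate; it parses lines in /proc/mounts format, reports the hidepid level of each procfs mount, and gives a verdict. The function names and the sample mount lines are constructed for this example. Treating the newer spelling "hidepid=invisible" (accepted by recent kernels as the equivalent of 2) as protected is an assumption beyond what the article states.

```shell
#!/bin/sh
# Added example (not from the original article): audit whether procfs is mounted
# with hidepid=2, the setting the article says Android should use. Function
# names and sample lines are constructed for this example.

# Print the hidepid level from one /proc/mounts line describing a procfs mount.
# Prints "0" when the option is absent (the leaky default). Returns 1 and
# prints nothing if the line is not a procfs mount.
proc_hidepid_level() {
    line="$1"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    set -- $line
    [ "$3" = "proc" ] || return 1
    opts=",$4,"              # surround with commas so hidepid= matches anywhere
    case "$opts" in
        *,hidepid=*)
            level="${opts##*,hidepid=}"   # drop everything up to "hidepid="
            level="${level%%,*}"          # keep the value up to the next comma
            printf '%s\n' "$level"
            ;;
        *)
            printf '0\n'
            ;;
    esac
}

# Given a whole mount table (text in /proc/mounts format) in $1, print
# "vulnerable" if any procfs mount lacks hidepid=2 (or "invisible"),
# "protected" if all procfs mounts have it, "no-procfs" if none were found.
procfs_verdict() {
    verdict="no-procfs"
    while IFS= read -r line; do
        level=$(proc_hidepid_level "$line") || continue
        case "$level" in
            2|invisible) [ "$verdict" = vulnerable ] || verdict=protected ;;
            *) verdict=vulnerable ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$verdict"
}

# Constructed sample mount lines: a leaky mount, and one remounted the way the
# article describes (gid=3009 is Android's readproc group, which keeps the
# entries visible to system components that need them).
SAMPLE_LEAKY='proc /proc proc rw,relatime 0 0'
SAMPLE_FIXED='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=3009 0 0'

# On a live Linux/Android system (e.g. under adb shell) audit the real table;
# otherwise only the constructed samples are evaluated.
if [ -r /proc/mounts ]; then
    printf 'live system: %s\n' "$(procfs_verdict "$(cat /proc/mounts)")"
fi
printf 'constructed leaky sample: %s\n' "$(procfs_verdict "$SAMPLE_LEAKY")"
printf 'constructed fixed sample: %s\n' "$(procfs_verdict "$SAMPLE_FIXED")"
# Remediation with root, as in the article:  mount -o remount,hidepid=2,gid=3009 /proc
```

Run it with `sh` on the device (or pipe `adb shell cat /proc/mounts` into a file and pass the contents to `procfs_verdict`); a "vulnerable" verdict on a device whose apps target API 27 or lower is the condition the article describes, and the remount line in the last comment is the article's fix for rooted devices.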