Android is known for its balance of functionality and security, but sometimes logic errors open the door to privilege escalation—even without user interaction. CVE-2022-20113 is one such flaw, centered in the mPreference handling within DefaultUsbConfigurationPreferenceController.java. Here, we'll break down what happened, how it works, and what it could mean for your device.

TL;DR

- Vulnerability: Incorrect logic in DefaultUsbConfigurationPreferenceController.java lets a local app enable USB File Transfer (MTP), even if the owner doesn't want it.

- Patched in May 2022.

---

The Root of the Problem

On most Android devices, the USB mode (how your device interacts with computers over USB—charging only, file transfer, MIDI, etc.) must be carefully controlled. Access to File Transfer exposes a device's files to the computer it’s plugged into. Android users expect to have explicit control over enabling/disabling this feature.

However, in certain Android 12 and 12L builds, a logic issue in the handling of the user’s preferences, specifically the mPreference object in DefaultUsbConfigurationPreferenceController, let unprivileged local apps force file transfer mode. The vulnerable code doesn't adequately check whether the action is authorized, and ends up allowing the change.

Vulnerable Code Walkthrough

The root of the bug lies in how the controller saves and applies user preferences for USB connections. The code roughly looks like this:

```java
public class DefaultUsbConfigurationPreferenceController {

    private Preference mPreference;

    // ...other code...

    public boolean onPreferenceChange(Preference preference, Object newValue) {
        // Logic error: There isn't sufficient checking here!
        // Should check if caller is authorized to change this
        setDefaultUsbFunction((String) newValue); // enable file transfer mode if asked
        return true;
    }
}
```

In a secure implementation, there would be checks to ensure only authorized users or processes can switch USB modes. In this case, the call to setDefaultUsbFunction could be triggered by any local app, regardless of permissions.

No user interaction is needed at all.

---

Exploit Scenario

Let’s imagine an attacker makes a simple Android app. After install, it silently sends a request (maybe using reflection or direct access through Settings APIs) to change the USB mode using the flawed logic above.

Disclaimer: Don’t use this code for malicious purposes!

```java
// Pseudocode PoC: attempt to switch USB mode to File Transfer
ContentResolver resolver = getContext().getContentResolver();
Settings.Global.putString(resolver,
  "default_usb_configuration", "mtp");
```

If the device uses the flawed controller, this could trigger the logic error, and turn on file transfer mode.

Why This Matters

- Data Exfiltration: If a user plugs in to an untrusted computer, their private files could be accessed.
- Mobile Device Management: Corporate configurations might expect settings to be locked down, but a rogue app could override policies.

Google’s Security Bulletin, May 2022:

https://source.android.com/docs/security/bulletin/2022-05-01

Android Issue Tracker (A-205996517):

https://issuetracker.google.com/issues/205996517

NVD Entry:

https://nvd.nist.gov/vuln/detail/CVE-2022-20113

Mitigation

- Update to the latest security patch (May 2022 or later) for Android 12/12L.

- Monitor app installs and avoid sideloading.

- If you manage devices, restrict USB configuration through DPC/EMM policies.
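
To act on the first mitigation item across a fleet, the following added example (not code from the original page or from AOSP) audits one device's `adb shell getprop` dump for the affected releases and the May 2022 patch level. The sample dump is constructed, and the function names and status strings are hypothetical.

```python
import re

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [12]
[ro.build.version.sdk]: [31]
[ro.build.version.security_patch]: [2022-04-05]
[sys.usb.config]: [mtp,adb]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
AFFECTED_SDKS = {31, 32}   # Android 12 and 12L, the releases named on this page
FIXED_PATCH = (2022, 5)    # "May 2022 or later", per the Mitigation section


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict, skipping anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(text):
    """Return (status, reasons) for one device's getprop dump."""
    props = parse_getprop(text)
    try:
        sdk = int(props["ro.build.version.sdk"])
        patch = props["ro.build.version.security_patch"]
        year, month = map(int, patch.split("-")[:2])
    except (KeyError, ValueError):
        # Missing or malformed properties: report it, do not guess.
        return "unknown", ["sdk or security_patch property missing or malformed"]
    if sdk not in AFFECTED_SDKS:
        return "not_affected", [f"SDK {sdk} is not Android 12/12L"]
    if (year, month) >= FIXED_PATCH:
        return "patched", [f"patch level {patch} is May 2022 or later"]
    reasons = [f"patch level {patch} predates May 2022"]
    # Extra signal: file transfer is the USB function active right now.
    if "mtp" in props.get("sys.usb.config", "").split(","):
        reasons.append("file transfer (mtp) is currently the active USB function")
    return "vulnerable", reasons


if __name__ == "__main__":
    print(audit(SAMPLE_GETPROP))
```

Feed it the text captured from `adb shell getprop` for each managed device; an `unknown` result means the dump should be collected again, not that the device is safe.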

Conclusion

CVE-2022-20113 is a textbook example of how a small logic slip in the Android framework—specifically the handling of sensitive hardware preferences—can alter the security profile of millions of devices. The flaw was patched quickly, but it’s a reminder to keep devices up-to-date and to pay close attention to who can change what on your phone.

Timeline

Published on: 05/10/2022 20:15:00 UTC
Last modified on: 05/16/2022 15:36:00 UTC