A vulnerability called CVE-2023-40135 might sound like just another jumble of numbers and letters in Android’s long list of flaws. But if you care about who can see your private photos, this one is worth understanding. In this deep dive, I’ll break down what happened in SaveUi.java, show you some code, explain the exploit (in plain language), and link to official sources. I’ll keep things simple—but in more detail than anywhere else.

What is CVE-2023-40135?

CVE-2023-40135 affects Android systems, specifically an internal component called SaveUi.java. There’s a method named applyCustomDescription, and thanks to a logic error called a confused deputy, any malicious local application can view images belonging to another user (profile) on the same device, with:

No root or advanced exploits needed

Think of it as a sneaky shortcut for apps to see photos they have absolutely no business seeing.

What’s a “Confused Deputy” Anyway?

A “confused deputy” is a classic software bug. Imagine you give your house keys to a trusted dog-walker (the deputy), but they unknowingly let in a thief who asks to “just check the windows.” The dog-walker trusts the request—and the thief gets in without permission. In coding, this happens when a trusted component inadvertently misuses its own privileges on behalf of another app.

The Role of SaveUi.java and applyCustomDescription

The file SaveUi.java is part of the Android SystemUI—the part of Android that handles system pop-ups, save dialogs, and other user interface screens.

applyCustomDescription() is supposed to let apps customize how save dialogs look or behave. But the code fails to check who is making the request and which images are being shown.

Here’s a simplified (but pretty close) code example

// SaveUi.java - simplified
void applyCustomDescription(CustomDescription desc) {
    // ... setup UI ...
    // Let's say we want to show a preview image from the user's gallery
    ImageView preview = findViewById(R.id.preview_image);
    Uri imageUri = desc.getPreviewImageUri();

    // * SECURITY FLAW HERE *
    preview.setImageURI(imageUri); // This loads image as SYSTEM, not requesting app!
}

What’s the problem? If a malicious app calls applyCustomDescription() with a URI pointing to another user’s images, the system loads it with SYSTEM privileges, ignoring standard app permissions. This means:

- You could point to /storage/emulated//DCIM/Camera/private-photo.jpg from another user/profile, and get the operating system to load and pass along the image data, even if your app shouldn’t ever see it.

Exploiting CVE-2023-40135 Step by Step

Skill level needed: Basic Android app-making skills and some knowledge of Android Intent APIs.

Craft a Custom Save Request.

Use Android’s autofill or save-request features to trigger a CustomDescription, referencing another user’s content URI, like:

`java

// Example malicious service (assume you've set up your app as an autofill service)

public void onSaveRequest(SaveRequest request, SaveCallback callback) {

Uri victimUri = Uri.parse("content://media/external/images/media/1234"); // Item owned by another user

.build();

// ... set the image to victimUri

triggerSaveUiWithDescription(desc);

}

When the user logs in (or the system triggers SaveUi), your app's CustomDescription is loaded.

The SystemUI runs *as the privileged system user* and loads the image. Your app can then access the displayed image data from the UI tree despite not having permissions.

Result:

You get to see or process images from another user/profile—something your app was never allowed to do.

No warning: The user has no clue it happened.

- Works across profiles/users: Common in shared devices.

Real-World Impact

On Android, this means that a rogue app a child installs on their profile could spy on pictures belonging to a parent, or vice versa. On multi-user tablets or phones, it’s a silent privacy leak.

Android 13, 14 security updates (look for 2023-09-01 security patch level and up).

The fix? Enforce identity checks: Only allow loading of images from URIs that *belong* to the calling app/user, denying attempts to cross the profile/sandbox line.

- Android Security Bulletin—September 2023
- CVE Details: CVE-2023-40135
- Google’s AOSP commit addressing this bug

Conclusion

CVE-2023-40135 is a textbook “confused deputy” flaw. Through a logical loophole, Android’s save UI could be tricked into exposing private images to malicious local apps—*without user involvement and without extra permissions*. If your device runs a recent Android update, you should be safe; but this shows why keeping up with patches is so important.

If you build apps, never trust requests blindly—even from “safe” system components. If you use Android, always update when security patches come out.

*Do you want to know if your phone is affected? Check your Android version and patch level—if you see “2023-09-01” or newer, you’re covered from this CVE. Stay safe!*

Timeline

Published on: 10/27/2023 21:15:09 UTC
Last modified on: 10/30/2023 17:19:07 UTC