CVE-2023-5321 is a recently discovered security vulnerability affecting the hamza417/inure project on GitHub. This vulnerability is related to missing authorization checks in versions prior to build94. In this post, we’ll break down what this CVE is, how an attacker could exploit it, and how you can stay safe—all in plain English.
What is “Missing Authorization”?
In simple terms, authorization is about making sure the right people have the right permissions to do certain actions in an app. If authorization is missing, any user might be able to do things that are supposed to be restricted—like deleting files, viewing sensitive data, or changing settings.
## About hamza417/inure
Inure is an open-source Android app designed for exploring and managing apps installed on a device. It provides details like installed packages, permissions, and more. This tool is especially popular among Android enthusiasts and developers.
CWE: CWE-862: Missing Authorization
- Affected Project: hamza417/inure
What’s the Problem?
In build versions earlier than build94, the app exposes certain features to users without checking their authorization status. That means any user who can run the app can access sensitive functions or information that should only be granted to privileged users.
Original References
- NIST National Vulnerability Database: CVE-2023-5321
- GitHub Advisory Database: CVE-2023-5321
- Inure Repository
Changing settings: Alter configuration options that should be admin-only.
- Launching privileged activities: Trigger features in the app with higher privileges, possibly leading to further exploitation.
> Example: If there is a “clear cache for all apps” option meant only for the owner of the phone, this vulnerability could let any app user (even by mistake!) snap their fingers and clear caches without intended control.
Dive into the Code
Let’s illustrate with a generic code snippet reflecting the issue.
Problematic Code (Missing Authorization)
// This function is exposed in the app
public void exportAppInfo(Context context) {
// No checks - anyone can call this
List<AppDetails> allApps = getInstalledApps(context);
File exportFile = new File(context.getExternalFilesDir(null), "apps_info.txt");
writeToFile(exportFile, allApps);
}
What’s wrong?
There’s no authorization check. If any component in the app or possibly another app triggers this function (directly or via IPC), sensitive export tasks will occur.
How Should It Be?
// Improved: Check that the caller has proper authorization
public void exportAppInfo(Context context) {
if (!isUserAuthorized(context)) {
throw new SecurityException("Unauthorized access");
}
List<AppDetails> allApps = getInstalledApps(context);
File exportFile = new File(context.getExternalFilesDir(null), "apps_info.txt");
writeToFile(exportFile, allApps);
}
Now: Only authorized users (e.g., owner, admin) will be able to call this function.
Chain with other vulnerabilities
- If there’s also a local privilege escalation or exposed file path, an attacker could even gain entry to other parts of the Android phone.
Example Attack Intent
Intent intent = new Intent();
intent.setComponent(new ComponentName("app.simple.inure", "app.simple.inure.activities.ExportActivity"));
intent.putExtra("EXPORT", "ALL_INFO");
context.startActivity(intent); // No checks in vulnerable version!
How to Fix
Upgrade immediately to build94 or newer!
The maintainers have patched this issue by adding proper authorization checks on sensitive actions.
Get the fixed version
- Latest releases on Inure GitHub
Impact: Data leaks, unauthorized actions on device.
> Stay Safe!
Keep your apps and devices updated, and always build with the principle of “least privilege” in mind.
More Reading
- OWASP Top 10: Broken Access Control
- Android Security Best Practices
Have questions or want to share your experience?
Drop a comment below or reach out on GitHub!
*By keeping security in focus, we keep our apps—and our users—safe from harm.*
Timeline
Published on: 09/30/2023 14:15:00 UTC
Last modified on: 10/03/2023 20:58:00 UTC