CVE-2024-0022 - How a Notification Access Flaw in CompanionDeviceManagerService Leaks Your Info

CVE-2024-0022 is a security vulnerability affecting Android devices, specifically in the CompanionDeviceManagerService.java component. This flaw allows a malicious local app to use weak input validation to launch the NotificationAccessConfirmationActivity for a different user profile—not just their own. As a result, private notifications and sensitive info can leak between user accounts on the same device. All this can happen with no extra privileges and no user interaction needed.

Let’s unpack the details of this bug, its real-world impact, and how it can be exploited.

Where is the Bug?

The vulnerability lives inside packages/services/CompanionDeviceManagerService.java, a system service that helps apps connect to companion devices like smartwatches.

When an app asks for access to read notifications, the service launches the NotificationAccessConfirmationActivity. However, it does not properly check whether the requesting app is allowed to do this for another user profile (like your kid’s profile on a shared tablet).

If an attacker specifies a different user’s profile in the intent, the service starts the confirmation activity for *that* profile, potentially showing private notifications or transferring access across users.

Let’s look at the simplified logic (not the exact code, but close)

// In CompanionDeviceManagerService.java

void launchNotificationAccessConfirmation(Context context, int userId) {
    Intent intent = new Intent(context, NotificationAccessConfirmationActivity.class);
    intent.putExtra(EXTRA_USER_ID, userId); // User-controllable!
    context.startActivityAsUser(intent, UserHandle.of(userId));
}

What’s the Problem?
The userId here can be controlled (directly or indirectly) by a malicious app, but it’s not properly checked. So, the function can start the notification access confirmation for *any* profile, not just the requesting user's.

Exploitation Scenario

Imagine you’re using an Android tablet with a “Guest” or “Child” user. A local malicious app running in your profile could trigger NotificationAccessConfirmationActivity in the background for the Child profile—all without additional permissions or user taps. This could cause info intended for that user to leak and, depending on implementation, might allow cross-profile notification access or other data leaks.

Here is simple example code an attacker could use to exploit this bug

// Malicious app code
Intent intent = new Intent();
intent.setComponent(new ComponentName(
  "com.android.companiondevicemanager",
  "com.android.companiondevicemanager.NotificationAccessConfirmationActivity"
));

// Supply victim's userId. Usually these are small integers:  (owner), 10, 11...
intent.putExtra("android.intent.extra.USER_ID", 11); // Victim's profile ID, for example

// Use reflection or exposed API to call the method as system user
context.startActivityAsUser(intent, new UserHandle(11)); // Starts the activity for victim

With this, the system could launch the notification access dialog (or other UI) for another profile, possibly leaking private info right onto the attacker’s screen or granting wrong access.

Why is This a Serious Issue?

- No Extra Privileges Needed: The attack requires only a running app on the device—no system-level or root access.

No User Interaction: There’s no click or tap needed. The malicious code runs silently.

- Local Info Disclosure: Other profiles’ notifications or settings can leak, breaking multi-user security assumptions.
- May Affect Work/Child Profiles: In enterprise or shared tablet scenarios, sensitive work or family info may spill.

Android devices using multi-user features (phones, tablets with multiple profiles).

- Android versions with the vulnerable CompanionDeviceManagerService implementation (check security bulletins for details).

Fix and Mitigations

Google's official fix: The validation in CompanionDeviceManagerService.java now checks that the requesting app can only launch activities for its own user profile.

- See Android Security Bulletin - June 2024
- Android patch: AOSP Commit

References

- Google CVE-2024-0022 Security Advisory
- Android Security Bulletin - June 2024
- AOSP Patch Review (search for CVE-2024-0022)

Final Thoughts

CVE-2024-0022 is a perfect example of why Android's multi-user privacy model needs attention. If you manage devices with more than one user or have privacy concerns about notification data, this is an issue you should patch fast.

Always use the latest Android security patches and be careful what you install—especially on shared devices!


*This post was written exclusively for educational purposes. Do not attempt to exploit vulnerabilities on devices you do not own or have permission to test.*

Timeline

Published on: 05/07/2024 21:15:08 UTC
Last modified on: 11/25/2024 13:52:21 UTC