PTKD Mobile App Security
low M8 MASVS-PLATFORM-1 static analysis PTKD-CFG-CUSTOMPERM

Custom permission with a weak protection level

A custom permission is declared with a normal or dangerous protection level, so any installed app can be granted it; this gives weak protection to whatever the permission guards.

How it's exploited

A custom permission with protectionLevel normal or dangerous can be requested by any third-party app. Anything you guarded with it (providers, services) is effectively open to any app the user happens to install.

Why it matters

Internal interfaces believed to be private are callable by other apps, leaking data or triggering privileged actions.

How to fix it

  1. Set android:protectionLevel="signature" so only your own signing key can hold the permission.
  2. Audit which components are guarded by the permission and what they expose.
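The static check this rule describes, as an added example that is not part of the knowledge base: it parses an AndroidManifest.xml, flags custom permissions declared at normal or dangerous (or with no protectionLevel, which Android defaults to normal), and lists the components those permissions guard. The sample manifest, package and component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
WEAK_LEVELS = {"normal", "dangerous"}

def android_attr(elem, name):  # android:* attributes are namespaced, tags are not
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def weak_custom_permissions(manifest_xml):
    """Map name -> protectionLevel for <permission> declarations whose base level
    is normal or dangerous. A missing protectionLevel defaults to normal."""
    weak = {}
    for perm in ET.fromstring(manifest_xml).iter("permission"):
        level = android_attr(perm, "protectionLevel") or "normal"
        if level.split("|")[0] in WEAK_LEVELS:  # "signature|privileged" -> "signature"
            weak[android_attr(perm, "name")] = level
    return weak

def guarded_components(manifest_xml, permissions):
    """List (tag, component, attribute, permission) for components guarded by any of the names."""
    hits = []
    root = ET.fromstring(manifest_xml)
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            for attr in ("permission", "readPermission", "writePermission"):
                perm = android_attr(comp, attr)
                if perm in permissions:
                    hits.append((tag, android_attr(comp, "name"), attr, perm))
    return hits

# Constructed sample manifest (not from a real app): one weak custom permission
# guarding a provider and a service, one correctly declared signature permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <permission android:name="com.example.app.permission.READ_DATA" android:protectionLevel="normal" />
  <permission android:name="com.example.app.permission.ADMIN" android:protectionLevel="signature" />
  <application>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
        android:exported="true" android:readPermission="com.example.app.permission.READ_DATA" />
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.app.permission.READ_DATA" />
    <service android:name=".AdminService" android:exported="true"
        android:permission="com.example.app.permission.ADMIN" />
  </application>
</manifest>"""

if __name__ == "__main__":
    weak = weak_custom_permissions(SAMPLE_MANIFEST)
    for tag, name, attr, perm in guarded_components(SAMPLE_MANIFEST, weak):
        print(f"{tag} {name}: guarded by {perm} (protectionLevel={weak[perm]})")
```

Only components whose guard resolves to a weak permission are reported; the AdminService behind the signature permission stays silent, which is the state the fix above aims for.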
