PTKD Mobile App Security

Severity: medium | OWASP Mobile Top 10: M8 | MASVS-PLATFORM-1 | Detection: static analysis | ID: PTKD-CFG-SHAREDUID

Deprecated android:sharedUserId in use

sharedUserId makes the app share its Linux UID (and therefore private data and permissions) with other same-signer apps. It is deprecated and a lateral-movement risk.

How it's exploited

sharedUserId merges your app's Linux UID with that of any app signed by the same key that declares the same value. One compromised or careless app in the set can read every other app's private storage and act under every permission granted to the shared UID.

Why it matters

Your app's sandbox is only as strong as the weakest app sharing the UID; the mechanism is deprecated for exactly this reason.

How to fix it

  1. Plan the migration off sharedUserId (Android 10+ supports untangling with sharedUserMaxSdkVersion).
  2. Move cross-app data flows to a ContentProvider or bound service with signature permissions.
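As an added example (not part of this knowledge-base entry or of the PTKD tooling), the Python check below applies the rule to a manifest the way a static scanner would: it flags sharedUserId declared without a migration cap, reports it as informational once sharedUserMaxSdkVersion is set (step 1), and flags any exported ContentProvider that is not gated by a signature-level permission (step 2). The two manifests are constructed samples; the package, authority and permission names and the cap value of 32 are assumptions chosen for the sample.

```python
# Added example, not part of the knowledge-base entry: a small static check
# that mirrors the PTKD-CFG-SHAREDUID rule against an AndroidManifest.xml.
# Package, authority and permission names below are constructed samples.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def check_manifest(manifest_xml):
    """Return (severity, message) findings for the manifest text.

    medium: sharedUserId with no migration cap, or an exported provider
            that is not gated by a signature-level permission.
    info:   sharedUserId still present but capped by sharedUserMaxSdkVersion.
    """
    findings = []
    root = ET.fromstring(manifest_xml)

    shared_uid = _attr(root, "sharedUserId")
    max_sdk = _attr(root, "sharedUserMaxSdkVersion")
    if shared_uid is not None:
        if max_sdk is None:
            findings.append(("medium", "sharedUserId=%r declared without "
                             "sharedUserMaxSdkVersion; UID shared with every "
                             "same-signer app using that value" % shared_uid))
        else:
            findings.append(("info", "sharedUserId=%r still present; capped by "
                             "sharedUserMaxSdkVersion=%s, so the shared UID is "
                             "being phased out" % (shared_uid, max_sdk)))

    # Permissions this app declares at protectionLevel="signature"; only
    # these count as an acceptable gate for an exported provider.
    signature_perms = {_attr(p, "name") for p in root.iter("permission")
                       if _attr(p, "protectionLevel") == "signature"}
    for provider in root.iter("provider"):
        if _attr(provider, "exported") == "true" and \
                _attr(provider, "permission") not in signature_perms:
            findings.append(("medium", "provider %s is exported without a "
                             "signature-level permission"
                             % _attr(provider, "name")))
    return findings


# Weak configuration (constructed sample): shared UID and an open provider.
VULNERABLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app"
    android:sharedUserId="com.example.shared">
  <application>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.app.notes"
        android:exported="true"/>
  </application>
</manifest>
"""

# Corrected configuration (constructed sample): the shared UID is capped for
# migration and cross-app reads go through a signature-protected provider.
# The cap value 32 is an assumption for the sample, not a recommendation.
FIXED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app"
    android:sharedUserId="com.example.shared"
    android:sharedUserMaxSdkVersion="32">
  <permission android:name="com.example.app.permission.READ_NOTES"
      android:protectionLevel="signature"/>
  <application>
    <provider android:name=".NotesProvider"
        android:authorities="com.example.app.notes"
        android:exported="true"
        android:permission="com.example.app.permission.READ_NOTES"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_MANIFEST),
                        ("fixed", FIXED_MANIFEST)):
        print(label, check_manifest(text))
```

Run it on a real manifest by passing the file contents to check_manifest; the "info" finding is expected to remain until every existing install has moved past the cap and sharedUserId can be deleted outright.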
