artectrex's blog - Security update for PixelDroid, Bunny & Android Media Editor library

A security quickscan by Radically Open Security found several issues in the android-media-editor library that impact both PixelDroid and Bunny

📅 21 Dec 2024

A couple of weeks ago, I released updates to Bunny and PixelDroid that incorporated the latest android-media-editor version. The only changes in this version were dependency updates and a single changed line in the manifest:

    android:name="com.yalantis.ucrop.UCropActivity"
-   android:exported="true"
+   android:exported="false"
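
Review bot: the flipped `android:exported` attribute on `com.yalantis.ucrop.UCropActivity` has no comment recording why it must stay `false`, so a later manifest cleanup or dependency bump could revert it unnoticed. Add an XML comment above this activity entry stating that it must not be reachable from other apps, and consider a build-time check that fails if the attribute ever becomes `true` again.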

With this change, UCropActivity is no longer “exposed”[1][2], which means that external apps can no longer send Intents that target that activity.

UCropActivity is used for the cropping functionality of android-media-editor (and by extension Bunny and PixelDroid). It is implemented in the uCrop library.
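
A build-time check for the manifest change above, as an added example that is not part of the original post or of android-media-editor: it lists the components other apps can start and flags any that must stay private. It assumes the app's merged manifest is available as plain-text XML; the sample manifest, `LegacyReceiver` and the `PRIVATE` set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def exported_components(manifest_xml):
    """Return (tag, name, reason, permission) for each component other apps can start."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(elem, "exported")
        if exported == "true":
            reason = "explicit"
        elif exported is None and elem.find("intent-filter") is not None:
            # No attribute + intent filter: exported by default on older targets.
            reason = "implicit"
        else:
            continue
        findings.append((elem.tag, _attr(elem, "name"), reason, _attr(elem, "permission")))
    return findings

def still_exported(manifest_xml, private_names):
    """Names from private_names that the manifest still exposes to other apps."""
    return sorted(n for _, n, _, _ in exported_components(manifest_xml) if n in private_names)

# Constructed sample manifest (not PixelDroid's or Bunny's real one).
_TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name="com.yalantis.ucrop.UCropActivity" android:exported="{ucrop}"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="org.example.PING"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
BEFORE = _TEMPLATE.format(ucrop="true")
AFTER = _TEMPLATE.format(ucrop="false")
PRIVATE = {"com.yalantis.ucrop.UCropActivity"}

if __name__ == "__main__":
    for label, xml in (("before", BEFORE), ("after", AFTER)):
        for finding in exported_components(xml):
            print(label, finding)
        print(label, "must-stay-private but exported:", still_exported(xml, PRIVATE))
```

The fourth field of each finding is the component's `android:permission` value, if any, so a reviewer can decide whether an exported component is adequately gated.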

To sum up the main issue with exporting this activity: because of the way it downloads images and stores them, a caller can make it write to, or overwrite, any path that the host application (for example, Bunny or PixelDroid) can access.

Extract of code in the uCrop library that allows writing to an arbitrary path the host application has access to:

    if (isContentUri(mOutputUri)) {
        outputStream = mContext.getContentResolver().openOutputStream(outputUri);
    } else {
        outputStream = new FileOutputStream(new File(outputUri.getPath()));
    }

Concretely, with a vulnerable version of android-media-editor, any app installed on the device can overwrite any file that is accessible to an app using the library.

This includes the apps' settings and login data. The worst case I can imagine in the context of PixelDroid is overwriting the URI of the instance to get the app to leak access tokens to an attacker-controlled server. However, the attacker would first have to obtain a copy of the SQLite database in order to modify the URI, which means they have to have the token already in order to exfiltrate the token.

More realistic scenarios involve overwriting the settings of the integrating app. An example with PixelDroid was provided by the Radically Open Security researchers and is embedded below:

I have also uploaded a copy of Radically Open Security’s report where you can read their findings and non-findings in detail: Penetration test report. Thank you ROS for your great work.

In terms of concrete action that end users should take, I suggest upgrading Bunny and PixelDroid to their latest versions. Developers using android-media-editor should update to the latest version of the library and release a new version of their app.

However, in the context of PixelDroid and Bunny, and unless combined with other vulnerabilities, I don’t see these findings being usable for attacks beyond denial of service (breaking the host app) or small annoyances.


  1. Android Manifest documentation of the exported attribute

  2. Android security risk information about the exported attribute