For my research I had a look at new functionalities of Android, especially related to security. I came across Protected Confirmation, which is a rather interesting method to ask the user to confirm an action.
In short, an app shows a dialog with a short text and the user has to press physical buttons of the device to confirm or deny the request.
A blog post about this feature states that whatever your user confirms is cryptographically authenticated and a relying party (think: your bank’s server) can verify that you really confirmed a transaction. Since the UI is running inside of a protected hardware mode called Trusted Execution Environment, the process is safe from malicious apps and a compromised Android OS.
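As an added illustration (not the author's code, nor anything from the report), the legitimate app-side flow described above in Java: a Keystore key bound to Protected Confirmation, the prompt shown by the TEE, and the signature a relying party verifies. The key alias, prompt text and the sendToServer transport are hypothetical.

```java
import android.content.Context;
import android.security.ConfirmationCallback;
import android.security.ConfirmationPrompt;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.*;
import java.util.concurrent.Executor;

public class ConfirmedTransfer {
    private static final String ALIAS = "txn_key"; // hypothetical alias; server holds its public key
    // Signing key the TEE releases only after the user pressed the physical confirm button.
    static void generateKey() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserConfirmationRequired(true) // ties the key to Protected Confirmation
                .build());
        kpg.generateKeyPair();
    }

    static void confirm(Context ctx, Executor executor, byte[] serverNonce) throws Exception {
        if (!ConfirmationPrompt.isSupported(ctx)) {
            throw new IllegalStateException("Protected Confirmation not available on this device");
        }
        ConfirmationPrompt prompt = new ConfirmationPrompt.Builder(ctx)
                .setPromptText("Pay 10.00 EUR to ACME Ltd?") // rendered by the TEE, not by Android
                .setExtraData(serverNonce)                   // binds this confirmation to one request
                .build();
        prompt.presentPrompt(executor, new ConfirmationCallback() {
            @Override public void onConfirmed(byte[] dataThatWasConfirmed) {
                try {
                    // The TEE encodes prompt text + extra data into dataThatWasConfirmed and the
                    // key above only signs exactly those bytes, so the server can check both.
                    KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
                    ks.load(null);
                    Signature sig = Signature.getInstance("SHA256withECDSA");
                    sig.initSign((PrivateKey) ks.getKey(ALIAS, null));
                    sig.update(dataThatWasConfirmed);
                    sendToServer(dataThatWasConfirmed, sig.sign()); // server verifies with public key
                } catch (Exception e) { /* signing failed: treat as not confirmed */ }
            }
            @Override public void onDismissed() { /* user pressed the deny button */ }
            @Override public void onCanceled() { /* the app itself cancelled the prompt */ }
            @Override public void onError(Throwable e) { /* TEE or framework error */ }
        });
    }
    static void sendToServer(byte[] confirmed, byte[] signature) { /* hypothetical transport */ }
}
```

The relying party checks the signature against the public key it enrolled earlier and then parses dataThatWasConfirmed to confirm that the prompt text and its own nonce are what it expected.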
Nevertheless, I identified a few pitfalls in the process and found a pretty fun way to lock up the device. Such a Denial-of-Service attack makes sure that the user is not able to operate the device as expected. I wrote a small sample application which required no permissions and was able to repeatedly show a screen asking the user to pay bitcoins to “unlock the device”. Typical ransomware behaviour here, and the user could not do anything about it.
On Jul 30, 2019, I submitted a report on Google’s bug reporting platform. The title was “Security Report – Denial Of Service by abusing Protected Confirmation”, because it seemed to be a rather security-relevant issue in their “rate-limiting” method. I even pointed out the exact code line where the bug was happening.
A response came rather promptly on Aug 14, 2019:
Thank you for your submission. Your issue has been successfully reproduced. Your report was informative and easy to follow. Unfortunately, we have determined this issue to be insufficient to qualify as a security issue. While this issue does result in a denial of service, uninstalling the malicious application through safe mode is sufficient to resume normal operations. We look forward to working with you more in the future.
This was rather surprising. “Safe mode” disables all third-party apps, sure, but as a user you have no idea which app is generating this screen, as there is absolutely no indication of it. At this stage, though, there was no point discussing this with them.
I heard nothing more after that except for some “Thanks for reporting”. Then, months later, I casually discovered their bugfix in the source code. The bugfix came Jan 24, 2020 and can be seen on the public tracker here.
The bug fix references a different Bug ID from my own bug report, so I suppose the “bug” was reported independently of my bug report. It feels good to see your bug report turn into some official action, but also kind of depressing that the security aspect of the bug was not considered.
This was a nice experience, even though it ended like it did. I wish I were motivated (or bored) enough to look for vulnerabilities like many other security experts do, but I can only recommend it to you, because finding these bugs always comes with a great learning experience that you cannot get any other way.