Unprivileged applications can retrieve the ICCID
The phone system service did not properly enforce permissions on its getPhoneAccountHandleForSubscriptionId method.
When called by an unprivileged application, the parceled response contained the ICCID number (Integrated Circuit Card Identifier), a 20-digit number that uniquely identifies a SIM card.
Such an identifier should not be accessible to unprivileged applications due to the privacy implications of unique identifiers tied to the SIM card.
The PhoneAccountHandle includes the ICCID.
Test: adb shell run-as <unprivileged_app> service call phone 153
Bug: https://partnerissuetracker.corp.google.com/issues/161860604
Signed-off-by: duki.hong <duki.hong@samsung.com>
Change-Id: Id3b155a9cf4a4fbf3dc326de50f978a12bd5f6cd
1 file changed