
K-9 mail client is vulnerable to privacy leak

By TrustGo Security Labs On February 15, 2012 In Security


K-9 is the most popular email client for Android. It is an open-source e-mail client with numerous features, including search, IMAP push email, multi-folder sync, flagging, filing, signatures, bcc-self, PGP, mail on SD, etc. It has been downloaded between 1 million and 5 million times from Google Android Market.

K-9 version 4.005 has a vulnerability wherein a user’s email may be exposed to other apps. A malicious app without any system permissions can easily exploit K-9’s vulnerability to collect all the user’s emails and leak them to an arbitrary website.

Application information

App name: K-9 Mail
App vendor: K-9 Dog Walkers
Package name: com.fsck.k9
Affected version: 4.005
Updated: January 27, 2012
Affected users: 1,000,000 – 5,000,000
Category: Communication
Vendor’s website: http://code.google.com/p/k9mail/
App download link: https://market.android.com/details?id=com.fsck.k9&feature=search_result&hl=en

Vulnerability information

Found date: 2012/2/13
Found by: TrustGo
Impact: Privacy leak
Severity: High
Distribution: High
Has POC: Yes

Details

A malicious app can obtain the user’s email from K-9 without the user’s consent.

K-9 declares the ContentProvider com.fsck.k9.provider.MessageProvider as:

<provider android:name="com.fsck.k9.provider.MessageProvider"
          android:authorities="com.fsck.k9.messageprovider"
          android:multiprocess="true"
          android:grantUriPermissions="true"
          android:readPermission="com.fsck.k9.permission.READ_MESSAGES"
          android:writePermission="com.fsck.k9.permission.DELETE_MESSAGES"/>

K-9 declares the permission “com.fsck.k9.permission.READ_MESSAGES” as:

<permission android:name="com.fsck.k9.permission.READ_MESSAGES"
            android:permissionGroup="android.permission-group.MESSAGES"
            android:protectionLevel="normal"
            android:label="@string/read_messages_label"
            android:description="@string/read_messages_desc"/>

Since the protection level of the permission “com.fsck.k9.permission.READ_MESSAGES” is normal, any app can request it, and any app holding this permission can read the emails stored by the K-9 mail client.

Thus an app can obtain emails from K-9 merely by requesting the permission “com.fsck.k9.permission.READ_MESSAGES”. Combined with the INTERNET permission, which is very commonly requested, an app can easily leak the user’s emails to a website of its choice. Even without the INTERNET permission, an app can still leak the user’s emails to the internet by exploiting another feature of the web browser on the Android system.
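The root cause above is a ContentProvider guarded by a custom permission whose protectionLevel is normal. The following added audit script (not part of TrustGo’s report or of K-9’s code) parses an AndroidManifest.xml and flags every provider whose permission, readPermission or writePermission refers to a custom permission that any installed app may hold; the sample manifest is constructed from the two declarations quoted above, the DELETE_MESSAGES declaration is assumed, and the hardened variant shows the usual fix of raising the level to signature.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
WEAK_LEVELS = ("normal", "dangerous")  # base levels any app can request


def _attr(el, name):
    return el.get("{%s}%s" % (ANDROID_NS, name))


def weakly_guarded_providers(manifest_xml):
    """Return (provider, attribute, permission, protectionLevel) for every
    provider guarded by a custom permission that any installed app may hold."""
    root = ET.fromstring(manifest_xml)
    # protectionLevel defaults to "normal" when the attribute is omitted.
    levels = {_attr(p, "name"): _attr(p, "protectionLevel") or "normal"
              for p in root.iter("permission")}
    findings = []
    for prov in root.iter("provider"):
        for attr in ("permission", "readPermission", "writePermission"):
            perm = _attr(prov, attr)
            # Permissions not declared in this manifest are not judged here.
            if perm is None or perm not in levels:
                continue
            base_level = levels[perm].split("|")[0]  # e.g. "signature|privileged"
            if base_level in WEAK_LEVELS:
                findings.append((_attr(prov, "name"), attr, perm, levels[perm]))
    return findings


# Constructed manifest fragment reproducing the two declarations quoted above;
# the DELETE_MESSAGES permission declaration is an assumption, not shown on the page.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.fsck.k9">
  <permission android:name="com.fsck.k9.permission.READ_MESSAGES"
      android:protectionLevel="normal"/>
  <permission android:name="com.fsck.k9.permission.DELETE_MESSAGES"
      android:protectionLevel="normal"/>
  <application>
    <provider android:name="com.fsck.k9.provider.MessageProvider"
        android:authorities="com.fsck.k9.messageprovider"
        android:readPermission="com.fsck.k9.permission.READ_MESSAGES"
        android:writePermission="com.fsck.k9.permission.DELETE_MESSAGES"/>
  </application>
</manifest>"""

# Mitigation: "signature" means only apps signed with the declaring app's key
# can hold the permission, so third-party apps can no longer query the provider.
HARDENED_MANIFEST = VULNERABLE_MANIFEST.replace('"normal"', '"signature"')
```

Running weakly_guarded_providers over a real manifest requires the decoded (non-binary) AndroidManifest.xml, for example as produced by apktool.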

This is very dangerous when users access business email with K-9 mail client.