
android-app-vulnerability-benchmarks / Android allows apps without write permission to write to external storage

External Storage in Android

Android allows apps to read data from and write data to external storage. External storage is meant to be accessible by all apps on the device. There are two types of external storage: public and private. To read from and write to public external storage, an app needs to request read/write permission from the user. However, an app does not need any permission to read from or write to its own private external storage. An app needs to request the appropriate permissions if it is accessing another app's private external storage.

The vulnerability

An app requires the WRITE_EXTERNAL_STORAGE permission to write to (any type of) external storage and READ_EXTERNAL_STORAGE to read from (any type of) external storage. An app can write to another app's private external storage by holding the READ_EXTERNAL_STORAGE permission instead of the WRITE_EXTERNAL_STORAGE permission.

Test to reproduce the vulnerability

We created a Benign app and a Malicious app. The Benign app reads data from its private external storage and displays it to the user. The Malicious app requests the READ_EXTERNAL_STORAGE permission from the user in order to read from external storage, but uses that permission to write data into Benign's private external storage without holding the appropriate permission, i.e., WRITE_EXTERNAL_STORAGE.
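The defensive counterpart to this test, written here as an added example rather than code from the benchmark's Benign app: because another app may be able to alter files in Benign's private external directory, Benign should treat what it reads there as untrusted and authenticate it before display. The scheme below keeps an HMAC key in internal storage (getFilesDir, which other apps cannot access) and stores an HMAC-SHA256 tag next to each file in the private external directory (getExternalFilesDir). The class name, file names and tag suffix are assumptions chosen for this example.

```java
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not part of the benchmark apps): authenticate files kept in
// the app's private external storage so that tampering by another app is detected.
public final class ExternalFileIntegrity {
    private static final String KEY_FILE = "ext_hmac.key"; // assumed name, internal storage
    private static final String TAG_SUFFIX = ".hmac";      // assumed suffix for the tag file

    private ExternalFileIntegrity() {}

    // The key lives in internal storage, which is private to this app's UID.
    private static byte[] loadOrCreateKey(Context ctx) throws IOException {
        File keyFile = new File(ctx.getFilesDir(), KEY_FILE);
        if (keyFile.exists()) {
            return readAll(keyFile);
        }
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        writeAll(keyFile, key);
        return key;
    }

    private static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Writes the payload and its tag into the app's private external directory.
    public static void writeProtected(Context ctx, String name, byte[] data)
            throws IOException, GeneralSecurityException {
        File dir = ctx.getExternalFilesDir(null);
        if (dir == null) throw new IOException("external storage not available");
        writeAll(new File(dir, name), data);
        writeAll(new File(dir, name + TAG_SUFFIX), hmac(loadOrCreateKey(ctx), data));
    }

    // Returns the payload only if its tag verifies; returns null when the file or
    // its tag is missing or the contents were changed by someone without the key.
    public static byte[] readVerified(Context ctx, String name)
            throws IOException, GeneralSecurityException {
        File dir = ctx.getExternalFilesDir(null);
        if (dir == null) return null;
        File dataFile = new File(dir, name);
        File tagFile = new File(dir, name + TAG_SUFFIX);
        if (!dataFile.exists() || !tagFile.exists()) return null;
        byte[] data = readAll(dataFile);
        byte[] expected = hmac(loadOrCreateKey(ctx), data);
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(expected, readAll(tagFile)) ? data : null;
    }

    private static byte[] readAll(File f) throws IOException {
        try (FileInputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[(int) f.length()];
            int off = 0;
            while (off < buf.length) {
                int n = in.read(buf, off, buf.length - off);
                if (n < 0) throw new IOException("short read");
                off += n;
            }
            return buf;
        }
    }

    private static void writeAll(File f, byte[] data) throws IOException {
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(data);
        }
    }
}
```

Benign would call writeProtected when it saves its data and readVerified before displaying it; a null result means the data was not produced by Benign and should not be shown. The tag cannot be forged without the key, so an app that can only write to the external directory cannot substitute content that passes verification. Data that is sensitive rather than merely integrity-critical belongs in internal storage in the first place.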

Expected test results

We tested the presence of the vulnerability on API levels 22, 23, 24, 25, 26, and 27. The vulnerability can be successfully exploited on API levels 22-25 but is absent in API levels 26 and 27.