Every Android app comprises of several components, including something called the AndroidManifest.xml file or the manifest file. This manifest file contains essential information for apps, “information the system must have before it can run any of the app’s code.” We came across a vulnerability related to the manifest file that may cause an affected device to experience a continuous cycle of rebooting—rendering the device nearly useless to the user.

The Manifest File Vulnerability

The vulnerability can cause the OS to crash through two different ways.

The first involves very long strings and memory allocation. Some apps may contain huge strings in their .XML files, using document type definition (DTD) technology. When this string reference is assigned to some of the tags in AndroidManifest.xml (e.g., permission name, label, name of activity), the Package Parser will require memory to parse this .XML file. However, when it requires more memory than is available, the PackageParser will crash. This triggers a chain reaction wherein all the running services stops and the whole system consequently reboots once.

The second way involves .APK files and a specific intent-filter, which declares what a service or activity can do. An icon will be created in the launcher if the manifest file contains an activity definition with this specific intent-filter:

<intent-filter> <action android:name=”android.intent.action.MAIN”/> <category android:name=”android.intent.category.LAUNCHER”/> </intent-filter>

If there are many activities defined with this intent-filter, the same number of icons will be created in the home page after installation. However, if this number is too large, the .APK file will trigger a loop of rebooting.

If the number of activities is bigger than 10,000:

For Android OS version 4.4, the launcher process will undergo the reboot.

For version L, the PackageParser crashes and reboots. The malformed .APK will be installed but no icon will be displayed.

If the number of activities is larger than 100,000, the devices will undergo the loop of rebooting.

Testing the Vulnerability, Part 1

We created an .APK file with a manifest file containing a huge string reference, as seen in Figure 1. During installation, the device reboots, seen in the logcat information in Figure 2.



Figure 1. AndroidManifest with DTD huge string reference



The OS crashes and reboots during installation

We have tested and proven that this created APK could crash both Android OS 4.4.4, Android OS L, and older versions of the platform.

Testing the Vulnerability, Part 2

We also created an application with the manifest file as shown in Figure 3, which can make Android devices undergo a loop of reboots. After installation, the device was unresponsive, save for the rebooting. A user will not even be able to uninstall the APK or switch off the device. It will simply reboot until the device runs out of the power. The only solution is to flash the ROM or install the platform again.



Figure 3. AndroidManifest.xml with 100,000 icons

Knowing the Risks

While this vulnerability isn’t a technically a security risk, it does put devices at risk in terms of functionality. This vulnerability can essentially leave devices useless. Affected devices can be “rescued” but only if the Android Debug Bridge (ADB) is activated or enabled. The only solution would be to connect the device to a computer, boot the phone in fastboot mode, and flash the ROM. Unfortunately, such actions can only be done by highly technical users as a mistake can possibly brick a device. For this issue, we recommend that users contact customer service (if their devices are still under warranty) or a reputable repair shop.

We have notified Google about this issue.