CVE-2023-21177 in Android
Summary
by MITRE • 06/28/2023
In requestAppKeyboardShortcuts of WindowManagerService.java, there is a possible way to infer the app a user is interacting with due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-13
Android ID: A-273906410
Analysis
by VulDB Data Team • 09/13/2025
CVE-2023-21177 resides in the WindowManagerService component of the Android operating system, specifically in the implementation of the requestAppKeyboardShortcuts method. The flaw is a critical security oversight that allows unauthorized information disclosure through improper permission validation. It affects Android 13 systems and is tracked under Android ID A-273906410.
The technical flaw manifests as a missing permission check within the requestAppKeyboardShortcuts method, which is designed to handle keyboard shortcut requests for applications. When this method processes requests without adequate validation of caller permissions, it creates an exploitable condition where malicious applications can potentially infer information about other applications that users are interacting with. This occurs because the method fails to verify whether the requesting application has legitimate authorization to access the keyboard shortcut information of other applications, effectively bypassing the intended security boundaries.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables adversaries to gain insights into user application interactions without requiring any additional privileges or user interaction for exploitation. The absence of user interaction requirements makes this vulnerability particularly concerning from a security perspective, as it can be exploited automatically by malicious applications running on the same device. This type of information leakage could potentially reveal user behavior patterns, application usage habits, and even sensitive contextual information that applications might be processing.
From a cybersecurity framework perspective, this vulnerability aligns with CWE-284, which addresses improper access control issues, and represents a clear violation of the principle of least privilege in Android's security model. The ATT&CK framework categorizes this as a privilege escalation or information gathering technique, as it allows adversaries to extract information that should remain protected within the application sandbox. The vulnerability essentially creates a covert channel through which application context information can be inferred, potentially enabling more sophisticated attacks that leverage this knowledge.
The mitigation approach for CVE-2023-21177 requires implementing proper permission validation within the requestAppKeyboardShortcuts method to ensure that only authorized applications can access keyboard shortcut information for other applications. This involves adding explicit permission checks that verify the calling application's rights before allowing access to sensitive contextual data. System updates and patches should enforce strict access controls, ensuring that applications cannot arbitrarily query keyboard shortcut configurations of other applications. Additionally, developers should implement comprehensive testing procedures to validate that all inter-application communication methods properly enforce permission boundaries and maintain the integrity of the Android security model.
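The missing check and its mitigation can be shown in a simplified, self-contained model. This is an added example, not Android source code and not the actual patch: the class, the permission string, the `Caller` record, the package name and the UIDs are hypothetical or constructed, and the method returns a list directly instead of using Android's IPC types.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Simplified model of a system service. Only the method name requestAppKeyboardShortcuts
// comes from the advisory; every other name here is hypothetical.
public class ShortcutServiceModel {
    // Hypothetical permission string for this model, not taken from the Android patch.
    static final String PERM = "example.permission.READ_FOCUSED_APP_SHORTCUTS";

    // Stand-in for the caller identity a real service derives from the IPC layer.
    record Caller(int uid, Set<String> grantedPermissions) {}

    // Constructed state: the app that currently has focus and its shortcut labels.
    private final String focusedPackage = "com.example.banking";
    private final Map<String, List<String>> shortcuts =
            Map.of("com.example.banking", List.of("Transfer funds", "View statement"));

    // Before: any caller gets the focused app's shortcuts, which reveals which app has focus.
    List<String> requestAppKeyboardShortcutsUnchecked(Caller caller) {
        return shortcuts.getOrDefault(focusedPackage, List.of());
    }

    // After: the caller's permission is verified before any focus-dependent state is read.
    List<String> requestAppKeyboardShortcuts(Caller caller) {
        if (!caller.grantedPermissions().contains(PERM)) {
            throw new SecurityException("uid " + caller.uid() + " lacks " + PERM);
        }
        return shortcuts.getOrDefault(focusedPackage, List.of());
    }

    public static void main(String[] args) {
        ShortcutServiceModel svc = new ShortcutServiceModel();
        Caller untrusted = new Caller(10123, Set.of());     // constructed app UID, no permissions
        Caller privileged = new Caller(1000, Set.of(PERM)); // constructed privileged caller

        // The unchecked path hands focus-dependent data to a caller with no permissions.
        System.out.println("unchecked, untrusted: "
                + svc.requestAppKeyboardShortcutsUnchecked(untrusted));

        // Regression check: the hardened path must reject the same caller.
        try {
            svc.requestAppKeyboardShortcuts(untrusted);
            throw new AssertionError("permission check missing");
        } catch (SecurityException expected) {
            System.out.println("checked, untrusted: denied (" + expected.getMessage() + ")");
        }
        System.out.println("checked, privileged: " + svc.requestAppKeyboardShortcuts(privileged));
    }
}
```

The negative case in `main` is the part worth carrying into a test suite: each method that returns state derived from another app should have a test asserting that a caller without the permission is rejected.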