CVE-2024-13916 in com.pri.applock
Summary
by MITRE • 05/30/2025
An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.android.providers.settings.fingerprint.PriFpShareProvider“ content provider's public method query() allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code.
Vendor did not provide information about vulnerable versions. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/10/2025
The vulnerability identified as CVE-2024-13916 affects a pre-loaded application named "com.pri.applock" on Kruger&Matz smartphones, which provides encryption capabilities for applications using either user-provided PIN codes or biometric authentication methods. This application represents a critical security flaw within the device's security architecture, as it exposes a content provider that should remain protected but instead allows unauthorized access to sensitive authentication data. The vulnerability specifically targets the "com.android.providers.settings.fingerprint.PriFpShareProvider" content provider, which serves as an interface for fingerprint and PIN management within the Android system.
The technical flaw manifests through the public method query() of the exposed content provider, which operates without proper authentication or authorization checks. This design flaw enables any malicious application to access the PIN code information simply by invoking the query method without requiring any system permissions or elevated privileges. The absence of proper access controls creates a direct pathway for credential theft, as the malicious application can retrieve the PIN code data that should be protected within the system's secure storage mechanisms. This vulnerability directly relates to CWE-284, which addresses inadequate access control, and represents a significant weakness in the Android security model where sensitive user authentication data is exposed through improper content provider configuration.
The operational impact of this vulnerability is severe, as it allows attackers to bypass the security controls designed to protect user authentication credentials. Any application installed on the device can potentially exploit this flaw to extract PIN codes, which may then be used to unlock encrypted applications or gain unauthorized access to protected data. The vulnerability affects the fundamental security model of the device, as it undermines the trust model that should exist between the user's authentication data and the applications that legitimately require access to such information. Attackers could potentially use this vulnerability to compromise multiple applications that rely on PIN-based encryption, leading to widespread data exposure across the device's application ecosystem.
The lack of vendor-provided information about vulnerable versions represents a significant gap in the security landscape, as it prevents users and security professionals from properly assessing the scope of the vulnerability. The fact that only version 13 (version code: 33) was tested and confirmed to have this vulnerability suggests that the issue may be present in other versions as well, but without proper disclosure, the true extent remains unknown. Security professionals should consider this vulnerability as potentially affecting all versions of the application until the vendor provides comprehensive information about affected releases. Mitigation efforts should focus on immediate application updates, implementation of runtime monitoring for unauthorized content provider access, and potentially disabling the vulnerable application until a patched version is available. This vulnerability also highlights the importance of proper Android security practices, including the principle of least privilege and proper content provider access control, as outlined in the Android Security Best Practices guidelines and relevant ATT&CK framework techniques for credential access and privilege escalation.