CVE-2025-7892 in IDnow App
Summary
by MITRE • 07/20/2025
A vulnerability classified as problematic has been found in IDnow App up to 9.6.0 on Android. This affects an unknown part of the file AndroidManifest.xml of the component de.idnow. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis
by VulDB Data Team • 09/17/2025
This vulnerability affects the IDnow App Android application in version 9.6.0 and earlier and lies in the AndroidManifest.xml configuration. The flaw is a critical misconfiguration that improperly exports application components, exposing them to other software on the device. The classification as "problematic" indicates significant risk potential, particularly since an exploit has been publicly disclosed and is available. The attack vector requires local access to the device: an attacker must already have physical or administrative access to the target system before the exploit can be run. This prerequisite significantly reduces the attack surface but does not remove the risk, because local access is often obtained through social engineering, compromised credentials, or other initial-compromise techniques.
Technically, the vulnerability stems from the component export configuration in AndroidManifest.xml, the file that governs how an application's components interact with the operating system and with other applications. When components are improperly exported, other applications or system processes can reach them without passing any authorization check. Such a misconfiguration can enable privilege escalation, data leakage, or further attacks through the exposed component. The vulnerability aligns with CWE-922, which addresses insufficient export of Android components, and is a direct violation of the principle of least privilege in mobile application security. Android's security model relies heavily on correct manifest configuration to enforce component isolation and prevent unauthorized access to sensitive application functionality.
The operational impact extends beyond simple data exposure: an attacker may be able to manipulate application behavior or extract sensitive information from the IDnow App. Because the vulnerability requires local access, it primarily affects users whose devices have already been compromised or who have inadvertently granted unauthorized access to them. The implications are nevertheless severe, since the IDnow App likely handles sensitive personal identification and verification data, so any unauthorized access to its components could be devastating for user privacy and security. The vendor's lack of response to the early disclosure compounds the risk: users remain unaware of the vulnerability and cannot obtain timely patches or mitigations. This scenario aligns with ATT&CK technique T1068, which covers local system exploitation, and represents a failure in the security supply chain in which vendors do not adequately respond to security disclosures.
Organizations and users should immediately apply mitigations: disable unnecessary application components, review and restrict local access permissions, and monitor for suspicious application behavior. The recommended approach is a comprehensive audit of the AndroidManifest.xml configuration to identify exported components and restrict them properly. Security teams should also consider device access controls, network monitoring, and application whitelisting to reduce the attack surface. The vulnerability demonstrates the importance of correct manifest configuration and of vendor security response processes, as the lack of vendor communication leaves users exposed to potential exploitation. Users should additionally be educated about the risks of granting local access to applications and the importance of keeping applications updated with security patches. The incident highlights the need for robust security disclosure processes and vendor accountability in maintaining application security.
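The following is an added example, not code from VulDB or from the IDnow project, of the manifest audit recommended above. It parses an AndroidManifest.xml, flags every activity, service, receiver or provider that other apps can reach (android:exported="true", or an intent-filter with no explicit android:exported, which was implicitly exported on Android 11 and earlier) and that is not guarded by a permission, and shows a weak manifest beside its hardened counterpart. The package name "com.example.idapp" and all component names are constructed for the demonstration and are not taken from the real IDnow manifest.

```python
import xml.etree.ElementTree as ET

# Namespace used for every android:* attribute in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:<name> attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(comp):
    """True if the component has a LAUNCHER intent-filter: it is the app's
    intended entry point and has to be exported."""
    for f in comp.findall("intent-filter"):
        for cat in f.findall("category"):
            if _attr(cat, "name") == LAUNCHER_CATEGORY:
                return True
    return False


def _is_guarded(comp):
    """True if callers must hold a permission to reach the component."""
    names = ["permission"]
    if comp.tag == "provider":
        names += ["readPermission", "writePermission"]
    return any(_attr(comp, n) for n in names)


def audit_manifest(manifest_xml):
    """Return one finding per component that other apps can reach without
    holding any permission. A component counts as exported when
    android:exported="true", or when android:exported is omitted but an
    <intent-filter> is declared (implicit export on Android 11 and earlier;
    targetSdk 31+ rejects such a manifest at install time)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true" without a permission'
        elif exported is None and has_filter:
            reason = "intent-filter present but android:exported not set (implicitly exported)"
        else:
            continue  # exported="false", or no intent-filter: not reachable
        if _is_launcher(comp) or _is_guarded(comp):
            continue  # intended entry point, or protected by a permission
        findings.append({"tag": comp.tag, "name": _attr(comp, "name"), "reason": reason})
    return findings


# Constructed sample: three components reachable by any app on the device.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.idapp">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DocumentUploadActivity" android:exported="true"/>
    <service android:name=".VerificationService">
      <intent-filter><action android:name="com.example.idapp.VERIFY"/></intent-filter>
    </service>
    <provider android:name=".SessionProvider" android:authorities="com.example.idapp.session" android:exported="true"/>
  </application>
</manifest>"""

# Constructed sample: the same app with exports restricted or permission-guarded.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.idapp">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DocumentUploadActivity" android:exported="false"/>
    <service android:name=".VerificationService" android:exported="true" android:permission="com.example.idapp.permission.VERIFY">
      <intent-filter><action android:name="com.example.idapp.VERIFY"/></intent-filter>
    </service>
    <provider android:name=".SessionProvider" android:authorities="com.example.idapp.session" android:exported="false"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest))
```

Run it against a decoded manifest (for example the output of apktool or aapt2 dump) and treat every finding as a component that needs either android:exported="false" or a signature-level permission; the launcher activity is skipped on purpose, because it must stay exported for the app to be started at all.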