Cisco Bug: CSCvt70955 - Cisco Jabber for Android Call States Protection Levels Enhancement

Last Modified

Jun 29, 2020

Products (1)

  • Cisco Unified Mobile Communicator

Known Affected Releases

12.8(2)

Description (partial)

Symptom:
This is a modification to the Cisco Jabber application for Android to adopt new secure coding best practices that enhance the security posture and resiliency of the product.

Currently, the use of the custom permissions READ_CALL_STATE (protection level: normal) and WRITE_CALL_STATE (protection level: dangerous) is expected behaviour. The purpose of this choice is to export call states to third-party apps and increase interoperability with other applications.
- To read the call state, a third-party app needs to declare the permission in its Android Manifest.
- To write the call state, a third-party app needs the user to grant the permission explicitly.

This defect tracks the enhancement of the protection levels of the READ_CALL_STATE and WRITE_CALL_STATE permissions.
This design choice can lead to a security issue if a user unknowingly grants write permission to a third-party application that may be malicious. This could allow that application to write arbitrary call states in the Cisco Jabber app.

Conditions:
Application running with default configuration.
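
A manifest audit for the condition described above, as an added example that is not Cisco's code: it lists custom permissions whose base protection level is not signature, together with the components they guard. The package name, provider and INTERNAL_SYNC permission are constructed; only the READ_CALL_STATE and WRITE_CALL_STATE names and their levels come from this page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
GUARD_ATTRS = ("permission", "readPermission", "writePermission")
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample of a decoded AndroidManifest.xml. Package, provider and
# INTERNAL_SYNC are hypothetical; the two call-state levels mirror the page.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voip">
  <permission android:name="com.example.voip.permission.READ_CALL_STATE"
              android:protectionLevel="normal"/>
  <permission android:name="com.example.voip.permission.WRITE_CALL_STATE"
              android:protectionLevel="dangerous"/>
  <permission android:name="com.example.voip.permission.INTERNAL_SYNC"
              android:protectionLevel="signature"/>
  <application>
    <provider android:name=".CallStateProvider"
              android:authorities="com.example.voip.callstate"
              android:exported="true"
              android:readPermission="com.example.voip.permission.READ_CALL_STATE"
              android:writePermission="com.example.voip.permission.WRITE_CALL_STATE"/>
  </application>
</manifest>"""

def audit_custom_permissions(manifest_xml):
    """Return [(permission, base_level, [guarded components])] for custom
    permissions that apps signed with a different certificate can obtain."""
    root = ET.fromstring(manifest_xml.strip())
    findings = []
    for perm in root.iter("permission"):
        name = perm.get(ANDROID_NS + "name")
        # Android treats a missing protectionLevel as "normal".
        level = perm.get(ANDROID_NS + "protectionLevel", "normal")
        base = level.split("|")[0].strip()  # drop flags such as "|privileged"
        if base in ("signature", "signatureOrSystem"):
            continue  # limited to same-certificate (or platform) apps
        guarded = [comp.get(ANDROID_NS + "name")
                   for tag in COMPONENT_TAGS for comp in root.iter(tag)
                   if name in (comp.get(ANDROID_NS + a) for a in GUARD_ATTRS)]
        findings.append((name, base, guarded))
    return findings

if __name__ == "__main__":
    for name, base, guarded in audit_custom_permissions(SAMPLE_MANIFEST):
        print(f"{name}: protectionLevel={base}, guards {guarded or 'nothing'}")
```
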