The past month has been dominated by highly publicized vulnerabilities such as ‘Stagefright’, ‘Certifi-gate’, and ‘Deserialization’. However, the August wave of fixes also included many others, one of which in particular has brought us a lot of questions and complaints.
CVE-2015-3833 affects Android 5.0 and higher, and is officially described as follows:
Mitigation bypass of restrictions on getRecentTasks()
A local application can reliably determine the foreground application, circumventing the getRecentTasks() restriction introduced in Android 5.0.
This is rated as a moderate severity vulnerability because it can allow a local app to access data normally protected by permissions with a “dangerous” protection level.
This particular patch was merged into CM sources on August 12th. As a result, apps that relied on obtaining a list of running processes via the now-plugged hole will fail to function properly. This includes (but is not limited to) apps like Greenify, FMR Memory cleaner, Zillow and System Panel [1]. Google’s AOSP r9 release also contains this fix, so most devices receiving a 5.0 or a 5.1 OTA update from manufacturers will also be impacted.
[1] System Panel’s author has put out an updated app that contains a workaround for the blockage.
How to know if you have an affected application
If you take a look at your logcat, apps that are blocked because the vulnerability has been addressed will show an error message containing REAL_GET_TASKS. If you see this in your logs, you have an app that is affected by this protection mechanism.
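The logcat check above can be turned into a per-app summary. The script below is an added example, not code from CyanogenMod or AOSP. It assumes the warning names the caller as "caller <uid>", that a copy of /data/system/packages.list is available for the uid-to-package mapping, and all sample lines and package names in it are constructed.

```shell
#!/bin/sh
# Summarise REAL_GET_TASKS denials found in logcat text.
# Assumption: the warning identifies the app as "caller <uid>"; lines that
# mention REAL_GET_TASKS without that pattern are counted as "unknown".

# Reads logcat text on stdin, prints "<uid> <count>" per caller, sorted.
real_get_tasks_callers() {
    awk '/REAL_GET_TASKS/ {
        uid = "unknown"
        if (match($0, /caller [0-9]+/))
            uid = substr($0, RSTART + 7, RLENGTH - 7)
        hits[uid]++
    }
    END { for (u in hits) print u, hits[u] }' | sort
}

# Maps "<uid> <count>" lines on stdin to package names, using a file in the
# "package uid ..." layout of /data/system/packages.list (readable as root).
# Callers with no entry in the file are printed as "uid:<n>".
resolve_packages() {
    awk 'NR == FNR { pkg[$2] = $1; next }
         { print (($1 in pkg) ? pkg[$1] : "uid:" $1), $2 }' "$1" -
}

# Constructed sample data (not captured from a device).
sample_logcat() {
    cat <<'EOF'
W/ActivityManager(  812): getRunningAppProcesses: caller 10085 does not hold REAL_GET_TASKS; limiting output
I/ActivityManager(  812): Start proc com.example.cleaner for service
W/ActivityManager(  812): getRunningAppProcesses: caller 10085 does not hold REAL_GET_TASKS; limiting output
W/ActivityManager(  812): getTasks: caller 10102 does not hold REAL_GET_TASKS; limiting output
EOF
}
sample_packages_list() {
    cat <<'EOF'
com.example.cleaner 10085 0 /data/data/com.example.cleaner default 3003
com.example.panel 10102 0 /data/data/com.example.panel default none
EOF
}

# Stand-alone run: summarise the constructed sample by uid.
sample_logcat | real_get_tasks_callers
```

On a connected device the same function can read a live dump, for example `adb logcat -d | real_get_tasks_callers`.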
Affected apps will need to implement workarounds as needed.