Android Window Manager Flaw: How Apps Leak Installation Data

What Happened

A critical vulnerability was discovered in Android's Window Manager component that allows attackers to determine whether specific applications are installed on a device—without requesting any permissions. The flaw, tracked as CVE-2023-21348, exploits a side-channel information disclosure vulnerability that leaks app installation status through timing and behavioral patterns.

This isn't a traditional "break-in" attack. Instead, it's a stealthy reconnaissance technique. An attacker or malicious app can query the system and infer whether apps like banking software, security tools, or messaging platforms are installed—all without triggering permission prompts or system alerts.

Originally reported by NIST NVD, this vulnerability affects multiple Android versions and has serious implications for users in India where financial apps, government services, and healthcare platforms are increasingly critical. The attack requires no special execution privileges and doesn't need user interaction, making it particularly dangerous for background exploitation.

Why This Matters for Indian Businesses

If you run a mobile app—whether it's a fintech platform, e-commerce service, or SaaS tool—this vulnerability directly impacts your users' security. Here's why this is critical for Indian SMBs:

Regulatory Impact: Under the Digital Personal Data Protection (DPDP) Act 2023, Indian businesses are responsible for protecting user data. If your app is installed on a device and an attacker exploits CVE-2023-21348 to detect its presence, they're gathering intelligence about users. This falls under "personal data" collection without consent—a direct DPDP violation.

Financial App Targeting: Attackers can detect banking apps, payment platforms, and investment apps. Once they know a user has HDFC Bank or Paytm installed, they can craft targeted phishing attacks, malware, or social engineering campaigns. Indian financial crime is rising—RBI's latest security framework emphasizes app-level security as a priority.

Enterprise Risk: If your SMB develops apps for Indian customers, you're potentially exposing user behavior patterns. An attacker could map which employees use which corporate apps, enabling targeted espionage or supply chain attacks.

CERT-In Obligation: While CERT-In's 6-hour breach notification mandate applies to data breaches, side-channel vulnerabilities like this create a gray area. If exploited at scale, you may need to notify CERT-In depending on your interpretation of "unauthorized access."

Technical Breakdown

How the Attack Works

The vulnerability exploits the Window Manager's activity resolution mechanism. When Android resolves whether an activity (screen/app component) exists, it returns different responses based on whether the app is installed. By measuring response times, monitoring system behavior, or analyzing error patterns, an attacker can infer installation status.

Here's the attack flow:

graph TD
    A[Attacker App Launched] -->|Query Window Manager| B[Request Activity Resolution]
    B -->|App Installed| C[Fast Response / Success]
    B -->|App Not Installed| D[Slow Response / Error]
    C -->|Measure Timing| E[Infer Installation]
    D -->|Measure Timing| E
    E -->|Build Device Profile| F[Target User with Phishing/Malware]
    F -->|Exploit Known Vulnerabilities| G[Compromise Device]

The Technical Root Cause

Android's PackageManager and Activity Manager don't consistently hide information about installed apps when querying without QUERY_ALL_PACKAGES permission. The vulnerability exists in how the Window Manager responds to activity resolution requests—the response patterns differ based on:

1. Whether the app exists (installed vs. not installed)
2. App state (enabled vs. disabled)
3. Permission availability (whether the querying app has visibility)

// Example: Detecting if Paytm is installed without QUERY_ALL_PACKAGES permission

PackageManager pm = getPackageManager();
Intent intent = new Intent("com.paytm.android.app.wallet.MainActivity");

List<ResolveInfo> activities = pm.queryIntentActivities(intent, 0);

if (activities.size() > 0) {
    // Paytm is installed - attacker now knows this
    Log.d("Reconnaissance", "Paytm detected on device");
} else {
    // Paytm is not installed
    Log.d("Reconnaissance", "Paytm not found");
}

While this code looks innocent, the attacker can run it without declaring sensitive permissions, and the app behavior leaks installation data through timing analysis or response codes.

Timing-Based Detection

An even more sophisticated attack uses timing side-channels:

// Timing-based app detection (harder to detect)

long startTime = System.nanoTime();
Intent intent = new Intent();
intent.setComponent(new ComponentName("com.example.bank", 
    "com.example.bank.LoginActivity"));

ResolveInfo info = pm.resolveActivity(intent, 0);
long elapsedTime = System.nanoTime() - startTime;

if (elapsedTime < 5000000) { // Nanoseconds
    // Fast response = app likely installed
} else {
    // Slow response = app likely not installed
}

This technique is nearly impossible to detect without monitoring app behavior at the OS level.

How to Protect Your Business

If you develop Android apps for Indian users, here's your defense strategy:

For App Developers

1. Update Your Minimum SDK Target

Ensure your app targets Android 13 or higher, where Google implemented mitigations:

android {
    compileSdk 34
    defaultConfig {
        targetSdk 34  // Enforce Android 13+ targeting
        minSdk 26     // Minimum safe version
    }
}

2. Declare Proper Permissions

If your app legitimately needs to query other apps, declare it explicitly:

<!-- AndroidManifest.xml -->
<uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />

<!-- Or target specific packages in Android 11+ -->
<queries>
    <package android:name="com.paytm.android.app" />
    <package android:name="com.whatsapp" />
</queries>

3. Validate Inputs Consistently

Never leak response differences based on whether an app exists:

// BAD: Leaks information through different responses
public void checkApp(String packageName) {
    try {
        pm.getPackageInfo(packageName, 0);
        return "Found";  // Different response = leak
    } catch (PackageManager.NameNotFoundException e) {
        return "Not found";  // Attacker detects the difference
    }
}

// GOOD: Consistent response regardless of app existence
public void checkApp(String packageName) {
    try {
        pm.getPackageInfo(packageName, 0);
    } catch (PackageManager.NameNotFoundException e) {
        // Do nothing - don't leak information
    }
    // Always return the same response
    return "Operation complete";
}

For Indian SMBs Using Android Apps

1. Patch Your Devices

If you provide devices to employees, ensure they run the latest Android security patch:

# Check Android version and security patch level
adb shell getprop ro.build.version.release
adb shell getprop ro.build.version.security_patch

2. Restrict App Permissions

Regularly audit which apps have dangerous permissions:

# List all apps with sensitive permissions
adb shell pm list permissions -d

3. Monitor for Suspicious Apps

Uninstall apps that request excessive permissions or come from untrusted sources. In India, prefer apps from official sources like Google Play Store with verified developers.

For Your DPDP Compliance

In my years building enterprise systems, I've seen this pattern repeatedly: companies focus on data breaches but ignore data inference. CVE-2023-21348 is a data inference vulnerability—attackers infer user behavior without stealing data.

Under DPDP Act 2023, you must:

1. Document that your app doesn't leak installation data
2. Notify users if you collect app usage patterns
3. Implement safeguards to prevent side-channel leaks
4. Report to CERT-In if exploited at scale

Book Your Free VAPT Scan → We'll test your Android app (or any web/cloud app) for vulnerabilities like this in 48 hours.

Key Takeaways

1. CVE-2023-21348 allows attackers to detect installed apps without permissions through side-channel attacks
2. This violates DPDP Act 2023 if your app leaks user data through similar mechanisms
3. Update to Android 13+, declare proper permissions, and audit your app's response patterns
4. Indian SMBs must treat app security as a compliance requirement, not an afterthought
5. Regular penetration testing (like Bachao.AI's VAPT Scan) catches these vulnerabilities before attackers do

Originally reported by NIST NVD

Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.

Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.

Frequently Asked Questions

What is CVE-2023-21348? CVE-2023-21348 is an Android security vulnerability that allows attackers to exploit weaknesses in the Android operating system. It was publicly disclosed and patched by Google as part of the Android Security Bulletin.

Why does this affect Indian SMBs? Indian SMBs increasingly rely on Android devices for business operations, from mobile banking to customer communication. Many organizations run BYOD policies with unpatched devices, making them prime targets for attackers exploiting known vulnerabilities like CVE-2023-21348.

How can I protect my organization? Ensure all Android devices in your organization are updated to the latest security patch level. Implement an MDM solution to enforce patch compliance, conduct regular VAPT assessments via platforms like Bachao.AI by Dhisattva AI Pvt Ltd, and align with CERT-In guidelines for incident reporting.

Written by Shouvik Mukherjee, Founder & CEO of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.