Discovering vendor-specific vulnerabilities in Android

Oversecured pointed their code-scanning tool at discovering issues in vendor patches to the Android System APIs and found a number of places where Samsung introduces vulnerabilities.

1. The BackupManagerService’s isBackupEnabled() method in stock Android would perform a android.permission.BACKUP check before returning. Samsung simply added a semIsBackupEnabled() method which does the same but skips the permission check.
2. The StorageManagerService added support for a broadcast action (com.samsung.intent.action.RESTART_OF_SDCARDBADREMOVED_HASAPK) that could be sent by any application and would reboot the device without any permission check.
3. Inside of Settings application as it handles intends, an application can include a boolean from_search_trampoline. Which would then startup the specified activity. As the Settings application runs as System user, they can startup non-exposed activities from any application.