CVE-2024-0245 identifies a vulnerability in the hamza417/inure Android application caused by incorrect default permissions configured in the AndroidManifest.xml file prior to build97. Specifically, the misconfiguration allows task hijacking, where a malicious application can impersonate or intercept tasks intended for the legitimate Inure app. This occurs because exported components or activities within the app are not properly protected, enabling other apps to inherit permissions or interact with the vulnerable app's components without proper authorization. The vulnerability affects all Android versions before Android 11, as later versions introduced stricter permission enforcement and component export restrictions. An attacker can exploit this by developing a malicious app that, once installed by the user, hijacks the Inure app’s tasks and intercepts sensitive information, leading to confidentiality breaches. The CVSS 3.0 score of 5.5 (medium) reflects the local attack vector requiring user interaction but no privileges, with high confidentiality impact but no integrity or availability impact. No known exploits have been reported in the wild, but the vulnerability presents a realistic risk especially in environments where users may install apps from untrusted sources. The root cause is CWE-276 (Incorrect Default Permissions), highlighting the importance of secure manifest configuration in Android app development. Remediation requires developers to review and restrict exported components and permissions in the manifest and to implement proper intent filters and permission checks.

For European organizations, the primary impact of this vulnerability is the potential exposure of sensitive information on Android devices running versions prior to Android 11. Organizations that rely on the hamza417/inure app for any business or personal use could see confidentiality compromised if attackers deploy malicious apps that hijack the legitimate app’s tasks. This could lead to data leakage, privacy violations, and potential compliance issues under GDPR if personal data is exposed. Although the vulnerability does not affect integrity or availability, the confidentiality breach alone can have significant reputational and legal consequences. The requirement for user interaction (installing a malicious app) somewhat limits the attack surface, but social engineering or supply chain attacks could increase risk. Since many European enterprises and users still operate older Android devices, the threat remains relevant. Additionally, sectors with high mobile device usage such as finance, healthcare, and government could be particularly sensitive to such data exposure.

1. Developers should immediately audit the AndroidManifest.xml file in hamza417/inure to identify and restrict exported components that do not require external access. 2. Apply the principle of least privilege by setting android:exported="false" for activities, services, and receivers that should not be accessible by other apps. 3. Implement explicit permission checks on components that must be exported, using custom permissions or system permissions to restrict access. 4. Update the app to target Android 11 or higher SDK levels to benefit from enhanced platform security features. 5. Educate users and administrators to avoid installing apps from untrusted sources and to verify app authenticity. 6. Employ mobile device management (MDM) solutions to control app installations and enforce security policies on corporate devices. 7. Monitor app behavior and network traffic for signs of task hijacking or unusual data flows. 8. Encourage users to upgrade their Android OS to version 11 or later where possible to reduce exposure. 9. Maintain an incident response plan to address potential data exposure incidents stemming from this vulnerability.