
CVE-2020-0023: Android Information Disclosure Vulnerability

CVE-2020-0023 is an information disclosure vulnerability in Google Android that allows unauthorized access to user contacts via Bluetooth. This article covers technical details, affected versions, impact, and mitigation.


CVE-2020-0023 Overview

CVE-2020-0023 is an information disclosure vulnerability in Android 10's Bluetooth stack. The flaw exists in the setPhonebookAccessPermission method of AdapterService.java. A missing permission check allows a malicious local application to grant itself access to user contacts over a Bluetooth connection. Exploitation requires local access with user execution privileges but no user interaction. The vulnerability is classified under CWE-862: Missing Authorization.

Critical Impact

A malicious app with local execution can silently enable Bluetooth phonebook access and exfiltrate the device owner's contacts without prompting the user.

Affected Products

  • Google Android 10
  • Android Open Source Project (AOSP) Bluetooth stack
  • Android ID: A-145130871


Technical Details for CVE-2020-0023

Vulnerability Analysis

The vulnerability resides in AdapterService.java, the central service that manages Android's Bluetooth adapter state and permissions. The setPhonebookAccessPermission method is intended to control which paired Bluetooth devices may access the Phone Book Access Profile (PBAP). PBAP exposes the device's contact list to remote Bluetooth peers such as car infotainment systems and headsets.

The method fails to verify that the caller holds BLUETOOTH_PRIVILEGED, a signature|privileged permission that ordinary third-party apps cannot obtain, before modifying the access grant. As a result, any installed app holding only normal-level Bluetooth permissions can set the phonebook access state for a paired device to "allowed". Because the grant is written directly into the service's stored per-device permissions, the change bypasses the consent dialog that Android normally shows the user when a paired peer first requests contact access.

An attacker pairs a Bluetooth peripheral they control with the victim device, or reuses an existing pairing, then calls the unprotected interface from a low-privilege local app to grant that peer phonebook access. The peripheral then connects as a PBAP client and retrieves the full contact list. Note that pairing itself normally requires the user to confirm a pairing request; the "no user interaction" rating in the advisory refers to the permission change, which is the step the missing check fails to gate.

Root Cause

The root cause is a missing authorization check (CWE-862). The setPhonebookAccessPermission API was exposed without enforcement of the privileged Bluetooth permission gate that protects other sensitive Bluetooth state mutations. Android's service-side permission model relies on each exposed service method calling enforceCallingOrSelfPermission (or an equivalent check against the calling UID) at the Binder boundary, because that boundary is the only place the caller's identity can be verified; this enforcement was absent on the affected code path, so the grant was written for whoever called.
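As an added illustration (not the AOSP source and not code from the original page), the following simplified Java models the shape of the vulnerable entry point beside the hardened one. CallerContext, PhonebookAccessExample and the in-memory grant map are assumptions standing in for the service's Context and its stored per-device permissions; the vulnerable variant is modeled as gating only on the normal-level BLUETOOTH_ADMIN permission, an assumption consistent with the page's statement that standard Bluetooth permissions were sufficient.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class PhonebookAccessExample {
    // Same values as BluetoothDevice.ACCESS_UNKNOWN / ACCESS_ALLOWED / ACCESS_REJECTED.
    static final int ACCESS_UNKNOWN = 0;
    static final int ACCESS_ALLOWED = 1;
    static final int ACCESS_REJECTED = 2;

    static final String BLUETOOTH_ADMIN = "android.permission.BLUETOOTH_ADMIN";
    static final String BLUETOOTH_PRIVILEGED = "android.permission.BLUETOOTH_PRIVILEGED";

    /** Assumed stand-in for the service's Context: the permissions the calling UID holds. */
    static final class CallerContext {
        private final Set<String> held;

        CallerContext(String... perms) {
            held = new HashSet<>(Arrays.asList(perms));
        }

        /** Mirrors Context.enforceCallingOrSelfPermission: throws when the caller lacks perm. */
        void enforceCallingOrSelfPermission(String perm, String message) {
            if (!held.contains(perm)) {
                throw new SecurityException(message + " (missing " + perm + ")");
            }
        }
    }

    /** Per-device phonebook access grants keyed by Bluetooth address (in-memory stand-in). */
    private final Map<String, Integer> phonebookAccess = new HashMap<>();

    /**
     * VULNERABLE shape: gated only on a normal-level permission that any app can
     * declare in its manifest, so a malicious app can grant a peer ACCESS_ALLOWED.
     */
    boolean setPhonebookAccessPermissionVulnerable(CallerContext caller, String address, int value) {
        caller.enforceCallingOrSelfPermission(BLUETOOTH_ADMIN, "Need BLUETOOTH ADMIN permission");
        phonebookAccess.put(address, value);
        return true;
    }

    /**
     * HARDENED shape: BLUETOOTH_PRIVILEGED is signature|privileged, so only system
     * components pass this check; a third-party app gets a SecurityException and
     * the grant is never written.
     */
    boolean setPhonebookAccessPermissionFixed(CallerContext caller, String address, int value) {
        caller.enforceCallingOrSelfPermission(BLUETOOTH_PRIVILEGED, "Need BLUETOOTH PRIVILEGED permission");
        phonebookAccess.put(address, value);
        return true;
    }

    int getPhonebookAccessPermission(String address) {
        return phonebookAccess.getOrDefault(address, ACCESS_UNKNOWN);
    }

    public static void main(String[] args) {
        String peer = "00:11:22:33:44:55"; // constructed address of an attacker-controlled paired peer
        // A normal app: it can declare BLUETOOTH and BLUETOOTH_ADMIN, never BLUETOOTH_PRIVILEGED.
        CallerContext maliciousApp = new CallerContext("android.permission.BLUETOOTH", BLUETOOTH_ADMIN);

        PhonebookAccessExample before = new PhonebookAccessExample();
        before.setPhonebookAccessPermissionVulnerable(maliciousApp, peer, ACCESS_ALLOWED);
        System.out.println("vulnerable service: access for peer = " + before.getPhonebookAccessPermission(peer));

        PhonebookAccessExample after = new PhonebookAccessExample();
        try {
            after.setPhonebookAccessPermissionFixed(maliciousApp, peer, ACCESS_ALLOWED);
        } catch (SecurityException e) {
            System.out.println("fixed service: rejected (" + e.getMessage() + ")");
        }
        System.out.println("fixed service: access for peer = " + after.getPhonebookAccessPermission(peer));
    }
}
```

On a real device the role of CallerContext is played by the service's own Context, and enforceCallingOrSelfPermission consults Binder.getCallingUid(). The check has to live in the service process: a check placed only in the client-side BluetoothDevice wrapper would be skipped by any app that obtains the IBluetooth binder and calls the interface directly.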

Attack Vector

Exploitation requires a malicious app installed on the Android 10 device. The app does not need the privileged permission it bypasses, and it does not require user interaction. The attacker pre-pairs a Bluetooth device or leverages an existing pairing, then invokes the vulnerable method to silently grant PBAP access. The remote Bluetooth peer then pulls contacts over the air. See the Android Security Bulletin February 2020 for the official advisory.

Detection Methods for CVE-2020-0023

Indicators of Compromise

  • Unexpected "allowed" phonebook access grants for paired devices in the Bluetooth service's stored per-device permissions (kept under the com.android.bluetooth app data directory; reading them requires root, so this check is practical only on engineering builds or forensic images).
  • Outbound PBAP (Phone Book Access Profile) connections to unknown or unexpected Bluetooth peers.
  • Installed applications that hold BLUETOOTH and BLUETOOTH_ADMIN permissions but exhibit no legitimate Bluetooth use case.

Detection Strategies

  • Audit installed apps on Android 10 fleet devices for references to setPhonebookAccessPermission (via reflection on BluetoothDevice or direct use of the IBluetooth Binder interface) through static analysis of APKs.
  • Monitor Mobile Device Management (MDM) telemetry for Bluetooth pairing events on devices that should not have peripherals attached.
  • Review Android system logs (logcat) from the Bluetooth process (com.android.bluetooth) for phonebook access changes that were not preceded by the user-facing consent dialog; whether the service logs the call itself depends on the OEM build's debug logging.

Monitoring Recommendations

  • Enroll Android 10 endpoints in an MDM solution and enforce a minimum patch level of February 2020 or later.
  • Alert on installation of unsigned or sideloaded APKs that request Bluetooth permissions.
  • Track Bluetooth pairing and PBAP session events through enterprise mobility telemetry where available.

How to Mitigate CVE-2020-0023

Immediate Actions Required

  • Apply the February 2020 Android security patch level (2020-02-01) or later to all Android 10 devices.
  • Replace Android 10 devices whose vendor no longer ships security updates with devices on a supported Android release.
  • Remove untrusted or sideloaded applications that request Bluetooth permissions without justification.

Patch Information

Google addressed the issue in the Android Security Bulletin February 2020 by adding the missing permission enforcement to setPhonebookAccessPermission in AdapterService.java. Devices reporting a Security Patch Level of 2020-02-01 or higher contain the fix. OEM-specific builds may release the patch on later dates; consult the device vendor for the precise build identifier.

Workarounds

  • Disable Bluetooth on affected devices when not actively in use to eliminate the attack surface.
  • Unpair all non-essential Bluetooth peripherals and review the paired device list regularly.
  • Restrict app installation to Google Play and block sideloading through enterprise policy.
```bash
# Verify the Android security patch level on a device via ADB
patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
# Patch levels are ISO dates, so a string comparison orders them correctly
if [[ "$patch" < "2020-02-01" ]]; then echo "VULNERABLE: patch level $patch predates 2020-02-01"
else echo "PATCHED: patch level $patch (2020-02-01 or later)"; fi
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
