The Permission Slip Attack — Leveraging a Confused Deputy in Android with 'pSlip'
Edward Warren
ShmooCon XX (Final) · Day 2 · Build It
Edward Warren's ShmooCon 2025 talk, "The Permission Slip Attack," unveils a critical vulnerability pattern in Android applications that leverages the **confused deputy** problem. This attack allows an unprivileged, malicious application to coerce a trusted, privileged application into performing sensitive actions, specifically placing phone calls, without the user's explicit consent and without the attacker's app holding the `CALL_PHONE` permission. Warren introduces `pSlip`, a specialized toolkit designed to identify applications vulnerable to this class of intent injection, along with other insecure coding practices such as exploitable JavaScript-scheme handling and hardcoded cryptographic keys.
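The deputy pattern the abstract describes, shown as an added example in Java; this is not code from the talk or from `pSlip`. The activity, its extra name `phone`, and the two helper methods are assumptions made for illustration. The first method is the weak form: an exported component that turns any caller-supplied number into an `ACTION_CALL` with the host app's own `CALL_PHONE` permission. The second is the hardened form: it validates the number and uses `ACTION_DIAL`, which needs no permission and leaves the user to press the call button; the component should additionally be marked `android:exported="false"` (or guarded by a signature-level permission) in the manifest so other packages cannot reach it at all.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.telephony.PhoneNumberUtils;

// Hypothetical activity inside a privileged app that holds CALL_PHONE.
// The extra name "phone" is an assumption for this example.
public class CallActivity extends Activity {
    static final String EXTRA_NUMBER = "phone";

    // Confused deputy: if this activity is exported, any installed app can
    // deliver an Intent carrying a number, and the call is placed under THIS
    // app's CALL_PHONE grant with no prompt to the user.
    void placeCallVulnerable(String number) {
        Intent call = new Intent(Intent.ACTION_CALL, Uri.fromParts("tel", number, null));
        startActivity(call);
    }

    // Hardened: reject malformed input and hand the number to the dialer with
    // ACTION_DIAL, which requires no permission and requires an explicit user
    // tap before any call is made. Pair this with android:exported="false"
    // in the manifest so the component is not reachable by other packages.
    void placeCallHardened(String number) {
        if (number == null || !PhoneNumberUtils.isGlobalPhoneNumber(number)) {
            return; // drop anything that is not a plausible phone number
        }
        Intent dial = new Intent(Intent.ACTION_DIAL, Uri.fromParts("tel", number, null));
        startActivity(dial);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Only the hardened path is wired up; the vulnerable method is kept
        // solely to show the pattern a tool like pSlip would flag.
        placeCallHardened(getIntent().getStringExtra(EXTRA_NUMBER));
        finish();
    }
}
```

When reviewing an app for this pattern, the two things to check are the manifest (is the component exported, and if so, is it protected by a permission) and whether an Intent extra flows into `ACTION_CALL` without validation; either condition alone is enough to make the component a usable deputy.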
AI review
Warren presents a clear dissection of the "Permission Slip" attack, a specific instance of a confused deputy vulnerability in Android applications leveraging misconfigured `ACTION_CALL` intents. He demonstrates how unprivileged apps can force privileged apps to make phone calls without explicit user consent, backed by a custom tool, `pSlip`, that has already identified numerous vulnerable applications and recent CVEs. This is a practical, high-impact finding that highlights critical developer oversights.