Two Security Issues #241
Description
Your opinion
Hello Developer,
I am writing to report two potential security issues I discovered while using Dhizuku.
Environment Information:
· Device Model: Huawei Enjoy 70x Vitality Edition
· System Version: HarmonyOS 4.2.0.193
· Dhizuku Version: 2.11.1 (the version you published on F-Droid)
Issue 1: Silent Authorization (No Authorization Dialog)
A certain video application was able to obtain Dhizuku permissions silently, without any authorization dialog appearing. I only discovered that it had been authorized after uninstalling the app and checking the authorization list.
Reason for Not Providing the Sample:
The content of that application involves obscene material, and I am concerned that providing the installation package might carry the risk of dissemination. Therefore, I cannot attach the sample – I hope you understand.
Issue 2: MT Manager Does Not Appear in the Authorization List After Being Granted Permission
The well‑known file management tool MT Manager does not show its package name in Dhizuku’s list of authorized applications after it invokes Dhizuku permissions (e.g., when installing an APK via Dhizuku). Users cannot perceive from the list that it holds permissions, which could introduce a hidden security risk.
Sample Available:
MT Manager is a legitimate tool. I can provide its installation package if needed. Its official website is: mt2.cn
Two Suggestions for Your Reference:
- I hope you can examine Dhizuku’s authorization verification mechanism (especially the package name / signature verification part) and the logic that updates the authorization list, to see if there is any possibility of bypass or omission.
- I suggest adding a security option: after a new app is authorized, automatically terminate all Dhizuku processes, requiring the user to manually restart it before it can be used again. In my own environment, this mechanism has proven effective in preventing malicious apps from immediately calling permissions, and it also makes the user aware that a new authorization has occurred.
Thank you for developing and maintaining this useful tool. I wish Dhizuku continued improvement!
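As an added illustration of the check the reporter asks the maintainers to examine (this is example code, not Dhizuku's own implementation, and it makes no claim about how Dhizuku actually performs authorization): a Binder-side caller check that resolves the calling UID to its package(s), compares each package's signing certificate against an allow-list, and refuses a shared UID unless every package on it is authorized. The `CallerVerifier` class, the `allowList` map, and the hex-digest format are assumptions chosen for this example. Because the allow-list is the single structure both the check and any "authorized applications" view would read from, a package that passes this check necessarily appears in the list, which is the property Issue 2 asks for.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Binder
import android.os.Process
import java.security.MessageDigest

// Hypothetical verifier: allowList maps package name -> lowercase hex SHA-256 of the
// APK signing certificate. A real service would persist this; the map is a placeholder.
class CallerVerifier(
    private val context: Context,
    private val allowList: Map<String, String>
) {
    // Returns the authorized package name for the current Binder call, or null to deny.
    // Must be called on the Binder thread handling the transaction so that
    // Binder.getCallingUid() reflects the remote caller rather than this process.
    fun verifyCaller(): String? {
        val uid = Binder.getCallingUid()
        if (uid == Process.myUid()) return context.packageName // call from our own process

        val pm = context.packageManager
        val packages = pm.getPackagesForUid(uid) ?: return null

        // Shared-UID caveat: several packages can share one Linux UID. An authorized
        // package must not lend its UID to an unlisted one, so every package on the
        // UID has to be on the allow-list with a matching certificate.
        for (pkg in packages) {
            val expected = allowList[pkg] ?: return null
            val actual = signingCertSha256(pm, pkg) ?: return null
            if (expected != actual) return null // name matches but certificate does not
        }
        return packages[0]
    }

    // SHA-256 over the DER-encoded signing certificate, or null if the package is
    // missing, unsigned, or signed by more than one certificate (refused for simplicity).
    private fun signingCertSha256(pm: PackageManager, pkg: String): String? {
        val info = try {
            pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES) // API 28+
        } catch (e: PackageManager.NameNotFoundException) {
            return null
        }
        val signers = info.signingInfo?.apkContentsSigners ?: return null
        if (signers.size != 1) return null
        val digest = MessageDigest.getInstance("SHA-256").digest(signers[0].toByteArray())
        return digest.joinToString("") { "%02x".format(it) }
    }
}
```

Keying the allow-list on the certificate digest rather than on the package name alone is the point: a package name is user-chosen and can be reused by an unrelated APK, while the signing certificate cannot be reproduced without the signer's key. Any UI that lists "authorized applications" should iterate the same `allowList` the check consults, so the two cannot disagree.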