Android vulnerabilities are sometimes mysterious but many of them have good analogies in web application security. CARF, Cross-Application Request Forgery is a mobile application analogy for the similarly named web vulnerability. I found a vulnerability of this type in the Settings app of the Android framework and will be going through the Java source code in detail and show what an Android vulnerability looks like in general. Google rated this bug as high severity. Android framework and system application vulnerabilities are similar to regular Android application vulnerabilities, but the added complexity introduces a lot of bugs. A misconception that Android vulnerabilities require a malicious application to be installed is shown to not be true, as this vulnerability can be exploited remotely through the browser.