Android security detection - Intent Scheme URLs attack risk

In this chapter, we will learn about the "Intent Scheme URLs attack risk". Online articles introduce this risk in almost identical terms, so this article will explain clearly how the risk arises and how to counter it.

1. Vulnerability principle

Using intent scheme URLs (intent protocol URLs), an intent can be sent from a web page to launch an app. An attacker can construct a URL in a special format to send an intent directly to the system, launch an Activity component of the app, or deliver abnormal data, resulting in the leakage of the application's sensitive information or a crash of the application.
As can be seen from the above description, there is a risk whenever the operation "sending an intent from a web page to launch an app" is not filtered and validated. Let's break that sentence down.
(1) Web page: generally refers to the app under test, i.e. the app under test has browser functionality and supports the Intent Scheme protocol, so it acts as a bridge. Of course, if the app uses the Intent.parseUri method and the URI comes from external input, the vulnerability can occur even without browser functionality.
(2) Launching an app: generally, an exposed Activity component of any app is launched.

To sum up: the Intent Scheme URLs attack risk is generally exploited in combination with other vulnerabilities, for example: Intent Scheme URLs attack + exposed Activity component = denial of service (app crash), WebView-related vulnerabilities (loading malicious pages, remote code execution, etc.), silent app download and installation, and so on. If the app under test has an intent scheme URLs vulnerability, then any app on the device with a related vulnerability can be attacked maliciously through that Intent Scheme URLs vulnerability.

2. Pre-knowledge

The vulnerability principle tells us the cause of the vulnerability; now let's go over some knowledge related to it.
(1) Intent Scheme protocol:
The Intent protocol lets a URI loaded by the browser (WebView) jump to a specified page of an app. Generally the Intent.parseUri(String uri, int flags) method is used to construct the Intent; the value of the second parameter determines how the scheme URI is parsed, roughly as follows:
a. Intent.URI_INTENT_SCHEME: commonly used; the URI form is similar to scheme://host:port/path
b. Intent.URI_ANDROID_APP_SCHEME: the URI form is similar to android-app://{package_id}[/{scheme}[/{host}[/{path}]]][#Intent;{...}]
c. Intent.URI_ALLOW_UNSAFE: generally not used; not very safe

(2) android.intent.category.BROWSABLE:
android.intent.category.BROWSABLE means that a browser is allowed to open the app's Activity under certain conditions, for example:

<activity
    android:name=".MainActivity"
    android:launchMode="singleTask">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.BROWSABLE" />
        <category android:name="android.intent.category.DEFAULT" />
        <!-- the data part can be set freely, e.g. test://aaa.com:8088/from?type=abcd -->
        <data android:scheme="test"
            android:host="aaa.com"
            android:path="/from"
            android:port="8088"/>
    </intent-filter>
</activity>

Calling Intent.parseUri("test://aaa.com:8088/from?type=abcd", Intent.URI_INTENT_SCHEME) constructs an Intent that starts MainActivity.

3. Detection methods

step1: Scan the whole code base for uses of Intent.parseUri.
step2: If the URI comes from external input and Intent.parseUri is used, the resulting Intent must be strictly filtered: check that at least the three measures addCategory("android.intent.category.BROWSABLE"), setComponent(null) and setSelector(null) are applied to it. If the URI is hardcoded in the code, perform a vulnerability test for that URI.
step3: Summarize the results.

4. Repair method

1. If the Intent.parseUri method is used, the acquired intent must be strictly filtered: it must at least have the three measures addCategory("android.intent.category.BROWSABLE"), setComponent(null) and setSelector(null) applied.
2. Intents from external sources must be strictly filtered, and a whitelist can also be set up.
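As an added example (not code from the original article), a hypothetical WebViewClient that forwards an intent scheme URL first the unsafe way and then with the repair measures above applied; the class name and the single-scheme whitelist are assumptions:

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.net.URISyntaxException;

// Hypothetical WebViewClient (not from the article): unsafe forwarding beside the hardened one.
public class IntentSchemeWebViewClient extends WebViewClient {
    // Whitelisted data scheme this app is willing to forward (assumption).
    private static final String ALLOWED_SCHEME = "test";

    // Unsafe: the parsed Intent is forwarded unchanged, so an attacker-controlled page can
    // name an explicit component (or a selector carrying one) and reach any exported Activity.
    static void unsafeHandle(Context ctx, String url) throws URISyntaxException {
        Intent intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        ctx.startActivity(intent);
    }

    // Hardened: the three measures from the repair method, plus a scheme whitelist.
    static boolean safeHandle(Context ctx, String url) {
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return false;                                 // malformed URI: drop it
        }
        if (!ALLOWED_SCHEME.equals(intent.getScheme())) {
            return false;                                 // scheme not on the whitelist
        }
        intent.addCategory(Intent.CATEGORY_BROWSABLE);    // only browser-openable activities
        intent.setComponent(null);                        // no explicit component targeting
        intent.setSelector(null);                         // a selector could smuggle one back in
        PackageManager pm = ctx.getPackageManager();
        if (pm.resolveActivity(intent, PackageManager.MATCH_DEFAULT_ONLY) == null) {
            return false;                                 // no activity can legitimately receive it
        }
        ctx.startActivity(intent);
        return true;
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (url.startsWith("intent:") || url.startsWith(ALLOWED_SCHEME + ":")) {
            safeHandle(view.getContext(), url);
            return true;                                  // consumed: never load it in the WebView
        }
        return false;
    }
}
```

With the manifest above, the URL test://aaa.com:8088/from?type=abcd still reaches MainActivity through safeHandle, while a URL carrying an explicit component for another app's exported Activity is stripped of that component before being sent.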


Origin blog.csdn.net/qq_35993502/article/details/121350724