On the development of Android Application Security

Date: 2020-10-29

1. Introduction to opening an app from the web

Android has a feature that lets a link on a web page open an app, or lets a link inside one app open another app (an app link). Some apps with a large user base have already released their own app link SDKs; developers must apply for the corresponding qualification and configure the relevant settings before using them. All of these are implemented through custom URI schemes, and behind them is Android's intent mechanism. Google's official document "Android Intents with Chrome" [1] describes two ways of opening an app from the Chrome browser on Android: a custom URI scheme, and an intent-based URI.

The first form, the custom URI scheme, looks like this:
[image: custom URI scheme format]

The syntax of the second form, the intent-based URI, is as follows:
[image: intent-based URI syntax]

Because the second form is generally a special case of the first, many articles call the second form the "intent scheme URL", but that term does not appear in Google's official documentation.

Note: when a custom URI scheme is used to pass data to an app, the data can only be carried in the URI's parameters; it cannot be taken for granted that scheme://host#intent;parameter;end will construct intent data that is passed to the app. See the description in Section 3.1.
In addition, the relevant options must be configured in the app's AndroidManifest.xml before a web page can open the app, as described below.

2. Opening an app with a custom scheme URI

2.1 Basic usage

Requirement: open an app from a web page and pass some data to the app through URL parameters.
Suppose the custom scheme is:
[image: custom scheme definition]
Note: the URI must be UTF-8 and URI-encoded.

The web page is written as follows:
[image: HTML link using the custom scheme]

For the app to receive the activity request from the web page, the corresponding action, category and data scheme must be declared in the activity's intent filter in AndroidManifest.xml.
If the information from the web page is received in MainActivity, AndroidManifest.xml contains the following:
[image: intent filter in AndroidManifest.xml]

Code in MainActivity for receiving the intent and obtaining the corresponding parameters:
[image: MainActivity code]

In addition, several APIs obtain related information:
getIntent().getScheme(); // get the scheme name
getIntent().getDataString(); // get the complete URI as a string
getIntent().getData().getHost(); // get the host (getHost() is a method of Uri, not of Intent)

2.2 Risk example

A common pattern is for the app to build a new intent from the data it received from the web page and send it to another component that uses the data. For example, a WebView-based activity loads a URL that came from the web page. If the URL comes from a parameter of the URL scheme, such as: jaq://jaq.alibaba.com?load_url=http://www.taobao.com.

If the app does not check the value of load_url, an attacker can construct a phishing website, induce users to click a link whose load_url points at it, and then steal user information.

Following the example in 2.1, create a new WebViewActivity component that gets load_url from the intent and loads it in a WebView:
[image: WebViewActivity code]

Modify the MainActivity component to get the load_url parameter value from the web page's URL, generate a new intent and pass it to WebViewActivity:
[image: MainActivity code]

Web page:
[image: HTML page with the scheme link]

Phishing page:
[image: phishing page]

Clicking "open phishing website" enters the app, and the app loads the phishing site:
[image: app screenshot loading the phishing site]

This example shows that:
When loading load_url in a WebView, the app should use a whitelist, tailored to its own business, to filter data coming from the web page; a blacklist is easily bypassed.
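The following Java is an added example (not the article's own code) covering the receiving side of 2.1 and the whitelisted WebViewActivity that 2.2 calls for: MainActivity reads load_url from the jaq:// scheme URI and forwards it, and WebViewActivity loads it only if the host is on an allowlist. The class names and the allowlisted hosts are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;

// Receives jaq://jaq.alibaba.com?load_url=... via the manifest intent filter of 2.1.
public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri data = getIntent().getData();          // the full custom-scheme URI
        String loadUrl = data == null ? null : data.getQueryParameter("load_url");
        Intent next = new Intent(this, WebViewActivity.class);
        next.putExtra("load_url", loadUrl);        // forwarded, still untrusted
        startActivity(next);
    }
}

class WebViewActivity extends Activity {
    // Hosts the app may open in its WebView (assumed list for this example).
    private static final List<String> ALLOWED_HOSTS =
            Arrays.asList("www.taobao.com", "jaq.alibaba.com");
    // Allowlist check: absolute http(s) URL whose host matches exactly.
    static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme(), host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) return false;
        // Exact match rejects "www.taobao.com.evil.example" and
        // "http://www.taobao.com@evil.example/" (its host is evil.example).
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        String loadUrl = getIntent().getStringExtra("load_url");
        // The vulnerable version in 2.2 is simply: webView.loadUrl(loadUrl);
        if (isAllowed(loadUrl)) {
            webView.loadUrl(loadUrl);
        } else {
            finish();                              // off the allowlist: refuse
        }
    }
}
```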

2.3 Aliju Security's suggestions to developers

1. Any place where the app receives external input is a potential attack point. Filter and check the parameters coming from the web page.

2. Do not transmit sensitive information through the web page. To guide users who are already logged in on the website into the app, some websites use scripts to dynamically generate URL scheme parameters that include the user name, password, login-state token or other sensitive information, so that the user opens the app and is logged in directly. A malicious application can register the same URL scheme and intercept this sensitive information. The Android system lets the user choose which app opens the link, but an inattentive user may open it with the malicious application, resulting in disclosure of sensitive information or other risks.

3. Opening an app with an intent-based URI

3.1 Basic usage

Intent-based URI syntax:
[image: intent-based URI syntax]

Note: the first letter of the second "intent" (the "#Intent;" part) must be capitalized, otherwise the app will not be opened successfully.

How can the intent for the web page be constructed correctly and quickly?
First create an Android demo app, construct in the normal way the Intent object that opens the target component, and then call the intent's toUri() method to get the URI string representation of the Intent object. That string is already UTF-8 and URI-encoded and can be copied directly into the web page; remember to prefix it with "intent:".

For example:
[image: demo code constructing the intent]

Result:
[image: output of toUri()]

S.load_url carries the data placed in the Intent object with putExtra(). Other data types can be tried one by one. If the Intent object in the demo cannot be delivered to the activity or other component of the target app, it is also impossible to open the app with a URI from the web page; writing a demo this way makes it easy to find errors.

The declaration in the app's AndroidManifest.xml is exactly the same as the one on the app side in Section 2.1. For an intent received in URI form, the intent's parseUri() method is generally used to parse it and generate a new Intent object. If this is not handled properly, it leads to an intent scheme URL attack.

Why can't scheme://host#intent;parameter;end be used to construct the intent data passed to the app?
An intent in this form is not parsed as an intent by Android directly. The whole scheme string can be obtained with the intent's getDataString() method.
For example:
[image: web page link using the scheme://host#intent form]

Getting the data in the app:
[image: code reading getDataString()]

The result is as follows:
[image: log output]

As the figure shows, the Android system automatically attaches its default intent to the custom URI scheme.

To parse it correctly, the intent's parseUri() method must also be used on the data obtained from getDataString(), for example:
[image: parseUri code]

3.2 Risk examples

Regarding the risks of intent-based URIs, I think the two articles "Android intent scheme URLs attack" and "Intent scheme URL attack" are very well written. They have basically said everything that should be said, so I won't say more; have a look at those two articles.

3.3 Aliju Security's suggestions to developers

The two articles above give a safe way to use the intent scheme URL:
[image: safe usage code]

Beyond that practice, do not trust any intent that comes from a web page; for safety, filter and check any such intent before using it.
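As an added example (not code from the original article or from the articles it cites), the Java below walks through 3.1 and 3.3 together: building the web-side string with toUri(), recovering an intent from a scheme://host#Intent;...;end link by calling parseUri() on getDataString(), and then neutralising the parsed intent with the commonly recommended hardening steps before acting on it. The package and component names are assumptions.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class IntentUriDemo extends Activity {
    // Step 1 (3.1): build the intent normally in a demo app and let toUri() produce
    // the encoded "#Intent;...;end" string for the web page (assumed component name).
    static String buildWebUri() {
        Intent intent = new Intent(Intent.ACTION_VIEW);
        intent.setClassName("com.example.jaqdemo", "com.example.jaqdemo.WebViewActivity");
        intent.putExtra("load_url", "http://www.taobao.com");  // appears as S.load_url=...
        // toUri(0) yields "#Intent;action=...;component=...;S.load_url=...;end";
        // prefix "intent:" (or "intent://host/path") before putting it in the page.
        return "intent:" + intent.toUri(0);
    }

    // Step 2 (3.1): a custom-scheme link such as jaq://host#Intent;...;end arrives as
    // plain data; getDataString() returns the whole string and parseUri() decodes it.
    static Intent parseFromScheme(Intent received) throws java.net.URISyntaxException {
        String raw = received.getDataString();
        return raw == null ? null : Intent.parseUri(raw, Intent.URI_INTENT_SCHEME);
    }

    // Step 3 (3.3): neutralise the parsed intent before forwarding it, so a web page
    // cannot target arbitrary (non-exported) components; resolution then goes by
    // action/data/category among BROWSABLE activities only.
    static Intent sanitize(Intent parsed) {
        parsed.addCategory(Intent.CATEGORY_BROWSABLE); // only browsable activities
        parsed.setComponent(null);                     // no explicit component targeting
        parsed.setSelector(null);                      // a selector could smuggle a component
        return parsed;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        try {
            Intent parsed = parseFromScheme(getIntent());
            if (parsed == null) { finish(); return; }
            Intent safe = sanitize(parsed);
            // Business-specific filtering is still required (2.3/3.3): e.g. allowlist
            // the action and the load_url extra before acting on the intent.
            startActivityIfNeeded(safe, -1);
        } catch (java.net.URISyntaxException | ActivityNotFoundException e) {
            finish();
        }
    }
}
```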

4. References

[1] Android Intents with Chrome, https://developer.chrome.com/multidevice/android/intents
[2] Intent scheme URL attack, http://drops.wooyun.org/papers/2893
[3] Android Application Secure Design/Secure Coding Guidebook, http://www.jssec.org/dl/android_securecoding_en.pdf
[4] Handling App Links, http://developer.android.com/intl/zh-cn/training/app-links/index.html
[5] Android M App Links: implementation, defects and solutions, http://www.jcodecraeer.com/a/anzhuokaifa/androidkaifa/2015/0718/3200.html
[6] Android intent scheme URLs attack, http://blog.csdn.net/l173864930/article/details/36951805

Authors: Yiqiao, Daihu, Zhouhai @ Ali Mobile Security. For more technical articles, see the Aliju Security blog.