Startup private component vulnerability of Android security development

0x00 Private Components talking about

In Android apps, if a component is exported externally, then this component is an attack surface. There is a good chance that there are many problems because an attacker could test the component in a variety of ways. But developers don't necessarily have all the security issues to consider comprehensively.

?

The most convenient way to fix this problem is to make sure that the problematic component is not exported to a private component without affecting the business. This is really effective, and private components are safe. However, if there is a private component that can be started by the exported component, then this private component is not actually private anymore. If an attacker can control a private component by controlling the exported component, the attacker's attack surface is greatly expanded. Not paying attention to this situation can lead to a range of security issues.

Normal Condition:

Private components can be started:

0x01 Startup Private component Principle Analysis

There is a private component A, and a externally exported component, B. If B is able to open private component a based on the contents of the incoming intent, and the intent of the private component A starts from the content of the intent that initiated the Export component B, the attacker can control the private export component A by exporting component B externally. This can pose a serious security risk.

Here is a simple example of some security issues that can arise if you can start a private component.

Privateactivity.class

Obviously, privateactivity is problematic because no exception handling has been done since the value was obtained directly from the intent. If Privateactivity is a private activity, and the development engineer can guarantee that the intent that is passed into the activity must have value, it is not a threat. But if there is another mainactivity, the following:

Then an attacker could execute an attack through a command:

Then the application will crash.

Here is a simple demo to illustrate the problem. If there is a very important logical business in the privateacitivty, then the malicious attacker can control the mainactivity to control the privateactivity, and then control the logical direction inside the privateactivity, Very likely to cause serious harm.

In addition to the above, there is also the case that the intent Scheme URL, if handled improperly, it is also very likely to parse the URI of this exported component to attack the launch of other private components. The essence is the same, this is not discussed here.

0x03 Starting a private component case study

Here is an example of a app7.5.0 version that analyzes the serious problems it causes because it can start a private component. (The app is no longer using the problematic component, and the problematic SDK has already been fixed.)

First, the app has a private component versionupdateactivity:

This private component is used to determine whether the update, if any, will be based on the URL link in the intent to download the corresponding update APK package.

Additionally, the APK has another externally exported component.

During the implementation of the component, through the acquisition of the intent, a series of checks, into the Pushclickedresult function.

In the Pushclickedresult function, the following operations are mainly done:

1, first get the activity in intent

2. Then use this value as the classname of the activity that will start

3. Intent incoming activity to be started

4. Then start the activity

It is clear, then, that an attacker could control all of the private activity of the application by controlling the xgpushactivity.

The POC for attacking the private component versionupdateactivity is as follows:

This command will open versionupdateactivity, if there is an update, then click Update, download will be the URL corresponding content.

0x04 Ali Poly Security Tips for Developers

First, Ali Poly Security has been able to detect such a problem. For the app in the case study above, the results of the Ali-Poly security scanner are as follows:

For such security risks, Alibaba Poly security Recommendations:

1. For components that do not need to be exported externally, please set the exported=false.

2. If the component needs to be exported for various reasons, then check that the component can start other private components based on the intent of the component. If possible, filter and verify the contents of the intent according to the strict control of the business, while the private components that are being launched need to be well protected.

Ali Poly Security | Android Security Development Series articles

Secure use of HTTPS for Android security development

Common signing risk for Android security development

Android Security Development zip file directory traversal

Provider component security for Android security development

On the security development of Android key hard-coded

On Android Security Development Web page open app

On the security development of Android application pit of encryption algorithm

-------------------------------------------------------------------

* Boat sea, stay Fox @ Ali Poly Security, more Ali security technology articles, please visit the official Ali Poly Security Blog

Startup private component vulnerability of Android security development