Android fixed two bugs in the Add Account code, to which retme gave the catchy names LaunchAnywhere and BroadAnywhere (references 1, 2). This article follows the ideas of those predecessors to learn how the bugs work and how they are exploited.
Let's look at the code in the Settings source that adds an account, to understand how the bugs arise.
/packages/apps/Settings/src/com/android/settings/accounts/AddAccountSettings.java, onCreate:
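    public void onCreate(Bundle savedInstanceState) {
        ...
        final Intent intent = new Intent(this, ChooseAccountActivity.class);
        ...
        if (accountTypes != null) {
            intent.putExtra(AccountPreferenceBase.ACCOUNT_TYPES_FILTER_KEY, accountTypes);
        }
        startActivityForResult(intent, CHOOSE_ACCOUNT_REQUEST);
    }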
onCreate calls startActivityForResult to start the "Add account" activity. After the user selects an account type, ChooseAccountActivity calls back into onActivityResult:
    public void onActivityResult(int requestCode, int resultCode, Intent data) {
        ...
        case CHOOSE_ACCOUNT_REQUEST:
            ...
            // Go to account setup screen. finish() is called inside mCallback.
            addAccount(data.getStringExtra(EXTRA_SELECTED_ACCOUNT));
            break;
Next, the addAccount function:
    private void addAccount(String accountType) {
        ...
        mPendingIntent = PendingIntent.getBroadcast(this, 0, new Intent(), 0);
        addAccountOptions.putParcelable(KEY_CALLER_IDENTITY, mPendingIntent);
        addAccountOptions.putBoolean(EXTRA_HAS_MULTIPLE_USERS, Utils.hasMultipleUsers(this));
        AccountManager.get(this).addAccount(
                accountType,
                null, /* authTokenType */
                null, /* requiredFeatures */
                addAccountOptions,
                null,
                mCallback,
                null /* handler */);
        mAddAccountCalled = true;
    }
Note that the new Intent() here is the cause of the BroadAnywhere bug, which will be analyzed carefully below. Reading the source shows that AddAccountSettings.addAccount is in turn implemented by AccountManager.addAccount. /frameworks/base/core/java/android/accounts/AccountManager.java, addAccount:
    public AccountManagerFuture<Bundle> addAccount(final String accountType, ...) {
        ...
        if (addAccountOptions != null) {
            optionsIn.putAll(addAccountOptions);
        }
        return new AmsTask(activity, handler, callback) {
            public void doWork() throws RemoteException {
                mService.addAccount(mResponse, accountType, authTokenType,
                        requiredFeatures, activity != null, optionsIn);
            }
        }.start();
    }
At addAccount the trail seems to go cold, but the source of AmsTask's start function shows that it calls doWork. So in essence it executes mService.addAccount (back on track), and mService is AccountManagerService (it does not matter if this part is unclear, since it has little to do with the theme of this article; I'll explain XxxManager, IXxxManager and IXxxManagerService separately). /frameworks/base/services/java/com/android/server/accounts/AccountManagerService.java, addAccount:
    public void addAccount(final IAccountManagerResponse response, final String accountType,
            final String authTokenType, final String[] requiredFeatures,
            final boolean expectActivityLaunch, final Bundle optionsIn) {
        ...
        final Bundle options = (optionsIn == null) ? new Bundle() : optionsIn;
        ...
        try {
            new Session(accounts, response, accountType, expectActivityLaunch,
                    true /* stripAuthTokenFromResult */) {
                @Override
                public void run() throws RemoteException {
                    mAuthenticator.addAccount(this, mAccountType, authTokenType,
                            requiredFeatures, options);
                }
                ...
mAuthenticator is what runs the addAccount code that actually adds the account. So what is mAuthenticator? (This part is tricky; reference 6 shows how to add your own account system in Android, though reading retme's LaunchAnywhere PoC directly is a faster way to learn.) Using retme's PoC code for the analysis, it is Authenticator, which extends AbstractAccountAuthenticator. Authenticator.addAccount:
    public Bundle addAccount(AccountAuthenticatorResponse response, String accountType,
            String authTokenType, String[] requiredFeatures, Bundle options) {
        ...
        Intent intent = new Intent();
        // Reset the lock screen PIN
        intent.setComponent(new ComponentName("com.android.settings",
                "com.android.settings.ChooseLockPassword"));
        intent.setAction(Intent.ACTION_RUN);
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        intent.putExtra("confirm_credentials", false);
        bundle.putParcelable(AccountManager.KEY_INTENT, intent);
        return bundle;
    }
Authenticator.addAccount returns an Intent, which is handled by the onResult callback of the inner class Response in AmsTask above:
    private class Response extends IAccountManagerResponse.Stub {
        public void onResult(Bundle bundle) {
            Intent intent = bundle.getParcelable(KEY_INTENT);
            if (intent != null && mActivity != null) {
                // since the user provided an Activity we will silently start intents
                // that we see
                mActivity.startActivity(intent);
                // leave the Future running to wait for the real response to this request
            }
            ...
startActivity launches the activity that Authenticator.addAccount passed back above. For a normal app this activity is its login page, through which the account information is added to the Android account system. That is the addAccount process.
That completes the analysis of the account add process, so let's look at how the bugs arise. First, LaunchAnywhere: the app above returns an Intent, and Response calls startActivity on it, which can open any activity in the Android system (because this runs in the Settings process with system permission, the system opens the activity regardless of whether it is exported or not). This is the principle of LaunchAnywhere: a carefully constructed app can open any activity (the PoC code above resets the lock screen PIN, so a new PIN can be set without first verifying the old one). Google's fix is also very simple: check that the signature of the activity passed to startActivity is the same as the signature of the app that constructed the Intent (the same signature indicates that the app has permission to open the activity). See the Android 4.4 code for details. LaunchAnywhere therefore affects devices running versions below Android 4.4.
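The signature comparison described above can be sketched as follows. This is an added example, not the AOSP patch and not code from the original article; the class KeyIntentGuard and the method requireSameSignature are hypothetical names, and authenticatorUid is assumed to be the UID of the app whose authenticator returned the Bundle.

```java
import android.accounts.AccountManager;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.os.Bundle;

// Hypothetical helper (not AOSP code): vets an authenticator-supplied
// KEY_INTENT before a privileged caller passes it to startActivity().
public final class KeyIntentGuard {
    private KeyIntentGuard() {}

    /**
     * @param authenticatorUid UID of the app whose authenticator returned
     *                         {@code result} (assumed known to the caller)
     * @throws SecurityException if the Intent targets an activity that is not
     *                           signed with the authenticator's certificates
     */
    public static void requireSameSignature(Context context, Bundle result,
            int authenticatorUid) {
        if (result == null) {
            return;
        }
        Intent intent = result.getParcelable(AccountManager.KEY_INTENT);
        if (intent == null) {
            return; // no Intent supplied, so nothing will be launched
        }
        PackageManager pm = context.getPackageManager();
        ResolveInfo target = pm.resolveActivity(intent, 0);
        if (target == null || target.activityInfo == null) {
            // Unresolvable Intent: refuse instead of letting startActivity() decide.
            throw new SecurityException("KEY_INTENT does not resolve to an activity");
        }
        int targetUid = target.activityInfo.applicationInfo.uid;
        // Compare the signing certificates of the two UIDs.
        if (pm.checkSignatures(authenticatorUid, targetUid)
                != PackageManager.SIGNATURE_MATCH) {
            throw new SecurityException(
                    "KEY_INTENT target is not signed with the authenticator's key");
        }
    }
}
```

With the PoC Intent from Authenticator.addAccount, the target resolves to com.android.settings, whose signature differs from the PoC app's, so the check throws before startActivity is reached.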
References:
1. LaunchAnywhere: Activity component permission bypass vulnerability analysis (Google Bug 7699048)
2. BroadAnywhere: Broadcast component permission bypass vulnerability (Bug: 17356824)
3. Android LaunchAnywhere (Google Bug 7699048): vulnerability details and defensive measures
4. Android BroadcastAnywhere (Google Bug 17356824): detailed vulnerability analysis
5. Android Bug 17356824 BroadcastAnywhere vulnerability analysis
6. Step by step: creating your own account system in Android (part 1)
Android add-account process analysis and the bug fixes involved