Android Security Development-Private component launch vulnerabilities
0x00 Private components
In Android applications, any component that is exported is an attack surface. It can be the source of many problems, because attackers can probe the component in all sorts of ways, while developers rarely consider every security issue comprehensively.
The most convenient fix is to turn the problematic exported component into a private (non-exported) component without affecting the service. This is indeed effective, and private components are secure on their own. However, if a private component can be started by an exported component, it is no longer really private. If attackers can control private components by controlling the exported components, their attack surface expands greatly, and a whole series of security problems can follow if this situation is overlooked.
[Figure: two panels, "Normal situation" and "Private components can be started"; the images are not reproduced here]
0x01 Principle of starting private components
Suppose there is a private component A and an exported component B. If B can start private component A depending on the content of an external Intent, and the Intent used to start A is built from the Intent that B received, then an attacker can control the private component A through the exported component B. This may cause serious security risks.
The following simple example illustrates some of the security problems that starting a private component can cause.
PrivateActivity.class:
Obviously, PrivateActivity is faulty: the value obtained directly from the Intent is used without any exception handling. If PrivateActivity is a private Activity and the developer can guarantee that the Intent passed to it always carries the value, this is not a threat. However, if there is also a MainActivity like the following:
then an attacker can attack it with a single command:
and the application will crash.
This is only a simple demo of the problem. If PrivateActivity contains important business logic, a malicious attacker who controls MainActivity also controls PrivateActivity, and therefore the flow of the logic inside it, which is very likely to cause serious harm.
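The pattern the demo describes, as an added illustration that is not the article's own code: a private Activity that trusts its Intent, an exported Activity that forwards a caller-supplied Intent unchanged, and hardened versions of both. The class names PrivateActivity and MainActivity follow the text; the extra keys "name" and "redirect_intent" and the *Fixed classes are assumptions.

```java
// Added example (not the article's original code). Each class would live in its
// own file in a real project; they are shown together for compactness. Class
// names PrivateActivity and MainActivity follow the text; the extra keys "name"
// and "redirect_intent" and the *Fixed classes are assumptions.
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.widget.TextView;

// Private Activity (android:exported="false" in the manifest). It trusts its
// Intent completely, which is only acceptable while every caller is trusted.
public class PrivateActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        TextView view = new TextView(this);
        String name = getIntent().getStringExtra("name");
        // No null check: an Intent without "name" crashes the app with a
        // NullPointerException, exactly the failure the text describes.
        view.setText("Hello, " + name.toUpperCase());
        setContentView(view);
    }
}

// Exported Activity that forwards an embedded Intent unchanged. Because it is
// exported, it makes PrivateActivity reachable: whoever reaches MainActivity
// chooses the target component and every extra it receives.
public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent inner = getIntent().getParcelableExtra("redirect_intent");
        if (inner != null) {
            startActivity(inner);   // target and extras are externally controlled
        }
        finish();
    }
}

// Hardened private Activity: validates its input instead of assuming it.
public class PrivateActivityFixed extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String name = getIntent().getStringExtra("name");
        if (name == null || name.isEmpty()) {
            finish();               // reject rather than crash
            return;
        }
        TextView view = new TextView(this);
        view.setText("Hello, " + name.toUpperCase());
        setContentView(view);
    }
}

// Hardened exported Activity: never starts a caller-supplied Intent. It builds
// the target explicitly and copies only the validated field the target needs.
public class MainActivityFixed extends Activity {
    private static final int MAX_NAME_LENGTH = 32;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String name = getIntent().getStringExtra("name");
        if (isValidName(name)) {
            Intent next = new Intent(this, PrivateActivityFixed.class);
            next.putExtra("name", name);
            startActivity(next);
        }
        finish();
    }

    // Only letters, digits and underscores, bounded in length.
    static boolean isValidName(String name) {
        return name != null
                && name.length() <= MAX_NAME_LENGTH
                && name.matches("[A-Za-z0-9_]+");
    }
}
```

The two fixes are independent and both are worth applying: the private component stops assuming its input is well-formed, and the exported component stops acting as a relay for arbitrary Intents, so the private component is once again reachable only with data the app itself constructed.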
Besides the above there is another situation: Intent Scheme URLs. If an exported component parses a URI into an Intent without proper handling, it is very likely that other private components can be attacked through it. The essence is the same, so it is not discussed further here.
0x03 Case study: starting a private component
Here, version 7.5.0 of an app is used as an example to analyze the serious problems that starting a private component can cause. (The app no longer uses the faulty component, and the problematic SDK has fixed the problem.)
First, this app has a private component VersionUpdateActivity:
This private component determines whether the apk needs to be updated. If so, it downloads the updated apk package from the url link carried in the Intent.
In addition, the apk has another component that is exported externally:
In its implementation, this component passes the received Intent through a series of checks and then enters the pushClickedResult function.
The pushClickedResult function mainly performs the following operations:
1. First obtain the "activity" value from the Intent.
2. Use this value as the class name of the Activity to start.
3. Pass the Intent on to that Activity.
4. Start the Activity.
Obviously, an attacker can control every private Activity of the application by controlling XGPushActivity.
The POC that attacks the private component VersionUpdateActivity is as follows:
This command opens VersionUpdateActivity. If an update is available, clicking Update downloads the content of the url.
0x04 Suggestions from Alibaba Cloud security for developers
First, Alibaba Cloud universal security can detect such problems. For the app in the above case study, the results from the Alibaba Cloud universal security scanner are as follows:
For such security risks, Alibaba Cloud universal security recommends:
1. Set exported to false for components that do not need to be exported.
2. If a component must be exported for whatever reason, check whether it can start other private components based on the Intent it receives. If it can, strictly filter and verify the Intent content according to the business logic, and apply further security measures inside the private components that get started.
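An added example of suggestion 2 applied to the pushClickedResult pattern from the case study (steps 1 to 4 above); this is not the SDK's or the app's own code. The exported class PushClickActivity, the extra keys "activity" and "item_id", the allow-listed class names and the update host are all assumptions made for illustration.

```java
// Added example (not the SDK's or the app's own code). PushClickActivity, the
// extra keys "activity" and "item_id", the allow-listed class names and the
// update host are assumptions.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class PushClickActivity extends Activity {
    // The only screens a push click may open. A class name that is not in
    // this set is rejected instead of being started, so private Activities
    // such as a version-update screen stay unreachable from outside.
    private static final Set<String> ALLOWED_TARGETS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "com.example.app.ui.NewsDetailActivity",
                    "com.example.app.ui.InboxActivity")));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = buildTargetIntent(getIntent());
        if (next != null) {
            startActivity(next);
        }
        finish();
    }

    // Vulnerable shape of steps 1-4 in the text, kept for contrast: the class
    // name and the whole Intent come from the caller and are used unchanged.
    Intent buildTargetIntentUnsafe(Intent incoming) {
        String target = incoming.getStringExtra("activity");
        incoming.setClassName(getPackageName(), target);
        return incoming;
    }

    // Hardened version: allow-list the target and rebuild the Intent from
    // scratch, copying only validated fields. Returns null to reject.
    Intent buildTargetIntent(Intent incoming) {
        if (incoming == null) {
            return null;
        }
        String target = incoming.getStringExtra("activity");
        if (target == null || !ALLOWED_TARGETS.contains(target)) {
            return null;
        }
        Intent next = new Intent();
        next.setComponent(new ComponentName(getPackageName(), target));
        // Never forward incoming.getExtras(); copy individual validated values.
        String itemId = incoming.getStringExtra("item_id");
        if (itemId != null && itemId.matches("[0-9]{1,12}")) {
            next.putExtra("item_id", itemId);
        }
        return next;
    }
}

// Defence in depth for a private component that downloads from a URL it was
// handed (the VersionUpdateActivity situation): even a non-exported Activity
// should check the URL rather than trust its caller. Hypothetical helper.
final class UpdateUrlPolicy {
    private static final String UPDATE_HOST = "updates.example.com"; // assumption

    static boolean isTrustedUpdateUrl(String url) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        return "https".equalsIgnoreCase(uri.getScheme())
                && UPDATE_HOST.equalsIgnoreCase(uri.getHost())
                && uri.getPath() != null
                && uri.getPath().endsWith(".apk");
    }
}
```

The key design choice is to treat the incoming Intent as data to be validated, not as something to be started: the target is chosen from a fixed set, a fresh Intent is constructed, and only individual fields that pass a check are copied across. The private component applies its own check on the URL as well, so it stays safe even if a future exported component relays to it by mistake.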
Alibaba Cloud universal security | Android Security Development Series
Secure use of HTTPS for Android Development
Android Security Development-risks of universal signature
Android Security Development-ZIP file directory traversal
Android Security Development-Provider component security
Key hard coding for Android Security Development
Android Security Development
Security Development of Android applications: difficulties in encryption algorithms
-------------------------------------------------------------------
* Author: Zhou Hai, Dan Hu @ aliyunju security. For more Alibaba security technical articles, visit the official Alibaba Cloud universal security blog.