Android Service Security

Android Service Security
0x00 Popular Science

A Service is an application component that has no interface and can run on the background for a long time. other application components can start a service and run on the background, even if the user switches to another application, it will continue to run. in addition, a component can be bound to a service for interaction, even if the interaction is inter-process communication. for example, a service may process network things, play music, execute file I/O, or interact with a content provider, all of which are performed in the background.

0x01 knowledge points

Lifecycle

 

The left figure shows startService () Creation service, and the right figure shows bindService () Creation service. StartService and bindService can both start the Service. What is the difference between them? The difference between them is to change the Service cycle. The Service started by startService must have stopService to end the Service. If you do not call stopService, the Activity ends and the Service is still running. The Service started by bindService can be ended by unbindService, or automatically ends after the Activity ends (onDestroy.

Key Methods

The onStartCommand () system calls this method when other components, such as activity, call startService () to request service startup. once this method is executed, the service starts and runs in the background for a long time. if you implement it, you need to stop the service when it completes the task by calling stopSelf () or stopService (). (If you only want to provide binding, you do not need to implement this method ).

OnBind () This method is called by the system when the component calls bindService () and wants to bind it to the service (for example, to execute inter-process communication. in your implementation, you must provide an IBinder for the client to communicate with the service. You must always implement this method, but if you do not allow binding, then you should return null.

The OnCreate () system executes this method when the service is created for the first time to execute initialization only once (before calling the method such as onStartCommand () or onBind ). if the service is already running, this method will not be called.

The OnDestroy () system calls this method when the service is no longer used and is to be destroyed. your service should release resources in this method, such as threads, registered listeners, and receivers. this is the last call received by the service.

Public abstract boolean bindService (Intent service, ServiceConnection conn, int flags)

BindService uses the bindService () method to bind the service. The caller and the biner are bound together. Once the caller (all) exits the service, the service is terminated.

StartService ()

The startService () method returns immediately and then the Android system calls the onStartCommand () method of the service. However, if the service is not running, the system first calls onCreate () and then calls onStartCommand ().

Protected abstract void onHandleIntent (Intent intent)

Call a working thread to process requests

Public boolean onUnbind (Intent intent)

It is called when all clients are disconnected from interfaces released by the service. By default, no operation is performed and false is returned.

Extends

Service

This is the base class of all services. when you derive this class, it is very important to create a new thread in the service to do all the work. this service will use the main thread (UI thread) of your application by default, which will lower the performance of all running activities in your application.

IntentService

This is a sub-class of a Service. A worker thread is used to process all startup requests. this is the best choice when you do not need your service to process multiple requests at the same time. all you need to do is implement onHandleIntent (). This method receives intent from each startup request, so you can do background work.

Representation

Started

A service is in the "started" state when startService () is called by an application component (such as an activity ). after running, the service can run indefinitely in the background, even if its components are destroyed. generally, a startedservice executes a single operation and does not return the result to the caller. for example, it may download or upload an object over the network. after the operation is complete, the service stops itself.

Bound

A service is in the "bound" status when an application component calls bindService. A boundservice provides a client-server interface to allow components to interact with the service, send requests, obtain results, and even perform cross-process interaction. A boundservice runs only when it is bound to a component of another application. multiple application components can be bound to a single service at the same time. However, when all the competing components are no longer bound, the service is destroyed.

Bound Service

When creating a bound service, you must provide an IBinder client for interaction with the service. You can define this interface in three ways:

Derived from class Binder

If your service is a private object of your own application and runs in the same process as the client (this is generally the case ), you should create your interface by deriving from the class Binder and return an instance of it from onBind. the client receives the Binder and then uses it to directly perform operations on the implemented public interfaces of the Binder and even the Service.

This is the best choice when your service is only working in the background and only serving your own applications. the only reason you cannot create your interface in this way is that your service is used by other applications or cross-process.

Use a Messenger

If you need your interface to work across processes, you can create an interface with Messager for the service. in this way, the service defines a Handler to take charge of different types of Message objects. this Handler is the basis for Messenger to share an IBinder with the client. It allows the client to send commands to servic using the Message object. the client can define its own Messenger so that the service can send messages back.

This is the easiest way to execute IPC, because Messenger puts all requests in the queue and sends them to one thread in sequence, so you do not have to design your service as thread-safe.

Use AIDL

AIDL (Android Interface Definition Language) executes all the work of IPC by breaking down objects into basic bodies that can be understood by the operating system and can be sent across processes. as mentioned above, the use of a Messenger is actually based on AIDL. as mentioned above, Messenger creates a queue in a thread to accommodate all client requests, and uses the service to receive only one request at a time. however, if you want your service to process multiple requests at the same time, you can directly use AIDL. in this case, your service must be multi-threaded and secure.

To directly use AIDL, you must create. the aidl file defines the program interface. the AndroidSDK tool uses this file to generate an abstract class that implements interfaces and processes IPC. Then you can derive it from your service.

Note: Most applications should not use AIDL to process a bound service, because it may require multithreading and make the implementation more complex. similarly, AIDL is not suitable for most applications and this document will not discuss how to use it in your service. if you are sure you need to use AIDL directly, please refer to the AIDL documentation.

Note:

If you want to use your own service only in this application, you do not need to specify any intent filter. if you do not use the intent filter, you must use an intent that explicitly specifies the service class name to start your service.

In addition, you can also ensure that your service is private by including the android: exported attribute and specifying its value as "false. even if your service uses the intent filter, it also works.

After a service is started, its life cycle no longer depends on the components that start it and can run independently on the background, even if the components that start it are too powerful. therefore, the service should call stopSelf () to stop itself after work is completed, or other components can also call stopService () to stop the service. if the service does not provide the binding function, the intent sent to startService () is the only communication method between the application component and service. however, if you want the service to send a result back, the client that starts the service can create a PendingIntent for broadcast (using getBroadcast () and then transmit it to the service in the intent, then you can use broadcast to return the results.

0x02 Security suggestions

Service Category

Private service: it cannot be called by other applications. relatively secure public service: it can be called by any application. Cooperative service: it can only be called by applications of a trusted company. Internal service can only be called by internal applications.

Intent-filter and exported combination suggestions

Summary:

The exported attribute clearly defines that private services do not define intent-filter and set exported to false to set exported to true, intent-filter can be defined or internal/cooperative service is not defined, and exported is set to true, intent-filter is not defined

Rule book

Services used only by the application should be set to private

The data received by the service must be processed with caution.

The internal service must use the signature-level protectionLevel to determine whether internal applications have not called the service.

You should not decide whether to provide the service when creating the service (onCreate method is called). You should make a judgment when onStartCommand, onBind, onHandleIntent, and other methods are called.

When the service returns data again, it determines whether the data receiving app has the risk of information leakage.

Explicit

Try not to send sensitive information

The partner service must verify the app signature of the partner company.

0x03 Test Method

Unlike broadcast receicer, a service can only be registered statically. You can determine the service by checking the configuration file Androidmanifest. xml through decompilation. If an exported service exists, proceed to the next step.

Method to view the service class, focusing on the onCreate/onStarCommand/onHandleIntent Method

Retrieve startService/bindService methods and data transmitted in all classes

Compile a testing poc based on business conditions or directly use the adb command for testing

0x04 case

Case 1: Permission Improvement

WooYun: Music phone any software package installation and deletion vulnerability WooYun: Red Rice mobile Kingsoft cleanup master app memory cleanup permission leakage vulnerability WooYun: cheetah cleanup master memory cleanup permission leakage Vulnerability

Case 2: Service hijacking

Attack principle: Enable services implicitly. If a service with the same name exists, the priority of services installed on the application is high.

Attack Model

Case 3: DoS

WooYun: snowball Android client NULL pointer exception and Information Leakage Vulnerability (java. lang. NullPointerException NULL pointer exception)

Now, in addition to the NULL pointer exception crash, there is also another type of crash: the conversion exception occurs when intent is passed into the object.

Serializable:

Intent I = getIntent (); if (I. getAction (). equals ("serializable_action") {I. getSerializableExtra ("serializable_key"); // No exception is detected}

Parcelable:

This. B = (RouterConfig) this. getIntent (). getParcelableExtra ("filed_router_config"); // triggers a transformation exception crash

Crash can be triggered by inputting malformed data in the POC, which is easy to fix.

Case 4: Message forgery

Youku Android 4.5 client Upgrade Vulnerability 0x05 reference

Http://blog.csdn.net/niu_gao/article/details/7307462

Http://developer.android.com/reference/android/app/Service.html

Http://developer.android.com/guide/components/services.html