Android Security: Intent Scheme Url Attack

0X01 Introduction

Intent scheme URL is a special URL used to start terminal app activity in a web page. Before the outbreak of attacks against intent scheme URL, many Android browsers supported intent scheme URL.

Although the introduction of intent scheme URLs has brought certain conveniences, on the other hand, it has also made it easier for malicious attack pages to attack installed applications on the terminal through intent-based attacks. Although browser apps have adopted certain security strategies to reduce this type of risk, it is obviously not enough.

In March 2014, an article about intent scheme URL attacks:

Whitepaper – Attacking Android browsers via intent scheme URLs

The relevant attack methods were introduced in detail, and then domestic vulnerability collection platforms began to be flooded with this type of vulnerability.

0X02 Intent scheme url parsing

An example of using an intent scheme URL:

If the browser supports intent scheme URL, after loading the web page, it will generate an intent based on the URL and try to open the specified activity through the intent. The work that the browser needs to complete in this process can be divided into three steps:

Step 1:

Generate the corresponding intent object according to the URL. This process is completed through the following code:

Intent intent = Intent.parseUri(url);

The content of intent scheme url can be set according to the following grammatical rules:

intent:

 HOST/URI-path // Optional host
 #Intent;
 package=[string];
 action = [string];
 category=[string];
 component=[string];
 scheme=[string];
 end ;

Step2:

Intent filtering: For security reasons, many browsers filter the intent object in step 1 to defend against intent-based attacks. Different browsers have different filtering rules.

Step 3:

Component call, the last step is to use the intent filtered in step 2 to call the specified component. In the browser, it is generally implemented using the Context#startActivityIfNeeded() or Context#startActivity() method.

The following are the major browsers' support for Intent scheme URLs:

0X03 Attack Scenario

There are mainly two attack scenarios.

Type 1 : Browser attack

Because the intent is generated by the browser based on the URL and sent as the browser itself, the intent scheme URL in the attacker's malicious page can not only call up exported components, but also private components.

Type 2 : Any APP installed on the terminal

Intent-based attacks are usually implemented through malicious apps installed on the terminal, but by loading a malicious page containing a specific intent scheme URL through the browser, it is possible to achieve the effect of remote intent-based attacks on any app installed on the terminal. In the 2013 Pwn2Own competition in Tokyo, this attack method was used to compromise the Samsung Galaxy S4.

0X04 Attack Case

The following introduces three cases of intent scheme URL attacks in browsers. The attacks are mainly caused by defects in step 2 (that is, the intent filtering process) of these browsers.

Opera mobile for Android cookie theft

Opera browser lacks the intent filtering step. It is possible to call any activity of the browser, including private activities, through the intent scheme URL in the malicious page. The cookies of Opera browser can be obtained through the following attack code:

"com.admarvel.android.ads.AdMarvelActivity" is a private component of the Opera browser, and "url=file:///data/data/com.opera.browser/app_opera/cookies" is the storage location of the Opera browser cookie file.

Chrome for Android UXSS (Universal XSS)

The Chrome UXSS vulnerability is relatively complex to exploit. Here we will first introduce the Intent Selector. The Intent Selector mechanism provides a solution to set a substitute when the main intent does not match. The following intent scheme url:

Where "SEL" is the identifier of the selector intent.

In chrome include the following code:

1: Intent intent = Intent.parseUri(uri);

2: intent.addCategory("android.intent.category.BROWSABLE");

3: intent.setComponent(null);

4: context.startActivityIfNeeded(intent, -1);

The second line adds the BROWSABLE category (the target Activity allows itself to be launched through a web browser to display the data referenced by the link, thereby filtering/preventing some components that should not be called up from being called up). The third line sets the component to null to defend against intent-based attacks, but if you use a selector intent, you can perfectly bypass the above restrictions.

The following is a POC of a UXSS attack on Android Chrome:

Old stock browser cookie theft

The problem of Android stock browser (com.android.browser) is similar to that of Android Chrome, which is also a problem of intent filtering in step 2. Finally, the attacker can steal the browser's cookies. This vulnerability may only exist in devices below Android 4.3. The stock browser may not be pre-installed in later versions.

0X05 Summary

The method to effectively defend against intent scheme URL attacks is to impose strict security restrictions on intent in step 2:

 // convert intent scheme URL to intent object
 Intent intent = Intent.parseUri(uri);
 // forbid launching activities without BROWSABLE category
 intent.addCategory( "android.intent.category.BROWSABLE" );
 // forbid explicit call
 intent.setComponent( null );
 // forbid intent with selector intent
 intent.setSelector( null );
 // start the activity by the intent
 context.startActivityIfNeeded(intent, -1);

0X06 Reference

http://www.mbsd.jp/Whitepaper...

Tencent Yu Security has launched security protection services for developers, including vulnerability scanning, application hardening, SO hardening, etc., which can help enterprise software discover potential vulnerability risks, prevent reverse engineering, tampering, and secondary packaging. Teams with needs can log in to the official website of Yu Security for a trial.

(Original by Tencent Yu Security, please indicate the source when reprinting)