M66B / XPrivacy

XPrivacy - The ultimate, yet easy to use, privacy manager
http://forum.xda-developers.com/xposed/modules/xprivacy-ultimate-android-privacy-app-t2320783
GNU General Public License v3.0

App reads content from incoming SMS #2243

Open define opened 8 years ago

define commented 8 years ago

Sony, 4.3 JB. App - https://play.google.com/store/apps/details?id=by.belinvestbank , version 1.0.1. SMS category is totally blocked and on-demand restricting is enabled.

W/ActivityManager( 975): Permission denied: checkComponentPermission() owningUid=10230

W/BroadcastQueue( 975): Permission Denial: broadcasting Intent { act=android.provider.Telephony.SMS_RECEIVED flg=0x10 (has extras) } from com.android.phone (pid=1239, uid=1001) is not exported from uid 10230 due to receiver by.belinvestbank/.utils.IncomingSmsReceiver

10230 - by.belinvestbank

M66B commented 8 years ago

Please provide steps to reproduce and a logcat with XPrivacy debug logging enabled.

define commented 8 years ago

This is a mobile banking client and it's only available to the bank's clients. It uses two-factor authentication: the server sends a verification code via SMS and the app reads it automatically. So there is no way for you to reproduce it.

Log - http://pastebin.com/KCp4uV6p

I have rebooted my phone, connected it to the internet and started the app. App showed field for code and then automatically read it from SMS. Notification about incoming SMS was shown after a few seconds.

M66B commented 8 years ago

I am sorry, but the logcat is too long to look through on my mobile phone (I am currently on the road).

Did you check the usage data for (dangerous) restrictions which are not yet restricted?

define commented 8 years ago

I'm sorry, didn't get you. What did you mean? Expert mode is enabled in XPrivacy. SMS category in the app has no usage data.

an0n981 commented 8 years ago

I had a look at the log; the app does not request anything related to SMS. From looking at the app's (reverse-engineered) source code, it uses an intent receiver to intercept the incoming SMS, which it then processes using an internal Java function (since I am not a developer, I could also be reading the code wrong). There is a (closed-source) Xposed mod available (de.defim.apk.receiverstop) which can prevent the app from using the intent receiver.

M66B commented 8 years ago

@an0n981: good work! With the name of the intent, I can add a new restriction. Do you know the intent (action) name?

an0n981 commented 8 years ago

From the app's android-manifest: receiver android:exported="false" android:name="by.belinvestbank.utils.IncomingSmsReceiver" action android:name="android.provider.Telephony.SMS_RECEIVED"

But shouldn't this actually already be restricted?

M66B commented 8 years ago

Yes, this intent can be restricted in the messages category. Please try again by restricting all functions in the messages category and please check the usage data again.

an0n981 commented 8 years ago

Does the debug log log 'dangerous' restrictions? If so, then in the log provided by @define there should be a reference to the app requesting it, which there isn't; the only app that requests anything is uid 10033.

Here is the relevant part of the provided log:
08-02 16:58:12.395 W/XPrivacy(  982): Get service 10033/android.provider.Telephony.SMS_RECEIVED(null;null) messages=!restricted? (ccached) 241 ms

08-02 16:58:12.405 W/XPrivacy/XActivityThread( 2196): Get client 10033/android.provider.Telephony.SMS_RECEIVED(null;null) messages=!restricted 245 ms

08-02 16:58:12.405 W/XPrivacy/XActivityThread( 2196): handleReceiver 246 ms

08-02 16:58:12.415 W/ActivityManager(  982): Permission denied: checkComponentPermission() owningUid=10230

08-02 16:58:12.415 W/BroadcastQueue(  982): Permission Denial: broadcasting Intent { act=android.provider.Telephony.SMS_RECEIVED flg=0x10 (has extras) } from com.android.phone (pid=1256, uid=1001) is not exported from uid 10230 due to receiver by.belinvestbank/.utils.IncomingSmsReceiver

08-02 16:58:12.425 I/XPrivacy/XActivityThread( 2196): Get client 10033/android.provider.Telephony.SMS_RECEIVED(null;null) messages=!restricted (cached) 0 ms

08-02 16:58:12.425 W/qdhwcomposer(  354): Excessive delay reading vsync: took 133 ms

08-02 16:58:12.545 I/XPrivacy(  982): Get service 10033/SmsProvider(content://sms/inbox;null) messages=!restricted? (ccached) 1 ms

08-02 16:58:12.545 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted 3 ms

08-02 16:58:12.545 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms

08-02 16:58:12.585 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms

08-02 16:58:12.585 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms

08-02 16:58:12.615 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms

08-02 16:58:12.615 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms

08-02 16:58:12.635 W/AppOps  (  982): Bad call: specified package com.android.phone under uid 10033 but it is really 1001

08-02 16:58:12.645 I/XPrivacy(  982): Get service 10033/MmsProvider(content://mms-sms/threadid?recipient=1239;null) messages=!restricted? (ccached) 1 ms

08-02 16:58:12.645 I/XPrivacy/XContentResolver( 1256): Get client 10033/MmsProvider(content://mms-sms/threadid?recipient=1239;null) messages=!restricted 3 ms

08-02 16:58:12.645 I/XPrivacy/XContentResolver( 1256): Get client 10033/MmsProvider(content://mms-sms/threadid?recipient=1239;null) messages=!restricted (cached) 0 ms

M66B commented 8 years ago

Dangerous restrictions are treated like all other restrictions by the XPrivacy core, so the logcat will list them as any other restriction.

Looking at:

10033/android.provider.Telephony.SMS_RECEIVED(null;null) messages=!restricted?

receiving SMS was simply not restricted and since this issue contains all information now how to solve this, I will close this issue.

an0n981 commented 8 years ago

That's the thing, 10033 is not the UID in question, 10230 is
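The uid mismatch raised above can be checked mechanically. The following is an added example, not part of the original thread or of XPrivacy: it groups the XPrivacy restriction checks in a logcat by uid and lists broadcast targets whose uid never appears in any check. The regular expressions are assumptions derived only from the log lines quoted in this issue, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the logcat excerpt quoted in this thread (timestamps trimmed).
SAMPLE_LOG = """\
W/XPrivacy(  982): Get service 10033/android.provider.Telephony.SMS_RECEIVED(null;null) messages=!restricted? (ccached) 241 ms
W/XPrivacy/XActivityThread( 2196): Get client 10033/android.provider.Telephony.SMS_RECEIVED(null;null) messages=!restricted 245 ms
W/BroadcastQueue(  982): Permission Denial: broadcasting Intent { act=android.provider.Telephony.SMS_RECEIVED flg=0x10 (has extras) } from com.android.phone (pid=1256, uid=1001) is not exported from uid 10230 due to receiver by.belinvestbank/.utils.IncomingSmsReceiver
I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms
I/XPrivacy(  982): Get service 10033/MmsProvider(content://mms-sms/threadid?recipient=1239;null) messages=!restricted? (ccached) 1 ms
"""

# Assumed format: "Get service|client <uid>/<function>(<args>) <category>=<state>"
XP_CHECK = re.compile(
    r"XPrivacy[^:]*: Get (?:service|client) (\d+)/([^(]+)\(.*?\) (\w+)=(!?restricted)")
# BroadcastQueue names the uid and component the broadcast was resolved to.
BCAST = re.compile(r"BroadcastQueue.*?act=(\S+).*?from uid (\d+) due to receiver (\S+)")


def summarize(log):
    """Return ({uid: {(function, category, state)}}, {(uid, action, receiver)})."""
    checks = defaultdict(set)
    targets = set()
    for line in log.splitlines():
        m = XP_CHECK.search(line)
        if m:
            uid, func, cat, state = m.groups()
            checks[int(uid)].add((func, cat, state))
            continue
        m = BCAST.search(line)
        if m:
            action, uid, receiver = m.groups()
            targets.add((int(uid), action, receiver))
    return checks, targets


def unchecked_targets(log):
    """Broadcast targets whose uid never shows up in an XPrivacy restriction check."""
    checks, targets = summarize(log)
    return sorted(t for t in targets if t[0] not in checks)

if __name__ == "__main__":
    checks, _ = summarize(SAMPLE_LOG)
    for uid, seen in sorted(checks.items()):
        for func, cat, state in sorted(seen):
            print(f"uid {uid}: {func} [{cat}] -> {state}")
    for uid, action, receiver in unchecked_targets(SAMPLE_LOG):
        print(f"uid {uid}: {receiver} named for {action}, no XPrivacy check logged")
```

On the excerpt from this issue, every logged check belongs to uid 10033, while uid 10230 appears only in the BroadcastQueue line.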

M66B commented 8 years ago

It would be helpful to know which application this uid belongs to, since there might be a helper application doing the SMS stuff or the intent may be attributed to the wrong uid (although this is not very likely).

define commented 8 years ago

10033 - com.sonyericsson.conversations - standard app for sms. As for 10230 - by.belinvestbank - it's totally restricted.

M66B commented 8 years ago

This says not restricted:

10033/SmsProvider(content://sms/inbox;null) messages=!restricted

Note that I am currently traveling and cannot do much and even if I could, there is little I can do if I cannot reproduce this. So, maybe find another application with the same problem.

define commented 8 years ago

Yes, standard app "Conversations" with uid 10033 is not restricted. But by.belinvestbank with uid 10230 is restricted and receives SMS before "Conversations".

define commented 8 years ago

I will try to repeat it with other apps.

define commented 8 years ago

I've just restricted SMS_RECEIVED for 10033 - "Conversations". Restricting and on-demand restricting work as they should.

an0n981 commented 8 years ago

@M66B Do I read this correctly that in compatibility mode this method is only hooked on SDK 19 and above?

mListHook.add(new Hook("messages", "getAllMessagesFromIcc", "RECEIVE_SMS", 10, null, null).notAOSP(19));

an0n981 commented 8 years ago

Also, another app that uses such a method is WhatsApp during the registration process. However, from what I have read here, the way incoming SMS are handled was changed in SDK 19, meaning this issue can only be properly tested on a 4.3 device. From what I understand this method

mListHook.add(new Hook("messages", Telephony.Sms.Intents.SMS_RECEIVED_ACTION, "RECEIVE_SMS", 1, null, null));

is only available starting with SDK 19 and can only be used by the default SMS app, which in this case is 'Conversations' (com.sonyericsson.conversations). This method is not available for API 18 and lower according to the Android Developer website.

@define: Could you test this with WhatsApp and see if WhatsApp can 'intercept' the registration SMS with the entire Messaging category restricted? (If you already use WhatsApp, be sure to back up your messages using the in-app backup option so that you can restore them later, then delete WhatsApp data in the Android settings app.)

define commented 8 years ago

@an0n981 I have installed WhatsApp. It registered successfully and verified the SMS code with the Messaging category totally restricted. In the log I don't see anything about SMS, except:

I/ActivityManager( 982): START u0 {cmp=com.whatsapp/.RegisterPhone} from pid 26111

...

I/ActivityManager( 982): START u0 {cmp=com.whatsapp/.VerifySms (has extras)} from pid 26111

I didn't get any notification about the SMS. But verification is completed and in the provider's log I found that there was an SMS from +17542**.

Also, autostarts doesn't show an SMS_RECEIVED subscription for WhatsApp, unlike by.belinvestbank.

M66B commented 8 years ago

So, we have to figure out how these applications receive an SMS.

an0n981 commented 8 years ago

I will try to find a 4.3 based rom for my device and try to reproduce the issue

an0n981 commented 8 years ago

The good news is I can reproduce the issue on Slim 4.3 with the latest version of WhatsApp. The bad news is this issue has been around for quite some time: I tested all stable versions back to 2.0, and none were able to prevent the registration.

M66B commented 8 years ago

I am sorry for this, but as an excuse: there are so many Android APIs (for Lollipop alone more than 5000 new ones), which I researched as well as I could, but it is inevitable that I missed something, and in this respect it is a pity nobody is helping.

I have no idea yet how the SMS is being read.

an0n981 commented 8 years ago

I have an idea that I wanted to test but I am getting compile errors :(

define commented 8 years ago

Maybe it helps https://stackoverflow.com/questions/4257045/android-register-application-to-receive-sms

M66B commented 8 years ago

Please send me the code changes and the errors you get by PM and I will take a look.

M66B commented 8 years ago

@define this intent can be restricted already

define commented 8 years ago

From WhatsApp's manifest

   <activity android:configChanges="keyboard|keyboardHidden|orientation|screenLayout|screenSize|smallestScreenSize|uiMode" android:label="@string/verify_sms_header" android:launchMode="singleTask" android:name="com.whatsapp.VerifySms" android:theme="@style/Theme.App.Gray">
       <intent-filter>
           <action android:name="android.intent.action.VIEW"/>
           <category android:name="android.intent.category.DEFAULT"/>
           <category android:name="android.intent.category.BROWSABLE"/>
           <data android:host="r" android:scheme="whatsapp"/>
       </intent-filter>
   </activity>

M66B commented 8 years ago

@define: can you please provide the complete manifest (preferably through a gist link)?

M66B commented 8 years ago

Given that the standard SMS application can be restricted (intent SMS_RECEIVED):

https://github.com/M66B/XPrivacy/blob/master/src/biz/bokhorst/xprivacy/XActivityThread.java#L44

The SMS is likely being received in another way, but unfortunately I have no idea how.

define commented 8 years ago

@M66B https://gist.github.com/define/e384d13fabb7aa1a6e6f - WhatsApp manifest.

M66B commented 8 years ago

@define unfortunately there is nothing in the manifest regarding automatically receiving and processing of SMS messages (except for the corresponding permission).

define commented 8 years ago

@M66B Did you try to decompile com.whatsapp? I have tried but it looks obfuscated. https://gist.github.com/define/b9f0839dc6701687816c

M66B commented 8 years ago

Only if I really need to, I will decompile an application. I would not be surprised if WhatsApp is obfuscated.

bonanza123 commented 8 years ago

If I remember correctly, I've seen the same behavior when registering for TextSecure. Maybe looking into this is easier than for WhatsApp.

M66B commented 8 years ago

@bonanza123 what I need to know is how these applications receive/read an SMS. They are not using the standard method of listening to the intent android.provider.Telephony.SMS_RECEIVED.