OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

0x5h - Add PendingIntents #1874

Closed cpholguera closed 1 year ago

cpholguera commented 3 years ago

Using Intent as a mechanism to implement a callback to an Activity can lead to vulnerabilities, both in the provider and client apps. This is due to the fact that Intents are always processed in the Context of the app they are called within. This Context opens the possibility to start any non-exported activities in the provider app, and forces the client app to export the activity that should receive the callback.

PendingIntents, by contrast, are always processed inside the Context that created them. This not only allows a provider app to freely use them, without exposing non-exported activities, but also allows the client to specify any activity, including non-exported activities, to receive callbacks.

Source: https://medium.com/androiddevelopers/android-nesting-intents-e472fafc1933

https://medium.com/androiddevelopers/all-about-pendingintents-748c8eb8619
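To make the two mechanisms described above concrete, here is an added illustration in Android Java. It is not code from the MASTG project or from the linked articles: the package name, the `ProviderActivity` component, the `ClientCallbackActivity` class and the extra keys are all assumed names. It places the nested-Intent callback (the pattern a static analysis of this test case should flag) next to the PendingIntent form that the issue recommends.

```java
// Added illustration, not MASTG content. Package, component and extra keys are assumed.
package com.example.callbacks;

import android.app.Activity;
import android.app.PendingIntent;
import android.content.ComponentName;
import android.content.Intent;

public final class IntentCallbackPatterns {

    // Assumed extra keys used by the two patterns.
    static final String EXTRA_NESTED_INTENT = "callback_intent";
    static final String EXTRA_PENDING_INTENT = "callback_pending_intent";

    // Assumed provider component that the client sends its request to.
    static final ComponentName PROVIDER =
            new ComponentName("com.example.provider", "com.example.provider.ProviderActivity");

    /** Assumed client Activity that should receive the callback. */
    public static class ClientCallbackActivity extends Activity { }

    // ---- Pattern 1: nested Intent (weak) ----

    /** Client side: embeds a plain Intent as the callback. */
    public static Intent buildNestedIntentRequest(Activity client) {
        // For the provider to start this, ClientCallbackActivity must be exported in the
        // client's manifest, so every other app on the device can launch it as well.
        Intent callback = new Intent(client, ClientCallbackActivity.class);
        return new Intent().setComponent(PROVIDER).putExtra(EXTRA_NESTED_INTENT, callback);
    }

    /** Provider side: starts whatever Intent it received, in the provider's own Context. */
    public static void handleNestedIntentCallback(Activity provider, Intent incoming) {
        Intent callback = incoming.getParcelableExtra(EXTRA_NESTED_INTENT);
        if (callback != null) {
            // Resolved with the provider's identity and permissions: the embedded Intent
            // can target the provider's own non-exported activities. This is the call
            // pattern (getParcelableExtra -> startActivity) to look for in static analysis.
            provider.startActivity(callback);
        }
        provider.finish();
    }

    // ---- Pattern 2: PendingIntent (recommended) ----

    /** Client side: wraps the callback in a PendingIntent bound to the client's Context. */
    public static Intent buildPendingIntentRequest(Activity client) {
        // Explicit target; the Activity can stay non-exported in the client's manifest.
        Intent callback = new Intent(client, ClientCallbackActivity.class);
        PendingIntent pi = PendingIntent.getActivity(
                client, 0, callback, PendingIntent.FLAG_IMMUTABLE);
        return new Intent().setComponent(PROVIDER).putExtra(EXTRA_PENDING_INTENT, pi);
    }

    /** Provider side: fires the callback without ever resolving the target itself. */
    public static void handlePendingIntentCallback(Activity provider, Intent incoming) {
        PendingIntent callback = incoming.getParcelableExtra(EXTRA_PENDING_INTENT);
        if (callback != null) {
            try {
                // Sent inside the client's Context with the client's identity, so it cannot
                // reach the provider's non-exported components. FLAG_IMMUTABLE additionally
                // stops the provider from altering the wrapped Intent before it is sent.
                callback.send();
            } catch (PendingIntent.CanceledException e) {
                // The client cancelled the PendingIntent; nothing to deliver.
            }
        }
        provider.finish();
    }
}
```

When reviewing an app for this test case, the nested-Intent form shows up as an `Intent` read from an extra (`getParcelableExtra`, or a `Bundle` lookup) that flows into `startActivity`, `startService` or `sendBroadcast` without any check on its component or action, often paired with a client-side Activity that is exported only so the provider can call it back. The PendingIntent form keeps both the provider's and the client's activities non-exported; with `FLAG_IMMUTABLE` the provider also cannot fill in extras, so any result data the client needs has to be exchanged through a channel the client controls rather than by letting the provider edit the callback.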

su-vikas commented 2 years ago

I will take this.

Let me know which section this fits in.

cpholguera commented 2 years ago

Hi @su-vikas, could you please write a new test case in 0x05h for it? It should cover MSTG-PLATFORM-4. Right after this one:

https://mas.owasp.org/MASTG/Android/0x05h-Testing-Platform-Interaction/#testing-for-sensitive-functionality-exposure-through-ipc-mstg-platform-4

Please include an Overview section with the theory and a paragraph on what the test will do, and then the sections for Static and Dynamic Analysis as always.

Thank you!