Open LukasMarckmiller opened 2 years ago
Hi @LukasMarckmiller, thanks for raising the issue. We should definitely cover that. Would you like to help us by writing a short test case for it?
The PR addressing this should also cover this (now closed) issue #941:
With Android Oreo, you now have new broadcast (implicit intent) limitations, as well as limitations as a background service. This will influence how the rogue apps might be able to get to your intents.
time to update the MSTG on the android sections regarding broadcasts and (possibly) background services for platform interaction for Android:
Task: update section "Testing for Sensitive Functionality Exposure Through IPC (MSTG-PLATFORM-4)" with these changes.
@cpholguera, yes i would love to contribute and help. so should I fork the chapter and include a description of the problem aswell as coding samples? Or how should a test case look like?
That's great, thank you @LukasMarckmiller!
You can read how to setup your contributor environment here.
However, if you prefer, there's a much easier way thanks to GitHub.
.
on your keyboardYou can use the online vscode to make & push your changes (GitHub will help you with setting up your fork and branch).
You can enhance the test case ## Testing for Injection Flaws (MSTG-PLATFORM-2)
with the new info. I'd suggest:
#### Implicit Intents
under ### Overview
(at the end): here you can add any relevant theory including inline links/references to the official Android docs and other helpful blog posts.### Static Analysis
section and #### Testing Implicit Intents Injection
### Dynamic Analysis
section please put a title to the current content (e.g. #### Testing Content Provider Injection
) and add a new #### Testing Implicit Intents Injection
with your content.All please as short and concise as possible. If you have any questions please let me know here or on Slack.
Thanks for the information! I'll definitely do that :)
Chapter 0x04h-Testing-Code-Quality, Testing for Injection Flaws (MSTG-PLATFORM-2) could provide a better background to intent hijacking and spoofing (see e.g https://onlinelibrary.wiley.com/doi/abs/10.1002/spe.2643).
What's missing in the MSTG is testing for a tech I read about here. Implicit intents are rarely discovered by automated tools but can contain some critical flaws. For example in the provided blog post an implicit intent is used to call a file picker dialog. The returned file path is not properly checked and an attacker could provide a malicious app that responds to the implicit intent with arbitrary file uri's.
ENHANCEMENT:
(originally in #1962)
OWASP section related to implicit intents doesn't say about
startActivityForResult(...)
that can return values viasetResult(...)
. If content pickers are used (such asandroid.intent.action.GET_CONTENT
orandroid.intent.action.PICK
), it leads to theft and/or overwrite of arbitrary files (in the first case, if the URI's content is saved to a public directory; in the second case if the attacker can control output path via, e.g.Uri.getLastPathSegments()
or_display_name
when a vulnerable app queries it from the attacker-controlled content provider)Activities that handle
android.intent.action.SEND
accept a Uri to share. They cache the contents somewhere and then process it as a file. The attacks are the same as in the previous item.