cpholguera
commented
2 years ago Hi @LukasMarckmiller, thanks for raising the issue. We should definitely cover that. Would you like to help us by writing a short test case for it?
Open LukasMarckmiller opened 2 years ago
cpholguera
commented
2 years ago Hi @LukasMarckmiller, thanks for raising the issue. We should definitely cover that. Would you like to help us by writing a short test case for it?
cpholguera
commented
2 years ago The PR addressing this should also cover this (now closed) issue #941:
With Android Oreo, you now have new broadcast (implicit intent) limitations, as well as limitations as a background service. This will influence how the rogue apps might be able to get to your intents.
time to update the MSTG on the android sections regarding broadcasts and (possibly) background services for platform interaction for Android:
Task: update section "Testing for Sensitive Functionality Exposure Through IPC (MSTG-PLATFORM-4)" with these changes.
LukasMarckmiller
commented
2 years ago @cpholguera, yes i would love to contribute and help. so should I fork the chapter and include a description of the problem aswell as coding samples? Or how should a test case look like?
cpholguera
commented
2 years ago That's great, thank you @LukasMarckmiller!
You can read how to setup your contributor environment here.
However, if you prefer, there's a much easier way thanks to GitHub.
. on your keyboardYou can use the online vscode to make & push your changes (GitHub will help you with setting up your fork and branch).
You can enhance the test case ## Testing for Injection Flaws (MSTG-PLATFORM-2) with the new info. I'd suggest:
#### Implicit Intents under ### Overview (at the end): here you can add any relevant theory including inline links/references to the official Android docs and other helpful blog posts.### Static Analysis section and #### Testing Implicit Intents Injection### Dynamic Analysis section please put a title to the current content (e.g. #### Testing Content Provider Injection) and add a new #### Testing Implicit Intents Injection with your content.All please as short and concise as possible. If you have any questions please let me know here or on Slack.
LukasMarckmiller
commented
2 years ago Thanks for the information! I'll definitely do that :)
Chapter 0x04h-Testing-Code-Quality, Testing for Injection Flaws (MSTG-PLATFORM-2) could provide a better background to intent hijacking and spoofing (see e.g https://onlinelibrary.wiley.com/doi/abs/10.1002/spe.2643).
What's missing in the MSTG is testing for a tech I read about here. Implicit intents are rarely discovered by automated tools but can contain some critical flaws. For example in the provided blog post an implicit intent is used to call a file picker dialog. The returned file path is not properly checked and an attacker could provide a malicious app that responds to the implicit intent with arbitrary file uri's.
ENHANCEMENT:
(originally in #1962)
OWASP section related to implicit intents doesn't say about
startActivityForResult(...)that can return values viasetResult(...). If content pickers are used (such asandroid.intent.action.GET_CONTENTorandroid.intent.action.PICK), it leads to theft and/or overwrite of arbitrary files (in the first case, if the URI's content is saved to a public directory; in the second case if the attacker can control output path via, e.g.Uri.getLastPathSegments()or_display_namewhen a vulnerable app queries it from the attacker-controlled content provider)Activities that handle
android.intent.action.SENDaccept a Uri to share. They cache the contents somewhere and then process it as a file. The attacks are the same as in the previous item.