drpout / boilr

Price alarms for Bitcoin, cryptocurrencies, cryptoassets, futures and options.
http://boilr.mobi
GNU General Public License v3.0

Intent is implicit, can be attacked by phishing #295

Closed liberatorqjw closed 4 years ago

liberatorqjw commented 4 years ago

In the onClick method of the AboutDialogFragment class, the Intent used to open a URI is implicit. I also proved that it can be attacked by phishing. I repaired the class and submitted this pull request.

dllud commented 4 years ago

Could you please detail how a link to a BTC address inside the About dialog of an app is related with phishing?

According to Wikipedia:

Phishing is the fraudulent attempt to obtain sensitive information […] by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging […]

I cannot understand how phishing relates to that link.

liberatorqjw commented 4 years ago

Yes, I agree with your view. In fact, what I want to describe is a component hijacking attack scenario. Once this Intent is hijacked, a malicious app can open its own page and then mislead the victim of the attack.

dllud commented 4 years ago

I see. Thanks for the explanation. The full scenario would then be:

  1. User installs malicious app that hijacks the bitcoin: URI.
  2. User clicks the donation link in Boilr's About page.
  3. Malicious app is called by Boilr and possibly tricks the user into sending money somewhere else.

Your solution, as far as I can tell, is to always show the user the full list of installed apps that registered to handle the bitcoin: URI. That doesn't seem to be a proper solution for this problem. The same user that installed the malicious app is prone to clicking on it in the list, especially if it has a convincing name, and/or shows up first, and/or is the only one installed.

I haven't read into the best practices on how to handle Intent hijacks. Could you point me to some? Anyway, it seems to me that there is no proper solution besides the do not install malicious apps approach, i.e., users should educate themselves and understand what they are doing. If not, their money is going to get stolen in many other ways besides this one.

liberatorqjw commented 4 years ago

Yes, there is currently no good way to eradicate this attack, unless you only call the method using an explicit Intent. But that is not very user-friendly in some functional scenarios.

The solution I currently use is just forcing users to choose the browser they want to use, so even if two identical-looking applications such as Google Chrome appear, users will notice the anomaly. The advantage of this method is that some malware apps have the highest priority to respond to Intent events.

It is also possible to mark whether the responding app is a system app through PackageInfo.
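To make the three options discussed across the two comments above concrete (the implicit Intent the PR objects to, the forced chooser proposed as a mitigation, and inspecting the candidate handlers for the system-app flag, plus the explicit-Intent approach both parties agree is the only real fix), here is an added example. It is not Boilr's code and not the code from this PR; it assumes it is called with an Activity context, and the donation address, chooser title and the trusted package name passed to openExplicit are placeholders, not values taken from the project.

```java
// Added example, not part of Boilr or of PR #295. Assumes an Activity context.
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.net.Uri;

import java.util.ArrayList;
import java.util.List;

public final class DonationLinkExample {

    // Placeholder address; the real About dialog would carry the project's own.
    private static final Uri DONATION_URI =
            Uri.parse("bitcoin:DONATION_ADDRESS_PLACEHOLDER");

    private DonationLinkExample() {}

    // 1. The pattern the PR objects to. Any installed app whose manifest declares an
    //    intent-filter for ACTION_VIEW with <data android:scheme="bitcoin"/> is a
    //    candidate, and the system (or a stale "always open with" default) picks one
    //    without the user seeing who won.
    public static void openImplicit(Context ctx) {
        ctx.startActivity(new Intent(Intent.ACTION_VIEW, DONATION_URI));
    }

    // 2. The mitigation proposed in the PR: wrap the Intent in a chooser so the user
    //    always sees every registered handler and no default is applied. As dllud
    //    notes, this only helps if the user recognises the impostor in the list.
    public static void openWithChooser(Context ctx) {
        Intent view = new Intent(Intent.ACTION_VIEW, DONATION_URI);
        Intent chooser = Intent.createChooser(view, "Open donation link with");
        try {
            ctx.startActivity(chooser);
        } catch (ActivityNotFoundException e) {
            // No wallet (or any bitcoin: handler) installed at all.
        }
    }

    // 3. The PackageInfo idea: enumerate the handlers and tag those that ship as part
    //    of the system image. A user-installed wallet is not necessarily malicious and
    //    a system app is not necessarily the one the user wants, so this is only
    //    information to display, not a decision rule.
    public static List<String> describeHandlers(Context ctx) {
        Intent view = new Intent(Intent.ACTION_VIEW, DONATION_URI);
        PackageManager pm = ctx.getPackageManager();
        List<ResolveInfo> handlers =
                pm.queryIntentActivities(view, PackageManager.MATCH_DEFAULT_ONLY);
        List<String> out = new ArrayList<>();
        for (ResolveInfo ri : handlers) {
            ApplicationInfo ai = ri.activityInfo.applicationInfo;
            boolean system = (ai.flags
                    & (ApplicationInfo.FLAG_SYSTEM | ApplicationInfo.FLAG_UPDATED_SYSTEM_APP)) != 0;
            out.add(ai.packageName + (system ? " [system]" : " [user-installed]"));
        }
        return out;
    }

    // 4. The only approach in the thread that removes the hijack: pin the Intent to one
    //    package so the resolver never considers anyone else. The cost, also noted in
    //    the thread, is that users of any other wallet get nothing.
    //    trustedPackage is an assumed value supplied by the caller.
    public static boolean openExplicit(Context ctx, String trustedPackage) {
        Intent view = new Intent(Intent.ACTION_VIEW, DONATION_URI);
        view.setPackage(trustedPackage);
        if (view.resolveActivity(ctx.getPackageManager()) == null) {
            return false; // trusted wallet not installed; caller can fall back to 2.
        }
        ctx.startActivity(view);
        return true;
    }
}
```

Two caveats when trying this outside a toy: on Android 11 (API 30) and later, queryIntentActivities and resolveActivity only see other packages that the calling app has declared in a `<queries>` element in its manifest (here an `<intent>` entry for ACTION_VIEW with the bitcoin scheme), otherwise describeHandlers returns an empty list and openExplicit reports the wallet as absent; and startActivity from a non-Activity context needs FLAG_ACTIVITY_NEW_TASK, which the example omits because it assumes an Activity.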

dllud commented 4 years ago

Note: in this particular scenario the Intent won't launch browsers but rather Bitcoin wallets.

Anyway, as we concluded, this is a problem that can only be properly solved through user education. Much like recognizing phishing, users should also be savvy enough not to install malware on their devices. If they do install malware themselves, then any protective measures we employ will always fall short and just create usability issues for all other users. As such I will opt to close this PR. Feel free to open another one in case you come up with a more elegant solution.