
intent scheme injection on Android Device #1833

Closed alghifari24 closed 4 years ago

alghifari24 commented 4 years ago

Description of the problem: I am developing a Capacitor app that also uses some Cordova plugins.

When the application runs on one particular Android device, unwanted dialogs appear inside the app; the dialog content is advertising from an unknown source. I searched the app's code and could not find any script that creates such a dialog. I then tested on another device with the same specifications and the app ran there without the unwanted dialogs. My conclusion is that the first device is infected with malware that injects content into the app (an intent-scheme injection is my guess, but I have not confirmed the mechanism). I have already configured config.xml and capacitor.config.json to block GET and POST requests to any domain other than the ones I allow, but the ad dialog still appears.

This is my config.xml. Is config.xml ignored when using Capacitor?

<?xml version='1.0' encoding='utf-8'?>
<!-- Cordova application manifest (config.xml).
     NOTE(review): Capacitor is configured through capacitor.config.json; whether this
     file is consulted at all by a Capacitor build is exactly what this issue asks, so
     confirm that before relying on any of the <access>/<allow-intent> entries below. -->
<widget id="io.example.app" version="2.0.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
    <name>Example App</name>
    <description>-</description>
    <author email="admin@example.com" href="http://example.com/">Ionic Framework Team</author>
    <content src="index.html" />

    <!-- Network request whitelist: origins from which images, XHRs, etc. may be loaded
         (google.com and example.com, apex domains only; subdomains follow below).
         NOTE(review): this governs outgoing requests, not script execution. A <script> or
         <iframe> that is already in the page, or injected into it, is not stopped here;
         only a Content-Security-Policy meta tag in index.html can do that. The http://
         entries also permit cleartext requests; drop them unless plain HTTP is required. -->
    <access origin="http://google.com" />
    <access origin="https://google.com" />
    <access origin="http://example.com" />
    <access origin="https://example.com" />

    <!-- Same network whitelist, extended to every subdomain of google.com and example.com. -->
    <access origin="http://*.google.com" />
    <access origin="https://*.google.com" />
    <access origin="http://*.example.com" />
    <access origin="https://*.example.com" />

    <!-- Intent whitelist: URLs the app may hand off to the system (browser or another app)
         instead of loading inside the WebView. Unlike <access>, these entries say nothing
         about what the WebView itself may fetch. -->
    <allow-intent href="http://google.com/*" />
    <allow-intent href="https://google.com/*" />
    <allow-intent href="http://example.com/*" />
    <allow-intent href="https://example.com/*" />

    <!-- Same intent whitelist, extended to every subdomain of google.com and example.com. -->
    <allow-intent href="http://*.google.com/*" />
    <allow-intent href="https://*.google.com/*" />
    <allow-intent href="http://*.example.com/*" />
    <allow-intent href="https://*.example.com/*" />

    <!-- NOTE(review): the two wildcard entries below are disabled; enabling them would let
         any http(s) link leave the app, so keep them off. -->
    <!-- <allow-intent href="http://*/*" /> -->
    <!-- <allow-intent href="https://*/*" /> -->
    <!-- System URL schemes the app may open: phone dialer, SMS, mail client, maps. -->
    <allow-intent href="tel:*" />
    <allow-intent href="sms:*" />
    <allow-intent href="mailto:*" />
    <allow-intent href="geo:*" />
    <!-- General preferences. BackupWebStorage="none" presumably keeps WebView storage
         (localStorage etc.) out of device backups; the rest tune the splash screen. -->
    <preference name="ScrollEnabled" value="false" />
    <preference name="android-minSdkVersion" value="19" />
    <preference name="BackupWebStorage" value="none" />
    <preference name="SplashMaintainAspectRatio" value="true" />
    <preference name="FadeSplashScreenDuration" value="300" />
    <preference name="SplashShowOnlyFirstTime" value="false" />
    <preference name="SplashScreen" value="screen" />
    <preference name="SplashScreenDelay" value="3000" />
    <preference name="ShowSplashScreenSpinner" value="false" />
    <platform name="android">
        <!-- NOTE(review): loadUrlTimeoutValue is in milliseconds per the Cordova docs, so
             700000 is roughly 11.7 minutes; confirm this is intended. -->
        <preference name="loadUrlTimeoutValue" value="700000" />
        <!-- Let the app open Play Store links (presumably for cordova-plugin-market below). -->
        <allow-intent href="market:*" />
        <!-- Launcher icons and splash screens per screen density. -->
        <icon density="ldpi" src="resources/android/icon/drawable-ldpi-icon.png" />
        <icon density="mdpi" src="resources/android/icon/drawable-mdpi-icon.png" />
        <icon density="hdpi" src="resources/android/icon/drawable-hdpi-icon.png" />
        <icon density="xhdpi" src="resources/android/icon/drawable-xhdpi-icon.png" />
        <icon density="xxhdpi" src="resources/android/icon/drawable-xxhdpi-icon.png" />
        <icon density="xxxhdpi" src="resources/android/icon/drawable-xxxhdpi-icon.png" />
        <splash density="land-ldpi" src="resources/android/splash/drawable-land-ldpi-screen.png" />
        <splash density="land-mdpi" src="resources/android/splash/drawable-land-mdpi-screen.png" />
        <splash density="land-hdpi" src="resources/android/splash/drawable-land-hdpi-screen.png" />
        <splash density="land-xhdpi" src="resources/android/splash/drawable-land-xhdpi-screen.png" />
        <splash density="land-xxhdpi" src="resources/android/splash/drawable-land-xxhdpi-screen.png" />
        <splash density="land-xxxhdpi" src="resources/android/splash/drawable-land-xxxhdpi-screen.png" />
        <splash density="port-ldpi" src="resources/android/splash/drawable-port-ldpi-screen.png" />
        <splash density="port-mdpi" src="resources/android/splash/drawable-port-mdpi-screen.png" />
        <splash density="port-hdpi" src="resources/android/splash/drawable-port-hdpi-screen.png" />
        <splash density="port-xhdpi" src="resources/android/splash/drawable-port-xhdpi-screen.png" />
        <splash density="port-xxhdpi" src="resources/android/splash/drawable-port-xxhdpi-screen.png" />
        <splash density="port-xxxhdpi" src="resources/android/splash/drawable-port-xxxhdpi-screen.png" />
    </platform>
    <platform name="ios">
        <!-- Let the app open App Store links. -->
        <allow-intent href="itms:*" />
        <allow-intent href="itms-apps:*" />
        <!-- App icons and launch images per size / device class. -->
        <icon height="57" src="resources/ios/icon/icon.png" width="57" />
        <icon height="114" src="resources/ios/icon/icon@2x.png" width="114" />
        <icon height="40" src="resources/ios/icon/icon-40.png" width="40" />
        <icon height="80" src="resources/ios/icon/icon-40@2x.png" width="80" />
        <icon height="120" src="resources/ios/icon/icon-40@3x.png" width="120" />
        <icon height="50" src="resources/ios/icon/icon-50.png" width="50" />
        <icon height="100" src="resources/ios/icon/icon-50@2x.png" width="100" />
        <icon height="60" src="resources/ios/icon/icon-60.png" width="60" />
        <icon height="120" src="resources/ios/icon/icon-60@2x.png" width="120" />
        <icon height="180" src="resources/ios/icon/icon-60@3x.png" width="180" />
        <icon height="72" src="resources/ios/icon/icon-72.png" width="72" />
        <icon height="144" src="resources/ios/icon/icon-72@2x.png" width="144" />
        <icon height="76" src="resources/ios/icon/icon-76.png" width="76" />
        <icon height="152" src="resources/ios/icon/icon-76@2x.png" width="152" />
        <icon height="167" src="resources/ios/icon/icon-83.5@2x.png" width="167" />
        <icon height="29" src="resources/ios/icon/icon-small.png" width="29" />
        <icon height="58" src="resources/ios/icon/icon-small@2x.png" width="58" />
        <icon height="87" src="resources/ios/icon/icon-small@3x.png" width="87" />
        <icon height="1024" src="resources/ios/icon/icon-1024.png" width="1024" />
        <splash height="1136" src="resources/ios/splash/Default-568h@2x~iphone.png" width="640" />
        <splash height="1334" src="resources/ios/splash/Default-667h.png" width="750" />
        <splash height="2208" src="resources/ios/splash/Default-736h.png" width="1242" />
        <splash height="1242" src="resources/ios/splash/Default-Landscape-736h.png" width="2208" />
        <splash height="1536" src="resources/ios/splash/Default-Landscape@2x~ipad.png" width="2048" />
        <splash height="2048" src="resources/ios/splash/Default-Landscape@~ipadpro.png" width="2732" />
        <splash height="768" src="resources/ios/splash/Default-Landscape~ipad.png" width="1024" />
        <splash height="2048" src="resources/ios/splash/Default-Portrait@2x~ipad.png" width="1536" />
        <splash height="2732" src="resources/ios/splash/Default-Portrait@~ipadpro.png" width="2048" />
        <splash height="1024" src="resources/ios/splash/Default-Portrait~ipad.png" width="768" />
        <splash height="960" src="resources/ios/splash/Default@2x~iphone.png" width="640" />
        <splash height="480" src="resources/ios/splash/Default~iphone.png" width="320" />
        <splash height="2732" src="resources/ios/splash/Default@2x~universal~anyany.png" width="2732" />
    </platform>
    <!-- Platform engines and Cordova plugins pulled in by this project.
         NOTE(review): cordova-plugin-whitelist is the plugin that enforces the <access> and
         <allow-intent> entries on cordova-android 7.x. It is a Cordova plugin, so confirm
         it is actually part of the Capacitor build before assuming any whitelist above is
         active at runtime. -->
    <engine name="browser" spec="5.0.4" />
    <plugin name="cordova-plugin-android-permissions" spec="^1.0.0" />
    <plugin name="cordova-plugin-badge" spec="^0.8.8" />
    <plugin name="cordova-plugin-market" spec="^1.2.0" />
    <plugin name="com-sarriaroman-photoviewer" spec="^1.2.2" />
    <engine name="android" spec="~7.1.0" />
    <plugin name="cordova-plugin-whitelist" spec="^1.3.4" />
</widget>

capacitor.config.json

{
  "appId": "io.example.app",
  "appName": "Example App",
  "bundledWebRuntime": false,
  "npmClient": "npm",
  "webDir": "www",
  "server": {
    "allowNavigation": [
      "google.com",
      "*.google.com",
      "example.com",
      "*.example.com"
    ]
  },
  "plugins": {
    "SplashScreen": {
      "launchAutoHide": false,
      "backgroundColor": "#ffffffff",
      "androidSplashResourceName": "splash",
      "androidScaleType": "CENTER_CROP",
      "showSpinner": false
    },
    "PushNotifications": {
      "presentationOptions": ["badge", "sound", "alert"]
    }
  }
}

Are these settings correct?

These are screenshots of the unwanted dialog:

ads2

ads

Affected platform

OS of the development machine

Other information: Capacitor version: 1.1.0; node version: 9.11.1; npm version: 5.7.1; Android version: Nougat (7.0); Cordova version: 7.1.0

jcesarmobile commented 4 years ago

Capacitor doesn't block scripts or iframes. `allowNavigation` (and the Cordova `<access>` whitelist) only govern which URLs the WebView may request or navigate to, so markup that is already in the page, or injected into it, still runs. You have to restrict that with a Content-Security-Policy `<meta>` tag in index.html, e.g. `<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; frame-src 'none'">` as a starting point, tightened or loosened to what your app actually loads: https://content-security-policy.com/ Note that a CSP only constrains content inside the WebView; if the dialog is drawn over your app by another app on that device, no app-side configuration will stop it.