AttackFlow Findings Dictionary


Granting URI Permissions With Intent Broadcasting

Malicious applications can obtain sensitive data by intercepting broadcasts without holding any permission.

Severity

High

Fix Cost

Low

Trust Level

Medium

Android uses Intents as messages between components such as activities, services and broadcast receivers. An application can broadcast a message through an Intent to any number of other applications using the Context.sendBroadcast() API, as shown below:

Intent intent = new Intent();
intent.setAction("com.bankapp.ShowCCInfo");
intent.putExtra("CreditCard", creditcard);
sendBroadcast(intent);

Any other application that registers to receive this broadcast, either in its manifest file or in code, can intercept the credit card information.

It is wise to require read and write permissions on custom Content Providers so that only authorized clients can consume them. Here's an example:

<provider android:authorities="com.bankapp.contentprovider.MyContentProvider"
    android:exported="true"
    android:grantUriPermissions="true"
    android:name="com.bankapp.contentprovider.MyContentProvider"
    android:readPermission="android.permission.permRead"
    android:writePermission="android.permission.permWrite">
</provider>

Data stored in a custom content provider, such as generated mail attachments, can also be referenced by URIs carried in Intents. When the recipient of such an Intent, for example a mail client that will send the attachment, does not hold the required permission, the sender of the Intent can grant the target application temporary access through Intent flags, as shown below:

Intent attachment = new Intent(Intent.ACTION_SEND);
// setData() clears any type set earlier and setType() clears the data,
// so both must be set in one call.
attachment.setDataAndType(uri, type);
attachment.putExtra(Intent.EXTRA_STREAM, uri);
attachment.putExtra(Intent.EXTRA_SUBJECT, title);
attachment.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
sendBroadcast(attachment);

If this Intent is broadcast, any malicious application registered to receive it will be able to read the sensitive attachment, because the URI grant travels with the broadcast to every receiver.
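The hand-offs above can be made safe by naming the recipient instead of broadcasting to everyone. The following is an added example, not code from the AttackFlow entry; the mail client package, its activity class and the custom permission name are assumed placeholders.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;

public final class SafeAttachmentSender {

    // Assumed placeholders: the one mail client we intend to hand the attachment to.
    private static final String MAIL_PKG = "com.example.mailclient";
    private static final String MAIL_ACTIVITY = "com.example.mailclient.ComposeActivity";

    // Assumed placeholder: a custom permission declared by the bank app
    // (ideally with android:protectionLevel="signature").
    private static final String CC_PERMISSION = "com.bankapp.permission.RECEIVE_CC_INFO";

    /** Explicit Intent: only MAIL_ACTIVITY can receive it, so the URI grant goes to one component. */
    static Intent buildExplicitSend(Uri uri, String type, String title) {
        Intent attachment = new Intent(Intent.ACTION_SEND);
        attachment.setComponent(new ComponentName(MAIL_PKG, MAIL_ACTIVITY));
        attachment.setType(type);
        attachment.putExtra(Intent.EXTRA_STREAM, uri);
        attachment.putExtra(Intent.EXTRA_SUBJECT, title);
        // Temporary read grant, bound to this explicit Intent rather than to every receiver.
        attachment.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return attachment;
    }

    /** Delivers the attachment with startActivity() instead of sendBroadcast(). */
    static void sendAttachment(Context ctx, Uri uri, String type, String title) {
        ctx.startActivity(buildExplicitSend(uri, type, title));
    }

    /**
     * If a broadcast is genuinely required, restrict it twice: limit delivery to one
     * package with setPackage(), and require receivers to hold a custom permission.
     */
    static void broadcastRestricted(Context ctx, String creditcard) {
        Intent intent = new Intent("com.bankapp.ShowCCInfo");
        intent.putExtra("CreditCard", creditcard);
        intent.setPackage(MAIL_PKG);
        ctx.sendBroadcast(intent, CC_PERMISSION);
    }

    /** Once the recipient has finished with the content, withdraw the temporary grant. */
    static void revokeAttachmentAccess(Context ctx, Uri uri) {
        ctx.revokeUriPermission(uri, Intent.FLAG_GRANT_READ_URI_PERMISSION);
    }
}
```

An explicit component or setPackage() target keeps an untrusted receiver from ever seeing the Intent, and the receiver permission on sendBroadcast() rejects any app the system has not granted that permission.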
