Learning Objectives
To understand the fundamental concepts of activities and intents in Android programming.
To understand the dangers of unauthorized intent interception and intent spoofing.
To understand basic defensive practices against unauthorized intent interception and intent spoofing, which may provide avenues of attack in mobile software development.
Reducing Attack Surfaces for Intra-Application Communication in Android. David Kantola, Erika Chin, Warren He, and David Wagner, University of California, Berkeley, {dkantola,emc,-w,daw}@berkeley.edu
Android supports many components. An Activity component has a GUI. A Broadcast Receiver component listens for special messages broadcast by the system or by an individual app. A broadcast can be received by multiple components. A dynamic Receiver is created at runtime as an exported component. A Service component runs a long-running background task. An exported component can receive external Intents from other apps.
An Intent object is an Android messaging object (an instance of the android.content.Intent class) that is used to signal or activate other components such as activities, services, and broadcast receivers. E.g., activity B can register for activity A's intent so that the bound activity B will be notified and activated when the event fires.
An intent can be used for intra-app (components within the same app) and inter-app notification and data passing. However, it may result in security vulnerabilities such as stolen messages or malicious data injection if developers use intents without caution.
An Intent carries action, data, and category parameters that describe the message receiver. An Intent can also name its desired recipient component explicitly. An implicit Intent names no recipient: the system searches for the best-fit recipient components in the installed apps based on their Intent Filters and on the component type (activity, service, broadcast receiver and others). An explicit Intent specifies the recipient.
An Intent Filter declares the action, data, and category of the implicit Intents a component is willing to receive. A component can declare multiple Intent Filters, and if an Intent matches any Intent Filter, the component will receive and accept the incoming intent. A broadcast Intent is sent to all matching Receivers. A Service Intent is sent to one of the matching Services. For an Activity Intent, the system sends it to a default Activity or asks the user to select a recipient if there are multiple matching Activities.
A component receives implicit Intents from other apps if it is exported in the manifest XML; otherwise it can only receive intents from other components within the same app. Implicit intents may therefore cause a security risk.
Many intent vulnerabilities come from the unnecessary exposure of implicit Intents.
1. Unauthorized Intent Interception
An Intent may be exposed to other apps when a component uses an implicit intent to communicate with other components in its own app. Any component with a matching type and Intent Filter can intercept and eavesdrop on such an Intent. In an ordered broadcast, where the intent is delivered to matching receivers in priority order, a component with high priority may prevent other components from receiving the intent, or may inject malicious data before passing it on to the next receiver.
An attacker may also have a malicious Activity or Service activated in place of the intended one, to steal the data or to return malicious data to the sender component.
2. Intent Spoofing
If a developer exposes a component to other apps without caution, a malicious app may easily spoof this component via an implicit intent. A malicious component may broadcast to an exported Broadcast Receiver with injected malicious data while the receiver believes the message comes from an expected component. A spoofed activity or service may be started by a malicious activity or bound to a malicious component, such that the spoofed activity or service may send sensitive data to the attacker.
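A manifest check for the exposure described above, as an added example that is not part of the original module or the cited paper: it lists the activities, services and receivers that other apps can reach without holding a permission, which are the components to review for spoofing. The sample manifest and its component names are constructed, and the rule that an intent filter without android:exported makes a component exported reflects Android versions before 12.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver")

# Constructed sample manifest for illustration; all names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".ShareActivity" android:exported="true">
      <intent-filter><action android:name="com.example.demo.SHARE"/></intent-filter>
    </activity>
    <receiver android:name=".SyncDoneReceiver">
      <intent-filter><action android:name="com.example.demo.SYNC_DONE"/></intent-filter>
    </receiver>
    <service android:name=".UploadService" android:exported="false">
      <intent-filter><action android:name="com.example.demo.UPLOAD"/></intent-filter>
    </service>
    <service android:name=".ApiService" android:exported="true"
             android:permission="com.example.demo.permission.USE_API">
      <intent-filter><action android:name="com.example.demo.API"/></intent-filter>
    </service>
  </application>
</manifest>"""

def exposed_components(manifest_xml):
    """Return (tag, name, actions) for components other apps can reach unguarded."""
    findings = []
    app = ET.fromstring(manifest_xml.strip()).find("application")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        has_filter = comp.find("intent-filter") is not None
        actions = [a.get(ANDROID + "name")
                   for a in comp.findall("intent-filter/action")]
        exported = comp.get(ANDROID + "exported")
        # Before Android 12, an intent filter without android:exported
        # made the component exported by default.
        reachable = exported == "true" or (exported is None and has_filter)
        if reachable and comp.get(ANDROID + "permission") is None:
            findings.append((comp.tag, comp.get(ANDROID + "name"), actions))
    return findings

if __name__ == "__main__":
    for tag, name, actions in exposed_components(SAMPLE_MANIFEST):
        print(f"review: <{tag}> {name} accepts {actions} from any app")
```

Dynamic Receivers registered at runtime do not appear in the manifest, so this check does not cover them.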
David Kantola, Erika Chin, Warren He, and David Wagner, Analyzing inter-application communication in Android, MobiSys '11: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, pages 239-252.
https://www.sigmobile.org/mobisys/2011/slides/interapp.pdf