In my Android application I have used an intent to start a new activity as shown below:

private void beginVideoChat()
{
    // Explicit intent: the target component is named directly, not resolved by intent filter.
    Intent intent = new Intent(ProviderDetailsActivity.this, FragmentContainerActivity.class);
    intent.putExtra("CommunicationEnum", Communications.Video);
    intent.putExtra("provderId", provider.getProviderId());

    this.startActivity(intent);
}

Like beginVideoChat(), I have several other methods in which, while defining the intent, I have explicitly specified the class name.

When my application was subjected to security testing by the client, I got a security issue known as Intent Manipulation. And the description of the same is given below:

Severity Rating:
Medium

Description:
Allowing user input to control Intent parameters could enable an attacker to control the behavior of the subsequent activity.

Risk:
An intent manipulation issue occurs when the following two conditions are met:
•   An attacker is able to specify the action, classname, or component of an Android Intent.
For example, an attacker may be able to specify the classname or the component to handle the intent.
•   By specifying the action, classname, or component, the attacker gains a capability that would not otherwise be permitted.
For example, the program may give the attacker the ability to transmit sensitive information to a third-party software on the device.

And the proposed fix generated with the report is:

Do not rely on Intent Filters as a security mechanism. It is too easy to bypass this mechanism by creating specially designed Intents or using explicit Intents.

Remediation:

Do not rely on Intent Filters as a security mechanism. It is too easy to bypass this mechanism by creating specially designed Intents or using explicit Intents.
If private or personal data must be sent, always encrypt it using an industry standard encryption algorithm.
Verify that all Activities have a legitimate need to be publicly exported. If not, remove any Intent Filters from the Activity and make sure the android:explicit attribute is set to false.
The best way to secure an Activity is to rely on permission checks. If it is possible, specify a permission on the receiving Activity that will be used to prevent Intents from being received and handled that do not have that specific permission.

As suggested in the remediation:

If private or personal data must be sent, always encrypt it using an industry standard encryption algorithm => This I would do using a standard encryption algorithm.

My query is how to start any activity without specifying the class name in the intent?

Another query is: How to have some permission check on the receiving activity? => In order to resolve this I would be using Custom Permissions. Is this the correct way to handle this?

Thanks in advance.

    "My query is how to start any activity without specifying the class name in the intent?" -- that runs completely counter to what the recommendations are. Do you have an `` on the `` element for `FragmentContainerActivity` in the manifest? Also, ask your client what they used for this test, as the test itself has bugs (e.g., there is no `android:explicit` attribute in Android). "How to have some permission check on the receiving activity?" -- that is not necessary if the activity is not exported (e.g., has an ``). – CommonsWare Nov 22 '16 at 14:42
  • @CommonsWare: Yes there is an intent-filter on the FragmentContainerActivity in the manifest file. However, the report suggests that the intent-filter mechanism can be easily bypassed. Hence, they have suggested to use permissions as an extra check along with the tag in the . They have suggested to set android:explicit property of the activity to false if the activity doesn't have an intent-filter. – Zax Nov 22 '16 at 15:55
  • "Yes there is an intent-filter on the FragmentContainerActivity in the manifest file" -- get rid of the ``. "they have suggested to use permissions as an extra check along with the tag in the " -- or, you could get rid of the ``. "They have suggested to set android:explicit property of the activity to false if the activity doesn't have an intent-filter" -- there is no `android:explicit` in the Android SDK. So, why do you have an `` on this activity? – CommonsWare Nov 22 '16 at 16:23
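The two remediations the report and the comments point at, written out as AndroidManifest.xml fragments. This is an added example, not from the question or its project; the package name com.example.app and the contents of the sample intent filter are assumptions, since the question only says that an intent-filter exists.

```xml
<!-- Weak (assumed to resemble the current manifest): an <intent-filter> makes the
     activity implicitly exported on API < 31, so any app on the device can start it
     with an implicit Intent and choose the "provderId" extra. On API 31+ the build
     fails unless android:exported is declared, which forces the decision below. -->
<activity android:name=".FragmentContainerActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
</activity>

<!-- Fix A (the usual case): the activity is only ever started by this app's own
     explicit Intents, as in beginVideoChat(). Drop the <intent-filter> and declare
     it non-exported; explicit Intents from the same app still reach it. -->
<activity
    android:name=".FragmentContainerActivity"
    android:exported="false" />

<!-- Fix B (only if another app you sign must start it): guard the exported activity
     with a custom permission. protectionLevel="signature" means the system grants
     the permission only to apps signed with the same certificate, so third-party
     apps cannot obtain it; the system enforces it at startActivity() time. -->
<permission
    android:name="com.example.app.permission.START_VIDEO_CHAT"
    android:protectionLevel="signature" />

<activity
    android:name=".FragmentContainerActivity"
    android:exported="true"
    android:permission="com.example.app.permission.START_VIDEO_CHAT" />

<!-- The trusted calling app declares, in its own manifest:
     <uses-permission android:name="com.example.app.permission.START_VIDEO_CHAT" /> -->
```

Fix A and Fix B are alternatives for the same activity; a manifest contains one of the two `<activity>` declarations, not both.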

1 Answer

The way you start the activity in beginVideoChat() is ok and not the issue in the security warning:

... could enable an attacker to control the behavior of the subsequent activity.

The issue here is that every other app can start a "video chat" through "FragmentContainerActivity" with any possible provderId.

The "FragmentContainerActivity" intent API is not protected from abusive calls.

Whether this is really a security issue or not depends on how sensitive the activity and its control parameters are.

Example: If you have a main activity that first calls the login-activity and then video-chat-activity then it is possible to open video-chat-activity without login.

  • Thanks for the reply. Can you please suggest some mechanism for encoding the data that we send to another activity using putExtra() method? – Zax Nov 22 '16 at 15:48
  • 1
    Do you really have a security problem when some other app calls "video chat"? If you want to prevent "video chat" from being called without login you can put the userid and a password-hash as additional parameters that can be verified by the subsequent activity. – k3b Nov 22 '16 at 15:59