Security of sending sensitive intent extras within my own app?

I have an activity which asks for a username and password, then starts another activity in my app to complete a user signup. I want to send the username+password as intent extras to the second activity. Something like:

// explicit intent: the target class is named directly
Intent intent = new Intent(activity, SecondActivity.class);
intent.putExtra("u", username);
intent.putExtra("p", password);
startActivity(intent);

and my manifest defines SecondActivity like:

<activity
   android:name="com.me.SecondActivity"
   android:label="">
   <meta-data
      android:name="android.support.PARENT_ACTIVITY"
      android:value="com.me.FirstActivity" />
</activity>

and now I'm having doubts about the security of sending the username+password as intent extras like this: is it possible for another app to intercept the invocation of SecondActivity with a spoofed intent filter? Besides that, I wonder what happens with the intent extras; are they ever persisted to disk by the OS? Someone might be able to look at them there if so.

Thanks

user3203425 asked Jun 10 '14 12:06


2 Answers

The key here is the distinction between Implicit Intents and Explicit Intents. Your example uses an Explicit Intent, as you are specifying the exact class you want to run. This is fine, because Explicit Intents cannot be intercepted and will stay within your application.

Implicit Intents, however, open up several possible attack vectors. This article talks about it in more detail. I would very much recommend against using Implicit Intents to pass any kind of sensitive information.

From the Android Docs:

Explicit Intents have specified a component (via setComponent(ComponentName) or setClass(Context, Class)), which provides the exact class to be run.

Implicit Intents have not specified a component; instead, they must include enough information for the system to determine which of the available components is best to run for that intent.

As I stated, for your example in the question, passing the password via Intent is relatively secure in that no other application can intercept it at runtime. But it is important to note that this is not always the case, and using implicit Intents could theoretically allow Intent interception and expose the sensitive information.

Edit:

As for persisting the Intent extras to the disk, yes, this is a risk. Keep in mind, however, that if someone has root access on the device and is using it to try to search the disk for this persisted intent information, there may be easier ways for them to get the same information. No matter what you do, someone with root access to the physical device will probably be able to get that password off unless you do some very excellent encryption.

My recommendation from an overall security perspective is to try not to deal with passwords directly in any kind of long-term or persistent context. Passwords should only be used during a login process and discarded immediately afterwards (assuming you are authenticating with a server). Therefore, with the normal use of the application (a legitimate user with a real password), you don't have to worry about a malicious actor inspecting the device memory, because by the time the malicious actor gets hold of the device, the password has long since been removed from memory.

jacobhyphenated answered Oct 25 '22 10:10
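The explicit/implicit distinction and the "use the password once, then drop it" advice from the answer above, as an added Java example that is not part of the original answer or of the asker's app. It assumes the package name com.me from the question's manifest, a hypothetical action string com.me.action.SIGNUP, and a hypothetical completeSignup() call standing in for the real sign-up request:

```java
// Added example (not from the original post). Assumes package com.me from the
// question's manifest; the action string and completeSignup() are hypothetical.
package com.me;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import java.util.Arrays;

public class FirstActivity extends Activity {

    static final String EXTRA_USERNAME = "u";
    static final String EXTRA_PASSWORD = "p";

    // Explicit intent: the target component is named, so the system delivers
    // it only to com.me.SecondActivity inside this package. No other app's
    // <intent-filter> is consulted, which is why the answer calls this safe.
    static Intent buildExplicitIntent(Context ctx, String username, char[] password) {
        Intent intent = new Intent(ctx, SecondActivity.class);
        // Equivalent: intent.setComponent(new ComponentName(ctx, SecondActivity.class));
        intent.putExtra(EXTRA_USERNAME, username);
        intent.putExtra(EXTRA_PASSWORD, password); // char[] so the copy can be zeroed later
        return intent;
    }

    // Implicit intent: only an action is given. Any installed app whose manifest
    // declares an <intent-filter> matching this action is a candidate receiver,
    // and it would get every extra. This is the pattern the answer warns against.
    static Intent buildImplicitIntent(String username, char[] password) {
        Intent intent = new Intent("com.me.action.SIGNUP"); // hypothetical action
        intent.putExtra(EXTRA_USERNAME, username);
        intent.putExtra(EXTRA_PASSWORD, password);
        return intent;
    }

    // Defender's check: an intent is explicit exactly when a component is set.
    static boolean isExplicit(Intent intent) {
        ComponentName target = intent.getComponent();
        return target != null;
    }
}

// Receiving side: read the password, use it once, then overwrite the local
// copy and drop the extra so it does not linger for the activity's lifetime.
class SecondActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent received = getIntent();
        String username = received.getStringExtra(FirstActivity.EXTRA_USERNAME);
        char[] password = received.getCharArrayExtra(FirstActivity.EXTRA_PASSWORD);
        if (username == null || password == null) {
            finish(); // started without the expected extras; nothing to do
            return;
        }
        try {
            completeSignup(username, password); // hypothetical sign-up request
        } finally {
            Arrays.fill(password, '\0');                       // best-effort wipe of our copy
            received.removeExtra(FirstActivity.EXTRA_PASSWORD); // stop holding it in the Intent
        }
    }

    // Hypothetical: send username/password to the server once and do not retain them.
    private void completeSignup(String username, char[] password) {
        // ... network call goes here ...
    }
}
```

One caveat not in the answer: making the intent explicit protects the send side, but SecondActivity itself can still be started by other apps if it is exported. Declaring `android:exported="false"` on the `<activity>` in the manifest (the default for activities without an intent filter from Android 12 onward) keeps it reachable only from within the app.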


It is possible for third-party apps to intercept system-wide intents. I suggest encrypting your data before sending it to the next intent, and then decrypting it once it has been received.

Muntaser Ahmed answered Oct 25 '22 12:10