Android Platform APIs

Testing App Permissions (MSTG-PLATFORM-1)

Overview

Android assigns a distinct system identity (Linux user ID and group ID) to every installed app. Because each Android app operates in a process sandbox, apps must explicitly request access to resources and data that are outside their sandbox. They request this access by declaring the permissions they need to use system data and features. Depending on how sensitive or critical the data or feature is, the Android system will grant the permission automatically or ask the user to approve the request.
Android permissions are classified into four different categories on the basis of the protection level they offer:
    Normal: This permission gives apps access to isolated application-level features with minimal risk to other apps, the user, and the system. For apps targeting Android 6.0 (API level 23) or higher, these permissions are granted automatically at installation time. For apps targeting a lower API level, the user needs to approve them at installation time. Example: android.permission.INTERNET.
    Dangerous: This permission usually gives the app control over user data or control over the device in a way that impacts the user. This type of permission may not be granted at installation time; whether the app should have the permission may be left for the user to decide. Example: android.permission.RECORD_AUDIO.
    Signature: This permission is granted only if the requesting app was signed with the same certificate used to sign the app that declared the permission. If the signature matches, the permission will be granted automatically. This permission is granted at installation time. Example: android.permission.ACCESS_MOCK_LOCATION.
    SystemOrSignature: This permission is granted only to applications embedded in the system image or signed with the same certificate used to sign the application that declared the permission. Example: android.permission.ACCESS_DOWNLOAD_MANAGER.
A list of all permissions can be found in the Android developer documentation as well as concrete steps on how to:

Android 8.0 (API level 26) Changes

The following changes affect all apps running on Android 8.0 (API level 26), even to those apps targeting lower API levels.
    Contacts provider usage stats change: when an app requests the READ_CONTACTS permission, queries for contact's usage data will return approximations rather than exact values (the auto-complete API is not affected by this change).
Apps targeting Android 8.0 (API level 26) or higher are affected by the following:
    Account access and discoverability improvements: Apps can no longer get access to user accounts only by having the GET_ACCOUNTS permission granted, unless the authenticator owns the accounts or the user grants that access.
    New telephony permissions: the following permissions (classified as dangerous) are now part of the PHONE permissions group:
      The ANSWER_PHONE_CALLS permission allows to answer incoming phone calls programmatically (via acceptRingingCall).
      The READ_PHONE_NUMBERS permission grants read access to the phone numbers stored in the device.
    Restrictions when granting dangerous permissions: Dangerous permissions are classified into permission groups (e.g. the STORAGE group contains READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE). Before Android 8.0 (API level 26), it was sufficient to request one permission of the group in order to get all permissions of that group also granted at the same time. This has changed starting at Android 8.0 (API level 26): whenever an app requests a permission at runtime, the system will grant exclusively that specific permission. However, note that all subsequent requests for permissions in that permission group will be automatically granted without showing the permissions dialog to the user. See this example from the Android developer documentation:
    Suppose an app lists both READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE in its manifest. The app requests READ_EXTERNAL_STORAGE and the user grants it. If the app targets API level 25 or lower, the system also grants WRITE_EXTERNAL_STORAGE at the same time, because it belongs to the same STORAGE permission group and is also registered in the manifest. If the app targets Android 8.0 (API level 26), the system grants only READ_EXTERNAL_STORAGE at that time; however, if the app later requests WRITE_EXTERNAL_STORAGE, the system immediately grants that privilege without prompting the user.
    You can see the list of permission groups in the Android developer documentation. To make this a bit more confusing, Google also warns that particular permissions might be moved from one group to another in future versions of the Android SDK and therefore, the logic of the app shouldn't rely on the structure of these permission groups. The best practice is to explicitly request every permission whenever it's needed.

Android 9 (API Level 28) Changes

The following changes affect all apps running on Android 9, even to those apps targeting API levels lower than 28.
    Restricted access to call logs: READ_CALL_LOG, WRITE_CALL_LOG, and PROCESS_OUTGOING_CALLS (dangerous) permissions are moved from PHONE to the new CALL_LOG permission group. This means that being able to make phone calls (e.g. by having the permissions of the PHONE group granted) is not sufficient to get access to the call logs.
    Restricted access to phone numbers: apps wanting to read the phone number require the READ_CALL_LOG permission when running on Android 9 (API level 28).
    Restricted access to Wi-Fi location and connection information: SSID and BSSID values cannot be retrieved (e.g. via WifiManager.getConnectionInfo unless all of the following is true:
      The ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION permission.
      The ACCESS_WIFI_STATE permission.
      Location services are enabled (under Settings -> Location).
Apps targeting Android 9 (API level 28) or higher are affected by the following:
    Build serial number deprecation: device's hardware serial number cannot be read (e.g. via Build.getSerial) unless the READ_PHONE_STATE (dangerous) permission is granted.

Android 10 Changes (Beta)

Android 10 Beta introduces several user privacy enhancements. The changes regarding permissions affect to all apps running on Android 10, including those targeting lower API levels.
    Restricted access to screen contents: READ_FRAME_BUFFER, CAPTURE_VIDEO_OUTPUT, and CAPTURE_SECURE_VIDEO_OUTPUT permissions are now signature-access only, which prevents silent access to the device's screen contents.
    User-facing permission check on legacy apps: when running an app targeting Android 5.1 (API level 22) or lower for the first time, users will be prompted with a permissions screen where they can revoke access to specific legacy permissions (which previously would be automatically granted at installation time).

Activity Permission Enforcement

Permissions are applied via android:permission attribute within the <activity> tag in the manifest. These permissions restrict which applications can start that Activity. The permission is checked during Context.startActivity and Activity.startActivityForResult. Not holding the required permission results in a SecurityException being thrown from the call.

Service Permission Enforcement

Permissions applied via android:permission attribute within the <service> tag in the manifest restrict who can start or bind to the associated Service. The permission is checked during Context.startService, Context.stopService and Context.bindService. Not holding the required permission results in a SecurityException being thrown from the call.

Broadcast Permission Enforcement

Permissions applied via android:permission attribute within the <receiver> tag restrict access to send broadcasts to the associated BroadcastReceiver. The held permissions are checked after Context.sendBroadcast returns, while trying to deliver the sent broadcast to the given receiver. Not holding the required permissions doesn't throw an exception, the result is an unsent broadcast.
A permission can be supplied to Context.registerReceiver to control who can broadcast to a programmatically registered receiver. Going the other way, a permission can be supplied when calling Context.sendBroadcast to restrict which broadcast receivers are allowed to receive the broadcast.
Note that both a receiver and a broadcaster can require a permission. When this happens, both permission checks must pass for the intent to be delivered to the associated target. For more information, please reference the section "Restricting broadcasts with permissions" in the Android Developers Documentation.

Content Provider Permission Enforcement

Permissions applied via android:permission attribute within the <provider> tag restrict access to data in a ContentProvider. Content providers have an important additional security facility called URI permissions which is described next. Unlike the other components, ContentProviders have two separate permission attributes that can be set, android:readPermission restricts who can read from the provider, and android:writePermission restricts who can write to it. If a ContentProvider is protected with both read and write permissions, holding only the write permission does not also grant read permissions.
Permissions are checked when you first retrieve a provider and as operations are performed using the ContentProvider. Using ContentResolver.query requires holding the read permission; using ContentResolver.insert, ContentResolver.update, ContentResolver.delete requires the write permission. A SecurityException will be thrown from the call if proper permissions are not held in all these cases.

Content Provider URI Permissions

The standard permission system is not sufficient when being used with content providers. For example a content provider may want to limit permissions to READ permissions in order to protect itself, while using custom URIs to retrieve information. An application should only have the permission for that specific URI.
The solution is per-URI permissions. When starting or returning a result from an activity, the method can set Intent.FLAG_GRANT_READ_URI_PERMISSION and/or Intent.FLAG_GRANT_WRITE_URI_PERMISSION. This grants permission to the activity for the specific URI regardless if it has permissions to access to data from the content provider.
This allows a common capability-style model where user interaction drives ad-hoc granting of fine-grained permission. This can be a key facility for reducing the permissions needed by apps to only those directly related to their behavior. Without this model in place malicious users may access other member's email attachments or harvest contact lists for future use via unprotected URIs. In the manifest the android:grantUriPermissions attribute or the node help restrict the URIs.

Documentation for URI Permissions

Custom Permissions

Android allows apps to expose their services/components to other apps. Custom permissions are required for app access to the exposed components. You can define custom permissions in AndroidManifest.xml by creating a permission tag with two mandatory attributes: android:name and android:protectionLevel.
It is crucial to create custom permissions that adhere to the Principle of Least Privilege: permission should be defined explicitly for its purpose, with a meaningful and accurate label and description.
Below is an example of a custom permission called START_MAIN_ACTIVITY, which is required when launching the TEST_ACTIVITY Activity.
The first code block defines the new permission, which is self-explanatory. The label tag is a summary of the permission, and the description is a more detailed version of the summary. You can set the protection level according to the types of permissions that will be granted. Once you've defined your permission, you can enforce it by adding it to the application's manifest. In our example, the second block represents the component that we are going to restrict with the permission we created. It can be enforced by adding the android:permission attributes.
1
<permission android:name="com.example.myapp.permission.START_MAIN_ACTIVITY"
2
android:label="Start Activity in myapp"
3
android:description="Allow the app to launch the activity of myapp app, any app you grant this permission will be able to launch main activity by myapp app."
4
android:protectionLevel="normal" />
5
6
<activity android:name="TEST_ACTIVITY"
7
android:permission="com.example.myapp.permission.START_MAIN_ACTIVITY">
8
<intent-filter>
9
<action android:name="android.intent.action.MAIN" />
10
<category android:name="android.intent.category.LAUNCHER" />
11
</intent-filter>
12
</activity>
Copied!
Once the permission START_MAIN_ACTIVITY has been created, apps can request it via the uses-permission tag in the AndroidManifest.xml file. Any application granted the custom permission START_MAIN_ACTIVITY can then launch the TEST_ACTIVITY. Please note <uses-permission android:name="myapp.permission.START_MAIN_ACTIVITY" /> must be declared before the <application> or an exception will occur at runtime. Please see the example below that is based on the permission overview and manifest-intro.
1
<manifest>
2
<uses-permission android:name="com.example.myapp.permission.START_MAIN_ACTIVITY" />
3
<application>
4
<activity>
5
</activity>
6
</application>
7
</manifest>
Copied!
We recommend using a reverse-domain annotation when registering a permission, as in the example above (e.g. com.domain.application.permission) in order to avoid collisions with other applications.

Static Analysis

Android Permissions

Check permissions to make sure that the app really needs them and remove unnecessary permissions. For example, the INTERNET permission in the AndroidManifest.xml file is necessary for an Activity to load a web page into a WebView. Because a user can revoke an application's right to use a dangerous permission, the developer should check whether the application has the appropriate permission each time an action is performed that would require that permission.
1
<uses-permission android:name="android.permission.INTERNET" />
Copied!
Go through the permissions with the developer to identify the purpose of every permission set and remove unnecessary permissions.
Besides going through the AndroidManifest.xml file manually, you can also use the Android Asset Packaging tool (aapt) to examine the permissions of an APK file.
aapt comes with the Android SDK within the build-tools folder. It requires an APK file as input. You may list the APKs in the device by running adb shell pm list packages -f | grep -i <keyword> as seen in "Listing Installed Apps".
1
$ aapt d permissions app-x86-debug.apk
2
package: sg.vp.owasp_mobile.omtg_android
3
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
4
uses-permission: name='android.permission.INTERNET'
Copied!
Alternatively you may obtain a more detailed list of permissions via adb and the dumpsys tool:
1
$ adb shell dumpsys package sg.vp.owasp_mobile.omtg_android | grep permission
2
requested permissions:
3
android.permission.WRITE_EXTERNAL_STORAGE
4
android.permission.INTERNET
5
android.permission.READ_EXTERNAL_STORAGE
6
install permissions:
7
android.permission.INTERNET: granted=true
8
runtime permissions:
Copied!
Please reference this permissions overview for descriptions of the listed permissions that are considered dangerous.
1
READ_CALENDAR
2
WRITE_CALENDAR
3
READ_CALL_LOG
4
WRITE_CALL_LOG
5
PROCESS_OUTGOING_CALLS
6
CAMERA
7
READ_CONTACTS
8
WRITE_CONTACTS
9
GET_ACCOUNTS
10
ACCESS_FINE_LOCATION
11
ACCESS_COARSE_LOCATION
12
RECORD_AUDIO
13
READ_PHONE_STATE
14
READ_PHONE_NUMBERS
15
CALL_PHONE
16
ANSWER_PHONE_CALLS
17
ADD_VOICEMAIL
18
USE_SIP
19
BODY_SENSORS
20
SEND_SMS
21
RECEIVE_SMS
22
READ_SMS
23
RECEIVE_WAP_PUSH
24
RECEIVE_MMS
25
READ_EXTERNAL_STORAGE
26
WRITE_EXTERNAL_STORAGE
Copied!

Custom Permissions

Apart from enforcing custom permissions via the application manifest file, you can also check permissions programmatically. This is not recommended, however, because it is more error-prone and can be bypassed more easily with, e.g., runtime instrumentation. It is recommended that the ContextCompat.checkSelfPermission method is called to check if an activity has a specified permission. Whenever you see code like the following snippet, make sure that the same permissions are enforced in the manifest file.
1
private static final String TAG = "LOG";
2
int canProcess = checkCallingOrSelfPermission("com.example.perm.READ_INCOMING_MSG");
3
if (canProcess != PERMISSION_GRANTED)
4
throw new SecurityException();
Copied!
Or with ContextCompat.checkSelfPermission which compares it to the manifest file.
1
if (ContextCompat.checkSelfPermission(secureActivity.this, Manifest.READ_INCOMING_MSG)
2
!= PackageManager.PERMISSION_GRANTED) {
3
//!= stands for not equals PERMISSION_GRANTED
4
Log.v(TAG, "Permission denied");
5
}
Copied!

Requesting Permissions

If your application has permissions that need to be requested at runtime, the application must call the requestPermissions method in order to obtain them. The app passes the permissions needed and an integer request code you have specified to the user asynchronously, returning once the user chooses to accept or deny the request in the same thread. After the response is returned the same request code is passed to the app's callback method.
1
private static final String TAG = "LOG";
2
// We start by checking the permission of the current Activity
3
if (ContextCompat.checkSelfPermission(secureActivity.this,
4
Manifest.permission.WRITE_EXTERNAL_STORAGE)
5
!= PackageManager.PERMISSION_GRANTED) {
6
7
// Permission is not granted
8
// Should we show an explanation?
9
if (ActivityCompat.shouldShowRequestPermissionRationale(secureActivity.this,
10
//Gets whether you should show UI with rationale for requesting permission.
11
//You should do this only if you do not have permission and the permission requested rationale is not communicated clearly to the user.
12
Manifest.permission.WRITE_EXTERNAL_STORAGE)) {
13
// Asynchronous thread waits for the users response.
14
// After the user sees the explanation try requesting the permission again.
15
} else {
16
// Request a permission that doesn't need to be explained.
17
ActivityCompat.requestPermissions(secureActivity.this,
18
new String[]{Manifest.permission.WRITE_EXTERNAL_STORAGE},
19
MY_PERMISSIONS_REQUEST_WRITE_EXTERNAL_STORAGE);
20
// MY_PERMISSIONS_REQUEST_WRITE_EXTERNAL_STORAGE will be the app-defined int constant.
21
// The callback method gets the result of the request.
22
}
23
} else {
24
// Permission already granted debug message printed in terminal.
25
Log.v(TAG, "Permission already granted.");
26
}
Copied!
Please note that if you need to provide any information or explanation to the user it needs to be done before the call to requestPermissions, since the system dialog box can not be altered once called.

Handling Responses to Permission Requests

Now your app has to override the system method onRequestPermissionsResult to see if the permission was granted. This method receives the requestCode integer as input parameter (which is the same request code that was created in requestPermissions).
The following callback method may be used for WRITE_EXTERNAL_STORAGE.
1
@Override //Needed to override system method onRequestPermissionsResult()
2
public void onRequestPermissionsResult(int requestCode, //requestCode is what you specified in requestPermissions()
3
String permissions[], int[] permissionResults) {
4
switch (requestCode) {
5
case MY_PERMISSIONS_WRITE_EXTERNAL_STORAGE: {
6
if (grantResults.length > 0
7
&& permissionResults[0] == PackageManager.PERMISSION_GRANTED) {
8
// 0 is a canceled request, if int array equals requestCode permission is granted.
9
} else {
10
// permission denied code goes here.
11
Log.v(TAG, "Permission denied");
12
}
13
return;
14
}
15
// Other switch cases can be added here for multiple permission checks.
16
}
17
}
Copied!
Permissions should be explicitly requested for every needed permission, even if a similar permission from the same group has already been requested. For applications targeting Android 7.1 (API level 25) and older, Android will automatically give an application all the permissions from a permission group, if the user grants one of the requested permissions of that group. Starting with Android 8.0 (API level 26), permissions will still automatically be granted if a user has already granted a permission from the same permission group, but the application still needs to explicitly request the permission. In this case, the onRequestPermissionsResult handler will automatically be triggered without any user interaction.
For example if both READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE are listed in the Android Manifest but only permissions are granted for READ_EXTERNAL_STORAGE, then requesting WRITE_EXTERNAL_STORAGE will automatically have permissions without user interaction because they are in the same group and not explicitly requested.

Permission Analysis

Always check whether the application is requesting permissions it actually requires. Make sure that no permissions are requested which are not related to the goal of the app, especially DANGEROUS and SIGNATURE permissions, since they can affect both the user and the application if mishandled. For instance, it should be suspicious if a single-player game app requires access to android.permission.WRITE_SMS.
When analyzing permissions, you should investigate the concrete use case scenarios of the app and always check if there are replacement APIs for any DANGEROUS permissions in use. A good example is the SMS Retriever API which streamlines the usage of SMS permissions when performing SMS-based user verification. By using this API an application does not have to declare DANGEROUS permissions which is a benefit to both the user and developers of the application, who doesn't have to submit the Permissions Declaration Form.

Dynamic Analysis

Permissions for installed applications can be retrieved with Drozer. The following extract demonstrates how to examine the permissions used by an application and the custom permissions defined by the app:
1
dz> run app.package.info -a com.android.mms.service
2
Package: com.android.mms.service
3
Application Label: MmsService
4
Process Name: com.android.phone
5
Version: 6.0.1
6
Data Directory: /data/user/0/com.android.mms.service
7
APK Path: /system/priv-app/MmsService/MmsService.apk
8
UID: 1001
9
GID: [2001, 3002, 3003, 3001]
10
Shared Libraries: null
11
Shared User ID: android.uid.phone
12
Uses Permissions:
13
- android.permission.RECEIVE_BOOT_COMPLETED
14
- android.permission.READ_SMS
15
- android.permission.WRITE_SMS
16
- android.permission.BROADCAST_WAP_PUSH
17
- android.permission.BIND_CARRIER_SERVICES
18
- android.permission.BIND_CARRIER_MESSAGING_SERVICE
19
- android.permission.INTERACT_ACROSS_USERS
20
Defines Permissions:
21
- None
Copied!
When Android applications expose IPC components to other applications, they can define permissions to control which applications can access the components. For communication with a component protected by a normal or dangerous permission, Drozer can be rebuilt so that it includes the required permission:
1
$ drozer agent build --permission android.permission.REQUIRED_PERMISSION
Copied!
Note that this method can't be used for signature level permissions because Drozer would need to be signed by the certificate used to sign the target application.
When doing the dynamic analysis: validate whether the permission requested by the app is actually necessary for the app. For instance: a single-player game that requires access to android.permission.WRITE_SMS, might not be a good idea.

Testing for Injection Flaws (MSTG-PLATFORM-2)

Overview

Android apps can expose functionality through custom URL schemes (which are a part of Intents). They can expose functionality to
    other apps (via IPC mechanisms, such as Intents, Binders, Android Shared Memory (ASHMEM), or BroadcastReceivers),
    the user (via the user interface).
None of the input from these sources can be trusted; it must be validated and/or sanitized. Validation ensures processing of data that the app is expecting only. If validation is not enforced, any input can be sent to the app, which may allow an attacker or malicious app to exploit app functionality.
The following portions of the source code should be checked if any app functionality has been exposed:
    Custom URL schemes. Check the test case "Testing Custom URL Schemes" as well for further test scenarios.
    IPC Mechanisms (Intents, Binders, Android Shared Memory, or BroadcastReceivers). Check the test case "Testing Whether Sensitive Data Is Exposed via IPC Mechanisms" as well for further test scenarios.
    User interface
An example of a vulnerable IPC mechanism is shown below.
You can use ContentProviders to access database information, and you can probe services to see if they return data. If data is not validated properly, the content provider may be prone to SQL injection while other apps are interacting with it. See the following vulnerable implementation of a ContentProvider.
1
<provider
2
android:name=".OMTG_CODING_003_SQL_Injection_Content_Provider_Implementation"
3
android:authorities="sg.vp.owasp_mobile.provider.College">
4
</provider>
Copied!
The AndroidManifest.xml above defines a content provider that's exported and therefore available to all other apps. The query function in the OMTG_CODING_003_SQL_Injection_Content_Provider_Implementation.java class should be inspected.
1
@Override
2
public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) {
3
SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
4
qb.setTables(STUDENTS_TABLE_NAME);
5
6
switch (uriMatcher.match(uri)) {
7
case STUDENTS:
8
qb.setProjectionMap(STUDENTS_PROJECTION_MAP);
9
break;
10
11
case STUDENT_ID:
12
// SQL Injection when providing an ID
13
qb.appendWhere( _ID + "=" + uri.getPathSegments().get(1));
14
Log.e("appendWhere",uri.getPathSegments().get(1).toString());
15
break;
16
17
default:
18
throw new IllegalArgumentException("Unknown URI " + uri);
19
}
20
21
if (sortOrder == null || sortOrder == ""){
22
/**
23
* By default sort on student names
24
*/
25
sortOrder = NAME;
26
}
27
Cursor c = qb.query(db, projection, selection, selectionArgs,null, null, sortOrder);
28
29
/**
30
* register to watch a content URI for changes
31
*/
32
c.setNotificationUri(getContext().getContentResolver(), uri);
33
return c;
34
}
Copied!
While the user is providing a STUDENT_ID at content://sg.vp.owasp_mobile.provider.College/students, the query statement is prone to SQL injection. Obviously prepared statements must be used to avoid SQL injection, but input validation should also be applied so that only input that the app is expecting is processed.
All app functions that process data coming in through the UI should implement input validation:
    For user interface input, Android Saripaar v2 can be used.
    For input from IPC or URL schemes, a validation function should be created. For example, the following determines whether the string is alphanumeric:
1
public boolean isAlphaNumeric(String s){
2
String pattern= "^[a-zA-Z0-9]*quot;;
3
return s.matches(pattern);
4
}
Copied!
An alternative to validation functions is type conversion, with, for example, Integer.parseInt if only integers are expected. The OWASP Input Validation Cheat Sheet contains more information about this topic.

Dynamic Analysis

The tester should manually test the input fields with strings like OR 1=1-- if, for example, a local SQL injection vulnerability has been identified.
On a rooted device, the command content can be used to query the data from a content provider. The following command queries the vulnerable function described above.
1
# content query --uri content://sg.vp.owasp_mobile.provider.College/students
Copied!
SQL injection can be exploited with the following command. Instead of getting the record for Bob only, the user can retrieve all data.
1
# content query --uri content://sg.vp.owasp_mobile.provider.College/students --where "name='Bob') OR 1=1--''"
Copied!
Drozer can also be used for dynamic testing.

Testing for Fragment Injection (MSTG-PLATFORM-2)

Overview

Android SDK offers developers a way to present a Preferences activity to users, allowing the developers to extend and adapt this abstract class.
This abstract class parses the extra data fields of an Intent, in particular, the PreferenceActivity.EXTRA_SHOW_FRAGMENT(:android:show_fragment) and Preference Activity.EXTRA_SHOW_FRAGMENT_ARGUMENTS(:android:show_fragment_arguments) fields.
The first field is expected to contain the Fragment class name, and the second one is expected to contain the input bundle passed to the Fragment.
Because the PreferenceActivity uses reflection to load the fragment, an arbitrary class may be loaded inside the package or the Android SDK. The loaded class runs in the context of the application that exports this activity.
With this vulnerability, an attacker can call fragments inside the target application or run the code present in other classes' constructors. Any class that's passed in the Intent and does not extend the Fragment class will cause a java.lang.CastException, but the empty constructor will be executed before the exception is thrown, allowing the code present in the class constructor run.
To prevent this vulnerability, a new method called isValidFragment was added in Android 4.4 (API level 19). It allows developers to override this method and define the fragments that may be used in this context.
The default implementation returns true on versions older than Android 4.4 (API level 19); it will throw an exception on later versions.

Static Analysis

Steps:
    Check if android:targetSdkVersion less than 19.
    Find exported Activities that extend the PreferenceActivity class.
    Determine whether the method isValidFragment has been overridden.
    If the app currently sets its android:targetSdkVersion in the manifest to a value less than 19 and the vulnerable class does not contain any implementation of isValidFragment then, the vulnerability is inherited from the PreferenceActivity.
    In order to fix, developers should either update the android:targetSdkVersion to 19 or higher. Alternatively, if the android:targetSdkVersion cannot be updated, then developers should implement isValidFragment as described.
The following example shows an Activity that extends this activity:
1
public class MyPreferences extends PreferenceActivity {
2
@Override
3
protected void onCreate(Bundle savedInstanceState) {
4
super.onCreate(savedInstanceState);
5
}
6
}
Copied!
The following examples show the isValidFragment method being overridden with an implementation that allows the loading of MyPreferenceFragment only:
1
@Override
2
protected boolean isValidFragment(String fragmentName)
3
{
4
return "com.fullpackage.MyPreferenceFragment".equals(fragmentName);
5
}
Copied!

Example of Vulnerable App and Exploitation

MainActivity.class
1
public class MainActivity extends PreferenceActivity {
2
protected void onCreate(Bundle savedInstanceState) {
3
super.onCreate(savedInstanceState);
4
}
5
}
Copied!
MyFragment.class
1
public class MyFragment extends Fragment {
2
public void onCreate (Bundle savedInstanceState) {
3
super.onCreate(savedInstanceState);
4
}
5
public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
6
View v = inflater.inflate(R.layout.fragmentLayout, null);
7
WebView myWebView = (WebView) wv.findViewById(R.id.webview);
8
myWebView.getSettings().setJavaScriptEnabled(true);
9
myWebView.loadUrl(this.getActivity().getIntent().getDataString());
10
return v;
11
}
12
}
Copied!
To exploit this vulnerable Activity, you can create an application with the following code:
1
Intent i = new Intent();
2
i.setFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
3
i.setClassName("pt.claudio.insecurefragment","pt.claudio.insecurefragment.MainActivity");
4
i.putExtra(":android:show_fragment","pt.claudio.insecurefragment.MyFragment");
5
i.setData(Uri.parse("https://security.claudio.pt"));
6
startActivity(i);
Copied!
The Vulnerable App and Exploit PoC App are available for downloading.

Testing for URL Loading in WebViews (MSTG-PLATFORM-2)

Overview

WebViews are Android's embedded components which allow your app to open web pages within your application. In addition to mobile apps related threats, WebViews may expose your app to common web threats (e.g. XSS, Open Redirect, etc.).
One of the most important things to do when testing WebViews is to make sure that only trusted content can be loaded in it. Any newly loaded page could be potentially malicious, try to exploit any WebView bindings or try to phish the user. Unless you're developing a browser app, usually you'd like to restrict the pages being loaded to the domain of your app. A good practice is to prevent the user from even having the chance to input any URLs inside WebViews (which is the default on Android) nor navigate outside the trusted domains. Even when navigating on trusted domains there's still the risk that the user might encounter and click on other links to untrustworthy content (e.g. if the page allows for other users to post comments). In addition, some developers might even override some default behavior which can be potentially dangerous for the user. See the Static Analysis section below for more details.

SafeBrowsing API

To provide a safer web browsing experience, Android 8.1 (API level 27) introduces the SafeBrowsing API, which allows your application to detect URLs that Google has classified as a known threat.
By default, WebViews show a warning to users about the security risk with the option to load the URL or stop the page from loading. With the SafeBrowsing API you can customize your application's behavior by either reporting the threat to SafeBrowsing or performing a particular action such as returning back to safety each time it encounters a known threat. Please check the Android Developers documentation for usage examples.
You can use the SafeBrowsing API independently from WebViews using the SafetyNet library, which implements a client for Safe Browsing Network Protocol v4. SafetyNet allows you to analyze all the URLs that your app is supposed load. You can check URLs with different schemes (e.g. http, file) since SafeBrowsing is agnostic to URL schemes, and against TYPE_POTENTIALLY_HARMFUL_APPLICATION and TYPE_SOCIAL_ENGINEERING threat types.

Virus Total API

Virus Total provides an API for analyzing URLs and local files for known threats. The API Reference is available on Virus Total developers page.
When sending URLs or files to be checked for known threats make sure they don't contain sensitive data which could compromise a user's privacy, or expose sensitive content from your application.

Static Analysis

As we mentioned before, handling page navigation should be analyzed carefully, especially when users might be able to navigate away from a trusted environment. The default and safest behavior on Android is to let the default web browser open any link that the user might click inside the WebView. However, this default logic can be modified by configuring a WebViewClient which allows navigation requests to be handled by the app itself. If this is the case, be sure to search for and inspect the following interception callback functions:
    shouldOverrideUrlLoading allows your application to either abort loading WebViews with suspicious content by returning true or allow the WebView to load the URL by returning false. Considerations:
      This method is not called for POST requests.
      This method is not called for XmlHttpRequests, iFrames, "src" attributes included in HTML or <script> tags. Instead, shouldInterceptRequest should take care of this.
    shouldInterceptRequest allows the application to return the data from resource requests. If the return value is null, the WebView will continue to load the resource as usual. Otherwise, the data returned by the shouldInterceptRequest method is used. Considerations:
      This callback is invoked for a variety of URL schemes (e.g., http(s):, data:, file:, etc.), not only those schemes which send requests over the network.
      This is not called for javascript: or blob: URLs, or for assets accessed via file:///android_asset/ or file:///android_res/ URLs.
      In the case of redirects, this is only called for the initial resource URL, not any subsequent redirect URLs.
      When Safe Browsing is enabled, these URLs still undergo Safe Browsing checks but the developer can allow the URL with setSafeBrowsingWhitelist or even ignore the warning via the onSafeBrowsingHit callback.
As you can see there are a lot of points to consider when testing the security of WebViews that have a WebViewClient configured, so be sure to carefully read and understand all of them by checking the WebViewClient Documentation.
While the default value of EnableSafeBrowsing is true, some applications might opt to disable it. To verify that SafeBrowsing is enabled, inspect the AndroidManifest.xml file and make sure that the configuration below is not present:
1
<manifest>
2
<application>
3
<meta-data android:name="android.webkit.WebView.EnableSafeBrowsing"
4
android:value="false" />
5
...
6
</application>
7
</manifest>
Copied!

Dynamic Analysis

A convenient way to dynamically test deep linking is to use Frida or frida-trace and hook the shouldOverrideUrlLoading, shouldInterceptRequest methods while using the app and clicking on links within the WebView. Be sure to also hook other related Uri methods such as getHost, getScheme or getPath which are typically used to inspect the requests and match known patterns or deny lists.

Testing Custom URL Schemes (MSTG-PLATFORM-3)

Overview

Android allows you to create two different types of links for your apps: deep links and Android App Links. According to the Android Developer Documentation, deep links are URLs that take users directly to specific content in your app. You can set up deep links by adding intent filters and extracting data from incoming intents to drive users to the right activity. You can even use any custom scheme prefix such as myapp, which will result in the URI prefix "myapp://". These kind of deep links are also referred to as "Custom URL Schemes" and are typically used as a form of inter-app communication where an app can define certain actions (including the corresponding parameters) that can be triggered by other apps.
This method of defining deep links via intent filters has an important issue: any other apps installed on a user's device can declare and try to handle the same intent (typically a custom URL scheme). This is known as deep link collision where any arbitrary application can declare control over the exact same URL custom scheme belonging to another application. In recent versions of Android this results in a so-called disambiguation dialog being shown to the user and asking them to select the application that should handle the link. The user could make the mistake of choosing a malicious application instead of the legitimate one.
Consider the following example of a deep link to an email application:
1
emailapp://composeEmail/[email protected]&message=SEND%20MONEY%20TO%20HERE!&sendImmediately=true
Copied!
When a victim clicks such a link on a mobile device, a potentially vulnerable application might send an email from the user's original address containing attacker-crafted content. This could lead to financial loss, information disclosure, social damage of the victim, to name a few.
Another application specific example of deep linking is shown below:
1
myapp://mybeautifulapp/endpoint?Whatismyname=MyNameIs<svg onload=alert(1)>&MyAgeIs=100
Copied!
This deep link could be used in order to abuse some known vulnerabilities already identified within an application (e.g. via reverse engineering). For instance, consider an application running a WebView with JavaScript enabled and rendering the Whatismyname parameter. In this concrete case, the deep link payload would trigger reflected cross site scripting within the context of the WebView.
Since Android 6.0 (API Level 23) a developer can opt to define Android App Links, which are verified deep links based on a website URL explicitly registered by the developer. Clicking on an App Link will immediately open the app if it's installed and most importantly, the disambiguation dialog won't be prompted and therefore collisions are not possible anymore.
There are some key differences from regular deep links to consider:
    App Links only use http:// and https:// schemes, any other custom URL schemes are not allowed.
    App Links require a live domain to serve a Digital Asset Links file via HTTPS.
    App links do not suffer from deep link collision since they don't show a disambiguation dialog when a user opens them.
For every application, all existing deep links (including App Links) can potentially increase the app attack surface. All deep links must be enumerated and the actions they perform must be well tested, especially all input data which should be deemed to be untrustworthy and thus should be always validated. In addition, also consider the following:
    When using reflection-based persistence type of data processing, check the section "Testing Object Persistence" for Android.
    Using the data for queries? Make sure you make parameterized queries.
    Using the data to do authenticated actions? Make sure that the user is in an authenticated state before the data is processed.
    If tampering of the data will influence the result of the calculations: add an HMAC to the data.

Static Analysis

You can easily determine whether deep links (with or without custom URL schemes) are defined just by inspecting the Android Manifest file and looking for <intent-filter> elements.
The following example specifies a new deep link with a custom URL scheme called myapp://. You should pay special attention to the attributes as they give you clues about how the deep link is used. For example, the category BROWSABLE will allow the deep link to be opened within a browser.
1
<activity android:name=".MyUriActivity">
2
<intent-filter>
3
<action android:name="android.intent.action.VIEW" />
4
<category android:name="android.intent.category.DEFAULT" />
5
<category android:name="android.intent.category.BROWSABLE" />
6
<data android:scheme="myapp" android:host="path" />
7
</intent-filter>
8
</activity>
Copied!
The following example specifies a new App Link using both the http:// and https:// schemes, along with the host and path which will activate it (in this case, the full URL would be https://www.myapp.com/my/app/path):
1
<activity android:name=".MyUriActivity">
2
<intent-filter android:autoVerify="true">
3
<action android:name="android.intent.action.VIEW" />
4
<category android:name="android.intent.category.DEFAULT" />
5
<category android:name="android.intent.category.BROWSABLE" />
6
<data android:scheme="http" android:host="www.myapp.com" android:path="/my/app/path" />
7
<data android:scheme="https" android:host="www.myapp.com" android:path="/my/app/path" />
8
</intent-filter>
9
</activity>
Copied!
In this example, the <intent-filter> includes the flag android:autoVerify="true", which makes it an App Link and causes the Android system to reach out to the declared android:host in an attempt to access the Digital Asset Links file in order to verify the App Links.
You must pay special attention to deep links being used to transmit data (which is controlled externally, e.g. by the user or any other app). For example, the following URI could be used to transmit two values valueOne and valueTwo: myapp://path/to/what/i/want?keyOne=valueOne&keyTwo=valueTwo. In order to retrieve the input data and potentially process it, the receiving app could implement a code block similar to the following acting as a data handler method. The way to handle data is the same for both deep links and App Links:
1
Intent intent = getIntent();
2
if (Intent.ACTION_VIEW.equals(intent.getAction())) {
3
Uri uri = intent.getData();
4
String valueOne = uri.getQueryParameter("keyOne");
5
String valueTwo = uri.getQueryParameter("keyTwo");
6
}
Copied!
The usage of the [getIntent](https://developer.android.com/reference/android/content/Intent#getIntent(java.lang.String) "getIntent()") and getData should be verified in order to understand how the application handles deep link input data, and if it could be subject to any kind of abuse. This general approach of locating these methods can be used across most applications when performing reverse engineering and is key when trying to understand how the application uses deep links and handles any externally provided input data.

Dynamic Analysis

When testing deep links it's very useful to first build a list of all <intent-filter> elements from the AndroidManifest.xml and any custom URL schemes that they might define. For each of those deep links you should be able to determine which data they receive, if any. Remember that you might need to perform some reverse engineering first to find out if there are any input parameters that you might apply to the deep link. Sometimes you can even take advantage of other applications which you know that interact with your target app. You can reverse engineer them or use them as triggers, while hooking the data handler methods on the target app side. This way you can discover which ones are triggered and inspect valid or legitimate input parameters.
Depending on the situation, the length of the link and the provided data you can use several methods call deep links. For very short deep links, probably the easiest method is to simply open your mobile browser and type it in the search bar. Another convenient method is to use the Activity Manager (am) tool to send intents within the Android device.
1
$ adb shell am start
2
-W -a android.intent.action.VIEW
3
-d "emailapp://composeEmail/[email protected]&message=SEND%20MONEY%20TO%20HERE!&sendImmediately=true" com.emailapp.android
Copied!
1
$ adb shell am start
2
-W -a android.intent.action.VIEW
3
-d "https://www.myapp.com/my/app/path?dataparam=0" com.myapp.android
Copied!
Alternatively you can use Drozer's scanner.activity.browsable module in order to automatically pull invocable URIs from the AndroidManifest.xml file:
1
dz> run scanner.activity.browsable -a com.google.android.apps.messaging
2
Package: com.google.android.apps.messaging
3
Invocable URIs:
4
sms://
5
mms://
6
Classes:
7
com.google.android.apps.messaging.ui.conversation.LaunchConversationActivity
Copied!
Furthermore, Drozer can then be used to call deep links using the app.activity.start module:
1
dz> run app.activity.start --action android.intent.action.VIEW --data-uri "sms://0123456789"
Copied!

Testing for Insecure Configuration of Instant Apps (MSTG-ARCH-1, MSTG-ARCH-7)

Overview

With Google Play Instant you can now create Instant apps. An instant apps can be instantly launched from a browser or the "try now" button from the app store from Android 5.0 (API level 21) onward. They do not require any form of installation. There are a few challenges with an instant app:
    There is a limited amount of size you can have with an instant app.
    Only a reduced number of permissions can be used, which are documented at Android Instant app documentation.
The combination of these can lead to insecure decisions, such as: stripping too much of the authorization/authentication/confidentiality logic from an app, which allows for information leakage.
Note: Instant apps require an App Bundle. App Bundles are described in the "App Bundles" section of the "Android Platform Overview" chapter.

Static Analysis

Static analysis can be either done after reverse engineering a downloaded instant app, or by analyzing the App Bundle. When you analyze the App Bundle, check the Android Manifest to see whether dist:module dist:instant="true" is set for a given module (either the base or a specific module with dist:module set). Next, check for the various entry points, which entry points are set (by means of <data android:path="</PATH/HERE>" />).
Now follow the entry points, like you would do for any Activity and check:
    Is there any data retrieved by the app which should require privacy protection of that data? If so, are all required controls in place?
    Are all communications secured?
    When you need more functionalities, are the right security controls downloaded as well?

Dynamic Analysis

There are multiple ways to start the dynamic analysis of your instant app. In all cases, you will first have to install the support for instant apps and add the ia executable to your $PATH.
The installation of instant app support is taken care off through the following command:
1
$ cd path/to/android/sdk/tools/bin && ./sdkmanager 'extras;google;instantapps'
Copied!
Next, you have to add path/to/android/sdk/extras/google/instantapps/ia to your $PATH.
After the preparation, you can test instant apps locally on a device running Android 8.1 (API level 27) or later. The app can be tested in different ways:
    Test the app locally: Deploy the app via Android Studio (and enable the Deploy as instant app checkbox in the Run/Configuration dialog) or deploy the app using the following command:
    1
    $ ia run output-from-build-command <app-artifact>
    Copied!
    Test the app using the Play Console: 1. Upload your App Bundle to the Google Play Console 2. Prepare the uploaded bundle for a release to the internal test track. 3. Sign into an internal tester account on a device, then launch your instant experience from either an external prepared link or via the try now button in the App store from the testers account.
Now that you can test the app, check whether:
    There are any data which require privacy controls and whether these controls are in place.
    All communications are sufficiently secured.
    When you need more functionalities, are the right security controls downloaded as well for these functionalities?

Testing for Sensitive Functionality Exposure Through IPC (MSTG-PLATFORM-4)

Overview

During implementation of a mobile application, developers may apply traditional techniques for IPC (such as using shared files or network sockets). The IPC system functionality offered by mobile application platforms should be used because it is much more mature than traditional techniques. Using IPC mechanisms with no security in mind may cause the application to leak or expose sensitive data.
The following is a list of Android IPC Mechanisms that may expose sensitive data:

Static Analysis

We start by looking at the AndroidManifest.xml, where all activities, services, and content providers included in the source code must be declared (otherwise the system won't recognize them and they won't run). Broadcast receivers can be declared in the manifest or created dynamically. You will want to identify elements such as
An "exported" activity, service, or content can be accessed by other apps. There are two common ways to designate a component as exported. The obvious one is setting the export tag to true android:exported="true". The second way involves defining an <intent-filter> within the component element (<activity>, <service>, <receiver>). When this is done, the export tag is automatically set to "true". To prevent all other Android apps from interacting with the IPC component element, be sure that the android:exported="true" value and an <intent-filter> aren't in their AndroidManifest.xml files unless this is necessary.
Remember that using the permission tag (android:permission) will also limit other applications' access to a component. If your IPC is intended to be accessible to other applications, you can apply a security policy with the <permission> element and set a proper android:protectionLevel. When android:permission is used in a service declaration, other applications must declare a corresponding <uses-permission> element in their own manifest to start, stop, or bind to the service.
For more information about the content providers, please refer to the test case "Testing Whether Stored Sensitive Data Is Exposed via IPC Mechanisms" in chapter "Testing Data Storage".
Once you identify a list of IPC mechanisms, review the source code to see whether sensitive data is leaked when the mechanisms are used. For example, content providers can be used to access database information, and services can be probed to see if they return data. Broadcast receivers can leak sensitive information if probed or sniffed.
In the following, we use two example apps and give examples of identifying vulnerable IPC components:

Activities

Inspect the AndroidManifest

In the "Sieve" app, we find three exported activities, identified by <activity>:
1
<activity android:excludeFromRecents="true" android:label="@string/app_name" android:launchMode="singleTask" android:name=".MainLoginActivity" android:windowSoftInputMode="adjustResize|stateVisible">
2
<intent-filter>
3
<action android:name="android.intent.action.MAIN" />
4
<category android:name="android.intent.category.LAUNCHER" />
5
</intent-filter>
6
</activity>
7
<activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:exported="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_file_select" android:name=".FileSelectActivity" />
8
<activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:exported="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_pwlist" android:name=".PWList" />
Copied!

Inspect the source code

By inspecting the PWList.java activity, we see that it offers options to list all keys, add, delete, etc. If we invoke it directly, we will be able to bypass the LoginActivity. More on this can be found in the dynamic analysis below.

Services

Inspect the AndroidManifest

In the "Sieve" app, we find two exported services, identified by <service>:
1
<service android:exported="true" android:name=".AuthService" android:process=":remote" />
2
<service android:exported="true" android:name=".CryptoService" android:process=":remote" />
Copied!

Inspect the source code

Check the source code for the class android.app.Service:
By reversing the target application, we can see that the service AuthService provides functionality for changing the password and PIN-protecting the target app.
1
public void handleMessage(Message msg) {
2
AuthService.this.responseHandler = msg.replyTo;
3
Bundle returnBundle = msg.obj;
4
int responseCode;
5
int returnVal;
6
switch (msg.what) {
7
...
8
case AuthService.MSG_SET /*6345*/:
9
if (msg.arg1 == AuthService.TYPE_KEY) /*7452*/ {
10
responseCode = 42;
11
if (AuthService.this.setKey(returnBundle.getString("com.mwr.example.sieve.PASSWORD"))) {
12
returnVal = 0;
13
} else {
14
returnVal = 1;
15
}
16
} else if (msg.arg1 == AuthService.TYPE_PIN) {
17
responseCode = 41;
18
if (AuthService.this.setPin(returnBundle.getString("com.mwr.example.sieve.PIN"))) {
19
returnVal = 0;
20
} else {
21
returnVal = 1;
22
}
23
} else {
24
sendUnrecognisedMessage();
25
return;
26
}
27
}
28
}
Copied!

Broadcast Receivers

Inspect the AndroidManifest

In the "Android Insecure Bank" app, we find a broadcast receiver in the manifest, identified by <receiver>:
1
<receiver android:exported="true" android:name="com.android.insecurebankv2.MyBroadCastReceiver">
2
<intent-filter>
3
<action android:name="theBroadcast" />
4
</intent-filter>
5
</receiver>
Copied!

Inspect the source code

Search the source code for strings like sendBroadcast, sendOrderedBroadcast, and sendStickyBroadcast. Make sure that the application doesn't send any sensitive data.
If an Intent is broadcasted and received within the application only, LocalBroadcastManager can be used to prevent other apps from receiving the broadcast message. This reduces the risk of leaking sensitive information.
To understand more about what the receiver is intended to do, we have to go deeper in our static analysis and search for usage of the class android.content.BroadcastReceiver and the Context.registerReceiver method, which is used to dynamically create receivers.
The following extract of the target application's source code shows that the broadcast receiver triggers transmission of an SMS message containing the user's decrypted password.
1
public class MyBroadCastReceiver extends BroadcastReceiver {
2
String usernameBase64ByteString;
3
public static final String MYPREFS = "mySharedPreferences";
4
5
@Override
6
public void onReceive(Context context, Intent intent) {
7
// TODO Auto-generated method stub
8
9
String phn = intent.getStringExtra("phonenumber");
10
String newpass = intent.getStringExtra("newpass");
11
12
if (phn != null) {
13
try {
14
SharedPreferences settings = context.getSharedPreferences(MYPREFS, Context.MODE_WORLD_READABLE);
15
final String username = settings.getString("EncryptedUsername", null);
16
byte[] usernameBase64Byte = Base64.decode(username, Base64.DEFAULT);
17
usernameBase64ByteString = new String(usernameBase64Byte, "UTF-8");
18
final String password = settings.getString("superSecurePassword", null);
19
CryptoClass crypt = new CryptoClass();
20
String decryptedPassword = crypt.aesDeccryptedString(password);
21
String textPhoneno = phn.toString();
22
String textMessage = "Updated Password from: "+decryptedPassword+" to: "+newpass;
23
SmsManager smsManager = SmsManager.getDefault();
24
System.out.println("For the changepassword - phonenumber: "+textPhoneno+" password is: "+textMessage);
25
smsManager.sendTextMessage(textPhoneno, null, textMessage, null, null);
26
}
27
}
28
}
29
}
Copied!
BroadcastReceivers should use the android:permission attribute; otherwise, other applications can invoke them. You can use Context.sendBroadcast(intent, receiverPermission); to specify permissions a receiver must have to read the broadcast. You can also set an explicit application package name that limits the components this Intent will resolve to. If left as the default value (null), all components in all applications will be considered. If non-null, the Intent can match only the components in the given application package.

Dynamic Analysis

You can enu