Recently, an application with an Implicit PendingIntent vulnerability was rejected by Google Play.

The app had been scanned by an internal pre-approval tool platform before release, and everything looked fine.

The internal tool had not been updated for the Google Play policy change. The policy took effect on May 5th; before that date the app could still pass review normally.

A PendingIntent wraps an Intent. The wrapped Intent is implicit when it specifies only the action, data and categories instead of the component to launch, and leaves it to the system to resolve a suitable component.

Here is the remediation found with a Google search.

The general idea is:

  • Always set the action, package and component fields of the Intent;
  • Ensure that the PendingIntent is delivered only to trusted components;
  • Create the PendingIntent with FLAG_IMMUTABLE (added in API 23). This prevents the application that receives the PendingIntent from filling in the unfilled fields of the wrapped Intent.

What is the impact

We have a solution, but we still need to understand the impact of this bug.

According to the official documentation, wrapping an implicit Intent in a PendingIntent is a security vulnerability that can lead to denial of service, theft of private data, and privilege escalation.

I'm familiar with denial of service, which I studied during security review. It can be detected with the Intent Fuzzer tool.

A local denial-of-service vulnerability in an Android app mainly refers to the app not catching the exceptions thrown while reading intent.getXxxExtra(). An attacker can then send empty or malformed data to crash the app.

Components with android:exported="true" can be attacked. The usual remediation is:

  • Do not export components that do not need to be exported, that is, set android:exported to false;

  • Catch the exceptions that can occur when the Intent's data is handled:

    • Null pointer exception;
    • Type conversion (ClassCastException) exception;
    • Array out-of-bounds access exception;
    • Class-not-found exception (when a Serializable or Parcelable from another app is unparceled);
    • Other exceptions.
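The following is an added example, not code from the original post, of an exported Service that applies the second bullet: every extra is read inside one try/catch so that malformed data from another app is dropped instead of crashing the process. The service name, the extra keys "user_id" and "offsets", and the length limits are assumptions made for the example.

```java
import android.app.Service;
import android.content.Intent;
import android.os.Bundle;
import android.os.IBinder;
import android.util.Log;

// Added example (not from the original post). Assumes a hypothetical exported
// Service that expects a "user_id" string extra and an "offsets" int[] extra.
public class RobustService extends Service {
    private static final String TAG = "RobustService";

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        // A null Intent is legal here (a START_STICKY restart delivers null).
        if (intent == null) {
            return START_NOT_STICKY;
        }
        try {
            handle(intent);
        } catch (RuntimeException e) {
            // Every malformed extra sent by another app ends here instead of
            // killing the process: NullPointerException, ClassCastException
            // (wrong type for a key), ArrayIndexOutOfBoundsException, and
            // BadParcelableException / class-not-found failures raised while
            // unparceling a foreign Parcelable or Serializable.
            Log.w(TAG, "dropping malformed intent " + intent, e);
        }
        return START_NOT_STICKY;
    }

    private void handle(Intent intent) {
        // Force unparceling of the whole extras Bundle up front (Bundle.size()
        // triggers it), so a hostile payload fails here and not deep in business logic.
        Bundle extras = intent.getExtras();
        if (extras == null) {
            throw new IllegalArgumentException("no extras");
        }
        extras.size();

        // Validate each field for presence, type and range before using it.
        String userId = intent.getStringExtra("user_id");
        if (userId == null || userId.isEmpty() || userId.length() > 64) {
            throw new IllegalArgumentException("bad user_id");
        }
        int[] offsets = intent.getIntArrayExtra("offsets");
        if (offsets == null || offsets.length == 0 || offsets.length > 1024) {
            throw new IllegalArgumentException("bad offsets");
        }
        // The array access below is now guaranteed to be in bounds.
        process(userId, offsets[0]);
    }

    private void process(String userId, int firstOffset) {
        Log.i(TAG, "processing " + userId + " at offset " + firstOffset);
    }
}
```

Catching RuntimeException at the entry point is deliberate: the listed exception types are all unchecked, and an exported component cannot assume anything about the caller. Pair this with android:exported="false" in the manifest for every component that does not actually need to receive Intents from other apps.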

The official PendingIntent example that wraps an implicit Intent (this is the vulnerable pattern):

    // Create an implicit base Intent and wrap it in a PendingIntent
    Intent base = new Intent("ACTION_FOO");
    base.setPackage("some_package");
    PendingIntent pi = PendingIntent.getService(this, 0, base, 0);

If an intent-filter is declared for a component, android:exported defaults to true.

Prior to Android 12, components that declare an intent-filter (only activities, services and broadcast receivers) are automatically exported by default.

If the app targets Android 12 (API 31) or higher, the system no longer accepts this implicit default and requires the android:exported attribute to be declared explicitly for such components. If you do not want to expose an Activity to other apps, set android:exported="false" to keep your application safe.

How to fix it

The solution adopted is to catch exceptions when the Intent's data is handled and to set a ComponentName on the Intent. Any of the three forms below makes the Intent explicit:

    Intent a = new Intent(packageContext, targetClass);

    Intent b = new Intent();
    b.setClassName(packageName, className);

    Intent c = new Intent();
    ComponentName componentName = new ComponentName(packageContext, targetClass);
    c.setComponent(componentName);

All three end up assigning the same mComponent (ComponentName) field of the Intent.
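The following is an added example, not code from the original post, that puts the remediation bullets together: the vulnerable implicit PendingIntent from the official example beside a hardened version that sets the component, package and action and adds FLAG_IMMUTABLE, plus a small check that can run in a pre-release gate. The SyncService class and the "ACTION_FOO" action are assumptions made for the example.

```java
import android.app.PendingIntent;
import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.IBinder;

// Added example (not from the original post). SyncService and ACTION_FOO are
// hypothetical names chosen for the example.
public final class SafePendingIntents {

    private static final String ACTION_FOO = "ACTION_FOO";

    // Minimal target service so the example compiles on its own.
    public static class SyncService extends Service {
        @Override
        public IBinder onBind(Intent intent) {
            return null;
        }
    }

    // BEFORE: implicit base Intent. Action and package are set, but no component,
    // and flags == 0 leaves the PendingIntent mutable, so whichever app receives
    // it can call send(context, code, fillInIntent) and populate the fields that
    // were left empty (data, categories, extras).
    public static PendingIntent vulnerable(Context ctx) {
        Intent base = new Intent(ACTION_FOO);
        base.setPackage(ctx.getPackageName());
        return PendingIntent.getService(ctx, 0, base, 0);
    }

    // AFTER: explicit component, package and action, and FLAG_IMMUTABLE so the
    // recipient cannot change the wrapped Intent at all.
    public static PendingIntent hardened(Context ctx) {
        Intent base = new Intent(ctx, SyncService.class); // sets mComponent
        base.setAction(ACTION_FOO);
        base.setPackage(ctx.getPackageName());
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // FLAG_IMMUTABLE exists from API 23; on API 31+ one of
            // FLAG_IMMUTABLE / FLAG_MUTABLE must be given or creation throws.
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getService(ctx, 0, base, flags);
    }

    // Pre-release check for any Intent about to be wrapped in a PendingIntent:
    // it must name a component, and that component must live in our own package.
    public static boolean isExplicitAndLocal(Context ctx, Intent toWrap) {
        ComponentName cn = toWrap.getComponent();
        return cn != null && ctx.getPackageName().equals(cn.getPackageName());
    }
}
```

The vulnerable() method is kept only to show the contrast; the Intent passed to hardened() would return true from isExplicitAndLocal(), while the one built in vulnerable() returns false because getComponent() is null. FLAG_UPDATE_CURRENT combines safely with FLAG_IMMUTABLE: the creating app can still replace the extras, but a recipient cannot.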

Detection

Third-party push SDKs are the most likely place to find this vulnerability; so far only HMS has been looked at.

In the latest Huawei Push SDK, 5.3.0.304, this problem has been fixed.

To detect this manually, check every PendingIntent.getXxx(...) call (getActivity, getService, getBroadcast, getForegroundService) for whether the wrapped Intent has a ComponentName set. Alternatively, write a script that uses apktool to decompile the APK and traverses the smali files searching for these call signatures (for example Landroid/app/PendingIntent;->getService) and the Intent construction that precedes them, for automated retrieval.

Reference

Remediation for Implicit PendingIntent Vulnerability