Ali Mobile Security · 2016/04/22 18:05

Author: Yi Qiao, Silly Fox

0x00 Introduction to opening an APP from a web page


Android lets a link in a web page open an APP, and lets a link inside one app open another APP (AppLink). Some apps with large user bases have released their own AppLink SDKs; developers need to apply for the corresponding qualification and configure the related settings to use them. All of these are implemented with user-defined URI schemes, and behind them is Android's Intent mechanism. "Android Intents with Chrome" describes two ways to open an APP from a web page in the Chrome browser on Android: one is a custom URI scheme, the other is the intent: syntax (intent-based URI).

The first user-defined URI scheme is as follows:

The syntax for the second intent-based URI is as follows:

Since the second form is generally a special case of the first, many articles refer to the second form as the Intent Scheme URL, but the official Google documentation does not say so.

Note: With a custom URI scheme, data can be delivered to the APP only through parameters. Intent data cannot be constructed and passed to the APP in the form scheme://host#intent;parameters;end. See section 3.1 for details.

In addition, the relevant options must be configured in the APP's AndroidManifest.xml file for the APP to be opened from a web page, as described below.

0x01 Opening an APP with a Custom Scheme URI


1.1 Basic Usage

Requirements: Open an APP using a web page and pass some data to the APP via the URL parameters.

For example, the user-defined Scheme is:

Note: The URI must be UTF-8 encoded and URI-encoded.

The webpage side is written as follows:

On the APP side, the Activity that receives data from the web page must declare the corresponding action, category and data scheme in its intent-filter in the AndroidManifest.xml file.

If MainActivity receives the information from the web page, its entry in AndroidManifest.xml is as follows:

The code that receives the intent and gets its parameters in the MainActivity:

The following APIs can also be used to obtain related information:

```java
getIntent().getScheme();          // get the scheme name
getIntent().getDataString();      // get the complete data URI as a string
getIntent().getData().getHost();  // get the host (Intent has no getHost(); the host comes from the data Uri)
```

1.2 Risk Example

A common pattern is for an APP to take data from a web page, build a new Intent from it, and pass that Intent to another component that uses the data. For example, a WebView-based Activity loads a URL that comes from a parameter of the URL scheme, such as jaq://jaq.alibaba.com?load_url=http://www.taobao.com.

If the APP does not check the load_url value it receives, an attacker can build a phishing website and induce users to click a link that loads it, in order to steal user information.

Following the example in 2.1, create a new WebviewActivity component that gets load_url from the Intent and loads the URL with the WebView:

Change the MainActivity component to get the load_url value from the URL sent by the web page, generate a new Intent, and pass it to the WebviewActivity:

Web side:

Phishing page:

Click “Open phishing website” to enter the APP, and the APP loads the phishing website:

In this example, it is recommended that the APP filter the load_url value sent from the web page against a whitelist defined by the APP's own business needs before the WebView loads it. A blacklist is easily bypassed.
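A whitelist check for load_url, as an added example that is not code from the original article. It runs on a plain JDK; the class name `LoadUrlPolicy`, the host list, the https-only rule and the sample URLs are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example: decide whether a load_url value from a web page may be loaded.
public class LoadUrlPolicy {
    // Assumed allowlist: the hosts this hypothetical APP's own business needs.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.taobao.com", "jaq.alibaba.com");

    /** Returns true only for an https URL whose host is exactly on the allowlist. */
    public static boolean isAllowed(String loadUrl) {
        if (loadUrl == null) return false;
        final URI uri;
        try {
            uri = new URI(loadUrl.trim());
        } catch (URISyntaxException e) {
            return false;                              // unparseable input is rejected, never repaired
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false; // no http, file, javascript, content
        if (uri.getRawUserInfo() != null) return false;               // user@host hides the real host
        String host = uri.getHost();
        if (host == null) return false;                               // opaque or malformed authority
        int port = uri.getPort();
        if (port != -1 && port != 443) return false;
        // Exact match only: contains(), startsWith() and endsWith() checks are what get bypassed.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] samples = {                           // constructed inputs
            "https://www.taobao.com/item?id=1",        // allowed
            "http://www.taobao.com/",                  // rejected: not https
            "https://www.taobao.com.example.net/",     // rejected: allowlisted name is only a prefix
            "https://www.taobao.com@example.net/",     // rejected: the real host is example.net
            "file:///data/local/tmp/page.html",        // rejected: local file
            "javascript:alert(1)"                      // rejected: not https, no host
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "LOAD   " : "REJECT ") + s);
        }
    }
}
```

In the APP, the check belongs in WebviewActivity immediately before the WebView's loadUrl() call, so it also covers Intents that reach that Activity by a route other than MainActivity.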

1.3 Aliju Security's suggestions to developers

  1. Any place in the APP that receives external input data is a potential attack point; filter and check the parameters that come from web pages.
  2. Do not transmit sensitive information through web pages. To guide users who have logged in on the website into the APP, some websites use scripts to dynamically generate URL scheme parameters that include sensitive information such as the user name, password or login token, so that users can open the APP and be logged in directly. A malicious application can register the same URL scheme to intercept this sensitive information. The Android system lets the user choose which app opens the link, but a careless user may open it with the malicious app, leading to disclosure of sensitive information and other risks.

0x02 Opening an APP with an Intent-based URI


2.1 Basic Usage

Intent-based URI syntax:

Note: The first letter of the second Intent must be capitalized; otherwise, the APP will not be successfully called.

How can the intent on the web side be constructed correctly and quickly?

You can create an Android demo app, build the Intent you want to open, and call the Intent's toUri() method to get its URI string. The resulting URI is already UTF-8 encoded and URI-encoded. Just copy it into the web page, with "intent:" in front of it.

Such as:

Results:

S. _url is followed by the data given in the intent's putExtra() method. Other types of data can be tried one by one.

If the Intent object in the demo cannot be passed to the Activity or other component of the target APP, then the APP cannot be opened in the form of a Uri on the web.

The declaration in AndroidManifest.xml on the APP side is exactly the same as in Section 2.1. For an intent received in URI form, the Intent's parseUri() method is generally used to parse it and generate a new Intent object. If this is not handled properly, an Intent Scheme URL attack becomes possible.

Can the form scheme://host#intent;parameters;end be used to construct intent data passed to the APP?

Android does not parse this form as an intent; the entire scheme string is what the Intent's getDataString() method returns.

As for:

Get data in APP:

The result is:

The Android system automatically adds a default intent to the Custom URI scheme.

The Intent’s parseUri() method is used to parse the data obtained by getDataString(). For example:

2.2 Risk Example

"Android Intent Scheme URLs attack" and "Intent Scheme URL Attack" are two good articles about the risks of intent-based URIs. They basically cover everything that needs to be said.

2.3 Aliju Security's suggestions to developers

The above two articles provide a way to safely use Intent Scheme URLs:

In addition to the above, do not trust any intent that comes from the web. For security, you should still filter and check every intent received from the web.
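One widely used way to harden an Intent parsed from a web-supplied URI, as an added example that is not code from the original article or from the articles it cites. It needs the Android SDK; the class name `WebIntentGateActivity` is hypothetical.

```java
import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.Intent;
import android.os.Bundle;
import java.net.URISyntaxException;

// Added example (hypothetical Activity): receives an intent-based URI from a web page,
// parses it, and removes everything that would let the page choose the target.
public class WebIntentGateActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String raw = getIntent().getDataString();   // whole URI string supplied by the web page
        if (raw != null) {
            dispatch(raw);
        }
        finish();
    }

    private void dispatch(String raw) {
        final Intent parsed;
        try {
            parsed = Intent.parseUri(raw, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return;                                  // malformed input: drop it
        }
        // Only components that opted in to being opened from a browser may be reached.
        parsed.addCategory(Intent.CATEGORY_BROWSABLE);
        // The page must not name an explicit component (for example a non-exported one)...
        parsed.setComponent(null);
        // ...and must not supply one indirectly through a selector intent.
        parsed.setSelector(null);
        // Drop URI permission grants requested through launchFlags in the URI.
        int grants = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION;
        parsed.setFlags(parsed.getFlags() & ~grants);
        try {
            startActivityIfNeeded(parsed, -1);
        } catch (ActivityNotFoundException e) {
            // No BROWSABLE component matches: ignore the request.
        }
    }
}
```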

0x03 References


  1. Android Intents with Chrome
  2. Intent scheme URL attack
  3. Android Application Secure Design/Secure Coding Guidebook
  4. Handling App Links
  5. Android M App Links: Implementation, Bugs and fixes
  6. Android Intent Scheme URLs attack