We were having security related discussions on a project, and there was a point raised saying that passing unencrypted data via Intents might potentially be dangerous.
I wrote a few samples, and have listed my findings below.
Implicit Intents - It is dangerous to send sensitive data across Implicit Intents, since someone else can use the same Intent Filter that you have and intercept your data.
Explicit Intents within the Application - It is safe to send data via Intents. I wrote an Intent Sniffer based on what Mark Murphy lists here, but was unable to intercept intra-application Intents. Using 'New Task' and 'Single Task' flags did not change anything.
Explicit Intents to other Applications - I was able to sniff Intents when I launched the other app using the 'New Task' flag.
Please let me know if it looks okay, or if anyone else has alternate opinions. Is there any other scenario I should be testing ? Have I missed out on something ?
Related
Suppose there are two apps on my device, GoodApp and EvilApp. I didn't write either of them. Both apps can use an ACTION_SEND Intent to start an exported activity in my app, passing data in. They both call startActivity, not startActivityForResult.
I want to trust the data I receive from GoodApp, but distrust and ignore the data I receive from EvilApp.
How can my Activity tell which app started it? Activity.getCallingActivity() returns null, because it wasn't started for-result. I can't send a message back to the apps asking "was it you who sent me this?" because they aren't written to respond to that, and their code is out of my control. Is there any way I can tell the difference?
Require apps use startActivityForResult in order for you to handle their request? (:
ActivityManager.getRunningTasks might give you a hint, but its documentation says not to use it for things like what you are asking.
I know that public (named) intents that are registered with the system and can be called from any application and private (anonymous) intents that are used within a single
application. please can anyone give me an example for better understanding.
Thanks in advance
Sorry no time to write a full answer, but you can create custom permissions in order to sign your Intents & BroadcastReceivers.
When you use these custom permissions, only apps that have been signed with the same signing key, and include that custom permission, can see these Intents.
This question might help you:
How to use custom permissions in Android?
#Commonsware explains the issue really well in a recent blog post:
Don't have an Accidental API - The CommonsBlog
The Android documentation does probably the best job of explaining it, here is a relevant snippet:
There are two primary forms of intents you will use.
Explicit Intents have specified a component (via
setComponent(ComponentName) or setClass(Context, Class)), which
provides the exact class to be run. Often these will not include any
other information, simply being a way for an application to launch
various internal activities it has as the user interacts with the
application.
Implicit Intents have not specified a component; instead,
they must include enough information for the system to determine which
of the available components is best to run for that intent. When using
implicit intents, given such an arbitrary intent we need to know what
to do with it.
This is handled by the process of Intent resolution,
which maps an Intent to an Activity, BroadcastReceiver, or Service (or
sometimes two or more activities/receivers) that can handle it.
Explicit intents you use in your activity to start internal activities.
While implicit intents are used often used to launch other activities like when you want to share a link or email something, you send out an implicit intent and let the user decide the email client to use to send the email or to share the link.
There are some instances where you might want to use an implicit intent to run an internal component of your app, because it seems to be more stable.
Android documentation tells us that an implicit intent might be received by multiple components (as all of them would have registered with the specific intent filter), and the system pops up a dialog asking which component to use to handle the intent.
However, I was wondering if this mechanism of popping the dialog, to asking which component should handle the intent, be over-ridden, s.t. 2 (or more) components get a chance to handle the intent ? A classic example for this, in my mind would be a "Cyber Nanny" type application, which gets the ACTION_VIEW type intent, checks the URI to be say "child safe", and then permit it to invoke the Browser. Similarly, for making / receiving calls from / to specific parties -- as in black-list or white-list of numbers. If the user sees the dialog, then they might circumvent the system, which is what I do not want. If the effect cannot be achieved using some mechanism around the Intents, is there an alternative way ?
Edit:
After posting my question I found a related question here, but it is not exactly same, because in my case, I am looking at ways to avoid that pop-up dialog. Hopefully, there's a method, that does not require rooting the device.
I am working on the security aspects of my android application.
I would like to know about the ways to secure the Intent data and extras while sending it from one application to another so that no other application other than these two can snoop it.
One of the brute-force approaches would be to use android's encryption-decryption to encode intent data, is there a better way to achieve the same ??
Thanks in advance.
As pointed in the other answers, although you can send an intent to a fully qualified activity, nothing prevents someone from creating an application with the same package.
You might want to add an additional security step to this scheme:
First send a 'Challenge' intent to the remote activity (it should, for example, encrypt a random string you provided using a shared passphrase and send it back to you).
If that first security step is ok, you may freely send unencrypted messages to this remote app by using its fully qualified activity.
This is rather lame security, but perhaps it's sufficient for your needs.
Please take a look at CommonsWare's comment below.
A more secure way might be to code your activity as a Bound Service, keeping the Challenge step, but by means of more private communication.
My guess is that if you use an explicit intent, i.e. specifying the class to which the intent is to be sent to, then no other class can intercept that intent and look at its data.
This method however, may fail if the class name in the application that you're trying to send the information to changes.
If an intent specifies the the target, which is part of the sender application's package, then other applications won't have the chance to capture it - it will be delivered to the intended receiver.
On the other hand, if you send an intent to another application, there is no guarantee that the receiver of the intent will have the implementation you expect: if you send your intent to com.mycompany.security.SecureReceiver, but instead of your application, another application is installed with the given class description, than you will send your intent to that application.
Also, Android is an open system. If someone compiles his own application framework, than he can manipulate the Intent delivery system.
Do you want to protect your data from the user, or from malicious applications?
What's the proper way for other people to reuse my Activities? Should they hard code the intent actions in their app or is it customary to provide them with a jar file enumerating my app's intent actions? Is there a less tightly-coupled way to lookup the intent actions?
First of all, take a look at openintents.org and see if there's any match to what your activity does.
Secondly, documentation is always a good idea.
Having the intent details hardcoded in their applications should work just fine. After all, the intents are part of your public interface and shouldn't change.
Your applications manifest should announce what sorts of things your activity can handle, via intent-filters. Outside users can read the manifest to determine what actions you support, and invoke them via action intents.
See intents and intent filters for more details.