
Android 13 upgrades intent filter security again

2022-06-10 16:02:00 Sharp surge

Before looking at this change, recall a security change in Android 12: an Activity, BroadcastReceiver or Service that declares an <intent-filter> must also declare android:exported, otherwise it will not be started.

Android 12 made this change to keep developers from unknowingly making these components public just by declaring an intent-filter, which strengthens security to some extent.

But it did not cover explicit Intent launches or dynamically registered Broadcast Receivers, so Android 13 introduces two changes to close those gaps.

1. Intent filters block non-matching intents

2. Safer exporting of context-registered receivers

1

Intent filters block non-matching intents

Starting with Android 13, intent filters block non-matching intents, even for explicit launches that specify the Component.

Before Android 13:

1. A developer wants to add <intent-filter> support to a Component.

2. This <intent-filter> needs to be exposed to external Apps, so the Component's exported attribute is set to true.

3. The Component now has a security hole: an external App can start it with an Action different from the one declared in the <intent-filter>, and even a mismatched mimeType does not prevent the launch.

This may not seem like much, but if the App only performs security checks on the routes that arrive through the <intent-filter>, the verification has a gap.

Specific changes

Suppose the Activity we provide is declared as follows:

<activity
    android:name=".MainActivity"
    android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.TEST" />
        <data android:mimeType="vnd.android.cursor.dir/event"/>
    </intent-filter>
</activity>

Before Android 13, another App that used an explicit launch could start our Activity normally even with the wrong ACTION.

private fun testIntentFilters() {
    Intent().setComponent(
        ComponentName("com.example.demoapplication",
            "com.example.demoapplication.MainActivity")
    ).apply {
        action = "android.intent.action.TEST_A"
        startActivity(this)
    }
}

When running on Android 13, the launch fails and the following errors appear:

PackageManager: Intent does not match component's intent filter: Intent { act=android.intent.action.TEST_A cmp=com.example.demoapplication/.MainActivity }

PackageManager: Access blocked: ComponentInfo{com.example.demoapplication/com.example.demoapplication.MainActivity}

Besides correcting the ACTION, the data must also match; that is, the launch succeeds only when the Intent fully satisfies the <intent-filter>.

private fun testIntentFilters() {
    Intent().setComponent(
        ComponentName("com.example.demoapplication",
            "com.example.demoapplication.MainActivity")
    ).apply {
        action = "android.intent.action.TEST"
        data = CalendarContract.Events.CONTENT_URI
        startActivity(this)
    }
}

Exemptions

Intents in the following scenarios are outside the scope of this change:

1. The target Component does not declare an <intent-filter>.

2. Intents from within the same App.

3. Intents from the system, including SystemServer and system Apps that use the System UID.

4. Intents issued by a Root process.
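
The matching rule and the first two exemptions can be modelled offline against the manifest shown above. This is an added example, not code from the article or from Android: it is a simplified model that checks only the action, category and MIME type tests, and PlainActivity, the function names and the assumption that the caller passes the already-resolved MIME type are all hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Constructed input: the article's MainActivity plus a hypothetical PlainActivity.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demoapplication"><application>
  <activity android:name=".MainActivity" android:exported="true">
    <intent-filter>
      <action android:name="android.intent.action.MAIN" />
      <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
    <intent-filter>
      <action android:name="android.intent.action.TEST" />
      <data android:mimeType="vnd.android.cursor.dir/event" />
    </intent-filter>
  </activity>
  <activity android:name=".PlainActivity" android:exported="true" />
</application></manifest>"""


def names(node, tag, attr="name"):
    """Collect one android: attribute from all child elements named `tag`."""
    return {e.get(ANDROID + attr) for e in node.findall(tag)} - {None}


def filter_matches(flt, action, mime_type, categories):
    """Simplified model: action, category and MIME type tests only (no URIs)."""
    if action not in names(flt, "action"):
        return False
    if not set(categories) <= names(flt, "category"):
        return False
    declared = names(flt, "data", "mimeType")
    return mime_type in declared if declared else mime_type is None


def explicit_intent_delivered(manifest, sender_pkg, component, action,
                              mime_type=None, categories=()):
    """Would an explicit Intent reach `component` under the Android 13 rule?"""
    root = ET.fromstring(manifest)
    if sender_pkg == root.get("package"):
        return True  # exemption: Intent from within the same App
    for comp in root.find("application"):
        if comp.get(ANDROID + "name") == component:
            filters = comp.findall("intent-filter")
            if not filters:
                return True  # exemption: no <intent-filter> declared
            return any(filter_matches(f, action, mime_type, categories)
                       for f in filters)
    return False  # component is not declared in this manifest
```

Run against the article's two launch attempts, the model rejects TEST_A and accepts TEST only when the event MIME type is supplied.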

Adaptation method

If the target runs on a version based on Android 13 and is not covered by the exemptions above, some checks and necessary modifications are needed.

The adaptation differs for the two roles, initiator and target:

1. As the initiator:

•  Check whether explicit Intents are used to start other Apps or send broadcasts: startActivity(), startActivityForResult() and sendBroadcast().

•  Check whether that Component declares an <intent-filter>.

•  To keep the launch working after the Target upgrades to Android 13, make sure the Intent's action and data are accurate.

2. As the target:

•  The Target needs to upgrade to Android 13.

•  Check whether it provides a Component that declares an <intent-filter>.

•  To keep it from no longer being started normally, the initiator needs to be informed about the <intent-filter>.

Remaining issue

On Android 13, a Service component was found to still start normally under an explicit launch even with the wrong ACTION. Whether this is intentional or a Beta version bug is unknown, because the source code is not yet public.

• startService()

• startForegroundService()

• bindService()

2

Safer exporting of context-registered receivers

To help improve the security of runtime receivers, Android 13 lets you specify whether a particular broadcast receiver in your application should be exported and visible to other applications on the device.

If the broadcast receiver is exported, other apps can send unprotected broadcasts to your app. This export configuration is available in apps that target Android 13 or later, and it helps prevent a major source of application vulnerabilities.

Specific changes

If an App whose TargetSDK has been upgraded to Android 13 dynamically registers a Receiver without specifying a flag, it receives the following crash:

java.lang.SecurityException: com.example.demoapplication: One of RECEIVER_EXPORTED or RECEIVER_NOT_EXPORTED should be specified when a receiver isn't being registered exclusively for system broadcasts

At present this restriction does not take effect by default; the following compatibility change has to be enabled:

•  Developer options > App Compatibility Changes > <Your App> > DYNAMIC_RECEIVER_EXPLICIT_EXPORT_REQUIRED

In addition, when your Receiver is registered with RECEIVER_NOT_EXPORTED, broadcasts sent to it by other Apps fail, and the following log is printed to remind you that the Receiver needs to be exported:

BroadcastQueue: Exported Denial: sending Intent { act=com.example.demoapplication.RECEIVER flg=0x10 }, action: com.example.demoapplication.RECEIVER from com.example.tiramisu_demo (uid=10161) due to receiver ProcessRecord{8e5f11c 16942:com.example.demoapplication/u0a158} (uid 10158) not specifying RECEIVER_EXPORTED

Exemptions

One thing to keep in mind is that system-level broadcasts are protected, and ordinary Apps have no permission to send them.

So a dynamically registered Receiver that only listens for system broadcasts does not need to specify the flag above. Even if it specifies RECEIVER_NOT_EXPORTED, it still receives them unaffected, consistent with static registration.

Adaptation method

Find all code that dynamically registers a Broadcast Receiver. If the broadcasts being listened for include non-system broadcasts, decide whether they need to be exposed to other Apps and add the corresponding flag.

• RECEIVER_EXPORTED

• RECEIVER_NOT_EXPORTED

context.registerReceiver(sharedBroadcastReceiver, intentFilter,
    RECEIVER_EXPORTED)

context.registerReceiver(privateBroadcastReceiver, intentFilter,
    RECEIVER_NOT_EXPORTED)
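
One way to carry out the "find all dynamic registrations" step is a small source scan. This is an added example, not the article's code: the Kotlin sample is constructed, legacyReceiver and the function names are hypothetical, and parentheses inside string literals or comments are not handled.

```python
import re

EXPORT_FLAGS = ("RECEIVER_EXPORTED", "RECEIVER_NOT_EXPORTED")

# Constructed Kotlin source; the receiver and filter names are hypothetical.
SAMPLE = '''
class Demo(private val context: Context) {
    fun register() {
        context.registerReceiver(sharedBroadcastReceiver, intentFilter,
            RECEIVER_EXPORTED)
        context.registerReceiver(legacyReceiver, IntentFilter(
            "com.example.demoapplication.RECEIVER"))
        context.registerReceiver(privateBroadcastReceiver, intentFilter,
            RECEIVER_NOT_EXPORTED)
    }
}
'''


def call_arguments(source, open_paren):
    """Return the text between a '(' and its matching ')', nesting included."""
    depth = 0
    for i in range(open_paren, len(source)):
        if source[i] == "(":
            depth += 1
        elif source[i] == ")":
            depth -= 1
            if depth == 0:
                return source[open_paren + 1:i]
    return source[open_paren + 1:]  # unbalanced: take the rest of the file


def unflagged_registrations(source):
    """List (line number, arguments) of registerReceiver calls with no export flag."""
    findings = []
    for m in re.finditer(r"\bregisterReceiver\s*\(", source):
        args = call_arguments(source, m.end() - 1)
        if not any(re.search(rf"\b{flag}\b", args) for flag in EXPORT_FLAGS):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, " ".join(args.split())))
    return findings
```

Each finding still needs a manual look, because a Receiver registered only for system broadcasts is exempt from the flag requirement.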

3

Conclusion

Both the stricter matching requirement for Intent Filters and the flag for dynamically registered Receivers are meant to enhance component security. I hope that developers will think more carefully when working with the three components they are so used to, and avoid vulnerabilities.

Reference article

https://developer.android.google.cn/about/versions/13/behavior-changes-13

https://developer.android.google.cn/guide/components/intents-filters
