隐式 intent 盗用
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
OWASP 类别:
MASVS-PLATFORM:平台互动
概览
如果应用在调用 intent 时未指定完全限定的组件类名称或软件包,便会出现隐式 intent 盗用漏洞。这会让恶意应用取代预期的应用,通过注册 intent 过滤器来拦截 intent。
根据 intent 内容,攻击者可能会读取敏感信息或与可变对象互动,例如可变
PendingIntent或 Binder。
影响
通过盗用隐式 intent,攻击者可以读取或修改 intent 的内容,并拦截 intent 以执行操作。这会导致敏感信息/数据泄露或启用由攻击者控制的组件。
缓解措施
通过调用 setPackage()
,将 intent 设为显式 intent,如以下代码段所示:
Kotlin
val intent = Intent("android.intent.action.CREATE_DOCUMENT").apply {
addCategory("android.intent.category.OPENABLE")
setPackage("com.some.packagename")
setType("*/*")
putExtra("android.intent.extra.LOCAL_ONLY", true)
putExtra("android.intent.extra.TITLE", "Some Title")
}
startActivity(intent)
Java
Intent intent = new Intent("android.intent.action.CREATE_DOCUMENT");
intent.addCategory("android.intent.category.OPENABLE");
intent.setPackage("com.some.packagename");
intent.setType("*/*");
intent.putExtra("android.intent.extra.LOCAL_ONLY", true);
intent.putExtra("android.intent.extra.TITLE", "Some Title");
startActivity(intent);
如果您需要使用隐式 intent,请忽略您不想公开的任何敏感信息或可变对象。当应用无法确切了解哪个应用将执行操作(例如,撰写电子邮件、拍照等)时,可能需要使用隐式 intent。
资源
本页面上的内容和代码示例受内容许可部分所述许可的限制。Java 和 OpenJDK 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2023-12-13。
[null,null,["最后更新时间 (UTC):2023-12-13。"],[],[],null,["# Implicit intent hijacking\n\n\u003cbr /\u003e\n\n**OWASP category:** [MASVS-PLATFORM: Platform Interaction](https://mas.owasp.org/MASVS/09-MASVS-PLATFORM)\n\nOverview\n--------\n\nThe [implicit intent](/guide/components/intents-filters#Types) hijacking vulnerability occurs when an application does\nnot specify a fully-qualified component class name or package when invoking an\nintent. This allows a malicious application to register an intent filter to\nintercept the intent instead of the intended application.\n\nDepending on the intent content, attackers could read or modify sensitive\ninformation or interact with mutable objects, such as [mutable](/reference/android/app/PendingIntent#FLAG_MUTABLE)\n[PendingIntents](/reference/android/app/PendingIntent) or [Binders](/reference/android/os/Binder).\n\nHijacking an implicit intent can also allow an attacker to perform arbitrary\nactions such as launching attacker-controlled components.\n\nImpact\n------\n\nIf an implicit intent handling sensitive data passes a session token within an\nextra URL string to open a WebView, any application specifying the proper intent\nfilters can read this token. This can allow any properly-configured application\non the device to intercept the intent and read the sensitive data within,\nallowing attackers to exfiltrate data such as PII or session tokens.\n\nMitigations\n-----------\n\nUnless the application requires it, make intents explicit by calling\n`setPackage()`. This allows the intent to be interpreted only by a specific\ncomponent (either in-app or from other applications), preventing untrusted\napplications from intercepting the data sent along with the intent. The\nfollowing snippet shows how to make an intent explicit: \n\n### Kotlin\n\n val intent = Intent(\"android.intent.action.CREATE_DOCUMENT\").apply {\n addCategory(\"android.intent.category.OPENABLE\")\n setPackage(\"com.some.packagename\")\n setType(\"*/*\")\n putExtra(\"android.intent.extra.LOCAL_ONLY\", true)\n putExtra(\"android.intent.extra.TITLE\", \"Some Title\")\n }\n startActivity(intent)\n\n### Java\n\n Intent intent = new Intent(\"android.intent.action.CREATE_DOCUMENT\");\n intent.addCategory(\"android.intent.category.OPENABLE\");\n intent.setPackage(\"com.some.packagename\");\n intent.setType(\"*/*\");\n intent.putExtra(\"android.intent.extra.LOCAL_ONLY\", true);\n intent.putExtra(\"android.intent.extra.TITLE\", \"Some Title\");\n startActivity(intent);\n\nIf you need to use implicit intents, omit any sensitive information or mutable\nobjects that you don't want to expose. Implicit intents may need to be used when\nan app does not have exact knowledge about which app will resolve the action\n(e.g. composing an email, taking a picture, etc.).\n\nResources\n---------\n\n- [Manifest intent-filter element](/guide/topics/manifest/intent-filter-element)\n- [Privileged Permission Allowlisting](https://source.android.com/devices/tech/config/perms-allowlist)\n- [Intents and Intent filters](/guide/components/intents-filters)\n- [Forcing chooser for implicit intents](/guide/components/intents-filters#ForceChooser)\n- [Common implicit intents](/guide/components/intents-common)"]]