Mechanism of intent for Chrome is not safe and easy to be phished
Reported by cruise1...@gmail.com, Jul 20 2016
Issue description

Steps to reproduce the problem:
1. Set the switch in Settings - Security - Unknown sources to true;
2. Build an unsafe Android app which has the same packageName as the official app (obviously this fake app's signature is different from the official one);
3. A common user installs the fake app instead of the official app;
4. Through the intent for Chrome, Chrome jumps to the fake app.

What is the expected behavior?
If the app is not official, then Chrome shouldn't jump to it through the intent in the website.

What went wrong?
At present, Chrome only supports verifying with the packageName in the intent, rather than the signature of the app; this step is not safe. Obviously, Chrome should and also is willing to make itself safe, such as App Links introduced in the Android 6.0 system, which only supports the https condition.

Did this work before? Yes
In the China Android market, since Android 4.x, this trick is popular; it happens all the time.

Chrome version: 51.0.2704.103 Channel: n/a
OS Version: 6.0
Flash Version: Shockwave Flash 22.0 r0

In China, most users couldn't access the service of Google Play Store, so they can only get and install apps via USB or by downloading from the internet, which can't verify that the app is safe and official. I think this issue may occur in other countries.
Jul 22 2016
What is step 4? Can you give an example? Chrome doesn't verify the app. Whether there is an app handling the url is managed by the framework api.
Jul 24 2016
Ok. For question one, for example, a user downloaded a third-party modified app or a non-official fake app (named "A") instead of the official app, then installed A on the Android device. When he uses Chrome and one webpage contains a scheme intent for A, then Chrome may start an Activity of A, but A may be evil and do bad things to the user such as logging the user's password or stealing the user's money. For the second, the intent Chrome handles is an app-defined scheme. Chrome or other browsers convert a scheme URL string to an intent and handle the intent; I think this process might be utilized by bad guys. E.g. install Alipay on the device, and the url is: "alipays://platformapi/startApp?appId=20000125&orderSuffix=h5_route_token%3D"7ba1e0db31688bf824b70ac60fd4665a"%26is_h5_route%3D"true"#Intent;scheme=alipays;sha256=389B49F7832F53E9017923220AA85E14DFAA4886ECD7428818BF339543CF498A;package=com.eg.android.AlipayGphone;end"
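The gap this comment describes, as an added illustration (not Chromium code): parse the Intent fragment of the quoted URL and compare a package-name-only match with one that also checks the installed app's signing-certificate digest. The device inventories and the fake app's certificate digest are constructed.

```python
import hashlib

# Constructed sample, modelled on the URL quoted in the thread: the web page
# supplies both the package name and a sha256 field in the Intent fragment.
INTENT_URL = ('alipays://platformapi/startApp?appId=20000125&orderSuffix='
              'h5_route_token%3D"7ba1e0db31688bf824b70ac60fd4665a"%26is_h5_route%3D"true"'
              '#Intent;scheme=alipays;'
              'sha256=389B49F7832F53E9017923220AA85E14DFAA4886ECD7428818BF339543CF498A;'
              'package=com.eg.android.AlipayGphone;end')

# Assumed (constructed) device states: each entry is an installed app with its
# signing-certificate SHA-256. The "fake" device has an app reusing the official
# package name but signed with a different (made-up) certificate.
OFFICIAL_CERT = '389B49F7832F53E9017923220AA85E14DFAA4886ECD7428818BF339543CF498A'
FAKE_CERT = hashlib.sha256(b'constructed fake signing certificate').hexdigest().upper()
DEVICE_OFFICIAL = [{'package': 'com.eg.android.AlipayGphone', 'cert_sha256': OFFICIAL_CERT}]
DEVICE_FAKE = [{'package': 'com.eg.android.AlipayGphone', 'cert_sha256': FAKE_CERT}]


def parse_intent_fragment(url):
    """Return the key=value fields of a '#Intent;...;end' fragment, or None if
    the URL has no well-formed Intent fragment."""
    if '#' not in url:
        return None
    fragment = url.split('#', 1)[1]
    if not fragment.startswith('Intent;') or not fragment.endswith(';end'):
        return None
    fields = {}
    for item in fragment[len('Intent;'):-len(';end')].split(';'):
        key, sep, value = item.partition('=')
        if sep:
            fields[key] = value
    return fields


def resolve_by_package(fields, installed):
    """The check the report describes: match on package name only."""
    return [app for app in installed if app['package'] == fields.get('package')]


def resolve_by_package_and_cert(fields, installed):
    """Stricter check: the installed app's signing-certificate digest must also
    equal the expected sha256 (here taken from the intent's own field)."""
    expected = fields.get('sha256', '').upper()
    return [app for app in installed
            if expected and app['package'] == fields.get('package')
            and app['cert_sha256'].upper() == expected]
```

Because the sha256 field comes from the web page, an attacker-controlled source, the stricter check only tells you whether the installed app matches what the page claimed; a deployable version needs the expected digest from a trusted source, which is what the App Links verification mentioned in the report provides.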
Jul 24 2017
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 17 2018
I have a proposal which would address this use case: https://docs.google.com/document/d/1FWZNMd-YjYhL4d1kElpGB75Qrj34v8RgYS-PtixBq_Q/edit#
May 22 2018
Another interesting bug related to chrome's external intent dispatch
May 23 2018
palmer@: I just started a thread with chrome-security to review the proposal.
Comment 1 by ppolise...@chromium.org, Jul 22 2016
Status: Available (was: Unconfirmed)