Create rule S7206: Implicit PendingIntents should be immutable (SONARKT-581) (#4710)
* Create rule S7206 * Initial commit * Fix code tags * Fix typo --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
This commit is contained in:
github-actions[bot]
GitHub
parent
1f6f5da0e3
commit
b34a35ee48
44
rules/S7206/kotlin/metadata.json
Normal file
44
rules/S7206/kotlin/metadata.json
Normal file
@ -0,0 +1,44 @@
|
||||
{
|
||||
"title": "Implicit PendingIntents should be immutable",
|
||||
"type": "VULNERABILITY",
|
||||
"status": "ready",
|
||||
"remediation": {
|
||||
"func": "Constant\/Issue",
|
||||
"constantCost": "5min"
|
||||
},
|
||||
"tags": [
|
||||
"cwe",
|
||||
"android"
|
||||
],
|
||||
"defaultSeverity": "Major",
|
||||
"ruleSpecification": "RSPEC-7206",
|
||||
"sqKey": "S7206",
|
||||
"scope": "All",
|
||||
"defaultQualityProfiles": [
|
||||
"Sonar way"
|
||||
],
|
||||
"securityStandards": {
|
||||
"OWASP Mobile": [
|
||||
"M1"
|
||||
],
|
||||
"OWASP Mobile Top 10 2024": [
|
||||
"M4",
|
||||
"M8"
|
||||
],
|
||||
"MASVS": [
|
||||
"MSTG-PLATFORM-4"
|
||||
],
|
||||
"CWE": [
|
||||
927
|
||||
]
|
||||
},
|
||||
"quickfix": "unknown",
|
||||
"code": {
|
||||
"impacts": {
|
||||
"MAINTAINABILITY": "HIGH",
|
||||
"RELIABILITY": "MEDIUM",
|
||||
"SECURITY": "LOW"
|
||||
},
|
||||
"attribute": "CONVENTIONAL"
|
||||
}
|
||||
}
|
||||
107
rules/S7206/kotlin/rule.adoc
Normal file
107
rules/S7206/kotlin/rule.adoc
Normal file
@ -0,0 +1,107 @@
|
||||
Mutable implicit ``PendingIntent``s should be avoided, as they allow malicious applications to modify the underlying intent and redirect
|
||||
it to their own components, potentially gaining unauthorized access to the sender app's permissions. This vulnerability enables
|
||||
privilege escalation attacks, where an attacker can perform operations using the victim app's identity.
|
||||
|
||||
== Why is this an issue?
|
||||
|
||||
Mutable implicit ``PendingIntent``s create a serious security vulnerability by essentially lending the Android app's identity and permissions
|
||||
to other applications. Because such a ``PendingIntent`` does not have an exact component specified to receive it (implicit) and can be altered,
|
||||
other apps that are able to receive this ``PendingIntent`` can modify its destination and contents. Since ``PendingIntent``s lend permissions to
|
||||
other apps, an attacker could abuse this to execute actions the user never gave permission for.
|
||||
|
||||
The real-world impact for users can be severe. An attacker exploiting this vulnerability could access sensitive data that the app has permission
|
||||
to use (contacts, location, photos, etc.) For example, if the app has the ``READ_CONTACTS`` permission and creates a mutable implicit ``PendingIntent``,
|
||||
a malicious app could redirect that intent to steal all the user's contacts. This completely bypasses Android's permission system and violates user
|
||||
trust, potentially leading to privacy breaches, data theft, or even financial fraud depending on what permissions the app holds.
|
||||
|
||||
== How to fix it
|
||||
|
||||
=== Code examples
|
||||
|
||||
==== Noncompliant code example
|
||||
|
||||
On Android 12 and higher, ``PendingIntent``s are only mutable if ``PendingIntent.FLAG_MUTABLE`` is set.
|
||||
|
||||
[source,kotlin,diff-id=1,diff-type=noncompliant]
|
||||
----
|
||||
val intent = Intent("com.example.ACTION_VIEW")
|
||||
val pendingIntent = PendingIntent.getActivity(
|
||||
context,
|
||||
0,
|
||||
intent,
|
||||
PendingIntent.FLAG_MUTABLE // Noncompliant
|
||||
)
|
||||
----
|
||||
|
||||
On Android versions 11 and below, ``PendingIntent``s are mutable by default. So even if ``PendingIntent.FLAG_MUTABLE`` is not set,
|
||||
the Android app might be using mutable ``PendingIntent``s on some end user devices.
|
||||
|
||||
[source,kotlin,diff-id=2,diff-type=noncompliant]
|
||||
----
|
||||
val intent = Intent("com.example.ACTION_VIEW")
|
||||
val pendingIntent = PendingIntent.getActivity(
|
||||
context,
|
||||
0,
|
||||
intent,
|
||||
PendingIntent.FLAG_UPDATE_CURRENT // Noncompliant
|
||||
)
|
||||
----
|
||||
|
||||
==== Compliant solution
|
||||
|
||||
Explicitly marking the ``PendingIntent`` using ``PendingIntent.FLAG_IMMUTABLE`` resolves this issue.
|
||||
|
||||
[source,kotlin,diff-id=1,diff-type=compliant]
|
||||
----
|
||||
val intent = Intent("com.example.ACTION_VIEW")
|
||||
val pendingIntent = PendingIntent.getActivity(
|
||||
context,
|
||||
0,
|
||||
intent,
|
||||
PendingIntent.FLAG_IMMUTABLE
|
||||
)
|
||||
----
|
||||
|
||||
In addition, it is recommended for the ``Intent`` within to be explicit instead of implicit.
|
||||
|
||||
[source,kotlin,diff-id=2,diff-type=compliant]
|
||||
----
|
||||
val intent = Intent("com.example.ACTION_VIEW")
|
||||
intent.setClass(context, MyActivity::class.java)
|
||||
val pendingIntent = PendingIntent.getActivity(
|
||||
context,
|
||||
0,
|
||||
intent,
|
||||
PendingIntent.FLAG_IMMUTABLE
|
||||
)
|
||||
----
|
||||
|
||||
=== How does this work?
|
||||
|
||||
There are two ways to prevent mutable implicit ``PendingIntent``s from being abused: making the ``PendingIntent`` immutable and making the ``Intent`` explicit.
|
||||
|
||||
By making the ``PendingIntent`` immutable, an attacker is not able to alter it to redirect to their own components. This is done by setting the ``PendingIntent.FLAG_IMMUTABLE``
|
||||
flag when creating the ``PendingIntent``. This flag is available on Android 6.0 and higher. If a lower version of Android is targeted, it is recommended to make the wrapped
|
||||
``Intent`` explicit.
|
||||
|
||||
An ``Intent`` can be made explicit by setting the component that should receive the ``Intent``. This way, the ``Intent`` can only be received by the specified component and
|
||||
cannot be received by an attacker. This is done by calling ``Intent.setClass()`` or ``Intent.setComponent()`` with the target component.
|
||||
|
||||
Note that mutable implicit ``PendingIntent``s are explicitly blocked when an application is targeting Android 14 or higher.
|
||||
|
||||
== Resources
|
||||
=== Documentation
|
||||
|
||||
* Android Documentation - https://developer.android.com/privacy-and-security/risks/implicit-intent-hijacking[Implicit intent hijacking]
|
||||
* Android Documentation - https://developer.android.com/reference/android/app/PendingIntent[``PendingIntent`` API reference]
|
||||
|
||||
=== Articles & blog posts
|
||||
|
||||
* Google - https://support.google.com/faqs/answer/10437428[Remediation for Implicit PendingIntent Vulnerability]
|
||||
* Dimitrios Valsamaras - https://valsamaras.medium.com/pending-intents-a-pentesters-view-92f305960f03[PendingIntents: A Pentester's View]
|
||||
|
||||
=== Standards
|
||||
|
||||
* OWASP Mobile Application Security Testing Guide - https://mas.owasp.org/MASTG/0x05h-Testing-Platform-Interaction/#pending-intents[Android Platform APIs]
|
||||
* OWASP Mobile Application Security Testing Guide - https://mas.owasp.org/MASTG/tests/android/MASVS-PLATFORM/MASTG-TEST-0030/[MASTG-TEST-0030: Testing for Vulnerable Implementation of PendingIntent]
|
||||
* CWE - https://cwe.mitre.org/data/definitions/927[CWE-927 - Use of Implicit Intent for Sensitive Communication]
|
||||
1
rules/S7206/metadata.json
Normal file
1
rules/S7206/metadata.json
Normal file
@ -0,0 +1 @@
|
||||
{}
|
||||
Loading…
x
Reference in New Issue
Block a user