Checker Intents   as of Julia version 2.4 (built on 23 Oct 2017)

belongs to group Advanced

Identify potential dangerous flows of information through Android intents


Intents

The Intents checker is dedicated to the analysis of Android applications. Most of the work done by the checker rely on the Injection checker and its Flow Analysis. The Injection checker is able to produce a warning when sensitive data are loaded into an Intent.
An Intent is a message with the goal of activate the receiver of the communication. This message can be filled with additional information called extras. When sensitive or secret information are matched, the Injection checker issues a warning.
Once the message leaves the sender, the OS redirects it to the correct destination. The OS stops some analysis performed by Julia, in particular the Flow Analysis. The result is that once the message reaches the destination, the extra field is no more considered as sensitive information, due to the detachment between the sender and the receiver.
In this scenario we introduced the Intent analysis, that tracks and memorizes sensitive information before they leave the sender. In this way we are able to identify dangerous and secret data when the receiver extracts data from the Intent. Once the intent analysis identifies sensitive information it introduces the secret into the Flow Analysis. Now the flow may propagate again.

Specification of source locations

The Intent checker inherit the set of source annotations adopted for the Injection checker. Since it is dedicated to the Android OS, we introduced a specific annotation that is @UntrustedDevice. All the sensitive information strictly releted the device (ex. IMEI code), to the SIM card (ex. SIM number, Network Operator) or to the device's user experience (ex. GPS location) are marked with the new @UntrustedDevice annotation. It works as any other untrusted annotation. It means that any time a method returns a value marked as @UntrustedDevice, and it flows into any dangerous method marked with any @Trusted annotation, the results is that a warning is raised.


Specification of sink locations

In addition to the sink annotations inherited from the Injection checker, there are two new annotations:
  • @BoundaryTrusted it marks all the locations where sensitive data should not flow in. In particular, it is applied to all the methods adopted to fill an Intent or a Bundle. An Intent is a message with the goal of activating the receiver of the communication. This message can be filled with additional information called extras. A Bundle is a map between String and Object. It can be filled with desired information and then added to the Intent.
  • @MessageTrusted it marks all the methods allowing data to flow out with a message (ex.SMS see SMSManager).


    Examples


    Intents Consider the following program:
    public class SenderActivity extends AppCompatActivity {
    
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);
            Intent i=new Intent();
            i.setClass(getApplicationContext(),ReceiverActivity.class);
            TelephonyManager tm=(TelephonyManager)getSystemService(Context.TELEPHONY_SERVICE);
            String simSerialNumber=tm.getSimSerialNumber();
            i.putExtra("simSerialNumber",simSerialNumber);
            startActivity(i);
        }
    }
    
    public class ReceiverActivity extends AppCompatActivity {
    
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);
            Intent i=getIntent();
            String secretSim=i.getExtra("simSerialNumber");
            SmsManager smsManager = SmsManager.getDefault();
            smsManager.sendTextMessage("","",secretSim,null,null);
        }
    }
    

    This checker issues the following warnings:

    SenderActivity.java:19: [ Intents: TrustBoundaryViolationWarning - CWE501 ] possible trust-boundary violation through the 1st actual parameter of putExtra
    ReceiverActivity.java:17: [ Intents: MessageInjectionWarning - CWE319 ] sensitive data seems sent through the 2nd actual parameter of sendTextMessage

    The meaning of the warnings is pretty easy:

    In the SenderActivity is performed a call to the method TelephonyManager.getSimSerialNumber().
    This method returns the serial number of the SIM and, as many methods of that class, is annotated as @UntrustedDevice. Thanks to the Flow Analysis, Julia is able to raise a warning when taint data is flowing into a dangerous method like Intent.putExtra(String key,String value). With the call to the putExtra method, the intent is loaded with sensitive data.
    The intent reported in the example belongs to the explicit set. It means that the destination of the intent is well known at compile time. Infact, it is easy to deduct the destination of the intent thanks to the call to the method Intent.setClass(Context packageContext, Class<?> cls).
    The receiver ReceiverActivity performs a call to the method Activity.getIntent(): in this way the analysis found a match between the two parts. The method Intent.getExtra(String s) returns the sensitive value in relation to the key String s contained into the intent.
    The method SmsManager.sendTextMessage(..,String bodyText,..) is used to send an SMS message. The 2nd parameter is the body text of the message, and it is annotated as @MessageTrusted.
    In this way when the String secretSim flows into the body text of the message the second warning is generated.