Dueling Banjos: Inter-app Communication


  1. Dueling Banjos (Inter-App Communication)
      Michael Dorin, Dan Ratcliff
      Wednesday, March 20, 13
  2. Agenda
      • Introduction
      • That was my Intent!
          o Android Inter-App Communication
          o Bound and Determined
      • UR’all that… and more!
          o iOS Inter-App Communication
      • Android Security
      • iOS Security
  3. Introduction
      • Inter-application communication promotes development of feature-rich applications
      • Developers leverage existing services to create rich, ‘seamless’ applications
  4. Introduction
      • Android and iOS provide messaging systems for communications within and between applications
      • These message systems also facilitate attacks
  5. Android Vocabulary
      • Applications are built upon components
      • Components
          o Activity
          o Service
          o Broadcast Receiver
          o Content Provider
      • Inter-app communications
  6. Processes and Threads
      • Application startup
      • Android creates a Linux process with a single thread of execution
      • You can (and probably will) create more than a single thread of execution
      • By default, all components of the same application run in the same process
  7. Component Data Paths (diagram; labels: Activity, Activity, System, Service, Service)
  8. That was my intent
      • Intents launch activities and services
      • Intents can hold data
      “Intents are system messages, running around the inside of the device, notifying applications of various events, from hardware state changes (e.g., an SD card was inserted), to incoming data (e.g., an SMS message arrived), to application events (e.g., your activity was launched from the device’s main menu).”
      http://android.programmerguru.com/android-intent-example/
  9. That’s ‘intents’
      • You may transmit data in Intents
      • You may return data in Intents
      • Implicit intents can launch a variety of activities or services
      • Explicit intents explicitly launch one particular activity or service
  10. Intent Constructors
      • Intent(): Create an empty intent.
      • Intent(String action): Create an intent with a given action. (Creates an ‘implicit’ intent.)
      • Intent(String action, Uri uri): Create an intent with a given action and for a given data URL.
      • Intent(Context packageContext, Class<?> cls): Create an intent for a specific component. (Creates an ‘explicit’ intent.)
  11. Implicit Intent
          Intent(String action, Uri uri)
      The primary pieces of information in an intent are:
      • action -- The general action to be performed, such as ACTION_VIEW, ACTION_EDIT, ACTION_MAIN, etc.
      • data -- The data to operate on, such as a person record in the contacts database, expressed as a Uri.
  12. Examples:
      • ACTION_VIEW content://contacts/people/1 -- Display information about the person whose identifier is "1".
      • ACTION_DIAL content://contacts/people/1 -- Display the phone dialer with the person filled in.
      • ACTION_VIEW tel:123 -- Display the phone dialer with the given number filled in. Note how the VIEW action does what is considered the most reasonable thing for a particular URI.
      • ACTION_DIAL tel:123 -- Display the phone dialer with the given number filled in.
      • ACTION_EDIT content://contacts/people/1 -- Edit information about the person whose identifier is "1".
      • ACTION_VIEW content://contacts/people/ -- Display a list of people, which the user can browse through. This example is a typical top-level entry into the Contacts application, showing you the list of people. Selecting a particular person to view would result in a new intent {ACTION_VIEW content://contacts/N } being used to start an activity to display that person.
      http://developer.android.com/reference/android/content/Intent.html
  13. Explicit Intent
          Intent(Context packageContext, Class<?> cls)
      The primary pieces of information in an intent are:
      • Context -- package context where the class you wish to invoke resides
      • Class -- name of the class
  14. Additional attributes
      • category -- Gives additional information about the action to execute.
      • type -- Specifies an explicit type (a MIME type) of the intent data.
      • component -- Specifies an explicit name of a component class to use for the intent.
      • extras -- This is a Bundle of any additional information
  15. Example: Explicit Intent, Activity Launched Intra-App (EasyActivity.java)
          // "this" is the Context; the second argument is the class implementing the Activity
          intent = new Intent(this, com.chaski.mobilemarchexample.EasyActivity.class);
          startActivity(intent);
  16. Example: Activity launched, now launch a service! Explicit Intent, Service Launched Intra-App
          @Override
          public void onCreate(Bundle savedInstanceState) {
              super.onCreate(savedInstanceState);
              setContentView(R.layout.easy_layout);
              Intent intent = new Intent(this, com.chaski.mobilemarchexample.EasyService.class);
              // Hand the service a Messenger so it can send data back
              intent.putExtra("messenger", messenger);
              startService(intent);
          }
      See EasyActivity.java
  17. Inside the Service (EasyService.java)
          @Override
          public int onStartCommand(Intent intent, int flags, int startId) {
              // A START_STICKY restart delivers a null intent, so guard before reading extras
              if (intent != null) {
                  // Grab the messenger
                  Messenger messenger = intent.getParcelableExtra("messenger");
                  MyRunnable mr = new MyRunnable(messenger);
                  Thread t = new Thread(mr);
                  t.start();
              }
              return Service.START_STICKY;
          }
          ....
          // Within MyRunnable
          Message message = Message.obtain(null, 1, 0, 0);
          try {
              Bundle data = new Bundle();
              data.putString("mystring", "myvalue:" + i);
              message.setData(data);
              messenger.send(message);
          } catch (RemoteException e) {
          }
          ...
  18. Activity Handler
          public class EasyActivity extends Activity {
              MyHandler handler = new MyHandler();
              Messenger messenger = new Messenger(handler);
              .......
              class MyHandler extends Handler {
                  @Override
                  public void handleMessage(Message msg) {
                      switch (msg.what) {
                      case 1:
                          String mydata = msg.getData().getString("mystring");
                          Toast.makeText(getApplicationContext(), "Got Message:" + mydata, Toast.LENGTH_SHORT).show();
                          break;
                      case 2:
                          Toast.makeText(getApplicationContext(), "EasyService has ended", Toast.LENGTH_SHORT).show();
                          break;  // without this, case 2 falls through to default
                      default:
                          super.handleMessage(msg);
                      }
                  }
              }
          }
      See EasyActivity.java
  19. So far
      • 2 Examples
      • Launch activity with explicit intent and no expectation of returned data
      • Launch service with explicit intent with expectation of data passed via messenger/handler
  20. Next example
      • startActivityForResult - Expect a result from the calling activity
      • new activity registers for broadcast receiver
      • new activity starts a service
      • service finishes, sends message via broadcast
      • Activity finishes and returns result
  21. Example 3: Explicit Intent, Activity Launched Intra-App (MainActivity.java)
          intent = new Intent(this, com.chaski.mobilemarchexample.TrivialActivity.class);
          startActivityForResult(intent, 72);  // 72 is the requestCode

          @Override
          protected void onActivityResult(int requestCode, int resultCode, Intent data) {
              // data is null when the launched activity returns no result Intent
              String retData = (data != null) ? data.getStringExtra("result") : null;
              String giantToastString = "onActivityResult-requestCode:" + requestCode + " "
                      + "onActivityResult-resultCode:" + resultCode + " " + "returnedData:" + retData;
              Toast.makeText(this, giantToastString, Toast.LENGTH_SHORT).show();
              ...
          }
  22. * You can do the same thing with a service
      * It takes a couple of extra steps though
      * See simpleActivity.java/simpleService.java
  23. TrivialActivity.java
          @Override
          public void onCreate(Bundle savedInstanceState) {
              super.onCreate(savedInstanceState);
              setContentView(R.layout.trivial_layout);
              receiver = new ResponseReceiver();
              registerReceiver(receiver,
                      new IntentFilter("com.chaski.mobilemarchexample.TrivialActivity.broadcast.update"));
              Intent intent = new Intent(this, com.chaski.mobilemarchexample.TrivialService.class);
              this.startService(intent);
          }

          // TrivialService will communicate through a BroadcastReceiver
          class ResponseReceiver extends BroadcastReceiver {
              @Override
              public void onReceive(Context context, Intent intent) {
                  Toast.makeText(getApplicationContext(), "TrivialService has ended", Toast.LENGTH_SHORT).show();
              }
          }
      Or use a BroadcastReceiver
  24. Response via Broadcast (TrivialService.java)
          @Override
          public int onStartCommand(Intent intent, int flags, int startId) {
              MyRunnable mr = new MyRunnable();
              Thread t = new Thread(mr);
              t.start();
              return Service.START_STICKY;
          }
          ...
          public void SendBroadcast(Boolean result, String Msg) {
              Intent i = new Intent();
              i.setAction("com.chaski.mobilemarchexample.TrivialActivity.broadcast.update");
              i.putExtra("result", result);
              i.putExtra("message", Msg);
              this.sendBroadcast(i);
          }
  25. Bound and Determined: Bound Service
      • The server in a client-server interface.
      • Allows components to send requests and receive responses
      • Typically does not run in the background indefinitely
  26. Bound Services
      • A bound service allows other applications to bind to it and interact with it.
      • You must implement the onBind() callback
      • This method returns an IBinder object that defines the programming interface that clients can use to interact with the service.
  27. Bound Services
      • We can use messages as before
      • We can invoke functions directly
  28. Step 1 - Make Service
      Communicating via a messenger (see BoundMessageService.java):
          final Messenger myMessenger = new Messenger(new MessageHandler());

          @Override
          public IBinder onBind(Intent intent) {
              return myMessenger.getBinder();
          }
      Communicating via local methods (see LocalBoundService.java). You need a binder!
          public class LocalBoundServiceBinder extends Binder {
              LocalBoundService getService() {
                  return LocalBoundService.this;
              }
          }

          @Override
          public IBinder onBind(Intent intent) {
              return binder;
          }
  29. Make a connection, Start the service! (BoundActivity.java)
          localBoundServiceConnection = new LocalBoundServiceConnection();
          intent = new Intent(this, com.chaski.mobilemarchexample.LocalBoundService.class);
          boundServiceBound = bindService(intent, localBoundServiceConnection, Context.BIND_AUTO_CREATE);

          class BoundMessageServiceConnection implements ServiceConnection {
              public void onServiceDisconnected(ComponentName name) {
                  Log.i(TAG, "Service Disconnected");
              }
              public void onServiceConnected(ComponentName name, IBinder service) {
                  messageBinder = (IBinder) service;
                  myMessenger = new Messenger(service);
              }
          }
  30. Use the service
      BoundActivity.java:
          localBoundService.getRandomNumber();
      BoundService.java:
          /** method for clients */
          public int getRandomNumber() {
              return mGenerator.nextInt(100);
          }
  31. AIDL
      • Previous examples work well for services local to application.
      • If you want to expose a service for other applications, you need an AIDL file.
      AIDLServiceaidl.aidl (looks just like an interface file!):
          package com.chaski.mobilemarchexample;

          interface AIDLServiceaidl {
              int add(in int value1, in int value2, out int[] value3);
          }
  32. Connection looks nearly the same
          class AidlServiceConnection implements ServiceConnection {
              public void onServiceConnected(ComponentName name, IBinder boundService) {
                  service = AIDLServiceaidl.Stub.asInterface((IBinder) boundService);
                  Log.i(TAG, "onServiceConnected() connected");
              }
              public void onServiceDisconnected(ComponentName name) {
                  service = null;
                  Log.i(TAG, "onServiceDisconnected() disconnected");
              }
          }
  33. AIDL: Use is almost the same
          int res = 0;
          int[] value3 = new int[3];
          try {
              res = service.add(1, 2, value3);
          } catch (RemoteException e) {
              // TODO Auto-generated catch block
              e.printStackTrace();
          }
      See AidlActivity.java
      Note: parameters can be used to pass data back
  34. What about implicit intents, leveraging other people’s applications and reducing developer burden?
  35. Lights Camera Action!
          intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);  // Action
          startActivityForResult(intent, 987654321);             // Request Code

          protected void onActivityResult(int requestCode, int resultCode, Intent intent) {
              // intent is null when the capture is cancelled, so check before reading extras
              if (requestCode == 987654321 && resultCode == RESULT_OK && intent != null) {
                  Bundle extras = intent.getExtras();
                  Bitmap bitmap = (Bitmap) extras.get("data");
              }
          }
  36. Implicit via category
          intent = new Intent();
          intent.setAction(Intent.ACTION_MAIN);
          intent.addCategory(Intent.CATEGORY_APP_EMAIL);
      * In this example, we want an application that can handle email. We don’t care which one.
  37. Implicit Intents
      • Work from intent filters
      • You can define your own
  38. Example: Implicit via custom category
          intent = new Intent();
          intent.setAction(Intent.ACTION_MAIN);
          intent.addCategory("jeb");
      * category is custom, named jeb!
      * Application that handles “jeb” needs this intent-filter in the manifest (you always need a default):
          <intent-filter>
              <action android:name="android.intent.action.MAIN" />
              <category android:name="android.intent.category.DEFAULT"/>
              <category android:name="jeb"/>
          </intent-filter>
  39. Example: Implicit Intent via URI
          Uri uri = Uri.parse("imdb:///find?q=godfather");                // Data
          intent = new Intent(android.content.Intent.ACTION_VIEW, uri);   // Action
          startActivity(intent);
  40. Example: Implicit Intent via Custom URI
          <intent-filter>
              <action android:name="android.intent.action.VIEW" />
              <category android:name="android.intent.category.DEFAULT" />
              <data android:scheme="ted"/>  <!-- Our custom URI -->
          </intent-filter>
      Intent sender code:
          Uri uri = Uri.parse("ted:");
          intent = new Intent(android.content.Intent.ACTION_VIEW, uri);
          startActivity(intent);
  41. Intent filters are loaded into the Manifest (the last two filters are the custom intents)
          <activity
              android:name=".MainActivity"
              android:label="@string/title_activity_main"
              android:exported="true">
              <intent-filter>
                  <action android:name="android.intent.action.MAIN" />
                  <category android:name="android.intent.category.LAUNCHER" />
              </intent-filter>
              <intent-filter>
                  <action android:name="com.chaski.ButtonCatcher.catch" />
                  <category android:name="android.intent.category.DEFAULT" />
              </intent-filter>
              <intent-filter>
                  <action android:name="android.intent.action.MAIN" />
                  <category android:name="android.intent.category.DEFAULT"/>
                  <category android:name="android.intent.category.APP_EMAIL"/>
              </intent-filter>
              <intent-filter>
                  <action android:name="android.intent.action.MAIN" />
                  <category android:name="android.intent.category.DEFAULT"/>
                  <category android:name="jeb"/>
              </intent-filter>
              <intent-filter>
                  <action android:name="android.intent.action.VIEW" />
                  <category android:name="android.intent.category.DEFAULT" />
                  <data android:scheme="ted"/>
              </intent-filter>
          </activity>
  42. UR’all that… and more! iOS Inter-App Communication
      • Launching apps automatically via URLs
      • Providing services from your app
      • Sending values and returning results
      • Standardizing interfaces with x-callback-url
  43. “Launching” Apps Manually
      • “Launching” from user context
      • App startup after install, power-up, kill, jettison, crash
      • Returning from background
      • Spring board (a.k.a. Home Screen)
      • Tap app icon
      • Dock, Folders & Multitasking Bar
      • “Search iPhone”
      • Siri
      • Hold Home button and say app name
  44. Launching Apps Automatically
      • URL schemes
      • E.g., http://www.w3schools.com/ fb://friends
      • Document/file type support
      • Local notifications
      • Push notifications
  45. Data Sharing via Network
      • Cloud service
      • E.g., Facebook, DropBox, proprietary
      • Allows non-iOS device and browser access
      • iCloud
      • Game Center
      • Push notifications
  46. Data Sharing on Device
      • URL parameters
      • E.g., http://maps.apple.com/?daddr=San+Francisco,+CA&saddr=cupertino
      • Keychain Services
      • Document/file type support
      • Pasteboards
      • Core Audio
      • Core MIDI
  47. Apple URL Schemes
      Safari    http://www.yahoo.com
                https://www.wellsfargo.com
      Mail      mailto:frank@wwdcdemo.example.com
      Phone     tel:1-408-555-5555
      Text      sms:1-408-555-1212
      Maps      http://maps.apple.com/?daddr=San+Francisco,+CA&saddr=cupertino
      YouTube   http://www.youtube.com/watch?v=2DSrJXQV9Og
      iTunes    http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewAlbum?i=156093464&id=156093462&s=143441
  48. In-App Services
      Service   Native API
      Safari    UIWebView
      Mail      MFMailComposeViewController
      Phone     (none)
      Text      MFMessageComposeViewController
      Map       MKMapView
      YouTube   UIWebView
      iTunes    (none)
  49. Launching App via HTML Link
      • HTML links
          <a href="tel:1-408-555-5555">Call your representative</a>
      • Safari and Email apps
      • UIWebView
  50. Link Auto-Detection
      • Auto-detection of link-like text within HTML
      • Telephone numbers
      • URLs
      • Parse-able strings containing “://”
      • Missing “http://” prefix
  51. Launching app via Native API
      • Objective-C API
          UIApplication -canOpenURL:
          UIApplication -openURL:
      • Example
          NSURL *url = [NSURL URLWithString:@"tel:1-408-555-5555"];
          if ([[UIApplication sharedApplication] canOpenURL:url]) {
              [[UIApplication sharedApplication] openURL:url];
          }
  52. Custom URL Schemes
      • Not cutting edge, but not always well-executed
      • Many apps provide a “noun” to launch them
          yelp4://
          flixter://
          angrybirds-free://
          angrybirds-hd-free://
      • Fewer apps provide “verbs” to control them
          yelp:///search?terms=bars&location=sf
  53. Custom URL Scheme Example
      • googlechrome:
        Launches Chrome app
      • googlechrome://www.yahoo.com
        Opens new tab and navigates to http://www.yahoo.com
      • googlechromes://www.wellsfargo.com
        Similar to https:
      • googlechrome-x-callback://x-callback-url/open?x-success=myscheme%3A%2F%2F&x-source=MyApp&url=http%3A%2F%2Fwww.yahoo.com
        Specifies display name and scheme of app for return
  54. Discovering Schemes
      • iHasApp open source framework
      • Correlates Schemes and app IDs
      • schemeApps.json
          {
              ...
              "googlechrome": [535886823],
              "googlechromes": [535886823],
              "googledrive": [507874739],
              "googlegmail": [422689480],
              ...
              "yelp4.2": [284910350],
              "yelp4.4": [284910350],
              ...
          }
  55. App IDs
      • iTunes Preview
          https://itunes.apple.com/us/app/chrome/id535886823?mt=8
      • Look up
          http://itunes.apple.com/lookup?id=535886823
        Returns JSON
          "trackId":535886823,
          "trackName":"Chrome"
          "artworkUrl60":"http://a1619.phobos.apple.com/us/r1000/064/Purple2/v4/96/8d/ce/968dcef9-32d8-bf0b-2e86-a1c0e75c61af/Icon.png",
  56. Scheme “Actions”
      • handleOpenURL website
      • Search scheme index
          skype:thurston.howell.iii?call
          skype://lovey?chat
  57. Schemes to the Extreme
      • akosma software web page
      • URL encoding tips
          CFURLCreateStringByAddingPercentEscapes() preferred over
          NSString -stringByAddingPercentEscapesUsingEncoding:
      • Undocumented(?) Apple URL schemes
      • Google Maps, Music, Videos, App Store, iBooks, iBooks Store, Podcasts
      • Safer: comgooglemaps://
      • Objective-C code examples
  58. “App Launcher” Apps
      • Launch Center Pro
      • Simple Launcher
      • Launch+
      • Simple Phone Launcher
      • Quickpick
      • Swipemint
      • Launcher
      • Speed U
      • App Gate
  59. "App Launcher" Typical Features
      • Pre-canned schemes & actions
      • Access to non-scheme iOS features
      • Detection of installed apps
      • Scheduled notifications
      • Links to App Store
      • Organize favorites
      • Custom URLs
      • Icon management
      • Clipboard or user prompt
      • Download new URLs
      • In app for iOS features
      • Uni-directional; no return
  60. Your very own URL scheme
      • Choosing a “unique” scheme name
      • No official master list beyond IANA
      • Priority among conflicts undefined
      • Cannot override Apple schemes
      • “googlechrome:” instead of “chrome:”
      • Search unofficial sources and “advertise” your own scheme!
  61. Registering Scheme with iOS
      • E.g., myApp-Info.plist
          <key>CFBundleURLTypes</key>
          <array>
              <dict>
                  <key>CFBundleURLName</key>
                  <string>com.mydomain.myapp</string>
                  <key>CFBundleURLSchemes</key>
                  <array>
                      <string>myscheme</string>
                  </array>
              </dict>
          </array>
  62. Handling Received URL
      • Delegate callback API
          UIApplicationDelegate -application:openURL:sourceApplication:annotation:
      • Example
          - (BOOL)application:(UIApplication *)application
                      openURL:(NSURL *)url
            sourceApplication:(NSString *)sourceApplication
                   annotation:(id)annotation
          {
              NSLog(@"%@", [url absoluteString]);
              return YES;
          }
  63. “Parsing” the URL
      • Call component methods on (NSURL *)url
          [url scheme]            NSString *theScheme = [url scheme]
          [url user]              "
          [url password]          "
          [url host]
          [url port]              NSNumber *thePort = [url port]
          [url path]
          [url parameterString]
          [url query]
          [url fragment]
  64. App Startup
      • A.k.a. “launching” vs. returning from background
      • Delegate callback API
          UIApplicationDelegate -application:didFinishLaunchingWithOptions:
      • Example
          - (BOOL)application:(UIApplication *)application
              didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
          {
              NSURL *url = [launchOptions valueForKey:UIApplicationLaunchOptionsURLKey];
              NSLog(@"%@", [url absoluteString]);
              return YES; // Allow openURL to run
          }
  65. Smart App Banners
      • Displays promotional banner on web page
          <meta name="apple-itunes-app" content="app-id=myAppStoreID, affiliate-data=myAffiliateData, app-argument=myURL">
        Offers to take user to App or App Store as appropriate
      • E.g., “LinkedIn Connections” email on iPhone
      • Tapping button opens Safari “Sign in” page
      • If LinkedIn app is installed, banner appears offering to “OPEN” it
      • Tapping OPEN opens app
  66. Return to Sender
      • Facebook scheme format: fb<ID>:
          E.g., fb165260790249214:
      • Google Chrome (as seen earlier)
          googlechrome-x-callback://x-callback-url/
      • Terminology thesaurus lookup & selection
          terminology://x-callback-url/
  67. x-callback-url
      • Encourages services that perform and return
      • Standardizes service API structure
      • Format and URL encoding
      • Inter-App Communication (IAC)
      • Taps & Swipes open source framework
  68. How it Works
      • App “launch” via URL scheme used for both directions
      • Server defines well-known scheme and service
      • Client specifies return scheme & delegates
      Diagram (Client and Server):
          Client “Need It”  ->  theserverscheme:...?aclientscheme:...aclienttarget...  ->  Server “Doing It”
          Server “Doing It”  ->  aclientscheme:.../aclienttarget?theserverparameters  ->  Client “Got It”
  69. Service API Structure
          [scheme]://[host]/[action]?[x-callback parameters]&[action parameters]
      • host: x-callback-url
      • x-callback query parameters
      • App display name: x-source
      • Success delegate: x-success
      • Error delegate: x-error
      • Cancel delegate: x-cancel
  70. Terminology App
      • Legacy lookup
          terminology://heavy
      • Modern, but no return requested
          terminology://x-callback-url/lookup?text=heavy
  71. Terminology Return Result
      • Request return (unencoded)
          terminology://x-callback-url/replace?
              x-success=myscheme://x-callback-url/myReturnAction&
              x-source=MyAppName&
              text=heavy
      • Return Result
          myscheme://x-callback-url/myReturnAction?
              text=heavy&
              replaceWith=dense&
  72. URL Encoding
      • Basic URL encoding
          terminology://x-callback-url/lookup?text=heavy%20metal
      • URL query parameters specify URLs
          terminology://x-callback-url/replace?
              x-success=myscheme://x-callback-url/myReturnAction&
              x-source=MyAppName&
              text=heavy
      • Must encode these nested URLs
          terminology://x-callback-url/replace?
              x-success=myscheme%3A%2F%2Fx-callback-url%2FmyReturnAction&
              x-source=MyAppName&
              text=heavy
  73. Demo
      • XCallbackURL open source test app
      • Replace “Heavy”
      • Replace with “Dense”
  74. Just when your ‘intent’ was to go back into the water!
  75. Intent-Based Attacks
      • Unauthorized Intent Receipt
      • Broadcast Theft
      • Activity Hijacking
      • Service Hijacking
      • Intent Spoofing
      • Malicious Broadcast Injection
  76. Unauthorized Intent Reception
      • Broadcast Theft
      • Eavesdropper can silently read contents of a broadcast without interrupting broadcast
      • Attacker could launch denial of service or data injection attack
      • Ordered Broadcasts can be subject to
  77. Intent Spoofing
      • Malicious Broadcast Injection
      • Malicious Activity Launch
      • Malicious Service Launch
  78. How hard is this?
      • apktool
      • https://code.google.com/p/android-apktool/
      • dare
      • http://siis.cse.psu.edu/dare/index.html
  79. How hard?
      • Get apktool.jar
      • https://code.google.com/p/android-apktool/
      • Get your apk files
      • java -jar apktool.jar decode ..
  80. Look at that! Our manifest, our resources. Oh the humanity!
  81. Security
      • Don’t mess with people’s data if you don’t have to.
      • When sending private data, use explicit intents
      • Internal Intents should always be explicit!
      • Strong permissions should be used. As strong as possible.
      • Review signature permissions
  82. iOS Scheme Security
      • URLs inherently insecure
      • No HTTPS equivalent
  83. Hacking URL schemes
      • iOS handling of duplicates
      • Masquerading as client
      • Masquerading as server
      • Misrouting callbacks
      • Discovering schemes
      • Discovering apps
      • Non-App Store hacking tools
  84. What can be done?
      • Encrypt URL after scheme: (or schemes:// ?)
      • Shared secret
      • Public key cryptography
      • Encrypted data must be “URL parseable” by iOS and URL encoded
      • Send encrypted data out of band
      • E.g., iOS Keychain Services
      • Shared keychain
  85. Keychain Services
      • Create Entitlements.plist
      • Add keychain-access-group
      • ANSI C API (CFDictionaryRef bridged from NSMutableDictionary)
          OSStatus SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result)
          OSStatus SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result)
  86. I have just one question... Huh?
  87. Thank you!
      On the Android banjo and security mandolin:
          Michael Dorin
          dorinmike@gmail.com
          www.linkedin.com/in/michaeldorin
      On the iOS banjo and network protocol fiddle:
          Dan Ratcliff
          dan_ratcliff@yahoo.com
          http://www.linkedin.com/in/danratcliff
  88. Sources
      • Stackoverflow
        http://stackoverflow.com
      • Android Developers Guide
        http://developer.android.com/guide
      • Intent and Intent Filters, by Sang Shin and Michèle Garoche
        http://documents.cofares.net/miroires/AndroidPourValeurC/8-android_intent.pdf
      • Systems and Internet Infrastructure Security, Dare
        http://siis.cse.psu.edu/dare/installation.html
      • Analyzing Inter-Application Communication in Android
        http://www.cs.berkeley.edu/~afelt/intentsecurity-mobisys.pdf
  89. Sources
      • Apple URL Scheme Reference
        http://developer.apple.com/library/ios/#featuredarticles/iPhoneURLScheme_Reference/Introduction/Introduction.html%23//apple_ref/doc/uid/TP40007891-SW1
      • Communicating with Other Apps
        http://developer.apple.com/library/ios/#documentation/iphone/conceptual/iphoneosprogrammingguide/AdvancedAppTricks/AdvancedAppTricks.html
      • iPhone Apps | Yelp for Developers
        http://www.yelp.com/developers/documentation/iphone
      • Opening Links in Chrome for iOS
        https://developers.google.com/chrome/mobile/docs/ios-links
  90. Sources
      • iHasApp - Installed App Detection
        http://www.ihasapp.com
      • handleOpenURL: Shared App Communication on iOS
        http://handleopenurl.com
      • Skype URI Handler
        http://dev.skype.com/desktop-api-reference#URI
      • IPhone URL Schemes - akosma wiki
        http://wiki.akosma.com/IPhone_URL_Schemes
      • Googles New iOS Maps App and URL Scheme
        http://www.pureoxygenmobile.com/googles-new-maps-ios-app-and-url-scheme/
  91. Sources
      • Launch Center Pro
        https://itunes.apple.com/us/app/launch-center-pro/id532016360?mt=8
      • Launch+
        https://itunes.apple.com/us/app/launch+/id500606931?mt=8
      • Quickpick
        http://www.neoos.ch/https://itunes.apple.com/us/app/id483079724/quickpick
      • Launcher
        https://itunes.apple.com/us/app/launcher-quick-actions-shortcuts!/id511645204?mt=8
      • Speed U
        https://itunes.apple.com/us/app/speed-u/id510914771?mt=8
  92. Sources
      • App Gate
        https://itunes.apple.com/us/app/app-gate./id566901497?mt=8
      • Simple Launcher
        https://itunes.apple.com/us/app/simple-launcher-for-ipad-launch/id467950393?mt=8&ign-mpt=uo%3D2
      • Simple Phone Launcher
        https://itunes.apple.com/hk/app/simple-phone-launcher-launch/id430233514?mt=8
      • Swipemint
        https://itunes.apple.com/us/app/swipemint-fastest-simple-launcher/id540044893?mt=8
      • URI Scheme
        http://en.wikipedia.org/wiki/URI_scheme
  93. Sources
      • Promoting Apps with Smart App Banners
        http://developer.apple.com/library/ios/#documentation/AppleApplications/Reference/SafariWebContent/PromotingAppswithAppBanners/PromotingAppswithAppBanners.html
      • Share an App ID Across Apps - Facebook Developers
        http://developers.facebook.com/docs/howtos/share-appid-across-multiple-apps-ios-sdk/
      • Terminology Developers - Agile Tortoise
        http://agiletortoise.com/terminology-developers/
      • Opening Links in Chrome for iOS
        https://developers.google.com/chrome/mobile/docs/ios-links
  94. Sources
      • x-callback-url
        http://x-callback-url.com
      • tapsandswipes/InterAppCommunication - GitHub
        https://github.com/tapsandswipes/InterAppCommunication
      • Taps and Swipes
        http://tapsandswipes.com
      • Terminology
        https://itunes.apple.com/us/app/terminology/id380288546?mt=8
      • agiletortoise/XCallbackURL - GitHub
        https://github.com/agiletortoise/XCallbackURL
  95. Sources
      • iOS Keychain: Sharing data between apps
        http://shaune.com.au/ios-keychain-sharing-data-between-apps/
      • Keychain Services Programming Guide
        https://developer.apple.com/library/ios/#documentation/security/conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html%23//apple_ref/doc/uid/TP30000897-CH208-SW1
      • Audiobus
        http://audiob.us
      • Dueling Banjos
        http://www.youtube.com/watch?v=Vj9ghC2SgbY
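
The nested-URL encoding rule from slides 71 and 72, worked through as an added example (not code from the deck, and written in Python rather than Objective-C). It builds the Terminology request shown on slide 72, parses it back, and shows how an unencoded callback that carries its own query string gets split in the wrong place; the callback query `session=42&mode=inline` and the `TRUSTED_CALLERS` table pairing a `sourceApplication` bundle ID with its callback scheme are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# x-callback parameters from slide 69, in the order slide 72 writes them
X_KEYS = ("x-success", "x-source", "x-error", "x-cancel")

# Hypothetical table: bundle ID that iOS reports as sourceApplication -> the
# callback scheme that caller is expected to use (values from the slide 61 plist).
TRUSTED_CALLERS = {"com.mydomain.myapp": "myscheme"}

SLIDE_CALLBACK = "myscheme://x-callback-url/myReturnAction"
# Constructed: a callback URL that carries its own query string
RICH_CALLBACK = SLIDE_CALLBACK + "?session=42&mode=inline"


def encode_query(pairs):
    """Percent-encode every reserved character so a nested URL stays one value."""
    return urlencode(pairs, quote_via=quote, safe="")


def ordered_pairs(callbacks, params):
    """x-callback parameters first, then the action parameters."""
    return [(k, callbacks[k]) for k in X_KEYS if k in callbacks] + list(params.items())


def build_request(scheme, action, callbacks, params):
    """[scheme]://x-callback-url/[action]?[x-callback parameters]&[action parameters]"""
    query = encode_query(ordered_pairs(callbacks, params))
    return f"{scheme}://x-callback-url/{quote(action, safe='')}?{query}"


def naive_request(scheme, action, callbacks, params):
    """The unencoded form from slide 71, kept only to show where it breaks."""
    query = "&".join(f"{k}={v}" for k, v in ordered_pairs(callbacks, params))
    return f"{scheme}://x-callback-url/{action}?{query}"


def parse_request(url):
    """Receiving side: split a URL into action, x-callback values and arguments."""
    parts = urlsplit(url)
    if parts.netloc != "x-callback-url":
        raise ValueError("not an x-callback-url request")
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    callbacks = {k: v for k, v in pairs if k in X_KEYS}
    args = {k: v for k, v in pairs if k not in X_KEYS}
    return parts.path.lstrip("/"), callbacks, args


def build_return(callback_url, result, source_application):
    """Append results to x-success, refusing a scheme the caller does not own."""
    expected = TRUSTED_CALLERS.get(source_application)
    target = urlsplit(callback_url)
    if expected is None or target.scheme != expected:
        raise ValueError("callback scheme does not belong to the calling app")
    separator = "&" if target.query else "?"
    return callback_url + separator + encode_query(result)


if __name__ == "__main__":
    callbacks = {"x-success": RICH_CALLBACK, "x-source": "MyAppName"}
    for build in (naive_request, build_request):
        url = build("terminology", "replace", callbacks, {"text": "heavy"})
        print(build.__name__, "->", parse_request(url))
    print(build_return(SLIDE_CALLBACK, {"text": "heavy", "replaceWith": "dense"},
                       "com.mydomain.myapp"))
```

With the naive form, `mode=inline` lands among the action parameters and the callback loses half of its query, which is one way the misrouted callbacks listed on slide 83 arise.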
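
One way to apply the slide 81 advice to a manifest recovered as on slides 79 and 80, as an added example rather than part of the talk: a Python script that lists the components any other app can reach without a signature-level permission. The sample manifest is constructed; MainActivity's filters are a subset of slide 41, while `.AIDLService`, `.UpdateReceiver` and the `BIND` permission are hypothetical, and the implicit-export rule assumed is the pre-Android 12 default.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"
DEFAULT = "android.intent.category.DEFAULT"

# Constructed sample input (see the lead-in for what is taken from the slides)
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.chaski.mobilemarchexample">
  <permission android:name="com.chaski.mobilemarchexample.permission.BIND"
              android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="jeb"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="ted"/>
      </intent-filter>
    </activity>
    <service android:name=".TrivialService"/>
    <service android:name=".AIDLService" android:exported="true"
             android:permission="com.chaski.mobilemarchexample.permission.BIND"/>
    <receiver android:name=".UpdateReceiver">
      <intent-filter>
        <action android:name="com.chaski.mobilemarchexample.TrivialActivity.broadcast.update"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def is_exported(component):
    """android:exported wins; without it an intent-filter implies exported
    (assumption: the pre-Android 12 default)."""
    flag = component.get(ANDROID + "exported")
    if flag is not None:
        return flag == "true"
    return component.find("intent-filter") is not None


def signature_permissions(root):
    """Names of permissions this app declares at signature protection level."""
    names = set()
    for perm in root.iter("permission"):
        level = (perm.get(ANDROID + "protectionLevel") or "normal").split("|")[0]
        if level in ("signature", "signatureOrSystem"):
            names.add(perm.get(ANDROID + "name"))
    return names


def entry_points(component):
    """Describe each intent-filter other than the launcher entry."""
    points = []
    for flt in component.findall("intent-filter"):
        cats = [c.get(ANDROID + "name") for c in flt.findall("category")]
        if LAUNCHER in cats:
            continue  # the home-screen entry has to stay open
        parts = [a.get(ANDROID + "name") for a in flt.findall("action")]
        parts += [c for c in cats if c != DEFAULT]
        parts += [d.get(ANDROID + "scheme") + ":" for d in flt.findall("data")
                  if d.get(ANDROID + "scheme")]
        points.append(" ".join(parts))
    return points


def audit(manifest_xml):
    """Return one finding per exported component lacking a signature permission."""
    root = ET.fromstring(manifest_xml)
    strong = signature_permissions(root)
    app = root.find("application")
    findings = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        perm = comp.get(ANDROID + "permission")
        points = entry_points(comp)
        if perm is None and comp.find("intent-filter") is not None and not points:
            continue  # launcher-only activity
        if perm is None or perm not in strong:
            issue = "no permission" if perm is None else "non-signature permission " + perm
            findings.append({"component": comp.get(ANDROID + "name"), "kind": comp.tag,
                             "issue": issue, "entry_points": points})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST):
        print(finding)
```

Each entry point reported for a component is a place where an intent from another app can arrive, so the receiving code has to treat its extras and data URI as untrusted input.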
