PSA: Validate Your ACTION_SEND Inputs
ACTION_SEND implementations accept
EXTRA_STREAM as input.
That is supposed to point to
Uri representing a stream of stuff to be
sent somewhere. Email apps might send it as an attachment, for example.
So, you fire up a
openInputStream() to get
at the content backed by that
that’s how real developers do it),
and then do something with that content. You might not even really care
what the content is… until that content is something from your own app. Like, say, your
user account database.
The problem outlined in Mr. Schürmann’s post and paper is that a malicious
party could provide you with a
to your own internal storage.
While the third-party app cannot access your internal storage, you can.
So, in the case of an email app, the attacker asks you to email one of
your app’s own files to the attacker’s email address. The user may be
involved in this (e.g., having to actually click something to send
the email), but with
a bit of phishing or social engineering,
that problem can
be handled, at least some of the time. After all, courtesy of the
scheme, some Web browsers and the like will allow a simple link click to trigger
To help with this, cketti (of K-9 Mail fame) wrote
that has its own
openInputStream() method. However, this one will
fail if the
Uri points to a file that your app owns. If you use this
instead of the
implementation will be safer from this attack.
You might also think that this problem will fade away in the coming years. After
all, the Grim Reaper has a close eye on the
and so in the fullness of time,
Uri values will be few and
Alas, the same problem can occur if the attacker sends you a
Uri to your own
ContentProvider, such as a
FileProvider. Even though
the provider may not be exported, your app has full access to its
own providers, just as your app has full access to its own internal storage.
I am working on updates to my
and I’ll try to add some stuff in that will make this attack more difficult
to pull off.
More generally, if you accept input from outside parties, validate it.
Have rules for what sorts of
Uri values you will and will not accept
for things like
and provide runtime checks to confirm that the values you receive follow
Stuck on an Android problem? Subscribers have access to live office hours chats with Mark Murphy, to help you work through your challenges!