Attacking Custom URL Schemes

Paradis Perdu edited this page Feb 27, 2019 · 1 revision
  • Custom URL schemes allow apps to communicate via a custom protocol.
  • They can begin with any scheme prefix.
  • If an app processes calls to the URL scheme insecurely, i.e. without proper validation of the URL and its parameters, security weaknesses can result.

Defining a Scheme

Custom schemes are defined in AndroidManifest.xml:

<activity android:name="foo">
	<intent-filter>
		<action android:name="android.intent.action.VIEW" />
		<category android:name="android.intent.category.BROWSABLE" />
		<data android:scheme="myscheme" android:host="call" />
	</intent-filter>
</activity>

The above would specify a new URL scheme called myscheme://. The line <category android:name="android.intent.category.BROWSABLE" /> allows the app to open when the URI is entered into a browser on the device.

Format

A URL that uses the scheme has the form:

schemename://host/path?query=parameter&string=parameter

For example:

myscheme://call?number=1234567890

Enumerating & Attacking URL Schemes

As mentioned above, you can find information about the URL scheme in AndroidManifest.xml.
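The manifest review described above can be scripted. The following is an added example, not code from the original page or from any tool it mentions; it assumes the manifest has already been decoded to text XML (for instance with apktool). The activities bar and baz and their scheme and host values are constructed for illustration. It also shows that `<data>` elements inside one intent filter are merged, so a filter can accept more scheme and host combinations than its lines suggest at first glance.

```python
import xml.etree.ElementTree as ET
from itertools import product

ANDROID = "{http://schemas.android.com/apk/res/android}"
VIEW, BROWSABLE = "android.intent.action.VIEW", "android.intent.category.BROWSABLE"

# Constructed sample of a decoded manifest. "foo" is the page's filter;
# "bar" and "baz" are hypothetical activities added for illustration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application>
  <activity android:name="foo"><intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="myscheme" android:host="call" />
  </intent-filter></activity>
  <activity android:name="bar"><intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="myscheme" android:host="pay" />
    <data android:scheme="other" android:host="open" />
  </intent-filter></activity>
  <activity android:name="baz"><intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <data android:scheme="internal" />
  </intent-filter></activity>
</application>
</manifest>"""


def browsable_uris(manifest_xml):
    """Map each activity to the scheme://host prefixes its BROWSABLE VIEW filters accept."""
    found = {}
    for act in ET.fromstring(manifest_xml).iter("activity"):
        for flt in act.findall("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
            cats = {c.get(ANDROID + "name") for c in flt.findall("category")}
            if VIEW not in actions or BROWSABLE not in cats:
                continue  # not reachable from a link in the browser
            # <data> attributes within one filter are merged, so every
            # scheme pairs with every host declared in that filter.
            data = flt.findall("data")
            schemes = {d.get(ANDROID + "scheme") for d in data} - {None}
            hosts = {d.get(ANDROID + "host") for d in data} - {None} or {""}
            uris = {f"{s}://{h}" for s, h in product(schemes, hosts)}
            found.setdefault(act.get(ANDROID + "name"), set()).update(uris)
    return {name: sorted(u) for name, u in found.items() if u}


if __name__ == "__main__":
    for name, uris in browsable_uris(SAMPLE_MANIFEST).items():
        print(name, uris)
```

Every prefix listed for an activity is input that the activity must validate, including merged combinations the developer may not have intended to accept.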

Drozer

To enumerate URL schemes run:

run scanner.activity.browsable -a com.your.app

This will return a list of invocable URIs, including the classes for these.

To then call a URL scheme, call the activity with the intent and the data needed:

run app.activity.start --action android.intent.action.VIEW --data-uri "sms://123456789"

ADB

To call a URI scheme with ADB, run:

adb shell am start -W -a android.intent.action.VIEW -d <uri> <package>
