Merge pull request #6599 from joefarebrother/android-sensitive-communication

Java: Promote android sensitive broadcast query

Author: joefarebrother

java/change-notes/2021-09-03-android-sensitive-broadcast.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Leaking sensitive information through an implicit Intent" (`java/android/sensitive-communication`) has been promoted from experimental to the main query pack. Its results will now appear by default. The query was originally [submitted as an experimental query by @luchua-bc.](https://github.com/github/codeql/pull/4512) 

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -79,6 +79,7 @@ private module Frameworks {
   private import internal.ContainerFlow
   private import semmle.code.java.frameworks.android.Android
   private import semmle.code.java.frameworks.android.Intent
+  private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.android.XssSinks
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Collections
@@ -114,8 +115,6 @@ private module Frameworks {
   private import semmle.code.java.security.OgnlInjection
   private import semmle.code.java.security.XPath
   private import semmle.code.java.security.XsltInjection
-  private import semmle.code.java.frameworks.android.Android
-  private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.Jdbc
   private import semmle.code.java.frameworks.SpringJdbc
   private import semmle.code.java.frameworks.MyBatis

java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll

@@ -0,0 +1,179 @@
+/** Provides definitions to reason about Android Sensitive Communication queries */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.android.Intent
+import semmle.code.java.security.SensitiveActions
+
+/**
+ * Gets regular expression for matching names of Android variables that indicate the value being held contains sensitive information.
+ */
+private string getAndroidSensitiveInfoRegex() { result = "(?i).*(email|phone|ticket).*" }
+
+/** Finds variables that hold sensitive information judging by their names. */
+private class SensitiveInfoExpr extends Expr {
+  SensitiveInfoExpr() {
+    exists(Variable v | this = v.getAnAccess() |
+      v.getName().regexpMatch([getCommonSensitiveInfoRegex(), getAndroidSensitiveInfoRegex()])
+    )
+  }
+}
+
+private predicate maybeNullArg(Expr ex) {
+  exists(DataFlow::Node src, DataFlow::Node sink, MethodAccess ma |
+    ex = ma.getAnArgument() and
+    sink.asExpr() = ex and
+    src.asExpr() instanceof NullLiteral
+  |
+    DataFlow::localFlow(src, sink)
+  )
+}
+
+private predicate maybeEmptyArrayArg(Expr ex) {
+  exists(DataFlow::Node src, DataFlow::Node sink, MethodAccess ma |
+    ex = ma.getAnArgument() and
+    sink.asExpr() = ex and
+    src.asExpr().(ArrayCreationExpr).getFirstDimensionSize() = 0
+  |
+    DataFlow::localFlow(src, sink)
+  )
+}
+
+/**
+ * Holds if a `sendBroadcast` call doesn't specify receiver permission.
+ */
+private predicate isSensitiveBroadcastSink(DataFlow::Node sendBroadcastCallArg) {
+  exists(MethodAccess ma, string name | ma.getMethod().hasName(name) |
+    ma.getMethod().getDeclaringType().getASourceSupertype*() instanceof TypeContext and
+    sendBroadcastCallArg.asExpr() = ma.getAnArgument() and
+    (
+      name = "sendBroadcast" and
+      (
+        // sendBroadcast(Intent intent)
+        ma.getNumArgument() = 1
+        or
+        // sendBroadcast(Intent intent, String receiverPermission)
+        maybeNullArg(ma.getArgument(1))
+      )
+      or
+      name = "sendBroadcastAsUser" and
+      (
+        // sendBroadcastAsUser(Intent intent, UserHandle user)
+        ma.getNumArgument() = 2
+        or
+        // sendBroadcastAsUser(Intent intent, UserHandle user, String receiverPermission)
+        maybeNullArg(ma.getArgument(2))
+      )
+      or
+      // sendBroadcastWithMultiplePermissions(Intent intent, String[] receiverPermissions)
+      name = "sendBroadcastWithMultiplePermissions" and
+      maybeEmptyArrayArg(ma.getArgument(1))
+      or
+      // Method calls of `sendOrderedBroadcast` whose second argument is always `receiverPermission`
+      name = "sendOrderedBroadcast" and
+      (
+        // sendOrderedBroadcast(Intent intent, String receiverPermission)
+        // sendOrderedBroadcast(Intent intent, String receiverPermission, BroadcastReceiver resultReceiver, Handler scheduler, int initialCode, String initialData, Bundle initialExtras)
+        maybeNullArg(ma.getArgument(1)) and
+        ma.getNumArgument() = [2, 7]
+        or
+        // sendOrderedBroadcast(Intent intent, String receiverPermission, String receiverAppOp, BroadcastReceiver resultReceiver, Handler scheduler, int initialCode, String initialData, Bundle initialExtras)
+        maybeNullArg(ma.getArgument(1)) and
+        maybeNullArg(ma.getArgument(2)) and
+        ma.getNumArgument() = 8
+      )
+      or
+      // sendOrderedBroadcastAsUser(Intent intent, UserHandle user, String receiverPermission, BroadcastReceiver resultReceiver, Handler scheduler, int initialCode, String initialData, Bundle initialExtras)
+      name = "sendOrderedBroadcastAsUser" and
+      maybeNullArg(ma.getArgument(2))
+      or
+      // sendStickyBroadcast(Intent intent)
+      // sendStickyBroadcast(Intent intent, Bundle options)
+      // sendStickyBroadcastAsUser(Intent intent, UserHandle user)
+      // sendStickyOrderedBroadcast(Intent intent, BroadcastReceiver resultReceiver, Handler scheduler, int initialCode, String initialData, Bundle initialExtras)
+      // sendStickyOrderedBroadcastAsUser(Intent intent, UserHandle user, BroadcastReceiver resultReceiver, Handler scheduler, int initialCode, String initialData, Bundle initialExtras)
+      name =
+        [
+          "sendStickyBroadcast", "sendStickyBroadcastAsUser", "sendStickyOrderedBroadcast",
+          "sendStickyOrderedBroadcastAsUser"
+        ]
+    )
+  )
+}
+
+/**
+ * Holds if `arg` is an argument in a use of a `startActivity` or `startService` method that sends an Intent to another application.
+ */
+private predicate isStartActivityOrServiceSink(DataFlow::Node arg) {
+  exists(MethodAccess ma, string name | ma.getMethod().hasName(name) |
+    arg.asExpr() = ma.getArgument(0) and
+    ma.getMethod().getDeclaringType().getASourceSupertype*() instanceof TypeContext and
+    // startActivity(Intent intent)
+    // startActivity(Intent intent, Bundle options)
+    // startActivities(Intent[] intents)
+    // startActivities(Intent[] intents, Bundle options)
+    // startService(Intent service)
+    // startForegroundService(Intent service)
+    // bindService (Intent service, int flags, Executor executor, ServiceConnection conn)
+    // bindService (Intent service, Executor executor, ServiceConnection conn)
+    name =
+      ["startActivity", "startActivities", "startService", "startForegroundService", "bindService"]
+  )
+}
+
+private predicate isCleanIntent(Expr intent) {
+  intent.getType() instanceof TypeIntent and
+  (
+    exists(MethodAccess setRecieverMa |
+      setRecieverMa.getQualifier() = intent and
+      setRecieverMa.getMethod().hasName(["setPackage", "setClass", "setClassName", "setComponent"])
+    )
+    or
+    // Handle the cases where the PackageContext and Class are set at construction time
+    //    Intent(Context packageContext, Class<?> cls)
+    //    Intent(String action, Uri uri, Context packageContext, Class<?> cls)
+    exists(ConstructorCall cc | cc = intent |
+      cc.getConstructedType() instanceof TypeIntent and
+      cc.getNumArgument() > 1 and
+      (
+        cc.getArgument(0).getType() instanceof TypeContext and
+        not maybeNullArg(cc.getArgument(1))
+        or
+        cc.getArgument(2).getType() instanceof TypeContext and
+        not maybeNullArg(cc.getArgument(3))
+      )
+    )
+  )
+}
+
+/**
+ * Taint configuration tracking flow from variables containing sensitive information to broadcast Intents.
+ */
+class SensitiveCommunicationConfig extends TaintTracking::Configuration {
+  SensitiveCommunicationConfig() { this = "Sensitive Communication Configuration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof SensitiveInfoExpr
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    isSensitiveBroadcastSink(sink)
+    or
+    isStartActivityOrServiceSink(sink)
+  }
+
+  /**
+   * Holds if broadcast doesn't specify receiving package name of the 3rd party app
+   */
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(DataFlow::Node intent | isCleanIntent(intent.asExpr()) |
+      DataFlow::localFlow(intent, node)
+    )
+  }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    super.allowImplicitRead(node, c)
+    or
+    this.isSink(node)
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.java renamed to java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.java

@@ -2,30 +2,24 @@
 <qhelp>
 
   <overview>
-    <p>Broadcast intents in an Android application are visible to all applications installed on the same mobile device, exposing all sensitive information they contain.</p>
-    <p>Broadcasts are vulnerable to passive eavesdropping or active denial of service attacks when an intent is broadcast without specifying any receiver permission or receiver application.</p>
+    <p>When an implicit Intent is used with a method such as <code>startActivity</code>, <code>startService</code>, or <code>sendBroadcast</code>, it may be read by other applications on the device.</p>
+    <p>This means that sensitive data in these Intents may be leaked.</p>
   </overview>
 
   <recommendation>
-    <p>
-      Specify a receiver permission or application when broadcasting intents, or switch to
-      <code>LocalBroadcastManager</code>
-      or the latest
-      <code>LiveData</code>
-      library.
+    <p> 
+      For <code>sendBroadcast</code> methods, a receiver permission may be specified so that only applications with a certain permission may receive the Intent; 
+      or a <code>LocalBroadcastManager</code> may be used.
+      Otherwise, ensure that Intents containing sensitive data have an explicit receiver class set.
     </p>
   </recommendation>
 
   <example>
-    <p>The following example shows two ways of broadcasting intents. In the 'BAD' case, no "receiver permission" is specified. In the 'GOOD' case, "receiver permission" or "receiver application" is specified.</p>
-    <sample src="SensitiveBroadcast.java" />
+    <p>The following example shows two ways of broadcasting Intents. In the 'BAD' case, no "receiver permission" is specified. In the 'GOOD' case, "receiver permission" or "receiver application" is specified.</p>
+    <sample src="SensitiveCommunication.java" />
   </example>
 
   <references>
-    <li>
-      CWE:
-      <a href="https://cwe.mitre.org/data/definitions/927.html">CWE-927: Use of Implicit Intent for Sensitive Communication</a>
-    </li>
     <li>
       Android Developers:
       <a href="https://developer.android.com/guide/components/broadcasts">Security considerations and best practices for sending and receiving broadcasts</a>
@@ -46,5 +40,9 @@
       Android Developers:
       <a href="https://developer.android.com/topic/libraries/architecture/livedata">Android LiveData Overview</a>
     </li>
+    <li>
+      Oversecured: 
+      <a href="https://blog.oversecured.com/Interception-of-Android-implicit-intents/">Interception of Android implicit intents</a>
+    </li>
   </references>
 </qhelp>

java/ql/src/experimental/Security/CWE/CWE-927/SensitiveBroadcast.qhelp renamed to java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.qhelp

@@ -0,0 +1,21 @@
+/**
+ * @name Leaking sensitive information through an implicit Intent
+ * @description An Android application uses implicit Intents containing sensitive data
+ *              in a way that exposes it to arbitrary applications on the device.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 8.2
+ * @precision medium
+ * @id java/android/sensitive-communication
+ * @tags security
+ *       external/cwe/cwe-927
+ */
+
+import java
+import semmle.code.java.security.AndroidSensitiveCommunicationQuery
+import DataFlow::PathGraph
+
+from SensitiveCommunicationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This call may leak sensitive information from $@.",
+  source.getNode(), "here"