Merge pull request github#11915 from egregius313/egregius313/arbitrary-apk-installation

Java: Arbitrary APK installation

Author: egregius313

java/ql/lib/semmle/code/java/security/ArbitraryApkInstallation.qll

@@ -0,0 +1,87 @@
+/** Provide classes to reason about Android Intents that can install APKs. */
+
+import java
+import semmle.code.java.frameworks.android.Intent
+import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.FlowSources
+
+/** A string literal that represents the MIME type for Android APKs. */
+class PackageArchiveMimeTypeLiteral extends StringLiteral {
+  PackageArchiveMimeTypeLiteral() { this.getValue() = "application/vnd.android.package-archive" }
+}
+
+/** The `android.content.Intent.ACTION_INSTALL_PACKAGE` constant. */
+class InstallPackageAction extends Expr {
+  InstallPackageAction() {
+    this.(StringLiteral).getValue() = "android.intent.action.INSTALL_PACKAGE"
+    or
+    exists(VarAccess va |
+      va.getVariable().hasName("ACTION_INSTALL_PACKAGE") and
+      va.getQualifier().getType() instanceof TypeIntent
+    )
+  }
+}
+
+/** A method that sets the MIME type of an intent. */
+class SetTypeMethod extends Method {
+  SetTypeMethod() {
+    this.hasName(["setType", "setTypeAndNormalize"]) and
+    this.getDeclaringType() instanceof TypeIntent
+  }
+}
+
+/** A method that sets the data URI and the MIME type of an intent. */
+class SetDataAndTypeMethod extends Method {
+  SetDataAndTypeMethod() {
+    this.hasName(["setDataAndType", "setDataAndTypeAndNormalize"]) and
+    this.getDeclaringType() instanceof TypeIntent
+  }
+}
+
+/** A method that sets the data URI of an intent. */
+class SetDataMethod extends Method {
+  SetDataMethod() {
+    this.hasName(["setData", "setDataAndNormalize", "setDataAndType", "setDataAndTypeAndNormalize"]) and
+    this.getDeclaringType() instanceof TypeIntent
+  }
+}
+
+/** A dataflow sink for the URI of an intent. */
+class SetDataSink extends DataFlow::ExprNode {
+  SetDataSink() {
+    exists(MethodAccess ma |
+      this.getExpr() = ma.getQualifier() and
+      ma.getMethod() instanceof SetDataMethod
+    )
+  }
+}
+
+/** A method that generates a URI. */
+class UriConstructorMethod extends Method {
+  UriConstructorMethod() {
+    this.hasQualifiedName("android.net", "Uri", ["fromFile", "fromParts"]) or
+    this.hasQualifiedName("androidx.core.content", "FileProvider", "getUriForFile")
+  }
+}
+
+/**
+ * A dataflow source representing the URIs which an APK not controlled by the
+ * application may come from. Including external storage and web URLs.
+ */
+class ExternalApkSource extends DataFlow::Node {
+  ExternalApkSource() {
+    sourceNode(this, "android-external-storage-dir") or
+    this.asExpr().(MethodAccess).getMethod() instanceof UriConstructorMethod or
+    this.asExpr().(StringLiteral).getValue().matches("file://%") or
+    this instanceof RemoteFlowSource
+  }
+}
+
+/** The `setAction` method of the `android.content.Intent` class. */
+class SetActionMethod extends Method {
+  SetActionMethod() {
+    this.hasName("setAction") and
+    this.getDeclaringType() instanceof TypeIntent
+  }
+}

java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll

@@ -0,0 +1,121 @@
+/** Provides dataflow configurations to reason about installation of arbitrary Android APKs. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.ArbitraryApkInstallation
+
+/**
+ * A dataflow configuration for flow from an external source of an APK to the
+ * `setData[AndType][AndNormalize]` method of an intent.
+ */
+private module ApkInstallationConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof ExternalApkSource }
+
+  predicate isSink(DataFlow::Node node) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof SetDataMethod and
+      ma.getArgument(0) = node.asExpr() and
+      (
+        PackageArchiveMimeTypeFlow::hasFlowToExpr(ma.getQualifier())
+        or
+        InstallPackageActionFlow::hasFlowToExpr(ma.getQualifier())
+      )
+    )
+  }
+}
+
+module ApkInstallationFlow = DataFlow::Make<ApkInstallationConfiguration>;
+
+private newtype ActionState =
+  ActionUnset() or
+  HasInstallPackageAction()
+
+/**
+ * A dataflow configuration tracking the flow from the `android.content.Intent.ACTION_INSTALL_PACKAGE`
+ * constant to either the constructor of an intent or the `setAction` method of an intent.
+ *
+ * This is used to track if an intent is used to install an APK.
+ */
+private module InstallPackageActionConfiguration implements DataFlow::StateConfigSig {
+  class FlowState = ActionState;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source.asExpr() instanceof InstallPackageAction and state instanceof ActionUnset
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
+  ) {
+    state1 instanceof ActionUnset and
+    state2 instanceof HasInstallPackageAction and
+    (
+      exists(ConstructorCall cc |
+        cc.getConstructedType() instanceof TypeIntent and
+        node1.asExpr() = cc.getArgument(0) and
+        node1.asExpr().getType() instanceof TypeString and
+        node2.asExpr() = cc
+      )
+      or
+      exists(MethodAccess ma |
+        ma.getMethod() instanceof SetActionMethod and
+        node1.asExpr() = ma.getArgument(0) and
+        node2.asExpr() = ma.getQualifier()
+      )
+    )
+  }
+
+  predicate isSink(DataFlow::Node node, FlowState state) {
+    state instanceof HasInstallPackageAction and node.asExpr().getType() instanceof TypeIntent
+  }
+
+  predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
+}
+
+private module InstallPackageActionFlow =
+  TaintTracking::MakeWithState<InstallPackageActionConfiguration>;
+
+private newtype MimeTypeState =
+  MimeTypeUnset() or
+  HasPackageArchiveMimeType()
+
+/**
+ * A dataflow configuration tracking the flow of the Android APK MIME type to
+ * the `setType` or `setTypeAndNormalize` method of an intent, followed by a call
+ * to `setData[AndType][AndNormalize]`.
+ */
+private module PackageArchiveMimeTypeConfiguration implements DataFlow::StateConfigSig {
+  class FlowState = MimeTypeState;
+
+  predicate isSource(DataFlow::Node node, FlowState state) {
+    node.asExpr() instanceof PackageArchiveMimeTypeLiteral and
+    state instanceof MimeTypeUnset
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
+  ) {
+    state1 instanceof MimeTypeUnset and
+    state2 instanceof HasPackageArchiveMimeType and
+    exists(MethodAccess ma |
+      ma.getQualifier() = node2.asExpr() and
+      (
+        ma.getMethod() instanceof SetTypeMethod and
+        ma.getArgument(0) = node1.asExpr()
+        or
+        ma.getMethod() instanceof SetDataAndTypeMethod and
+        ma.getArgument(1) = node1.asExpr()
+      )
+    )
+  }
+
+  predicate isSink(DataFlow::Node node, FlowState state) {
+    state instanceof HasPackageArchiveMimeType and
+    node instanceof SetDataSink
+  }
+
+  predicate isBarrier(DataFlow::Node node, FlowState state) { none() }
+}
+
+private module PackageArchiveMimeTypeFlow =
+  TaintTracking::MakeWithState<PackageArchiveMimeTypeConfiguration>;

java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.qhelp

@@ -0,0 +1,72 @@
+<!DOCTYPE qhelp PUBLIC
+ "-//Semmle//qhelp//EN"
+ "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Android allows an application to install an Android Package Kit (APK)
+      using an <code>Intent</code> with
+      the <code>"application/vnd.android.package-archive"</code> MIME type. If
+      the file used in the <code>Intent</code> is from a location that is not
+      controlled by the application (for example, an SD card that is
+      universally writable), this can result in the unintended installation of untrusted applications.  
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      You should install packages using
+      the <code>PackageInstaller</code> class.
+    </p>
+
+    <p>
+      If you need to install from a file, you should use
+      a <code>FileProvider</code>. Content providers can provide more specific
+      permissions than file system permissions can.
+    </p>
+
+    <p>
+      When your application does not require package installations, do not add
+      the <code>REQUEST_INSTALL_PACKAGES</code> permission in the manifest file.
+    </p>
+  </recommendation>
+
+  <example>
+
+    <p>
+      In the following (bad) example, the package is installed from a file which
+      may be altered by another application:
+    </p>
+
+    <sample src="InstallApkWithFile.java"/>
+
+    <p>
+      In the following (good) example, the package is installed by using
+      a <code>FileProvider</code>:
+    </p>
+
+    <sample src="InstallApkWithFileProvider.java"/>
+
+    <p>
+      In the following (good) example, the package is installed using an
+      instance of the <code>android.content.pm.PackageInstaller</code> class:
+    </p>
+
+    <sample src="InstallApkWithPackageInstaller.java"/>
+  </example>
+
+  <references>
+    <li>
+      Android Developers: <a href="https://developer.android.com/reference/android/content/Intent#ACTION_INSTALL_PACKAGE">Intent.ACTION_INSTALL_PACKAGE</a>.
+    </li>
+    <li>
+      Android Developers: <a href="https://developer.android.com/reference/android/Manifest.permission#REQUEST_INSTALL_PACKAGES">Manifest.permission.REQUEST_INSTALL_PACKAGES</a>.
+    </li>
+    <li>
+     Android Developers: <a href="https://developer.android.com/reference/android/content/pm/PackageInstaller">PackageInstaller</a>.
+    </li>
+    <li>
+      Android Developers: <a href="https://developer.android.com/reference/androidx/core/content/FileProvider">FileProvider</a>.
+    </li>
+  </references>
+</qhelp>

java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql

@@ -0,0 +1,19 @@
+/**
+ * @id java/android/arbitrary-apk-installation
+ * @name Android APK installation
+ * @description Creating an intent with a URI pointing to a untrusted file can lead to the installation of an untrusted application.
+ * @kind path-problem
+ * @security-severity 9.3
+ * @problem.severity error
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import semmle.code.java.security.ArbitraryApkInstallationQuery
+import ApkInstallationFlow::PathGraph
+
+from ApkInstallationFlow::PathNode source, ApkInstallationFlow::PathNode sink
+where ApkInstallationFlow::hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Arbitrary Android APK installation."

java/ql/src/Security/CWE/CWE-094/InstallApkWithFile.java

@@ -0,0 +1,14 @@
+import android.app.Activity;
+import android.content.Intent;
+import android.net.Uri;
+import android.os.Environment;
+
+import java.io.File;
+
+/* Get a file from external storage */
+File file = new File(Environment.getExternalStorageDirectory(), "myapp.apk");
+Intent intent = new Intent(Intent.ACTION_VIEW);
+/* Set the mimetype to APK */
+intent.setDataAndType(Uri.fromFile(file), "application/vnd.android.package-archive");
+
+startActivity(intent);

java/ql/src/Security/CWE/CWE-094/InstallApkWithFileProvider.java

@@ -0,0 +1,31 @@
+import android.app.Activity;
+import android.content.Context;
+import android.content.Intent;
+import android.net.Uri;
+import androidx.core.content.FileProvider;
+
+import java.io.File;
+import java.io.FileOutputStream;
+
+String tempFilename = "temporary.apk";
+byte[] buffer = new byte[16384];
+
+/* Copy application asset into temporary file */
+try (InputStream is = getAssets().open(assetName);
+     FileOutputStream fout = openFileOutput(tempFilename, Context.MODE_PRIVATE)) {
+    int n;
+    while ((n=is.read(buffer)) >= 0) {
+        fout.write(buffer, 0, n);
+    }
+}
+
+/* Expose temporary file with FileProvider */
+File toInstall = new File(this.getFilesDir(), tempFilename);
+Uri applicationUri = FileProvider.getUriForFile(this, "com.example.apkprovider", toInstall);
+
+/* Create Intent and set data to APK file. */
+Intent intent = new Intent(Intent.ACTION_INSTALL_PACKAGE);
+intent.setData(applicationUri);
+intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+
+startActivity(intent);

java/ql/src/Security/CWE/CWE-094/InstallApkWithPackageInstaller.java

@@ -0,0 +1,32 @@
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageInstaller;
+
+private static final String PACKAGE_INSTALLED_ACTION =
+    "com.example.SESSION_API_PACKAGE_INSTALLED";
+
+/* Create the package installer and session */
+PackageInstaller packageInstaller = getPackageManager().getPackageInstaller();
+PackageInstaller.SessionParams params =
+    new PackageInstaller.SessionParams(PackageInstaller.SessionParams.MODE_FULL_INSTALL);
+int sessionId = packageInstaller.createSession(params);
+session = packageInstaller.openSession(sessionId);
+
+/* Load asset into session */
+try (OutputStream packageInSession = session.openWrite("package", 0, -1);
+     InputStream is = getAssets().open(assetName)) {
+    byte[] buffer = new byte[16384];
+    int n;
+    while ((n = is.read(buffer)) >= 0) {
+        packageInSession.write(buffer, 0, n);
+    }
+}
+
+/* Create status receiver */
+Intent intent = new Intent(this, InstallApkSessionApi.class);
+intent.setAction(PACKAGE_INSTALLED_ACTION);
+PendingIntent pendingIntent = PendingIntent.getActivity(context, 0, intent, 0);
+IntentSender statusReceiver = pendingIntent.getIntentSender();
+
+/* Commit the session */
+session.commit(statusReceiver);

java/ql/src/change-notes/2023-01-19-arbitrary-apk-installation.md

@@ -0,0 +1,5 @@
+---
+category: newQuery
+---
+* Added a new query, `java/android/arbitrary-apk-installation`, to detect installation of APKs from untrusted sources.
+