Intent Redirection Vulnerability Android Content Provider - android-security

There is a content provider in the application that I send a sticker to the whats up application.
<provider
android:name=".whatsappsticker.StickerContentProvider"
android:authorities="${stickerContentProviderAuthority}"
android:enabled="true"
android:exported="true"
android:readPermission="com.whatsapp.sticker.READ" />
In the report from Google, it says that I should edit it as exported = false, but it is impossible for me to send stickers this way.
How can I solve this problem without making exported = false?
Best wishes

Related

Android 11 Package Visibilty Https

Hi upgrading to Android 11 and following this guidance
https://devblogs.microsoft.com/xamarin/android-11-package-visibility/
However I dont understand the following query.What is this https scheme actually means?
Is it to allow to make https calls?
Suggestions?
<queries>
<intent>
<action android:name="android.intent.action.VIEW" />
<data android:scheme="https" />
</intent>
</queries>
Also is there a link of all of the queries and what they do?
The custom URL Scheme in Android is an in-page jump protocol, which can also be called URLRouter. It opens an Activity through a route similar to opening a web page, rather than directly jumping through an explicit Intent.
The URL Scheme method is to configure the activity in the manifest that can accept the Scheme mode to start. When a call is needed, the URI of the Scheme protocol is added to the Intent in the form of Data, and the activity is called implicitly.
You could read it at Deep Links.

B2C: AcquireTokenSilent fails for ADFS, works for local accounts

We have set up AD FS as an identity provider in our B2C login flows. Interactive login works just fine, but whenever we execute acquireTokenSilent with MSAL-JS in our Single Page Applications (SPA), we get an error:
Refused to display 'https://mytenant.b2clogin.com...' in a frame because it set 'X-Frame-Options' to 'deny'.
This only happens for the implicit flow. Applications using the authorization code grant work just fine. Local accounts work with both flows. From reading up on the documentation, this should not happen because I should have a session.
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs#x-frame-options
Note that non-interactive logins can be performed via iFrame due to prior session level security that has been established.
What can I do to fix this error?
After double checking my policies and the documentation, the error became obvious. For some reason, we had this code in our policy for the SAML technical profile:
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
So basically the user had a session with B2C, and a session with ADFS, but B2C did not have a session with ADFS.
Everything started working once we used the SamlSSOSessionProvider as indicated in the documentation.
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
....
<ClaimsProvider>
<DisplayName>Session Management</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="SM-Saml-idp">
<DisplayName>Session Management Provider</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<Item Key="IncludeSessionIndex">false</Item>
<Item Key="RegisterServiceProviders">false</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
When investigating this a bit more, we discovered that the documentation originally contained the same error, which is how we got the code in the first place. The documentation was fixed one month ago!

How can I switch an existing Azure web-role from http over to https

I have a working Azure web role which I've been using over an http endpoint. I'm now trying to switch it over to https but struggling mightily with what I thought would be a simple operation. (I'll include a few tips here for future readers to address issues I've already come across).
I have created (for now) a self-signed certificate using the powershell commands documented by Microsoft here and uploaded it to the azure portal. I'm aware that 3rd parties won't be able to consume the API while it has a self-signed certificate but my plan is to use the following for local client testing before purchasing a 'proper' certificate.
ServicePointManager.ServerCertificateValidationCallback += (o, c, ch, er) => true;
Tip: you need upload the .pfx file and then supply the password you used in the powershell script. Don't be confused by suggestion to create a .cer file which is for completely different purposes.
I then followed the flow documented for configuring azure cloud services here although many of these operations are now done directly through visual studio rather than by hand-editing files.
In the main 'cloud service' project under the role I wanted to modify:
I imported the newly created certificate. Tip: the design of the dialog used to add the thumbprint makes it very easy to incorrectly select the developer certificate that is already installed on your machine (by visual studio?). Click 'more options' to get to _your_ certificate and then check the displayed thumbprint matches that shown in the Azure portal in the certificates section.
Under 'endpoints' I added a new https endpoint. Tip: use the standard https port 443, NOT the 'default' port of 8080 otherwise you will get no response from your service at all
In the web.config of the service itself, I changed the endpoint binding for the service so that the name element matched the new endpoint.
I then published the cloud project to Azure (using Visual Studio).
At this point, I'm not seeing the results I expected. The service is still available on http but is not available on https. When I try to browse for it on https (includeExceptionDetailInFaults is set to true) I get:
HTTP error 404 "The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable"
I interpret this as meaning that the https endpoint is available but the service itself is bound to http rather than https despite my changes to web.config.
I have verified that the publish step really is uploading the new configuration by modifying some of the returned content. (Remember this is still available on http.)
I have tried removing the 'obsolete' http endpoint but this just results in a different error:
"Could not find a base address that matches scheme http for the endpoint with binding WebHttpBinding. Registered base address schemes are [https]"
I'm sure I must be missing something simple here. Can anyone suggest what it is or tips for further trouble-shooting? There are a number of stack-overflow answers that relate to websites and suggest that IIS settings need to be tweaked but I don't see how this applies to a web-role where I don't have direct control of the server.
Edit Following Gaurav's suggestion I repeated the process using a (self-signed) certificate for our own domain rather than cloudapp.net then tried to access the service via this domain. I still see the same results; i.e. the service is available via http but not https.
Edit2 Information from csdef file... is the double reference to "Endpoint1" suspicious?
<Sites>
<Site name="Web">
<Bindings>
<Binding name="Endpoint1" endpointName="HttpsEndpoint" />
<Binding name="Endpoint1" endpointName="HttpEndpoint" />
</Bindings>
</Site>
</Sites>
<Endpoints>
<InputEndpoint name="HttpsEndpoint" protocol="https" port="443" certificate="backend" />
<InputEndpoint name="HttpEndpoint" protocol="http" port="80" />
</Endpoints>
<Certificates>
<Certificate name="backend" storeLocation="LocalMachine" storeName="My" />
</Certificates>

.NET Sessions with React Cross Origin

I'm currently working on putting together my first React application, and I'm using fetch in order to communicate with my API which is currently being developed using the .net webapi. I am running into a bit of a wall however with getting my session variables on the .net server to work properly. Currently I'm running the react application separately locally and using the url of my .net server in order to make a request to the API server. Both of which are on the same machine despite using separate ports. The request is going through, but when i try to make a follow up request to get the current user information, it is not pull any information. I have looked, and it seems no cookies are being stored locally in the browser, so I'm assuming this is the issue. The code for my fetch looks something like this:
let url = "http://localhost:50405";
let requestObject = {
mode: 'cors',
credentials: 'include'
}
fetch(url + '/api/currentuser/get', requestObject).then((res) => {
console.log(res);
});
However, res is null even after the session has been set.
Also, on the server end, I have the following in my config file in order to allow for the cross-site request:
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="http://localhost:3000" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</httpProtocol>
I figured I would see if there's something obvious I am missing here.

Xamarin FCM Topic Subscription

I'm developing an Android + iOS app using Xamarin Studio, I recently integrated the notification management system via Firebase, but I'm having some problems in the subscription of the topic, I'll explain to the Android app I've configured everything correctly, because if sending a notification to the segment of Android users through the dashboard Firebase app registers and receives properly, then I have added to MainActivity this line:
FirebaseMessaging.Instance.SubscribeToTopic ( "news");
within a "Task.Run (() =>" and before the call to the "LoadApplication" method of Forms
Then when I compile and start the application output is written: "[FirebaseInstanceId] topic sync succeeded"
But when I log in to the dashboard Firebase to make a message sending test in a topic, when I go to select the "Topics" is written: "This project has no arguments"
I wanted to ask if you could direct me on what may depend on what?
And how do you solve?
Maybe I need to include some other permission nell'AndroidManifest?
Or it must first ensure that even the iOS project subscribes the same topic Android?
Or maybe there are other things that I do and who currently do not know that you can tell me?
Thank you very much in advance.
For clarity and precision below carry the configuration for Firebase nell'AndroidManifest.xml I entered under the node "
<receiver
android:name="com.google.firebase.iid.FirebaseInstanceIdInternalReceiver"
android:exported="false" />
<receiver
android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
android:exported="true"
android:permission="com.google.android.c2dm.permission.SEND">
<intent-filter>
<action android:name="com.google.android.c2dm.intent.RECEIVE" />
<action android:name="com.google.android.c2dm.intent.REGISTRATION" />
<category android:name="${applicationId}" />
</intent-filter>
</receiver>
I also want to clarify that I have inserted in the project the "google-services.json" file by selecting as BuildOptions -> "GoogleServicesJson"
Instead, the version of the package Xamarin.Firebase.Messaging I'm using in the project is the "32.961.0"
Thanks again in advance to all
It may take a few hours (up to possibly a day) for the topic you recently subscribed a client to to show up in the Firebase Notifications Console.
What you could do for the meantime is to send the message to the topic either by using Postman or cURL

Resources