Has anyone looked at CVE-2014-8609? - Galaxy Note 3 Developer Discussion [Developers Onl

With the latest OTA we're still vulnerable to "CVE-2014-8609" or "settings pending intent"
Summary from the full disclosure:
In Android = 4.0), Settings application leaks Pendingintent with a blank base intent (neither the component nor the action is explicitly set) to third party application, bad app can use this to broadcast intent with the same permissions and identity of the Settings application, which runs as SYSTEM uid. Thus bad app can broadcast sensitive intent with the permission of SYSTEM.
Now just give me some time
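The pattern the advisory summary describes, next to a hardened form, as an added example (not code from the Settings app or from the post above). The class, its method names and the `com.example.ACTION_DONE` action are hypothetical.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

/** Hypothetical helper, constructed for illustration. */
public final class PendingIntentExamples {
    private PendingIntentExamples() {}

    /**
     * Pattern from the advisory: the base Intent has neither a component nor
     * an action. Unset fields such as the action can be filled in by whoever
     * holds the PendingIntent when it is sent, and the resulting broadcast
     * carries the creator's identity and permissions.
     */
    static PendingIntent blankBaseIntent(Context ctx) {
        return PendingIntent.getBroadcast(ctx, 0, new Intent(), 0);
    }

    /**
     * Hardened form: the base Intent names its component and action, so
     * nothing about the target is left for the recipient to fill in.
     * FLAG_IMMUTABLE (API 23+) additionally rejects any fill-in on send.
     */
    static PendingIntent explicitBaseIntent(Context ctx, Class<?> receiver) {
        Intent base = new Intent(ctx, receiver)          // explicit component
                .setAction("com.example.ACTION_DONE");   // hypothetical action
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getBroadcast(ctx, 0, base, flags);
    }

    /**
     * Code-review check matching the advisory's condition: true when the
     * base Intent sets neither a component nor an action.
     */
    static boolean isBlankBase(Intent base) {
        return base.getComponent() == null && base.getAction() == null;
    }
}
```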

Related

[Q] Modifying notification

Hi folks,
even though there are many nice 3rd party twitter clients available they are all missing an important feature: push notifications using GCM. The original Twitter app offers GCM based notifications but the app itself is more or less crap.
Therefore I thought about utilizing the original Twitter app for receiving GCM messages which create the Android notifications and then modify these notifications so that another (3rd party) app is started when clicking on them. I already managed to hook into the NotificationManager:
Code:
XposedHelpers.findAndHookMethod(android.app.NotificationManager.class, "notify", String.class, int.class, Notification.class, new XC_MethodHook() {
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            XposedBridge.log("NotificationManager.beforeHookedMethod(): param=" + param);
            for (Object o : param.args) {
                if (o instanceof Notification) {
                    Notification n = (Notification) o;
                    XposedBridge.log("NotificationManager.beforeHookedMethod(): notification=" + n);
                }
            }
        }
    }
);
At this stage, where simple things such as changing Notification.tickerText work, I tried the following:
1) Creating a new PendingIntent and assigning it to Notification.contentIntent:
Code:
Intent LaunchIntent = context.getPackageManager().getLaunchIntentForPackage("it.mvilla.android.fenix");
PendingIntent contentIntent = PendingIntent.getActivity(context, 0, LaunchIntent, 0);
n.contentIntent = contentIntent;
This fails due to the fact that I did not succeed in getting my hands on a Context instance. Does anyone have an idea on how to get a Context instance, or can anyone provide another possibility for creating the PendingIntent without a Context?
2) As the previous did not work due to a missing Context I tried to change the LaunchIntent of the existing Notification. But I was not able to find the correct place - I did not even find the original LaunchIntent when studying the sources or even by dumping the notification by reflection.
I also started investigating how to hook into the Twitter app itself. But as the source code is (of course) not public and additionally is obfuscated this seems to be even more complicated. In addition hooking into the NotificationManager is more generic and would allow - when adding configuration - the redirection also for other sources and targets.
As you see, I am somehow stuck. But I'm not hopeless, or rather cannot imagine that it should not be possible. So now it's up to you to feed me with the correct ideas
So far and thanks in advance,
yaan04
yaan04 said:
1) Creating a new PendingIntent and assigning it to Notification.contentIntent:
This fails due to the fact that I did not succeed in getting my hands on a Context instance. Does anyone have an idea on how to get a Context instance, or can anyone provide another possibility for creating the PendingIntent without a Context?
AndroidAppHelper.currentApplication() should do the trick. Otherwise see this, though if AndroidAppHelper fails most of these probably will, too.
yaan04 said:
2) As the previous did not work due to a missing Context I tried to change the LaunchIntent of the existing Notification. But I was not able to find the correct place - I did not even find the original LaunchIntent when studying the sources or even by dumping the notification by reflection.
LaunchIntent?
yaan04 said:
I also started investigating how to hook into the Twitter app itself. But as the source code is (of course) not public and additionally is obfuscated this seems to be even more complicated. In addition hooking into the NotificationManager is more generic and would allow - when adding configuration - the redirection also for other sources and targets.
Android API calls won't be obfuscated. Try searching for "NotificationManager" for example and see where it's used.
Yeah, AndroidAppHelper.currentApplication() provides a usable Context instance \o/
Thanks, GermainZ. Now I can go on...

[Q] Sharing data between Xposed module and activity

Hi,
I have an Xposed module that listens for certain events and then notifies the main application/Activity that contains this module about the events. I tried to put the events into a static buffer class that's accessible from both the module and Activity. But the buffer is always empty. Right now, I have to use Broadcast to achieve the notification. Is it impossible to share data between the module and Activity via static in-memory objects? Thank you!
AFAIK, you can't do it like that when xposed module runs in a different process than your app.
Xposed module hooking on one package and your app package are isolated processes that cannot share memory.
One way is to use broadcast, as you mentioned.
Another way is to create a service within your app and use ServiceConnection to bind to it and execute actions on it
Example of such service: https://github.com/GravityBox/Gravi...o/kitkat/gravitybox/KeyguardImageService.java
Example how that service is called from system context (different process): https://github.com/GravityBox/Gravi...m/ceco/kitkat/gravitybox/ModDisplay.java#L521

Put Settings from hook

Hook is in PhoneWindowManager class, I need to put a value to Settings.System. ContentResolver from the available mContext variable is used.
I get the following:
Code:
InvocationTargetError: java.lang.SecurityException: Package android does not belong to 10036
10036 is UID of my module.
- Which context did you use to get content resolver?
- Depends on where your hook is.
Although your hook is in phone window manager, it still depends on where the method you are hooking was called from. If it was called from a different package that has different permissions (such as your module app), you will have to clear the identity of the calling package while using system settings.
Something like:
Code:
long ident = Binder.clearCallingIdentity();
try {
    // store to system settings or whatever
} finally {
    Binder.restoreCallingIdentity(ident);
}
- Another option is to add necessary permission to your module's manifest
My module already has WRITE_SETTINGS permission. I use mContext variable that is available in PhoneWindowManager, never had a problem with it. Calling from a separate thread that is created in screenTurnedOff() method.
PhoneWindowManager has a lot of similar code involving Settings.System:
Code:
android.provider.Settings.System.putIntForUser(mContext.getContentResolver(), "screen_brightness_mode", 0, -3);
I tried ...ForUser methods with -2, -3 and 1000 UIDs - still the same error. Regular methods should use current process UID, so it's 1000 anyway.
No idea how it still knows that Xposed module is involved, code is supposed to be executed as if it's a part of a hooked app.
But I guess it knows) so clearing calling identity works perfectly, thanks.
I assume the thread in screenTurnedOff you mentioned is your own that you created? If yes, then for some reason the thread in which phone window manager runs thinks it's some kind of foreign thread, although it was created within phone window manager. Question is where screenTurnedOff was called from. If it's an IPC call then it's clear it has different identity. If it's not that case then it's definitely strange.
C3C076 said:
Question is where screenTurnedOff was called from. If it's an IPC call then it's clear it has different identity. If it's not that case then it's definitely strange.
screenTurnedOff is a stock method, it's called whenever it's called. Definitely not from my module. I bet there is an explanation, something complicated)

[Q] Tasker event trigger on SHARING?

Hello everyone,
I want an event to trigger such that whenever a text is shared from any app (context) by using the SHARE button , say Chrome browser or Opera mobile, a sound should PLAY (task). how do I achieve the event trigger?
Many thanks for helping.
The plugin AutoInput has a "UI Action" Event trigger, that you can configure to detect anything that is clicked on in the AI, then in the linked task you can check its "name" or "id" in the variable %aitext or %aiid,
However, to prevent the Event from triggering anytime you press anything all day long, you should add an "App" context to the Profile to constrain it to a list of particular apps (even if it's 10 different ones etc) since you'll also need to figure out in those apps if the Share button(s) have a common/same name or ID, or if in the Task you're going to need to look for one of several values in those variables mentioned above.
Ratchet_Guy said:
The plugin AutoInput has a "UI Action" Event trigger, that you can configure to detect anything that is clicked on in the AI, then in the linked task you can check its "name" or "id" in the variable %aitext or %aiid,
However, to prevent the Event from triggering anytime you press anything all day long, you should add an "App" context to the Profile to constrain it to a list of particular apps (even if it's 10 different ones etc) since you'll also need to figure out in those apps if the Share button(s) have a common/same name or ID, or if in the Task you're going to need to look for one of several values in those variables mentioned above.
Thank you for the reply.
I actually succeeded doing the thing with Autoshare. [https://play.google.com/store/apps/details?id=com.joaomgcd.autoshare&hl=en]
1. Tasker> Event> Plugin> Autoshare> Command=android.intent.action.SEND (rest all parameters default)
2. Tasker> Task> Alert> Beep.
So, whenever I share any data, I automatically hear a beep!
Many thanks!

[Question] How to use Tasker to connect and disconnect VPN with "OpenVPN for Android"

Hi folks,
in the past I used "OpenVPN Connect" to connect to my home network.
I found a guide how I can connect and disconnect the VPN automatically with a Tasker task (e.g. when I'm connected to an unknown wifi).
Now I switched to "OpenVPN for Android" for different reasons. I searched the Internet for a similar solution for Tasker, but I didn't find one.
I've managed to set up a task by myself to connect the VPN. But disconnecting doesn't work. aLogcat says "Denied" when I try to call the DisconnectVPN function/class.
I know that there's an app called "OpenVpn Tasker Plugin" which can do this for me. But I'm not a friend of "Apps-for-every-little-task". I would like to solve this with the Tasker actions themselves.
Here are my tasks:
Connect VPN (works!)
Send Intent
Action:android.intent.action.MAIN
Cat:None
Extra:de.blinkt.openvpn.shortcutProfileName:PROFILENAME
Package:de.blinkt.openvpn
Class:de.blinkt.openvpn.LaunchVPN
Target:Activity
Disconnect VPN (doesn't work)
Send Intent
Action:android.intent.action.MAIN
Cat:None
Extra:de.blinkt.openvpn.shortcutProfileName:PROFILENAME
Package:de.blinkt.openvpn
Class:de.blinkt.openvpn.activities.DisconnectVPN
Target:Activity
The kill action to disconnect the VPN works, but the app restarts the VPN connection itself a few seconds later.
Has anyone an idea how to solve this?
Thank you!
Jas Man
This thread came at the right time
Now I'm working with shell commands (action "Run Shell") to run and stop the VPN.
Start VPN: am start -a android.intent.action.MAIN -n de.blinkt.openvpn/.LaunchVPN -e de.blinkt.openvpn.shortcutProfileName PROFILNAME
Stop VPN: am start -a android.intent.action.MAIN -n de.blinkt.openvpn/activities.DisconnectVPN
(must run with root)
I think the problem with the intents is, that I can't start them with root rights.
Last problem: disconnecting needs a confirmation to stop the VPN. I didn't find any option how I can disable this confirmation. Any idea?
Disconnecting by bypassing the notification can be done with this xposed plugin
http://repo.xposed.info/module/de.blinkt.vpndialogxposed
Mmmmh, I think this plugin confirms only the VPN dialog which appeared in Android 4.x ("OpenVPN for Android tries to establish...blablabla").
And this is also an app which I have to install. Then I would prefer the "OpenVPN Tasker" plugin.
But regardless of this, thank you for your post.
if you want to do purely with Tasker, then I suggest you can also opt for the input tap function
Send Intent
Action: android.intent.action.VIEW
Cat: None
Extra: net.openvpn.openvpn.AUTOSTART_PROFILE_NAME: <Your VPN Name>
Package: net.openvpn.openvpn
Class: net.openvpn.openvpn.OpenVPNClient
Target: Activity
for OpenVPN Connect version 1.1.17
I hope this will help you.
vickylahkarbytes said:
if you want to do purely with Tasker, then I suggest you can also opt for the input tap function
That works but only if the screen is not locked. Therefore not usable for me. But also a nice idea.
haode said:
I hope this will help you.
That works only with "OpenVPN Connect". I use "OpenVPN for Android".
There is an OpenVPN Tasker plugin in the Play Store that may help you.
HatchetEgg said:
There is an OpenVPN Tasker plugin in the Play Store that may help you.
At the moment I use this app, but as I wrote in my first post I'm not a friend of "Apps-for-every-little-task". I would like to solve this with the Tasker actions themselves.
Hi,
Thank you for all the info posted. I have done the connect part. But for disconnect nothing works. I have tried both solutions below.
Could you please help?
Code:
am start -a android.intent.action.MAIN -net.openvpn.openvpn/activities.DisconnectVPN
and
Code:
Send Intent
Action: android.intent.action.VIEW
Cat: None
Extra: net.openvpn.openvpn.AUTOSTART_PROFILE_NAME: <Your VPN Name>
Package: net.openvpn.openvpn
Class: net.openvpn.openvpn.DisconnectVPN
Target: Activity
Thank you!
amplatfus said:
Hi,
Thank you for all the info posted. I have done the connect part. But for disconnect nothing works. I have tried both solutions below.
Could you please help?
Code:
am start -a android.intent.action.MAIN -net.openvpn.openvpn/activities.DisconnectVPN
and
Code:
Send Intent
Action: android.intent.action.VIEW
Cat: None
Extra: net.openvpn.openvpn.AUTOSTART_PROFILE_NAME: <Your VPN Name>
Package: net.openvpn.openvpn
Class: net.openvpn.openvpn.DisconnectVPN
Target: Activity
Thank you!
Hello, you can just use the same code that you used to connect the VPN but, replace your VPN name with a bogus name. When it attempts to connect to the bogus VPN it will disconnect from the existing.
Hi, don't know if this is still relevant topic - but I've found a solution. But it requires root.
Just freeze/unfreeze openvpn app when needed - the command would be:
Run Shell pm disable de.blinkt.openvpn
or pm enable de.blinkt.openvpn
P.S. Running a fake vpn connection doesn't help unfortunately.
Author of the app put a solution together later in 2017: https://github.com/schwabe/ics-openvpn/issues/591
And after digging into the patch, the valid configuration should be
Code:
Send Intent
Action:android.intent.action.MAIN
Cat:None
Extra:de.blinkt.openvpn.shortcutProfileName:PROFILENAME
Package:de.blinkt.openvpn
Class:de.blinkt.openvpn.api.DisconnectVPN
Target:Activity
I know this is an ancient question but I haven't seen anyone bring this up other than the GitHub issue. Hope it helps.
Here are my tasks:
Connect VPN (works!)
Send Intent
Action:android.intent.action.MAIN
Cat:None
Extra:de.blinkt.openvpn.shortcutProfileName:PROFILENAME
Package:de.blinkt.openvpn
Class:de.blinkt.openvpn.LaunchVPN
Target:Activity
Disconnect VPN (works!)
Send Intent
Action:android.intent.action.MAIN
Cat:None
Extra:de.blinkt.openvpn.shortcutProfileName:PROFILENAME
Package:de.blinkt.openvpn
Class:de.blinkt.openvpn.activities.api.DisconnectVPN
Target:Activity
Hope it will help you.
Frederick888 said:
Author of the app put a solution together later in 2017: https://github.com/schwabe/ics-openvpn/issues/591
And after digging into the patch, the valid configuration should be
Code:
Send Intent
Action:android.intent.action.MAIN
Cat:None
Extra:de.blinkt.openvpn.shortcutProfileName:PROFILENAME
Package:de.blinkt.openvpn
Class:de.blinkt.openvpn.api.DisconnectVPN
Target:Activity
I know this is an ancient question but I haven't seen anyone bring this up other than the GitHub issue. Hope it helps.
Thank you for posting this :good:
Hi, I'm looking for a similar guide for Tasker for Samsung's S9 VPN, coming from VpnCilla, which unfortunately doesn't support L2TP/IPsec. Currently I believe I just need to know the right package name.
Looking forward for some new answer.
Samsung VPN
Hi,
I also switched VPN app only to Samsung's own VPN.
How would I use this with tasker to auto turn on/off for certain apps?
Delete this.
"am start --user 0 -n de.blinkt.openvpn/.api.DisconnectVPN"
When creating this Task, I get a warning stating:
An external app tries to control OpenVPN for Android. The app requesting access cannot be determined. Allowing this app grants ALL apps access.
Is it not possible to only allow this task to access? I really don't want all apps to have access.
