Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ambiguity in Risk of Exporting FirebaseMessagingService-type Services Without Permissions #868

Open
jleadford opened this issue Apr 30, 2019 · 1 comment
Open

Ambiguity in Risk of Exporting FirebaseMessagingService-type Services Without Permissions #868

jleadford opened this issue Apr 30, 2019 · 1 comment
Labels
api: messaging type: question

Comments

@jleadford
Copy link

I have a general question.

This pull request: #850

explicitly disables the export of the sample FirebaseMessaging Service, i.e.

<service android:name=".java.MyFirebaseMessagingService" android:exported="false">

because, and it says, "Set FirebaseMessagingServices to exported="false" to explicitly
prevent other apps from being able to send messages to it."

This is a good practice, but other documentation (see e.g. https://stackoverflow.com/a/43991861) notes that runtime checks (in the FCM code) prevent other applications from calling into this Service arbitrarily.

Experimentally, this seems to be the case:

  1. Create some app that extends the FirebaseMessaging class, and notes the following block in its manifest

<service android:name=".java.MyFirebaseMessagingService"> <service android:name=".java.MyFirebaseMessagingService""> <intent-filter> <action android:name="com.google.firebase.MESSAGING_EVENT" /> </intent-filter>

which was the default before the noted PR.

  1. Set a breakpoint on the extended class's onMessageReceived method, in e.g. Android Studio

  2. Run the application under Debug, foreground it, and issue the following ADB command (with suitably replaced options) to start the Service with an intent

adb shell am startservice -n com.test.android.app/com.foo.java.MyFirebaseMessagingService -a com.google.firebase.MESSAGING_EVENT

  1. Notice that your breakpoint is not hit, even though the Intent was sent successfully

This was repeated with various intent extras, as well. And with runtime method hooking of onMessageReceived with https://www.frida.re/, to log if it is called.

So, just wondering if someone could clear up this ambiguity-- is it actually a risk to export said service (i.e. com.google.firebase.messaging.FirebaseMessagingService and classes that extend it) without permissions (as the PR implies), or is it not (as the noted documentation states)?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
api: messaging type: question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@samtstern @jleadford @google-oss-bot