URL verification
Many Android attacks start with a failure to verify URLs, whether they arrive in in-app messages that redirect a WebView to a malicious website (along with any JWT tokens the WebView carries) or in deep links that reveal too much.
Verify URLs
URLs that come from external sources are a subtle yet common source of vulnerabilities. The key capability safe to run provides against insecure URLs is urlVerification, which can be called on any string. It returns true if the URL passes verification and false if it does not.
Configuration
By default, no URLs are allowed:
"https://safetorun.com".urlVerification {} == false
However, we can add an allowed host:
// url = "https://safetorun.com"   -> isSafe == true
// url = "https://evilwebsite.com" -> isSafe == false
val isSafe = url.urlVerification {
    "safetorun.com".allowHost()
}
Or, we can specify an entire URL:
// url = "https://safetorun.com"   -> isSafe == true
// url = "https://evilwebsite.com" -> isSafe == false
val isSafe = url.urlVerification {
    "https://safetorun.com".allowUrl()
}
Not recommended, but we can bypass the URL check entirely by allowing all URLs; note that this makes every URL, including a hostile one, verify as safe:
// url = "https://safetorun.com"   -> isSafe == true
// url = "https://evilwebsite.com" -> isSafe == true (nothing is rejected)
val isSafe = url.urlVerification {
    allowAnyUrl()
}
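The host allowlist above is most useful when it gates navigation inside a WebView, which is where a redirect from an in-app message would otherwise land. The following is an added example of such a WebViewClient; it is not code from the safe to run project. It assumes the DSL shown on this page (String.urlVerification and String.allowHost) is in scope through the import below, whose package path is an assumption, and that the class name AllowlistedWebViewClient and the onBlocked callback are ours.

```kotlin
// Added example, not part of the safe to run library or its documentation.
// The import path is an assumption; adjust it to wherever urlVerification lives in your build.
import android.util.Log
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import com.safetorun.inputverification.url.urlVerification

/**
 * A WebViewClient that only lets the WebView navigate to hosts we explicitly allow.
 * Any other target (a redirect, an injected link, a meta refresh) is dropped rather than loaded,
 * so session material held by the WebView never reaches a third-party site.
 */
class AllowlistedWebViewClient(
    private val allowedHosts: List<String> = listOf("safetorun.com"),
    private val onBlocked: (String) -> Unit = {}
) : WebViewClient() {

    /** True when [url] passes the host allowlist, false otherwise. */
    fun isAllowed(url: String): Boolean = url.urlVerification {
        allowedHosts.forEach { host -> host.allowHost() }
    }

    // Returning true tells the WebView that we handled the navigation ourselves (i.e. we blocked it).
    // Returning false lets the WebView load the request as normal.
    override fun shouldOverrideUrlLoading(view: WebView?, request: WebResourceRequest?): Boolean {
        val target = request?.url?.toString()
        if (target == null) {
            // No URL to inspect: fail closed rather than letting the WebView guess.
            onBlocked("<no url>")
            return true
        }
        return if (isAllowed(target)) {
            false
        } else {
            onBlocked(target)
            true
        }
    }
}

/** Wires the client to a WebView; a redirect to evilwebsite.com would be stopped before it loads. */
fun attachGuardedClient(webView: WebView) {
    webView.webViewClient = AllowlistedWebViewClient(
        allowedHosts = listOf("safetorun.com"),
        onBlocked = { blocked -> Log.w("WebViewGuard", "blocked navigation to $blocked") }
    )
    webView.loadUrl("https://safetorun.com")
}
```

The check is intentionally a plain allowlist: adding a host to allowedHosts is the only way to let navigation through, so a new redirect target has to be reviewed rather than silently permitted.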
Parameters
By default, no query parameters are allowed:
"https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
} == false
We can, however, allow specific parameters by name and type:
// url = "https://safetorun.com?param=abc"           -> isSafe == true
// url = "https://safetorun.com?unexpected_url=def"  -> isSafe == false
val isSafe = url.urlVerification {
    "safetorun.com".allowHost()
    allowParameter {
        allowedType = AllowedType.String
        parameterName = "param"
    }
}
The allowedType is enforced as well: a parameter declared as AllowedType.Bool rejects a string value such as abc:
"https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
    allowParameter {
        allowedType = AllowedType.Bool
        parameterName = "param"
    }
} == false
You can allow very specific URLs, parameters included, if you prefer:
// url = "https://safetorun.com?param=abc" -> isSafe == true
// url = "https://safetorun.com?param=def" -> isSafe == false
val isSafe = url.urlVerification {
    "https://safetorun.com?param=abc".allowUrl()
}
Or, you can bypass the whole parameter check (not recommended ⛔):
"https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
    allowAnyParameter()
} == true
Allowing any URL also allows any parameters:
"https://safetorun.com?param=abc".urlVerification {
    allowAnyUrl()
} == true
Samples
A sample of protecting your WebView from third-party websites:
3rd party website protection
A sample of protecting your app from third-party intents:
3rd party intent protection
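As an added example covering both the Parameters section and the third-party intent sample, here is a deep-link Activity that accepts an incoming intent only when its whole URL, host and query parameters included, passes verification. This is not code from the safe to run project: the import path, the Activity name, and the helper acceptedDeepLinkParam are assumptions, and it assumes the DSL behaves as documented above (an unexpected parameter makes the URL fail verification).

```kotlin
// Added example, not part of the safe to run library or its documentation.
// Import paths are assumptions; adjust them to your build.
import android.app.Activity
import android.net.Uri
import android.os.Bundle
import android.util.Log
import com.safetorun.inputverification.url.AllowedType
import com.safetorun.inputverification.url.urlVerification

/**
 * Validates a deep link of the form https://safetorun.com?param=<string> and returns the
 * value of `param` only if the entire URL passed verification. A different host, an extra
 * query parameter, or a value of the wrong type all make the link fail closed (null).
 */
fun acceptedDeepLinkParam(link: String?): String? {
    if (link == null) return null
    val ok = link.urlVerification {
        "safetorun.com".allowHost()
        allowParameter {
            allowedType = AllowedType.String
            parameterName = "param"
        }
    }
    if (!ok) return null
    // Only read the parameter once the whole URL has been accepted.
    return Uri.parse(link).getQueryParameter("param")
}

/**
 * An exported Activity reachable by other apps via a deep link. It never trusts intent.data
 * directly: the URL goes through acceptedDeepLinkParam first, and anything rejected ends the
 * Activity before any app logic runs on attacker-controlled input.
 */
class DeepLinkActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val link = intent?.dataString
        val param = acceptedDeepLinkParam(link)
        if (param == null) {
            Log.w("DeepLinkGuard", "rejected deep link: $link")
            finish()
            return
        }
        // Verified input: safe to hand on to the rest of the app.
        title = "Opened with param=$param"
    }
}
```

Keeping the verification in a top-level function rather than inside the Activity makes it easy to unit-test the accept and reject cases (a foreign host, an extra parameter, a missing link) without an Android runtime.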