Safe to run

URL verification

Many Android attacks start with a failure to verify URLs, whether they come from in-app messages that redirect WebViews to malicious websites (JWT tokens included) or from deep links that reveal too much.

Verify URLs

URLs received from external sources are a subtle yet common source of vulnerabilities. The key capability Safe to run provides for handling untrusted URLs is the ability to call urlVerification on a string.
The return value is true if the URL passes verification, and false if not.

Configuration

By default, no URLs are allowed:
"https://safetorun.com".urlVerification {} == false
However, we can add an allowed host:
val url = "https://safetorun.com" // isSafe == true
// val url = "https://evilwebsite.com" // isSafe == false
val isSafe = url.urlVerification {
    "safetorun.com".allowHost()
}
Or, we can specify an entire URL:
val url = "https://safetorun.com" // isSafe == true
// val url = "https://evilwebsite.com" // isSafe == false
val isSafe = url.urlVerification {
    "https://safetorun.com".allowUrl()
}
Not recommended, but we can bypass any URL check by allowing all URLs:
val url = "https://safetorun.com" // isSafe == true
// val url = "https://evilwebsite.com" // isSafe == true as well, because every URL is allowed
val isSafe = url.urlVerification {
    allowAnyUrl()
}

Parameters

By default, no parameters are allowed:
"https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
} == false
We can, however, allow specific parameters:
val url = "https://safetorun.com?param=abc" // isSafe == true
// val url = "https://safetorun.com?unexpected_url=def" // isSafe == false
val isSafe = url.urlVerification {
    "safetorun.com".allowHost()
    allowParameter {
        allowedType = AllowedType.String
        parameterName = "param"
    }
}
A parameter is accepted only if its value matches the allowed type:
"https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
    allowParameter {
        allowedType = AllowedType.Bool
        parameterName = "param"
    }
} == false
You can allow very specific URLs if you prefer:
val url = "https://safetorun.com?param=abc" // isSafe == true
// val url = "https://safetorun.com?param=def" // isSafe == false
val isSafe = url.urlVerification {
    "https://safetorun.com?param=abc".allowUrl()
}
Or, you can bypass the whole check for parameters (not recommended):
"https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
    allowAnyParameter()
} == true
Allowing any URL also allows any parameters:
"https://safetorun.com?param=abc".urlVerification {
    allowAnyUrl()
} == true
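
A standalone Kotlin sketch of the default-deny behaviour described in the Configuration and Parameters sections, added here as an illustration; it is not Safe to run's implementation or API. UrlPolicy, ParamType and the HTTPS-only rule are assumptions, and the sample URLs are constructed.

```kotlin
import java.net.URI

// Hypothetical names throughout; this is not the Safe to run API.
enum class ParamType { STRING, BOOL }

class UrlPolicy(
    private val allowedHosts: Set<String>,
    private val allowedParams: Map<String, ParamType> = emptyMap(),
) {
    fun isSafe(url: String): Boolean {
        // Unparseable input is rejected rather than guessed at.
        val uri = runCatching { URI(url) }.getOrNull() ?: return false
        // Assumption for this sketch: only HTTPS URLs are acceptable.
        if (!uri.scheme.equals("https", ignoreCase = true)) return false
        // Compare the parsed host exactly; substring or prefix checks on the
        // raw string would accept lookalike hosts.
        val host = uri.host?.lowercase() ?: return false
        if (host !in allowedHosts) return false
        // Default deny: every query parameter must be named in the policy
        // and its value must match the declared type.
        val query = uri.rawQuery ?: return true
        return query.split("&").all { pair ->
            val name = pair.substringBefore("=")
            val value = pair.substringAfter("=", "")
            val type = allowedParams[name] ?: return@all false
            when (type) {
                ParamType.STRING -> true
                ParamType.BOOL -> value == "true" || value == "false"
            }
        }
    }
}

fun main() {
    val policy = UrlPolicy(setOf("safetorun.com"), mapOf("param" to ParamType.STRING))
    // Constructed sample inputs covering the cases on this page plus a lookalike host.
    listOf(
        "https://safetorun.com",
        "https://safetorun.com?param=abc",
        "https://safetorun.com?unexpected_url=def",
        "https://evilwebsite.com",
        "https://safetorun.com.evilwebsite.com",
        "not a url",
    ).forEach { println("$it -> ${policy.isSafe(it)}") }
}
```

Only the first two inputs pass; everything else, including the lookalike host and the unparseable string, is rejected.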

Samples

A sample of protecting your webview from 3rd party websites:
A sample of protecting your app from third party intents: