Comment on page

URL verification

Many android attacks start with a failure to verify URLs - whether they come from in-app messages that redirect Web Views to malicious websites (JWT tokens included) or deep links that reveal too much

Verify URLs​​
URLs input from external sources are a subtle, yet common source of vulnerabilities. The key capability provided by safe to run in respect of insecure URLs is the ability to call urlVerification on a string.
The return value is true if the URL verification is safe, and false if not
Configuration​​
By default, no URLs are allowed:
"https://safetorun.com".urlVerification {} == false 
However, we can add an allowed host:
val url = "https://safetorun.com" // isSafe == true 
val url = "https://evilwebsite.com" // isSafe == false
​
val isSafe = url.urlVerification {   
   "safetorun.com".allowHost()
}
Or, we can specify an entire URL:
val url = "https://safetorun.com" // isSafe == true 
val url = "https://evilwebsite.com" // isSafe == false
​
val isSafe = urlrification {  
    "https://safetorun.com".allowUrl()
} == true 
Not recommended - but we can bypass any URL check by allowing all urls:
val url = "https://safetorun.com" // isSafe == true 
val url = "https://evilwebsite.com" // isSafe == false
​
val isSafe = url.urlVerification { 
    allowAnyUrl()
} 
Parameters​​
By default, no parameters are allowed;
"https://safetorun.com?param=abc".urlVerification { 
      "safetorun.com".allowHost()
} == false
We can, however add some allowable configuration:
val url = "https://safetorun.com?param=abc" // isSafe == true 
val url = "https://safetorun.com?unexpected_url=def" // isSafe == false
​
val isSafe = url.urlVerification {
    "safetorun.com".allowHost()
    allowParameter {        
        allowedType = AllowedType.String
        parameterName = "param"
    }
} 
These allowed types will only allow the correct types to be used as parameters:
"https://safetorun.com?param=abc".urlVerification {  
  "safetorun.com".allowHost()    
  allowParameter {
      allowedType = AllowedType.Bool
      parameterName = "param"
  }
} == false
You can allow very specific URLs if you prefer:
val url = "https://safetorun.com?param=abc" // isSafe == true 
val url = "https://safetorun.com?param=def" // isSafe == false
​
val isSafe = url.urlVerification {   
    "https://safetorun.com?param=abc".allowUrl()
} 
Or, you can bypass the whole check for parameters (not recommended ⛔
):
"https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
    allowAnyParameter()
} == true
Any URL will also allow parameters:
"https://safetorun.com?param=abc".urlVerification {    
    allowAnyUrl()
} == true
Samples​​
A sample of protecting your webview from 3rd party websites:
​3rd party website protection​
A sample of protecting your app from third party intents:
​3rd party intent protection​

Intent verification

Safe to run - Resilience

Last modified 1yr ago

URL verification

Verify URLs​​

Configuration​​

Parameters​​

Samples​​

Verify URLs

Configuration

Parameters

Samples