URL verification

Many Android attacks start with a failure to verify URLs, whether they come from in-app messages that redirect a WebView to a malicious website (taking the user's JWT token along with it) or from deep links that reveal more than they should.

Verify URLs

URLs that arrive from external sources are a subtle, yet common, source of vulnerabilities. The key capability safe to run provides against insecure URLs is urlVerification, which can be called on any string.

The return value is true if the URL passes verification and false if it does not. Verification is allow-list based: anything you have not explicitly allowed is rejected.

Configuration

By default, no URLs are allowed:

"https://safetorun.com".urlVerification {} == false 

However, we can add an allowed host:

val isSafe = "https://safetorun.com".urlVerification {
   "safetorun.com".allowHost()
} // isSafe == true

val isNotSafe = "https://evilwebsite.com".urlVerification {
   "safetorun.com".allowHost()
} // isNotSafe == false

Or, we can allow one specific URL:

val isSafe = "https://safetorun.com".urlVerification {
    "https://safetorun.com".allowUrl()
} // isSafe == true

val isNotSafe = "https://evilwebsite.com".urlVerification {
    "https://safetorun.com".allowUrl()
} // isNotSafe == false

Not recommended, but we can bypass the URL check entirely by allowing all URLs. Note that this lets the malicious host through as well:

val isSafe = "https://safetorun.com".urlVerification {
    allowAnyUrl()
} // isSafe == true

val stillSafe = "https://evilwebsite.com".urlVerification {
    allowAnyUrl()
} // stillSafe == true, which is why this is not recommended

Parameters

By default, no query parameters are allowed, so a URL on an allowed host still fails if it carries one:

"https://safetorun.com?param=abc".urlVerification { 
      "safetorun.com".allowHost()
} == false

We can, however, allow a named parameter with an expected type. Parameters that are not explicitly allowed are still rejected:

val isSafe = "https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
    allowParameter {
        allowedType = AllowedType.String
        parameterName = "param"
    }
} // isSafe == true

val isNotSafe = "https://safetorun.com?unexpected_url=def".urlVerification {
    "safetorun.com".allowHost()
    allowParameter {
        allowedType = AllowedType.String
        parameterName = "param"
    }
} // isNotSafe == false, "unexpected_url" was never allowed

The allowed type is enforced as well: a parameter whose value does not parse as the declared type is rejected. Here "abc" is not a boolean, so the check fails:

"https://safetorun.com?param=abc".urlVerification {  
  "safetorun.com".allowHost()    
  allowParameter {
      allowedType = AllowedType.Bool
      parameterName = "param"
  }
} == false

You can allow very specific URLs, query string included, if you prefer. Only the exact URL matches:

val isSafe = "https://safetorun.com?param=abc".urlVerification {
    "https://safetorun.com?param=abc".allowUrl()
} // isSafe == true

val isNotSafe = "https://safetorun.com?param=def".urlVerification {
    "https://safetorun.com?param=abc".allowUrl()
} // isNotSafe == false

Or, you can bypass the whole parameter check (not recommended ⛔):

"https://safetorun.com?param=abc".urlVerification {
    "safetorun.com".allowHost()
    allowAnyParameter()
} == true

allowAnyUrl() also bypasses the parameter check, so any parameter is accepted:

"https://safetorun.com?param=abc".urlVerification {    
    allowAnyUrl()
} == true

Samples

A sample of protecting your webview from 3rd party websites:

3rd party website protection

A sample of protecting your app from third party intents:

3rd party intent protection
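The two samples above are linked rather than shown. The following is an added example, not the project's own sample code, of how the urlVerification DSL documented on this page can guard both entry points with one shared policy: a WebViewClient that refuses navigation outside the policy, and an Activity that drops deep-link intents whose data URI fails it. It assumes only the calls shown above (urlVerification, allowHost, allowParameter, AllowedType); the import for the DSL is not given on this page, so it is omitted and assumed to be on the classpath. The host, parameter name and class names are illustrative.

```kotlin
import android.app.Activity
import android.content.Intent
import android.os.Bundle
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
// The safetorun urlVerification DSL import is not shown on this page and is
// assumed to be available on the classpath.

// One allow-list policy reused for every externally supplied URL.
// Only safetorun.com with a single string parameter "param" passes;
// other hosts, unexpected parameters and wrongly typed values fail closed.
// (Hypothetical helper name, not part of the library.)
fun String.isAllowedAppUrl(): Boolean = urlVerification {
    "safetorun.com".allowHost()
    allowParameter {
        allowedType = AllowedType.String
        parameterName = "param"
    }
}

// WebView protection: a page (or a redirect, or a link inside a loaded page)
// cannot steer the WebView to a host outside the policy.
class VerifiedWebViewClient : WebViewClient() {
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
        val target = request.url.toString()
        // Returning true tells the WebView NOT to load the URL.
        return !target.isAllowedAppUrl()
    }
}

// Intent / deep-link protection: an Activity exported for a deep link only acts
// on a data URI that passes the same policy; everything else is discarded.
class DeepLinkActivity : Activity() {
    private lateinit var webView: WebView

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        webView = WebView(this).also {
            it.webViewClient = VerifiedWebViewClient()
            setContentView(it)
        }
        handleDeepLink(intent)
    }

    override fun onNewIntent(intent: Intent) {
        super.onNewIntent(intent)
        handleDeepLink(intent)
    }

    private fun handleDeepLink(intent: Intent?) {
        // intent.dataString is attacker-controlled: any app on the device can send it.
        val url = intent?.dataString ?: return
        if (!url.isAllowedAppUrl()) {
            // Do not open, forward or echo a rejected URL; just drop it.
            finish()
            return
        }
        // Within policy: "https://safetorun.com?param=abc" passes,
        // "https://evilwebsite.com" and "https://safetorun.com?token=..." do not.
        webView.loadUrl(url)
    }
}
```

Route every URL that originates outside the app (push payloads, in-app messages, intents, links clicked inside the WebView) through the same isAllowedAppUrl check rather than configuring a separate, looser policy per call site; the check is only as strong as its weakest caller.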
