M66B
App reads content from incoming SMS
Sony, 4.3 JB. App - https://play.google.com/store/apps/details?id=by.belinvestbank , version 1.0.1. SMS category is totally blocked and on-demand restricting is enabled.
W/ActivityManager( 975): Permission denied: checkComponentPermission() owningUid=10230 W/BroadcastQueue( 975): Permission Denial: broadcasting Intent { act=android.provider.Telephony.SMS_RECEIVED flg=0x10 (has extras) } from com.android.phone (pid=1239, uid=1001) is not exported from uid 10230 due to receiver by.belinvestbank/.utils.IncomingSmsReceiver
10230 - by.belinvestbank
Please provide steps to reproduce and a logcat with XPrivacy debug logging enabled.
This is a mobile banking client and it's only available for bank's clients. It uses two factor authentication - server sends verification code via SMS and app automatically reads it. So for you there are no ways to reproduce it.
Log - http://pastebin.com/KCp4uV6p
I have rebooted my phone, connected it to the internet and started the app. App showed field for code and then automatically read it from SMS. Notification about incoming SMS was shown after a few seconds.
I am sorry, but the logcat is too long to look through on my mobile phone (I am currently on the road).
Did you check the usage data for (dangerous) restrictions which are not yet restricted?
I'm sorry, didn't get you. What did you mean? Expert mode is enabled in XPrivacy. SMS category in the app has no usage data.
I had a look at the log, the app does not request anything related to SMS. From looking at the apps (reverse engineered) source code, it uses an intent receiver to intercept the incoming sms, which it then processes using an internal java function (since I am not a developer, I could also be reading the code wrong) There is a (closed source) xposed mod available (de.defim.apk.receiverstop) which can prevent the app from using the intent receiver.
@an0n981: good work! With the name of the intent, I can add a new restriction. Do you know the intent (action) name?
From app android-mainfest: receiver android:exported="false" android:name="by.belinvestbank.utils.IncomingSmsReceiver" action android:name="android.provider.Telephony.SMS_RECEIVED"
But shouldn't this actually already be restricted?
Yes, this intent can be restricted in the messages category. Please try again by restricting all functions in the messages category and please check the usage data again.
Does the debug log log 'danerous' restrictions? If so then in the log provided by @define there should be a reference to the app requesting it, which there isn't, the only app the requests anything is uid 10033.
Here is the relevent part of the provided log
08-02 16:58:12.395 W/XPrivacy( 982): Get service 10033/android.provider.Telephony.SMS_RECEIVED(null;null) messages=!restricted? (ccached) 241 ms
08-02 16:58:12.405 W/XPrivacy/XActivityThread( 2196): Get client 10033/android.provider.Telephony.SMS_RECEIVED(null;null) messages=!restricted 245 ms
08-02 16:58:12.405 W/XPrivacy/XActivityThread( 2196): handleReceiver 246 ms
08-02 16:58:12.415 W/ActivityManager( 982): Permission denied: checkComponentPermission() owningUid=10230
08-02 16:58:12.415 W/BroadcastQueue( 982): Permission Denial: broadcasting Intent { act=android.provider.Telephony.SMS_RECEIVED flg=0x10 (has extras) } from com.android.phone (pid=1256, uid=1001) is not exported from uid 10230 due to receiver by.belinvestbank/.utils.IncomingSmsReceiver
08-02 16:58:12.425 I/XPrivacy/XActivityThread( 2196): Get client 10033/android.provider.Telephony.SMS_RECEIVED(null;null) messages=!restricted (cached) 0 ms
08-02 16:58:12.425 W/qdhwcomposer( 354): Excessive delay reading vsync: took 133 ms
08-02 16:58:12.545 I/XPrivacy( 982): Get service 10033/SmsProvider(content://sms/inbox;null) messages=!restricted? (ccached) 1 ms
08-02 16:58:12.545 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted 3 ms
08-02 16:58:12.545 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms
08-02 16:58:12.585 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms
08-02 16:58:12.585 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms
08-02 16:58:12.615 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms
08-02 16:58:12.615 I/XPrivacy/XContentResolver( 2196): Get client 10033/SmsProvider(content://sms/inbox;null) messages=!restricted (cached) 0 ms
08-02 16:58:12.635 W/AppOps ( 982): Bad call: specified package com.android.phone under uid 10033 but it is really 1001
08-02 16:58:12.645 I/XPrivacy( 982): Get service 10033/MmsProvider(content://mms-sms/threadid?recipient=1239;null) messages=!restricted? (ccached) 1 ms
08-02 16:58:12.645 I/XPrivacy/XContentResolver( 1256): Get client 10033/MmsProvider(content://mms-sms/threadid?recipient=1239;null) messages=!restricted 3 ms
08-02 16:58:12.645 I/XPrivacy/XContentResolver( 1256): Get client 10033/MmsProvider(content://mms-sms/threadid?recipient=1239;null) messages=!restricted (cached) 0 ms
Dangerous restrictions are treated like all other restrictions by the XPrivacy core, so the logcat will list them as any other restriction.
Looking at:
10033/android.provider.Telephony.SMS_RECEIVED(null;null) messages=!restricted?
receiving SMS was simply not restricted and since this issue contains all information now how to solve this, I will close this issue.
It would be helpful to know which application this uid belongs to, since there might be a helper application doing the SMS stuff or the intent may be attributed to the wrong uid (although this is not very likely).
10033 - com.sonyericsson.conversations - standard app for sms. As for 10230 - by.belinvestbank - it's totally restricted.
This says not restricted:
10033/SmsProvider(content://sms/inbox;null) messages=!restricted
Note that I am currently traveling and cannot do much and even if I could, there is little I can do if I cannot reproduce this. So, maybe find another application with the same problem.
Yes, standard app "Conversations" with uid 10033 is not restricted. But by.belinvestbank with uid 10230 is restricted and receives SMS before "Conversations".
I've just restrict SMS_RECEIVED for 10033 - "Conversations". Restricting and on-demand restricting work as they should.
@M66B Do I read this correctly that in compatibility mode this method is only hooked on SDK 19 and above?
mListHook.add(new Hook("messages", "getAllMessagesFromIcc", "RECEIVE_SMS", 10, null, null).notAOSP(19));
Also, another app that uses such a method is WhatsApp during the registration process. However, from I have read here the way incoming SMS are handled was changed in SDK 19. Meaning this issue can only be properly tested on a 4.3 device. From what I understand this method
mListHook.add(new Hook("messages", Telephony.Sms.Intents.SMS_RECEIVED_ACTION, "RECEIVE_SMS", 1, null, null));
is only available starting with SDK 19 and can only be used by the default SMS app, which in this case is 'Conversations' (com.sonyericsson.conversations). This method is not available for API 18 and lower according to the Android Developer website.
@define: Could you test this with WhatsApp, see if WhatsApp can 'intercept' the registration sms with the entire Messaging category restricted. (If you already use WhatsApp be sure to backup your messages using the in app backup option so that you can restore these later, then delete WhatsApp data in the Android settings app)
@an0n981 I have installed WhatsApp. It was successfully registered and verified SMS code with totally restricted Messaging category. In the log I don't see anything about SMS, excepting:
I/ActivityManager( 982): START u0 {cmp=com.whatsapp/.RegisterPhone} from pid 26111 ... I/ActivityManager( 982): START u0 {cmp=com.whatsapp/.VerifySms (has extras)} from pid 26111
I didn't get any notification about SMS. But verification is completed and in the provider's log I found that there was SMS from +17542******.
Also, autostarts doesn't show SMS_RECEIVED subscription for WhatsApp unlike by.belinvesbank.
I will try to find a 4.3 based rom for my device and try to reproduce the issue
The good news is I can reproduce the issue on Slim 4.3 with the latest version of WhatsApp. The bad news is this issue has been around for quite some time, I tested all stable version back to 2.0, none were able to prevent the registration.
I am sorry for this, but as an excuse: there are so many Android APIs (for Lollipop alone more than 5000 new ones), which I did research as good as I could, but it is inevitable I missed something and in this respect it is a pity nobody is helping.
I have no idea yet how the SMS is being read.
Maybe it helps https://stackoverflow.com/questions/4257045/android-register-application-to-receive-sms
Please send me the code charges and the errors you get by PM and I will take a look.
From WhatsApp's manifest
<activity android:configChanges="keyboard|keyboardHidden|orientation|screenLayout|screenSize|smallestScreenSize|uiMode" android:label="@string/verify_sms_header" android:launchMode="singleTask" android:name="com.whatsapp.VerifySms" android:theme="@style/Theme.App.Gray"> <intent-filter> <action android:name="android.intent.action.VIEW"/> <category android:name="android.intent.category.DEFAULT"/> <category android:name="android.intent.category.BROWSABLE"/> <data android:host="r" android:scheme="whatsapp"/> </intent-filter> </activity>