Let's talk about some new stories that have been out on the internet about different security issues that we've seen with some production apps. These are some pretty big name apps that have had security issues, and we don't write apps that have these same flaws. Now the specific type of flaw we're going to look at in this case is called a privilege escalation. Now you may say, well, I would never write an app that would accidentally have this flaw. But, the reality is, these are very subtle mistakes that developers make, where they don't realize the ramifications of the decisions they're making, particularly when they let other apps talk to their app in order to access services within their app. It's very easy to make mistakes to accidentally break things like the permissions model on Android.

Now, you may say I'll never do that. Let's show you how you could accidentally and inadvertently do something like this with the iRemember app. Let's talk about two services that we could extend the iRemember app with that might seem benign and very helpful to other apps on the device, but that we can actually show will create a security issue on the device. So let's talk about these two services that we're going to extend the iRemember app with, and then use as an example of poor security.

So the first one is we decide that we'd like to be able to share stories via an intent, so that other apps that allow you to compose a story, and maybe attach a photo to a story, can simply send an intent to this service. So they'll send an intent, and that intent will have a story, plus a photo, and then the service will go off and share that story and that photo that the other app sent to us. Now, let's further assume that, you know, to be really flexible, we decide that we want to create a version of the iRemember app that can share stories and photos to different servers on the Internet.
So, we don't want to control all of the iRemember servers, we want to have, maybe, iRemember servers that are for Vanderbilt University, or a set of iRemember servers that are for the University of Maryland. Because we want to be able to have different sets of stories and photographs depending on the location. And we decide we don't want to centrally manage all that information. So one of the things that we could do on this intent is we could allow it to also include the URL of the server that we want to share that story and that photo with. And then what we would do is, when this intent gets sent to this service to share the story and photo, it would go off and would access the internet, and do the actual share for us by sending it to that server. Now this seems like a very benign thing, but as we'll show in a second here, this actually opens up a security hole in Android's permissions model.

Now let's look at our second service that we're going to add. So let's say, for example, that we decided that we want to be able to attach photos to the stories in iRemember, but attach photos that aren't necessarily locally stored on the device. So we want the user to be able to type in a URL of a photo to share. Maybe it's a photo that's stored on Facebook's servers or Google+'s servers or somewhere else. So we want to give the ability for a user to specify an arbitrary URL. And then we want to create a service that will automatically go and fetch that photo from the Internet and download it to the local disk, and then return a file descriptor, or URI, specifying where that photo was downloaded to. But, since we're already going in and creating a capability to allow other apps to share stories and photos, why don't we go ahead and just expose this service to download arbitrary photos from the internet as an intent service, as well.
Similarly, we'll allow apps to send to this service an intent, and in that intent we will have the URL of the photo that we want to go and collect from the internet. The service will go and access the internet, it'll download that file, and then it will return to this original service the file that was downloaded, a location of that file that was downloaded. Again, this seems like a helpful service that we could have our app, the iRemember app, expose to other apps on the device, so that it makes it easier for them to share photos and stories. But in both cases, we'll actually see that we're doing something inadvertently that's breaking Android's permissions model.

One of the things to remember is that for both of these to work we're going to have to add the uses permission to iRemember for internet. Now, we've already probably got it there for the capabilities that we were exposing iRemember, but we have to remember that we have internet permissions in order for all of this to work.
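
The two intent services described above, declared in an Android manifest so that only callers which already hold the INTERNET permission can reach them. This is an added example, not part of the lecture or the iRemember source; the package, class and action names are assumptions.

```xml
<!-- Added example: package, service class and action names are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iremember">

    <!-- iRemember itself needs network access for both services to work. -->
    <uses-permission android:name="android.permission.INTERNET" />

    <application>

        <!-- Story/photo sharing service. It is exported so other apps can
             send it an intent carrying a story, a photo and a server URL.
             Weak form: the same element WITHOUT android:permission. Then an
             app that holds no INTERNET permission could still have data sent
             to a server of its choosing, using iRemember's permission.
             Corrected form (below): the caller must hold INTERNET itself,
             so it gains nothing it could not already do on its own. -->
        <service
            android:name=".StoryShareService"
            android:exported="true"
            android:permission="android.permission.INTERNET">
            <intent-filter>
                <action android:name="com.example.iremember.action.SHARE_STORY" />
            </intent-filter>
        </service>

        <!-- Photo download service. Same reasoning: without
             android:permission, any app could have an arbitrary URL fetched
             on its behalf. If no other app needs this service, setting
             android:exported="false" removes the exposure entirely. -->
        <service
            android:name=".PhotoDownloadService"
            android:exported="true"
            android:permission="android.permission.INTERNET">
            <intent-filter>
                <action android:name="com.example.iremember.action.DOWNLOAD_PHOTO" />
            </intent-filter>
        </service>

    </application>
</manifest>
```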