[MUSIC] One of the things that we have to be careful of when we're building activities and services and broadcast receivers, is that we don't accidentally take the permissions, and the capabilities, and the resources that we've been given access to, and expose those permissions or capabilities to other apps. So, how we go about accidentally exposing let's for example say, a resource that we were given access to, in this case, the Internet to another application? Well, intents give other applications the ability to communicate with us. In our process communication gives other applications ability to communicate with us. So whenever we build services or capabilities that allow other activities or other applications to communicate with our activities, we have to be very careful that the way that those activities behave, doesn't violate the trust that's been placed in those activities in terms of permissions that have been given. So, for example, let's take a look at this code base here. We see that we've got a simple DownloadActivity which seems like a good idea to help other people be able to download files. So, we have this DownloadActivity that we're going to expose to other activities to allow them to send us an intent that specifies an address of some resource on the Internet that they would like to download. And then a file where they would like that resource saved. And then that other activity can go and get access to it. So, we'll see that in our onCreate method, we do the normal things where we set up the ContentView for this activity. And then we do something interesting, we do this performDownload. So, immediately upon starting up, our activity is going to try to download some file from the Internet. Now clearly, in order for this code to work, our activity had to be given Internet permission. Otherwise any attempt to access the Internet simply not going to work. So, let's take a look at what we do with that permission, that capability, and how we then leak that, or cause a privilege escalation potentially from another application. So, in our performDownload method, the very first thing that we do is we go and get the intent out that's actually been sent to us. And one of the things that we see in that intent is an address of the file that the caller would like downloaded. We then take that intent and we also extract the actual location where the caller would like that file saved. And then finally, we simply go and download that file and save it to disk. Now, can you see the problem with this code that we've got here? Do you see the issue that we're creating? In order for us to be able to go and download this file, and save it to disk, that requires that our app have a series of permissions. In particular, the Internet permission, but other people, other apps can simply send us an intent and we will go and download a file for them. And we are placing no restrictions on what files or will go and get. So, we'll take anything in the address, we don't care what's on that address. And we'll save it to any old place on disk so, any place that we can access and that another app tells us to save it, we will going save that resource that we download from the Internet there. So, another app doesn't actually have to get the Internet permission. All another app needs to do is send us an intent and we'll go and do the work on that other app's behalf. Now, if you remember early on in the series of lectures, we talked about this model of apps or people, and how apps can try to manipulate each other. And we gave an analogy of convincing the bank manager to go and rob the bank vault for you. And that's essentially what this code is doing. Another app is convincing our code because we're naive in the way that we build this, to go and download some arbitrary resource from the Internet. There are no checks that are being placed on what's being downloaded or what's being done with it. So, we're essentially through all of this code that we've got here. We are causing a privilege escalation. Or a potential privilege escalation. And that's because anybody can call this activity and tell it to go get something off the Internet, which is something that should require Internet permissions. But in this case, we already have the permission, so the caller doesn't need it. And that's a problem. Because that's allowing us to leak access to a critical resource that we've been given access to, to another app. And so, now, all that's some malware needs to do is simply go and fire off an intent to our application. We'll go off and actually access the Internet for it and then, send it back and say, we're done downloading it, and then the malware can go and access the downloaded file. And get it, and do whatever it needs to do with it. So suddenly, the malware doesn't need the Internet permission anymore because we're creating a privilege escalation situation where it can simply get access to the resource that it wants through us.
