Android mReferrer Security Analysis: Source Tracing and Anti-Forgery Solutions
The article reveals that Android’s Activity mReferrer field, derived from Context.getBasePackageName(), can be forged by overriding getBasePackageName(), outlines its data flow from ActivityTaskManagerService to Activity.attach, and recommends using the immutable UID via Binder.getCallingUid() for reliable source verification.
This article analyzes the security of Android Activity's mReferrer field, which is commonly used via reflection to obtain the source package name when handling external app jumps through DeepLink.
The author explains that the mReferrer field can be easily forged by overriding the context's getBasePackageName() method, potentially causing business logic errors or financial losses. Through extensive debugging and reverse analysis of Android source code, the article traces the complete data flow: mReferrer originates from ActivityTaskManagerService.startActivity, which gets the callingPackage from Context.getBasePackageName(). This value then flows through ActivityClientRecord and LaunchActivityItem via Binder serialization to finally populate Activity.mReferrer in the attach() method.
To address this security issue, the author proposes verifying the UID instead of the package name. Because the UID is obtained via Binder.getCallingUid() in the system process, it cannot be forged by applications. The article provides implementation code:
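    import java.lang.reflect.Method;
    import android.app.Activity;
    import android.app.ActivityManager;
    import android.os.IBinder;

    // Member of an Activity subclass; the reflected methods are hidden (non-SDK) framework APIs.
    private String reRealPackage() {
        try {
            Method getServiceMethod = ActivityManager.class.getMethod("getService");
            Object sIActivityManager = getServiceMethod.invoke(null);
            Method sGetLaunchedFromUidMethod = sIActivityManager.getClass().getMethod("getLaunchedFromUid", IBinder.class);
            Method sGetActivityTokenMethod = Activity.class.getMethod("getActivityToken");
            IBinder binder = (IBinder) sGetActivityTokenMethod.invoke(this);
            // UID the system server recorded for the caller that launched this Activity
            int uid = (int) sGetLaunchedFromUidMethod.invoke(sIActivityManager, binder);
            // null when the UID maps to no package; several entries when packages share a UID
            String[] packages = getPackageManager().getPackagesForUid(uid);
            if (packages != null && packages.length > 0) {
                return packages[0];
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return "null"; // string sentinel: the lookup failed
    }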
The article concludes that mReferrer can be easily forged and that developers should use UID-based verification through ActivityManagerService for secure source verification.
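One way to act on the UID once it has been obtained, as an added example that is not code from the original article: a plain-Java policy check that treats mReferrer as a caller-supplied claim and the UID's package list as the authority. The class name, Verdict values, allowlist and sample package names are hypothetical; uidPackages stands for the result of getPackageManager().getPackagesForUid(uid).

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;

public class LaunchSourceCheck {

    enum Verdict { TRUSTED, UNTRUSTED_SOURCE, REFERRER_MISMATCH, UNKNOWN_UID }

    /**
     * @param claimedReferrer package name read from mReferrer (caller-controlled claim)
     * @param uidPackages     packages owned by the launching UID; may be null
     * @param allowlist       packages permitted to trigger the DeepLink (assumed policy)
     */
    static Verdict check(String claimedReferrer, String[] uidPackages, Set<String> allowlist) {
        // Fail closed when the system reports no package for the UID.
        if (uidPackages == null || uidPackages.length == 0) {
            return Verdict.UNKNOWN_UID;
        }
        List<String> owners = Arrays.asList(uidPackages);
        // The claim must belong to the launching UID; otherwise it is not trustworthy.
        if (claimedReferrer != null && !owners.contains(claimedReferrer)) {
            return Verdict.REFERRER_MISMATCH;
        }
        // A shared UID maps to several packages: test all of them, not only [0].
        for (String pkg : owners) {
            if (allowlist.contains(pkg)) {
                return Verdict.TRUSTED;
            }
        }
        return Verdict.UNTRUSTED_SOURCE;
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from the article.
        Set<String> allowlist = Set.of("com.example.partner");
        String[] partnerUid = {"com.example.partner"};
        String[] otherUid = {"com.example.other"};
        String[] sharedUid = {"com.example.helper", "com.example.partner"};

        System.out.println(check("com.example.partner", partnerUid, allowlist)); // genuine launch
        System.out.println(check("com.example.partner", otherUid, allowlist));   // claim does not match UID
        System.out.println(check("com.example.other", otherUid, allowlist));     // honest but not allowed
        System.out.println(check("com.example.helper", sharedUid, allowlist));   // shared UID
        System.out.println(check("com.example.partner", null, allowlist));       // UID lookup failed
    }
}
```

Logging REFERRER_MISMATCH separately from UNTRUSTED_SOURCE gives a direct signal that a caller supplied a package name it does not own.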
vivo Internet Technology