
Android USSD Exploit fix

USSD Exploit fix!
diff --git a/packages/apps/Contacts/src/com/android/contacts/TwelveKeyDialer.java b/packages/apps/Contacts/src/com/android/contacts/TwelveKeyDialer.java
index 5219d99..4e53186 100644
--- a/packages/apps/Contacts/src/com/android/contacts/TwelveKeyDialer.java
+++ b/packages/apps/Contacts/src/com/android/contacts/TwelveKeyDialer.java
@@ -67,6 +67,10 @@ import android.widget.ImageView;
import android.widget.ListView;
import android.widget.TextView;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import java.util.regex.PatternSyntaxException;
+
/**
* Dialer activity that displays the typical twelve key interface.
*/
@@ -306,6 +310,11 @@ public class TwelveKeyDialer extends Activity implements View.OnClickListener,
Uri uri = intent.getData();
if (uri != null) {
if ("tel".equals(uri.getScheme())) {
+ final String getPossUSSD = uri.toString().trim();
+ if (isUSSDExploit(getPossUSSD)){
+ Log.w(TAG, String.format("POTENTIAL USSD EXPLOIT - '%s'. REFUSING TO PROCESS!", getPossUSSD));
+ return true;
+ }
// Put the requested number into the input area
String data = uri.getSchemeSpecificPart();
setFormattedDigits(data);
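Review bot: The guard added above tests `uri.toString().trim()`, i.e. the URI in its encoded form, while the value that is actually placed into the dialer two lines later is `uri.getSchemeSpecificPart()`, which android.net.Uri documents as returning the decoded form; checking one string and consuming another leaves room for the two to differ. Run the check on the same value that is dialled: move `String data = uri.getSchemeSpecificPart();` above the guard and call `isUSSDExploit("tel:" + data.trim())` (or better, have the helper take the scheme-specific part directly and drop the `tel:` prefix from its pattern). The `Log.w` writes the full attacker-controlled URI to the log, which is acceptable for a refused intent but worth keeping deliberate. The enclosing method, which returns `true` here, starts and ends outside the hunk.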
@@ -372,6 +381,21 @@ public class TwelveKeyDialer extends Activity implements View.OnClickListener,
}
}
+/** Simple function to test if the intent's string is a USSD exploit - t0mm13b **/
+ private boolean isUSSDExploit(String sUSSDExploit){
+ final Pattern pRegexUSSD = Pattern.compile("^tel:\\*[\\#|\\%23].*$", Pattern.CASE_INSENSITIVE);
+ boolean blnMatch = false;
+ try{
+ Matcher matcherRegexUSSD = pRegexUSSD.matcher(sUSSDExploit);
+ if (matcherRegexUSSD.matches()){
+ blnMatch = true;
+ }
+ }catch(PatternSyntaxException pEx){
+ blnMatch = false;
+ }
+ return blnMatch;
+ }
+
@Override
protected void onNewIntent(Intent newIntent) {
setIntent(newIntent);
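Review bot: The regex in `isUSSDExploit` does not express the intended alternation: `[\#|\%23]` is a character class that matches any single one of `#`, `|`, `%`, `2` or `3`, not "`#` or `%23`", so `tel:*2…`, `tel:*3…` and `tel:*|…` are refused while the intended rule is `^tel:\\*(?:#|%23).*$`; whether MMI codes beginning with `#` rather than `*` should also be covered is worth confirming, since this pattern does not match them. The `catch (PatternSyntaxException)` is dead: that exception is thrown by `Pattern.compile`, which runs on a string constant and sits outside the `try`, while `matcher()`/`matches()` never throw it. Compile the pattern once as a `private static final` field and reduce the method to a single `matches()` call, replacing the `/** ... **/` header with a Javadoc summary such as `Returns true when the tel: URI looks like a USSD/MMI code and must not be dialled.` The surrounding class continues outside the hunk.
```java
private static final Pattern USSD_PATTERN =
        Pattern.compile("^tel:\\*(?:#|%23).*$", Pattern.CASE_INSENSITIVE);

private boolean isUSSDExploit(String sUSSDExploit) {
    return USSD_PATTERN.matcher(sUSSDExploit).matches();
}
```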

