Android: Activity is exported, parameter is accepted from other applications

Aadarsh (aadarsh93)
Dec 5, 2019

Possible account takeover

Short Version:

dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.redacted.android.jobsearch com.redacted.android.jobsearch.MainActivity

Long Version:

One fine day I was having a Coffee.. 😄

naah..

What is this bug?

An Activity is one of the four components that make up an Android application. It can be marked as exported in the AndroidManifest.xml file during development. Only the selected activities that actually need to be reachable from other apps should be marked as exported; if others are exported as well, it can lead to a vulnerability.

How to find this bug?

First we need to find the activities that are exported, by:

1. Reverse engineering the apk file:

i) "apktool d test.apk" - this decodes the APK into a directory that contains the AndroidManifest.xml file, which is the only file we need to focus on for now.

ii) Searching for the <activity> tags in that XML file and checking for the exported="true" attribute gives us the list of activities that are exported.

2. Using Drozer:

i) "dz> run app.activity.info -a com.package.name" - this lists the activities that are exported by a particular application.
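The manifest search in step 1 can be scripted. The following is an added example, not code from the original post or from the client's application; it also reports the case a plain exported="true" search misses, namely an activity that declares an intent-filter but no android:exported attribute at all, which is exported by default for apps targeting SDK 30 and lower. The sample manifest and its package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
VIEW = "android.intent.action.VIEW"

def _attr(elem, name):  # read an android:-namespaced attribute, e.g. android:exported
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def exported_activities(manifest_xml):
    """Return (activity, reason, accepts_view_uri) for each exported activity.
    Exported = android:exported="true", or an <intent-filter> with no exported
    attribute (the implicit default before targetSdk 31). accepts_view_uri is
    True when a filter declares ACTION_VIEW plus <data>, i.e. other apps can
    hand the activity a URI, which is the entry point of the bug above."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for act in root.iter("activity"):
        name = _attr(act, "name") or ""
        if name.startswith("."):           # short form ".MainActivity"
            name = package + name
        exported = _attr(act, "exported")
        filters = act.findall("intent-filter")
        if exported == "true":
            reason = "exported=true"
        elif exported is None and filters:
            reason = "implicit via intent-filter"
        else:
            continue                        # exported="false" or not reachable
        takes_uri = any(
            f.findall("data") and any(_attr(a, "name") == VIEW for a in f.findall("action"))
            for f in filters)
        found.append((name, reason, bool(takes_uri)))
    return found

# Constructed sample manifest; the package name is a placeholder, not the client's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.jobsearch">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.VIEW"/><data android:scheme="http"/></intent-filter>
    </activity>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".InternalActivity"/>
  </application>
</manifest>"""
```

Calling exported_activities(SAMPLE_MANIFEST) reports MainActivity (explicitly exported, accepts a VIEW URI) and ShareActivity (implicitly exported, no URI), and skips the two others. Point the function at the AndroidManifest.xml that apktool produced to get the same report for a real app.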

After finding the activities that are exported, we need to do source code analysis on them. While doing one such analysis, I found that the application was accepting parameters from other applications installed on the phone.

Impact of the bug:

So this was the PoC I sent to the client:

dz> run app.activity.start --action android.intent.action.VIEW --data-uri http://www.google.com --component com.redacted.android.jobsearch com.redacted.android.jobsearch.MainActivity

This means any URL can be opened by a malicious app via the client's application. So if an attacker makes a login page that looks like the client's page, it will load inside the application (the WebView did not display the URL either, so it is even stealthier), and the user might enter his credentials, which would be received by the attacker, leading to compromise of his account.

A classic phishing attack performed by using the legit application as the phishing platform.

Possible fix:

Although exporting the activity was needed, there was no real use case for receiving the parameter (the login URL) from other applications. Validating the URL against a whitelist will fix the bug.
