-
oversecured.com
16 15 11
Amobileapplicationvulnerabilityscanner,designedforDevOpsprocessintegration,thatisbuilttoprotectyourcustomers'privacyanddefendtheirdevicesagainstmodernthreats.
ovaa-debug.apk
Package oversecured.ovaa Version 1.0
Statistics42vulnerabilitiesfound
HighseverityvulnerabilitiesCanleadtouserdatabeingleakedandtoaseriousviolationoftheuser'sprivacy
37%
MediumseverityvulnerabilitiesMayaffecttheapp'slevelofprotectionandreducethelevelofsecurity
36%
LowseverityvulnerabilitiesViolatebestpractices
27%
Listofvulnerabilities
Category Level Amount
1 ArbitraryCodeExecution High 1
2 MemoryCorruption High 1
3 Theftofarbitraryfiles High 2
4 Abilitytostartarbitrarycomponents High 1
5 Cross-siteScripting High 1
6 Possibilityofaccesstoarbitrary*contentproviders High 1
7 UsinganimplicitintentinsendBroadcast High 1
-
8 Hardcodedpasswordortoken High 1
9 Insecureactivitystart High 1
10 Internetserviceaddresssubstitution High 1
11 Loadinganarbitraryclass High 1
12 Insecurestorageofdevicelogs High 1
13 Useofbypassablehostcheck High 1
14 UseofsetResultforexportedactivity High 1
15 Debuggableattributeissettotrue High 1
16 Deletionofarbitraryfiles Medium 1
17 InformationLeakage Medium 2
18 FakeHTTPrequest Medium 1
19 Passinginfecteddatatoanativemethod Medium 1
20 Passwordstorageonthedevice Medium 1
21 UseofinsecureHTTPprotocol Medium 1
22 StoringdataontheSDcard Medium 2
23 Fakefilepath Medium 3
-
24 FileaccessfromfileURIsisenabledforWebView Medium 1
25 ContentaccessisenabledforWebView Medium 1
26 FileaccessisenabledforWebView Medium 1
27 Applicationbackupisallowed Low 1
28
Usinganimplicitintentforstartinganactivitywithoutpotentiallysensitiveinformation
Low 3
29 Exportedcontentprovider Low 1
30 Exportedactivity Low 3
31 Exportedservice Low 1
32 UseofsetJavaScriptEnabled Low 1
33 Vulnerablehashalgorithms Low 1
Vulnerabilitiesinthecode
ArbitraryCodeExecutionFoundinthefileoversecured/ovaa/OversecuredApplication.java12
}1314 privatevoidinvokePlugins(){15
for(PackageInfoinfo:getPackageManager().getInstalledPackages(0)){16
StringpackageName=info.packageName;17
Bundlemeta=info.applicationInfo.metaData;18
if(packageName.startsWith("oversecured.plugin.")&&meta.getInt("version",-1)>=10){19
try{
20createPackageContext(packageName,3).getClassLoader().loadClass("oversecured.plugin.Loader").getMethod("loadMetadata",
Context.class).invoke(null,this);
21 }catch(Exceptione){22 thrownewRuntimeException(e);23 }
-
Vulnerabilitydescription
Arbitrarycodeexecutiongivesanattackerunrestrictedcapabilitiesandtheabilitytoperformanyactionsinthecontextofanattackedapplication.Theattackerthusgainsaccesstoalltheapplication'sfunctionsandtoanysensitiveinformationtowhichtheapplicationhasaccess.
Remediation
Toavoidarbitrarycodeexecution,theapplicationshouldsanitizeallreceiveddataorchangeitsarchitecturetopreventunintendedaccesstosensitivecomponents.
MemoryCorruptionFoundinthefileoversecured/ovaa/objects/MemoryCorruptionParcelable.java12
returnnewMemoryCorruptionParcelable[i];13 }1415
publicMemoryCorruptionParcelablecreateFromParcel(Parcelparcel){16
returnnewMemoryCorruptionParcelable(parcel);17 }18 };1920
privatestaticfinalGsonGSON=newGsonBuilder().create();21
publicObjectdata;2223
privateMemoryCorruptionParcelable(Parcelparcel){24 try{25
this.data=GSON.fromJson(parcel.readString(),Class.forName(parcel.readString()));26
}catch(ClassNotFoundExceptione){27 thrownewRuntimeException(e);28
}
Vulnerabilitydescription
Theattackercontrolsanativeaddressthattheapplicationdereferencesorusesotherwise,whichmayleadtomemorycorruptionintheapplication.Thiserrorinsomecasesmayberaisedpriortotheexecutionofarbitrarycode.
Remediation
Itisrecommendedtotakemeasurestopreventtheattackerfromcontrollingnativeaddressesinanywaypossible.
TheftofarbitraryfilesFoundinthefileoversecured/ovaa/activities/MainActivity.java23
findViewById(2131165275).setOnClickListener(newOnClickListener(){24
publicvoidonClick(Viewview){25
MainActivity.this.checkPermissions();26
IntentpickerIntent=newIntent("android.intent.action.PICK");27
pickerIntent.setType("image/*");28
MainActivity.this.startActivityForResult(pickerIntent,1001);29 }30
});31
findViewById(2131165251).setOnClickListener(newOnClickListener(){
Foundinthefileoversecured/ovaa/activities/MainActivity.java47
}4849 @Override
-
50
protectedvoidonActivityResult(intrequestCode,intresultCode,Intentdata){51
super.onActivityResult(requestCode,resultCode,data);52
if(resultCode==-1&&data!=null&&requestCode==1001){53
FileUtils.copyToCache(this,data.getData());54 }55 }56
Foundinthefileoversecured/ovaa/utils/FileUtils.java21
file.delete();22 }2324
publicstaticFilecopyToCache(Contextcontext,Uriuri){25 try{26
FileexternalCacheDir=context.getExternalCacheDir();27
Fileout=newFile(externalCacheDir,""+System.currentTimeMillis());28
InputStreami=context.getContentResolver().openInputStream(uri);29
OutputStreamo=newFileOutputStream(out);30 IOUtils.copy(i,o);31 i
.close();32 o.close();33 returnout;
Foundinthefileorg/apache/commons/io/IOUtils.java710 }711 }712713
publicstaticintcopy(InputStreaminput,OutputStreamoutput)throwsIOException{714
longcount=copyLarge(input,output);715 if(count>2147483647L){716
return-1;717 }718 return(int)count;719 }720721
publicstaticlongcopy(InputStreaminput,OutputStreamoutput,intbufferSize)throwsIOException{722
returncopyLarge(input,output,newbyte[bufferSize]);723 }724725
publicstaticlongcopyLarge(InputStreaminput,OutputStreamoutput)throwsIOException{726
returncopy(input,output,4096);727 }728729
publicstaticlongcopyLarge(InputStreaminput,OutputStreamoutput,byte[]buffer)throwsIOException{730
longcount=0;731 while(true){732 intread=input.read(buffer);733
intn=read;734 if(-1==read){735 returncount;736 }737
output.write(buffer,0,n);738 count+=(long)n;739 }740 }
Vulnerabilitydescription Remediation
-
Vulnerabilitydescription
Anattackerhastheabilitytoobtainthecontentsofarbitraryfilestowhichalegitimateapphasaccess.Mostoften,theinterestingfileswillbestoredin/data/data//*directories,whichmayinclude,forinstance,usercontentorauthenticationtokens,butanattackermayalsousethisvulnerabilitytoobtainuserdocumentsstoredonthesamedevice.
Remediation
Thedevelopermustcontrolthepathsbywhichtheappcanobtainaccesstothepathtoafileitintendstoprocess.
Links
https://cwe.mitre.org/data/definitions/359.htmlhttps://cwe.mitre.org/data/definitions/20.html
TheftofarbitraryfilesFoundinthefileAndroidManifest.xml51
Foundinthefileoversecured/ovaa/providers/TheftOverwriteProvider.java35
}3637 @Override38
publicParcelFileDescriptoropenFile(Uriuri,Stringmode)throwsFileNotFoundException{39
returnParcelFileDescriptor.open(newFile(Environment.getExternalStorageDirectory(),uri.getLastPathSegment()),805306368);40
}41 }
Vulnerabilitydescription
Anattackerhastheabilitytoobtainthecontentsofarbitraryfilestowhichalegitimateapphasaccess.Mostoften,theinterestingfileswillbestoredin/data/data//*directories,whichmayinclude,forinstance,usercontentorauthenticationtokens,butanattackermayalsousethisvulnerabilitytoobtainuserdocumentsstoredonthesamedevice.
Remediation
Thedevelopermustcontrolthepathsbywhichtheappcanobtainaccesstothepathtoafileitintendstoprocess.
Links
https://cwe.mitre.org/data/definitions/359.htmlhttps://cwe.mitre.org/data/definitions/20.html
AbilitytostartarbitrarycomponentsFoundinthefileAndroidManifest.xml22
23 24 25 26 27
Foundinthefileoversecured/ovaa/activities/LoginActivity.java61
}6263 privatevoidonLoginFinished(){
https://cwe.mitre.org/data/definitions/359.htmlhttps://cwe.mitre.org/data/definitions/20.htmlhttps://cwe.mitre.org/data/definitions/359.htmlhttps://cwe.mitre.org/data/definitions/20.html
-
64
IntentredirectIntent=(Intent)getIntent().getParcelableExtra("redirect_intent");65
if(redirectIntent!=null){66 startActivity(redirectIntent);67
}else{68 startActivity(newIntent(this,MainActivity.class));69 }
Vulnerabilitydescription
Anattackerhastheabilitytostartcomponentsinthenameoftheapp,whichletshimbypassAndroid'sbuilt-inprotectionandgainaccesstoany—evenunexportedactivityorservice.Theattackmaycomefromanyappinstalledonthesamedevice,oriftheIntent.parseUri()methodisusedbyamalwaresite,becauseoneoftheexportedcomponentscontainsanestedintentandbroadcastsitsstartActivity/startActivityForResult/startServicemethodwithoutthenecessarychecks.
Remediation
TheappmustrefrainfrombroadcastingintentstosystemmethodslikestartActivity,startService,etc.,directly.Instead,itshouldconstructanintentindependentlyandexplicitlydefinethereceiver.
Links
https://cwe.mitre.org/data/definitions/926.htmlhttps://cwe.mitre.org/data/definitions/940.html
Cross-siteScriptingFoundinthefileAndroidManifest.xml8 9 10 11 12
13 14 15
Foundinthefileoversecured/ovaa/activities/DeeplinkActivity.java13
protectedvoidonCreate(BundlesavedInstanceState){14
super.onCreate(savedInstanceState);15
this.loginUtils=LoginUtils.getInstance(this);16
Intentintent=getIntent();17
if(intent!=null&&"android.intent.action.VIEW".equals(intent.getAction())){18
Uridata=intent.getData();19 Uriuri=data;20 if(data!=null){21
processDeeplink(uri);22 }23 }24 finish();25 }2627
privatevoidprocessDeeplink(Uriuri){28 Stringurl;29 Stringhost;30
if("oversecured".equals(uri.getScheme())&&"ovaa".equals(uri.getHost())){31
Stringpath=uri.getPath();32 if("/logout".equals(path)){33
this.loginUtils.logout();
https://cwe.mitre.org/data/definitions/926.htmlhttps://cwe.mitre.org/data/definitions/940.html
-
34 startActivity(newIntent(this,EntranceActivity.class));35
}elseif("/login".equals(path)){36
Stringurl2=uri.getQueryParameter("url");37 if(url2!=null){38
this.loginUtils.setLoginUrl(url2);39 }40
startActivity(newIntent(this,EntranceActivity.class));41
}elseif("/grant_uri_permissions".equals(path)){42
Intenti=newIntent("oversecured.ovaa.action.GRANT_PERMISSIONS");43
if(getPackageManager().resolveActivity(i,0)!=null){44
startActivityForResult(i,1003);45 }
46}elseif("/webview".equals(path)&&(url=uri.getQueryParameter("url"))!=null&&(host=Uri.parse(url).getHost())!=null&&host.endsWith("example.com"))
{
47 Intenti2=newIntent(this,WebViewActivity.class);48
i2.putExtra("url",url);49 startActivity(i2);50 }51 }
Foundinthefileoversecured/ovaa/activities/WebViewActivity.java10
protectedvoidonCreate(BundlesavedInstanceState){11
super.onCreate(savedInstanceState);12 setContentView(2131361822);13
WebViewwebView=(WebView)findViewById(2131165372);14
setupWebView(webView);15
webView.loadUrl(getIntent().getStringExtra("url"));16 }1718
privatevoidsetupWebView(WebViewwebView){19
webView.setWebChromeClient(newWebChromeClient());20
webView.setWebViewClient(newWebViewClient());21
webView.getSettings().setJavaScriptEnabled(true);22
webView.getSettings().setAllowFileAccessFromFileURLs(true);23 }24
}
Vulnerabilitydescription
XSSorCross-sitescriptingisakindofattackwheremaliciousscriptsareinsertedintoaWebViewpage.Inmostcasestheinputsreceivedfromuntrustedsourceslikepublicbroadcastreceivers,unprotectedactivities,orworld-readable/writabledirectoriesarenotproperlyfilteredandareoutputdirectlyontothepagethatisbeingrenderedwithinWebView.JavascriptwillbeexecutedwhenthedeveloperhasalloweditexplicitlyviaWebSettings.setJavaScriptEnabled(true)(bydefaultit'sdisabled).Inothercases,itcanstillbeusedforContentSpoofing(contentinjections).Executionofmaliciousscriptsmightcauseunintendedinformationleakage,modificationofsettingsonserversideviabypassedCSRFprotection,andmore.OnmobilethereisariskthatthescriptmayaccessJavascriptinterfacesthatareintendedforcommunicationbetweentheapplicationandscriptsrunninginsidethebrowser,thusexposinginternalapplicationlogicandfunctionality.
Remediation
Beforeinsertion,clientdatashouldbecorrectlysanitizedusingmethodslikeURLDecoder.encode().Inthiscase,allmetacharacterswillbeescaped.Inothercases,XSSistheresultofinsecureapplicationarchitecture,whenittrustsdatareceivedfromunprotectedinputs.
Links
https://www.owasp.org/index.php/Mobile_Top_10_2014-M7https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/Mobile_Top_10_2014-M7https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
-
https://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf
Possibilityofaccesstoarbitrary*contentprovidersFoundinthefileAndroidManifest.xml8
9 10 11 12 13 14 15
Foundinthefileoversecured/ovaa/activities/DeeplinkActivity.java39
}40 startActivity(newIntent(this,EntranceActivity.class));41
}elseif("/grant_uri_permissions".equals(path)){42
Intenti=newIntent("oversecured.ovaa.action.GRANT_PERMISSIONS");43
if(getPackageManager().resolveActivity(i,0)!=null){44
startActivityForResult(i,1003);45 }
46}elseif("/webview".equals(path)&&(url=uri.getQueryParameter("url"))!=null&&(host=Uri.parse(url).getHost())!=null&&host.endsWith("example.com"))
{
47 Intenti2=newIntent(this,WebViewActivity.class);48
i2.putExtra("url",url);49 startActivity(i2);50 }51 }52 }5354
@Override55
protectedvoidonActivityResult(intrequestCode,intresultCode,Intentdata){56
super.onActivityResult(requestCode,resultCode,data);57
if(resultCode==-1&&requestCode==1003){58
setResult(resultCode,data);59 }60 }61 }
Vulnerabilitydescription
Theappstartsanactivity,andanattackerhastheabilitytoprocessthecall(forexample,ifitisanunclearintentorifitispossibletocontroltheprocessingactivity).FlagsarealsoinstalledforanintentpermittingUriaccessviatheFLAG_GRANT_READ_URI_PERMISSION,FLAG_GRANT_WRITE_URI_PERMISSION,etc.,parameters,andtheattackerhastheabilitytocontroltheUrithatispassed.Ifalltheseconditionsaremet,theappthatisstartedwillhaveaccesstoanarbitrarycontentproviderwheretheandroid:exported="false"butandroid:grantUriPermission="true".
Remediation
ThedevelopershouldrestricttheabilitytosetanarbitraryUriintheIntent'sdataparameter,orelseremovetheflagsgrantingreadandwriteaccessfortheIntentinquestion.
Links
https://developer.android.com/reference/android/content/Intent#FLAG_GRANT_READ_URI_PERMISSIONhttps://developer.android.com/reference/android/content/Intent#FLAG_GRANT_WRITE_URI_PERMISSION
https://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdfhttps://developer.android.com/reference/android/content/Intent#FLAG_GRANT_READ_URI_PERMISSIONhttps://developer.android.com/reference/android/content/Intent#FLAG_GRANT_WRITE_URI_PERMISSION
-
UsinganimplicitintentinsendBroadcastFoundinthefileoversecured/ovaa/activities/MainActivity.java30
});31
findViewById(2131165251).setOnClickListener(newOnClickListener(){32
publicvoidonClick(Viewview){33
Intenti=newIntent("oversecured.ovaa.action.UNPROTECTED_CREDENTIALS_DATA");34
i
.putExtra("payload",MainActivity.this.loginUtils.getLoginData());35
MainActivity.this.sendBroadcast(i);36 }37 });38
findViewById(2131165241).setOnClickListener(newOnClickListener(){
Vulnerabilitydescription
Animplicitintentisusedwithoutsignaturepermissionforbroadcastsendingtoanothercomponentoftheapplication.Usinganimplicitintentwithoutsignatureprotectionduringthebroadcastsendingallowsanythird-partyapplicationinstalledonthesamemobiledevicetointerceptorhijackinformationbetweencomponents,whichcanleadtoleakageofsensitiveinformationortothefalsificationofdatabroadcastbetweencomponentsoftheapplication.
Remediation
Alwaysuseexplicitintentsforbroadcastofdatawithinthesameapplication.Useasignaturepermissionprotectionlevel.
Links
https://cwe.mitre.org/data/definitions/927.html
HardcodedpasswordortokenFoundinthefileoversecured/ovaa/utils/WeakCrypto.java1213
publicstaticStringencrypt(Stringdata){14 try{15
SecretKeySpecsecretKeySpec=newSecretKeySpec("49u5gh249gh24985ghf429gh4ch8f23f".getBytes(),"AES");16
Cipherinstance=Cipher.getInstance("AES");17
instance.init(1,secretKeySpec);18
returnBase64.encodeToString(instance.doFinal(data.getBytes()),0);19
}catch(Exceptione){20 return"";
Vulnerabilitydescription
Atokenorpasswordwasfound.Itmightbeusedbyanattackertoaccessrestrictedserviceswhichwillcauseinformationleakage,unwantedserversettingchanges,orotherkindsofunrestrictedserviceaccessesormodifications.
Remediation
Thedevelopershouldnothardcodesuchsensitivedata,topreventleakages.
Links
https://cwe.mitre.org/data/definitions/312.html
Insecureactivitystart
https://cwe.mitre.org/data/definitions/927.htmlhttps://cwe.mitre.org/data/definitions/312.html
-
Foundinthefileoversecured/ovaa/activities/MainActivity.java38
findViewById(2131165241).setOnClickListener(newOnClickListener(){39
publicvoidonClick(Viewview){40
Stringtoken=WeakCrypto.encrypt(MainActivity.this.loginUtils.getLoginData().toString());41
Intenti=newIntent("oversecured.ovaa.action.WEBVIEW");42 i
.putExtra("url","http://example.com./?token="+token);43
IntentUtils.protectActivityIntent(MainActivity.this,i);44
MainActivity.this.startActivity(i);45 }46 });47 }
Foundinthefileoversecured/ovaa/utils/IntentUtils.java9
privateIntentUtils(){10 }1112
publicstaticvoidprotectActivityIntent(Contextcontext,Intentintent){13
Iteratorit=context.getPackageManager().queryIntentActivities(intent,0).iterator();14
if(it.hasNext()){15 ResolveInfoinfo=it.next();16
intent.setClassName(info.activityInfo.packageName,info.activityInfo.name);17
}18 }19 }
Vulnerabilitydescription
UsingimplicitactivitystartisdangeroussincethecomponentisnotsetandAndroidOSaskstheuserwhatactuallytostart.Usingamalwareapplication,anattackercanregisterhisownactivitywithactionfromtheintentinAndroidManifest.xmlandspecifya999priorityinintent-filter.WhenstartActivityoritsequivalentisexecuted,adialogwithasetofallpossibleapplicationswillbeshownwiththemalwareinthefirstplace.Iftheuserselectsthefakeapplication,theactivitystartwithintentextraswillbehijackedandinmostcasesitwillleadtodisclosureofsensitiveinformation.IncaseofstartActivityForResult,thereisanadditionalriskrelatedtoresultingdata.Whenthecallishijacked,theattacker'sactivitymayuseasetResult(...)calltotransmitarbitrarydatatotheonActivityResult()methodofthevictimactivity,whichwillcausecontentspoofing.
Remediation
AlwaysuseexplicitintentstostartactivitiesusingthesetComponent,setPackage,setClassorsetClassNamemethodsoftheIntentclass.
Links
https://cwe.mitre.org/data/definitions/927.htmlhttps://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
InternetserviceaddresssubstitutionFoundinthefileAndroidManifest.xml8
9 10 11 12 13 14 15
https://cwe.mitre.org/data/definitions/927.htmlhttps://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
-
Foundinthefileoversecured/ovaa/activities/DeeplinkActivity.java13
protectedvoidonCreate(BundlesavedInstanceState){14
super.onCreate(savedInstanceState);15
this.loginUtils=LoginUtils.getInstance(this);16
Intentintent=getIntent();17
if(intent!=null&&"android.intent.action.VIEW".equals(intent.getAction())){18
Uridata=intent.getData();19 Uriuri=data;20 if(data!=null){21
processDeeplink(uri);22 }23 }24 finish();25 }2627
privatevoidprocessDeeplink(Uriuri){28 Stringurl;29 Stringhost;30
if("oversecured".equals(uri.getScheme())&&"ovaa".equals(uri.getHost())){31
Stringpath=uri.getPath();32 if("/logout".equals(path)){33
this.loginUtils.logout();34
startActivity(newIntent(this,EntranceActivity.class));35
}elseif("/login".equals(path)){36
Stringurl2=uri.getQueryParameter("url");37 if(url2!=null){38
this.loginUtils.setLoginUrl(url2);39 }40
startActivity(newIntent(this,EntranceActivity.class));41
}elseif("/grant_uri_permissions".equals(path)){
Foundinthefileoversecured/ovaa/utils/LoginUtils.java38
returnnewLoginData(this.preferences.getString("email",null),this.preferences.getString("password",null));39
}4041 publicvoidsetLoginUrl(Stringurl){42
this.editor.putString("login_url",url).commit();43 }4445
publicStringgetLoginUrl(){46
Stringurl=this.preferences.getString("login_url",null);47
if(!TextUtils.isEmpty(url)){48 returnurl;49 }50
Stringurl2=this.context.getString(2131492892);51
this.editor.putString("login_url",url2).commit();
Foundinthefileoversecured/ovaa/activities/LoginActivity.java47
privatevoidprocessLogin(Stringemail,Stringpassword){48
LoginDataloginData=newLoginData(email,password);49
Log.d("ovaa","Processing"+loginData);50
RetrofitInstance.getInstance().create(LoginService.class).login(this.loginUtils.getLoginUrl(),loginData).enqueue(newCallback(){51
@Override52 publicvoidonResponse(Callcall,Responseresponse){53
}
-
Foundinthefileoversecured/ovaa/network/LoginService.java7
importretrofit2.http.Url;89 publicinterfaceLoginService{10 @POST11
Calllogin(@UrlStringstr,@BodyLoginDataloginData);12 }
Vulnerabilitydescription
Anattackerhastheabilitytoforcetheapptoconnecttoanarbitraryinternetservice(suchasawebserver).Thiscanbeusedbymalwareappsonthesamedevicetocreateinternetquerieswithoutthecorrespondingpermission(android.permission.INTERNET).Insomecasesthisvulnerabilitycanhelptodeceivetheapplication,leadingittothinkitiscommunicatingwithalegitimateserver:theresultscanbetheleakageofconfidentialdata(suchastokensorpasswords),ordisplaytotheuserofcontentcontrolledbytheattacker.
Remediation
Theappshouldeitherprotectfunctionalityresponsibleforconnectiontointernetservices,forinstancebyusingunexportedservices,orelserestrictthelistofserverstowhichaconnectioncanbemade.WithWebViewthereisalsothepossibilityofshowingtheuserthedomainnameorthefullURLfromwhichthecontentoriginates,helpingtheusertomakesurethesiteaddressiscorrect.
Links
https://cwe.mitre.org/data/definitions/451.htmlhttps://cwe.mitre.org/data/definitions/346.htmlhttps://en.wikipedia.org/wiki/Spoofed_URL
LoadinganarbitraryclassFoundinthefileoversecured/ovaa/objects/MemoryCorruptionParcelable.java12
returnnewMemoryCorruptionParcelable[i];13 }1415
publicMemoryCorruptionParcelablecreateFromParcel(Parcelparcel){16
returnnewMemoryCorruptionParcelable(parcel);17 }18 };1920
privatestaticfinalGsonGSON=newGsonBuilder().create();21
publicObjectdata;2223
privateMemoryCorruptionParcelable(Parcelparcel){24 try{25
this.data=GSON.fromJson(parcel.readString(),Class.forName(parcel.readString()));26
}catch(ClassNotFoundExceptione){27 thrownewRuntimeException(e);28
}
Vulnerabilitydescription
Anattackercanspoofthenameofaclassandforcetheapptocreateanduseanobjectofanarbitrarytype.Dependingontheapp'sbusinesslogic,thismayleadtoarangeofconsequences.IftheattackerisabletouseanarbitraryClassLoader,itwillbepossibletoexecutearbitrarycode
Remediation
Makeitimpossibletoacceptaclassnamefromanattacker:insteadmakealistofallpossibleprocessorsanddefineitmanuallyusingsomecharacteristic.
Links
https://cwe.mitre.org/data/definitions/451.htmlhttps://cwe.mitre.org/data/definitions/346.htmlhttps://en.wikipedia.org/wiki/Spoofed_URL
-
https://cwe.mitre.org/data/definitions/470.html
InsecurestorageofdevicelogsFoundinthefileAndroidManifest.xml46
47 48 49 50
Foundinthefileoversecured/ovaa/services/InsecureLoggerService.java17
super("InsecureLoggerService");18 }1920
protectedvoidonHandleIntent(Intentintent){21
if(intent!=null&&"oversecured.ovaa.action.DUMP".equals(intent.getAction())){22
dumpLogs(getDumpFile(intent));23 }24 }2526
privateFilegetDumpFile(Intentintent){27
Objectfile=intent.getExtras().get("oversecured.ovaa.extra.file");28
if(fileinstanceofString){29 returnnewFile((String)file);30 }31
if(fileinstanceofFile){32 return(File)file;33 }34
thrownewIllegalArgumentException();35 }3637
privatevoiddumpLogs(FiletoFile){38 try{39
BufferedReaderreader=newBufferedReader(newInputStreamReader(Runtime.getRuntime().exec("logcat-d").getInputStream()));40
BufferedWriterwriter=newBufferedWriter(newFileWriter(toFile));41
while(true){42 Stringline=reader.readLine();43 if(line==null){44
writer.flush();45 writer.close();46 reader.close();47 return;48 }49
writer.append(line).append('\n');50 }51 }catch(IOExceptione){52
thrownewRuntimeException(e);
Vulnerabilitydescription
Theappstoresdevicelogsusingapaththatisaccessibleforanattackertoread.FromAndroid4.1,apps'logsarenotaccessibletothird-partyapps—butifalegitimateappitselfsavesthemtoaninsecurepath,anattackercangainaccesstothemandextractprivateinformation.
Remediation
Itisrecommendedthatyoushouldstorelogsinthe/data/data/directoryusingastaticpath,topreventyourdatafallingintothehandsofanattacker
https://cwe.mitre.org/data/definitions/470.html
-
Links
https://cwe.mitre.org/data/definitions/532.html
UseofbypassablehostcheckFoundinthefileAndroidManifest.xml8 9 10
11 12 13 14 15
Foundinthefileoversecured/ovaa/activities/DeeplinkActivity.java13
protectedvoidonCreate(BundlesavedInstanceState){14
super.onCreate(savedInstanceState);15
this.loginUtils=LoginUtils.getInstance(this);16
Intentintent=getIntent();17
if(intent!=null&&"android.intent.action.VIEW".equals(intent.getAction())){18
Uridata=intent.getData();19 Uriuri=data;20 if(data!=null){21
processDeeplink(uri);22 }23 }24 finish();25 }2627
privatevoidprocessDeeplink(Uriuri){28 Stringurl;29 Stringhost;30
if("oversecured".equals(uri.getScheme())&&"ovaa".equals(uri.getHost())){31
Stringpath=uri.getPath();32 if("/logout".equals(path)){33
this.loginUtils.logout();34
startActivity(newIntent(this,EntranceActivity.class));35
}elseif("/login".equals(path)){36
Stringurl2=uri.getQueryParameter("url");37 if(url2!=null){38
this.loginUtils.setLoginUrl(url2);39 }40
startActivity(newIntent(this,EntranceActivity.class));41
}elseif("/grant_uri_permissions".equals(path)){42
Intenti=newIntent("oversecured.ovaa.action.GRANT_PERMISSIONS");43
if(getPackageManager().resolveActivity(i,0)!=null){44
startActivityForResult(i,1003);45 }
46}elseif("/webview".equals(path)&&(url=uri.getQueryParameter("url"))!=null&&(host=Uri.parse(url).getHost())!=null&&host.endsWith("example.com"))
{
47 Intenti2=newIntent(this,WebViewActivity.class);48
i2.putExtra("url",url);49 startActivity(i2);
https://cwe.mitre.org/data/definitions/532.html
-
Vulnerabilitydescription
TheappdoesnotperformsufficientlyprecisechecksofthehostfieldintheURL,meaningthatanattackercanbypassthem.MostURLparsersdonotcountabackslash(/)asadelimiterthatisequivalenttoaforwardslash(/),bute.g.WebViewautomaticallyreplacesallbackslasheswithforwardslashes.Thismeansthatcheckslikehost.endsWith("legal.com")arenotsufficient.ThedevelopermustalsorememberabouttheUserinfopartintheURL,wherebackslashescanalsobeadded:insteadofcheckingthehostfield,checkthewholeauthority
Remediation
OnereliableURLcheckisaschemecheck,whichprohibitspassingvariousprivatedataviatheinsecureHTTPprotocol:itonlypermitstheuseofHTTPS.Anotheroptionistochecktheauthoritypartbycreatingawhitelistofpossiblehostsorusingareliableregularexpressionthatexcludesmanipulationwithbackslashesandothercontrolcharacters
UseofsetResultforexportedactivityFoundinthefileAndroidManifest.xml8
9 10 11 12 13 14 15
Foundinthefileoversecured/ovaa/activities/DeeplinkActivity.java39
}40 startActivity(newIntent(this,EntranceActivity.class));41
}elseif("/grant_uri_permissions".equals(path)){42
Intenti=newIntent("oversecured.ovaa.action.GRANT_PERMISSIONS");43
if(getPackageManager().resolveActivity(i,0)!=null){44
startActivityForResult(i,1003);45 }
46}elseif("/webview".equals(path)&&(url=uri.getQueryParameter("url"))!=null&&(host=Uri.parse(url).getHost())!=null&&host.endsWith("example.com"))
{
47 Intenti2=newIntent(this,WebViewActivity.class);48
i2.putExtra("url",url);49 startActivity(i2);50 }51 }52 }5354
@Override55
protectedvoidonActivityResult(intrequestCode,intresultCode,Intentdata){56
super.onActivityResult(requestCode,resultCode,data);57
if(resultCode==-1&&requestCode==1003){58
setResult(resultCode,data);59 }60 }61 }
Vulnerabilitydescription
Anexportedactivityreturnstheresultsofitsoperations(whichmayincludeprivatedata).Athird-partyapphastheabilitytostartthisactivityandreceivetheIntentthatispassedtosetResult.
Remediation
Itisrecommendedthatyoueithermaketheactivitynon-exported,therebypreventingdataleakage,orelsemakesurethatsetResultisnotusedtopassanyimportantdata.
-
DebuggableattributeissettotrueFoundinthefileAndroidManifest.xml
7
Vulnerabilitydescription
The“android:debuggable”attributeissettotrueinAndroidManifest.xml.Ifanapplicationisflaggedasdebuggable,anattackerpossessingphysicalaccesstothedevicecaninjectarbitrarycodeandexecuteitinthecontextofavulnerableapplicationprocessandextractsensitivedata.It'shighlyrecommendedtosetthedebuggableattributetofalsewhentheapplicationisreleasedintoproduction.
Remediation
Set“android:debuggable”tofalseintheAndroidManifest.xmlfile.
Links
https://developer.android.com/guide/topics/manifest/application-element.html#debug
DeletionofarbitraryfilesFoundinthefileoversecured/ovaa/objects/DeleteFilesSerializable.java7
importoversecured.ovaa.utils.FileUtils;89
publicclassDeleteFilesSerializableimplementsSerializable{10
privatevoidreadObject(ObjectInputStreamin)throwsIOException{11
Filefile=newFile(in.readUTF());12 if(file.exists()){13
FileUtils.deleteRecursive(file);14 }15 }16 }
Foundinthefileoversecured/ovaa/utils/FileUtils.java12
privateFileUtils(){13 }1415
publicstaticvoiddeleteRecursive(Filefile){16
if(file.isDirectory()){17 for(Filechild:file.listFiles()){18
deleteRecursive(child);19 }20 }21 file.delete();22 }2324
publicstaticFilecopyToCache(Contextcontext,Uriuri){
Vulnerabilitydescription
Theattackercanfakethepathtothefilethatwillbesubsequentlydeleted.Thismaybecomedangerousinsituationsinwhichtheapplicationstoressensitiveuserdatathatwillbedifficultorimpossibletorestoreafterward.
Remediation
Itisrecommendedtoaddadditionalchecksforfileorfolderpathstopreventpath-traversalattacks.
https://developer.android.com/guide/topics/manifest/application-element.html#debug
-
Thismayalsoleadtotheincorrectoperationoftheapplication,resultinginreputationalandbusinessdamage.
InformationLeakageFoundinthefileoversecured/ovaa/activities/MainActivity.java38
findViewById(2131165241).setOnClickListener(newOnClickListener(){39
publicvoidonClick(Viewview){40
Stringtoken=WeakCrypto.encrypt(MainActivity.this.loginUtils.getLoginData().toString());41
Intenti=newIntent("oversecured.ovaa.action.WEBVIEW");42 i
.putExtra("url","http://example.com./?token="+token);43
IntentUtils.protectActivityIntent(MainActivity.this,i);44
MainActivity.this.startActivity(i);45 }46 });47 }
Foundinthefileoversecured/ovaa/utils/IntentUtils.java9
privateIntentUtils(){10 }1112
publicstaticvoidprotectActivityIntent(Contextcontext,Intentintent){13
Iteratorit=context.getPackageManager().queryIntentActivities(intent,0).iterator();14
if(it.hasNext()){15 ResolveInfoinfo=it.next();16
intent.setClassName(info.activityInfo.packageName,info.activityInfo.name);17
}18 }19 }
Vulnerabilitydescription
Theapplicationmakesitpossibletorevealsensitiveuserinformationsuchasencryptionkeysoruserpasswordsbydisplayingthemonthescreen,savingthemtoinsecurestorage,ortransmittingthemviaanunsafechannel,anyofwhichallowsanattackertomakeuseofthem.
Remediation
Donottransmitthiskindofinformationinunencryptedform,orstoreitinmoretrustworthystorage.
Links
https://cwe.mitre.org/data/definitions/200.htmlhttps://cwe.mitre.org/data/definitions/359.html
InformationLeakageFoundinthefileAndroidManifest.xml46 47 48 49
50
Foundinthefileoversecured/ovaa/services/InsecureLoggerService.java
https://cwe.mitre.org/data/definitions/200.htmlhttps://cwe.mitre.org/data/definitions/359.html
-
17 super("InsecureLoggerService");18 }1920
protectedvoidonHandleIntent(Intentintent){21
if(intent!=null&&"oversecured.ovaa.action.DUMP".equals(intent.getAction())){22
dumpLogs(getDumpFile(intent));23 }24 }2526
privateFilegetDumpFile(Intentintent){27
Objectfile=intent.getExtras().get("oversecured.ovaa.extra.file");28
if(fileinstanceofString){29 returnnewFile((String)file);30 }31
if(fileinstanceofFile){32 return(File)file;33 }34
thrownewIllegalArgumentException();35 }3637
privatevoiddumpLogs(FiletoFile){38 try{39
BufferedReaderreader=newBufferedReader(newInputStreamReader(Runtime.getRuntime().exec("logcat-d").getInputStream()));40
BufferedWriterwriter=newBufferedWriter(newFileWriter(toFile));41
while(true){42 Stringline=reader.readLine();43 if(line==null){44
writer.flush();45 writer.close();46 reader.close();47 return;48 }49
writer.append(line).append('\n');50 }51 }catch(IOExceptione){52
thrownewRuntimeException(e);
Vulnerabilitydescription
Theapplicationmakesitpossibletorevealsensitiveuserinformationsuchasencryptionkeysoruserpasswordsbydisplayingthemonthescreen,savingthemtoinsecurestorage,ortransmittingthemviaanunsafechannel,anyofwhichallowsanattackertomakeuseofthem.
Remediation
Donottransmitthiskindofinformationinunencryptedform,orstoreitinmoretrustworthystorage.
Links
https://cwe.mitre.org/data/definitions/200.htmlhttps://cwe.mitre.org/data/definitions/359.html
FakeHTTPrequestFoundinthefileAndroidManifest.xml8 9 10 11 12
https://cwe.mitre.org/data/definitions/200.htmlhttps://cwe.mitre.org/data/definitions/359.html
-
13 14 15
Foundinthefileoversecured/ovaa/activities/DeeplinkActivity.java13
protectedvoidonCreate(BundlesavedInstanceState){14
super.onCreate(savedInstanceState);15
this.loginUtils=LoginUtils.getInstance(this);16
Intentintent=getIntent();17
if(intent!=null&&"android.intent.action.VIEW".equals(intent.getAction())){18
Uridata=intent.getData();19 Uriuri=data;20 if(data!=null){21
processDeeplink(uri);22 }23 }24 finish();25 }2627
privatevoidprocessDeeplink(Uriuri){28 Stringurl;29 Stringhost;30
if("oversecured".equals(uri.getScheme())&&"ovaa".equals(uri.getHost())){31
Stringpath=uri.getPath();32 if("/logout".equals(path)){33
this.loginUtils.logout();34
startActivity(newIntent(this,EntranceActivity.class));35
}elseif("/login".equals(path)){36
Stringurl2=uri.getQueryParameter("url");37 if(url2!=null){38
this.loginUtils.setLoginUrl(url2);39 }40
startActivity(newIntent(this,EntranceActivity.class));41
}elseif("/grant_uri_permissions".equals(path)){
Foundinthefileoversecured/ovaa/utils/LoginUtils.java38
returnnewLoginData(this.preferences.getString("email",null),this.preferences.getString("password",null));39
}4041 publicvoidsetLoginUrl(Stringurl){42
this.editor.putString("login_url",url).commit();43 }4445
publicStringgetLoginUrl(){46
Stringurl=this.preferences.getString("login_url",null);47
if(!TextUtils.isEmpty(url)){48 returnurl;49 }50
Stringurl2=this.context.getString(2131492892);51
this.editor.putString("login_url",url2).commit();
Foundinthefileoversecured/ovaa/activities/LoginActivity.java47
privatevoidprocessLogin(Stringemail,Stringpassword){48
LoginDataloginData=newLoginData(email,password);49
Log.d("ovaa","Processing"+loginData);50
RetrofitInstance.getInstance().create(LoginService.class).login(this.loginUtils.getLoginUrl(),loginData).enqueue(newCallback(){
-
51 @Override52
publicvoidonResponse(Callcall,Responseresponse){53 }
Foundinthefileoversecured/ovaa/network/LoginService.java7
importretrofit2.http.Url;89 publicinterfaceLoginService{10 @POST11
Calllogin(@UrlStringstr,@BodyLoginDataloginData);12 }
Vulnerabilitydescription
Theappmakesitpossibletofakearequest,orsomeofitsfields,senttoHTTP,whichcanleadtoawholeseriesofpossibleattacksincludingCross-SiteRequestForgeryandHTTPSplitting.Thiscanmakeitpossibletouncoveruseddata,andcanalsodamagetheapp'sbusinesslogicbycarryingoutactionsthatbenefittheattacker.
Remediation
Thedevelopermustrestrictrequestdatatotrustedsources,andmakesurethesedataarenecessary,areintheexpectedformat,anddonotcontainspecialcharactersthatwouldviolatethestructureofanHTTPrequest.
Links
https://cwe.mitre.org/data/definitions/352.htmlhttps://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)http://projects.webappsec.org/w/page/13246929/HTTP%20Request%20Splitting
PassinginfecteddatatoanativemethodFoundinthefileoversecured/ovaa/objects/MemoryCorruptionSerializable.java45
publicclassMemoryCorruptionSerializableimplementsSerializable{6
privatestaticfinallongserialVersionUID=0;7 privatelongptr;89
privatenativevoidfreePtr(longj);1011 static{12
System.loadLibrary("ovaa");13 }1415 @Override16
protectedvoidfinalize()throwsThrowable{17 longj=this.ptr;18
if(j!=0){19 freePtr(j);20 this.ptr=0;21 }22 }
Vulnerabilitydescription
Theattackercanpasscontrolleddatatoanativemethodoftheapplication.Ifthisdataisused,forexample,asmemoryaddresses,itmayresultinthecreationofsuchvulnerabilitiesasMemoryCorruptionorArbitraryCodeExecution.
Remediation
Itisrecommendedtorestrictthepossibilityofpassinginfecteddatatoanativemethod,ormovethelogiclayerfromC/C++codetoJava/Kotlin.
https://cwe.mitre.org/data/definitions/352.htmlhttps://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)http://projects.webappsec.org/w/page/13246929/HTTP%20Request%20Splitting
-
PasswordstorageonthedeviceFoundinthefileoversecured/ovaa/utils/LoginUtils.java31
}3233 publicvoidsaveCredentials(LoginDataloginData){34
this.editor.putString("email",loginData.email).putString("password",loginData.password).commit();35
}3637 publicLoginDatagetLoginData(){
Vulnerabilitydescription
Theappsavestheuser'spasswordonthedevice.Thisisinsecure,becauseunderspecificcircumstancesitcouldbeextractedbyanattacker—forexample,iftherearevulnerabilitiessuchastheabilitytostealarbitraryfilesoriftheattackerhasaccessrightstotheuser'srootdirectory.
Remediation
Insteadofstoringthepassword,thedevelopershoulduseatokenissuedserver-side.Thiscanbesecurelysavedtothe/data/data/directory.Ifanattackerobtainsthetoken,itonlyneedstoberevokedtoaverttheattack.Thepasswordcanbepickedupandusedforotherservicesusedbytheuser,andallowsanattackertoguessotherversionsoftheuser'spasswords.
Links
https://cwe.mitre.org/data/definitions/256.html
UseofinsecureHTTPprotocolFoundinthefilevalues/strings.xml31
http://example.com./
Foundinthefileoversecured/ovaa/network/RetrofitInstance.java4
importretrofit2.Retrofit;56 publicclassRetrofitInstance{7
privatestaticfinalStringBASE_URL="http://example.com./api/v1/";8
privatestaticRetrofitretrofit;910
publicstaticRetrofitgetInstance(){11 if(retrofit==null){12
retrofit=newRetrofit.Builder().baseUrl("http://example.com./api/v1/").addConverterFactory(GsonConverterFactory.create()).build();13
}14 returnretrofit;15 }
Foundinthefileoversecured/ovaa/activities/MainActivity.java39
publicvoidonClick(Viewview){40
Stringtoken=WeakCrypto.encrypt(MainActivity.this.loginUtils.getLoginData().toString());41
Intenti=newIntent("oversecured.ovaa.action.WEBVIEW");42 i
.putExtra("url","http://example.com./?token="+token);43
IntentUtils.protectActivityIntent(MainActivity.this,i);44
MainActivity.this.startActivity(i);45 }
https://cwe.mitre.org/data/definitions/256.html
-
Vulnerabilitydescription
ThemobileapplicationusestheinsecureHTTPprotocoltocommunicatewiththeserver.HTTPlacksencryption,sosensitivedatalikeusername,password,etc.canbeeasilyinterceptedandreplacedbyanattackerwhoisconnectedtothesamenetworkastheuser’sdevice—forinstance,iftheuserisusingapublicWiFinetwork.
Remediation
Replaceallhttplinksintheapplicationwiththeirhttpsequivalents.
Links
https://cwe.mitre.org/data/definitions/319.htmlhttps://www.owasp.org/index.php/Mobile_Top_10_2014-M3
StoringdataontheSDcardFoundinthefileoversecured/ovaa/providers/TheftOverwriteProvider.java3637
@Override38
publicParcelFileDescriptoropenFile(Uriuri,Stringmode)throwsFileNotFoundException{39
returnParcelFileDescriptor.open(newFile(Environment.getExternalStorageDirectory(),uri.getLastPathSegment()),805306368);40
}41 }
Vulnerabilitydescription
Theapplicationusesexternalstorage(SDcard)toread/writedata.Datastoredexternallycanbereadandmodifiedbyanythird-partyapplicationsinstalledonthesamemobiledevice,whichcanleadtoinformationdisclosure,datatampering,orothermaliciousbehavior.Example:ifanapplicationstoresitsthird-party.solibrariesonexternalmedia,theselibrariescanbemodifiedbyamalwareapplication,whichinturnmayleadtoarbitrarycodeexecutioninthecontextoftherunningapplication.
Remediation
Donotstoreexecutablefiles,configurationfiles,orsensitiveuserdataonSDcard.
Links
https://cwe.mitre.org/data/definitions/921.htmlhttps://www.owasp.org/index.php/Mobile_Top_10_2014-M2
StoringdataontheSDcardFoundinthefileoversecured/ovaa/utils/FileUtils.java2324
publicstaticFilecopyToCache(Contextcontext,Uriuri){25 try{26
FileexternalCacheDir=context.getExternalCacheDir();27
Fileout=newFile(externalCacheDir,""+System.currentTimeMillis());28
InputStreami=context.getContentResolver().openInputStream(uri);29
OutputStreamo=newFileOutputStream(out);30 IOUtils.copy(i,o);31 i
.close();32 o.close();
Vulnerabilitydescription Remediation
https://cwe.mitre.org/data/definitions/319.htmlhttps://www.owasp.org/index.php/Mobile_Top_10_2014-M3https://cwe.mitre.org/data/definitions/921.htmlhttps://www.owasp.org/index.php/Mobile_Top_10_2014-M2
-
Theapplicationusesexternalstorage(SDcard)toread/writedata.Datastoredexternallycanbereadandmodifiedbyanythird-partyapplicationsinstalledonthesamemobiledevice,whichcanleadtoinformationdisclosure,datatampering,orothermaliciousbehavior.Example:ifanapplicationstoresitsthird-party.solibrariesonexternalmedia,theselibrariescanbemodifiedbyamalwareapplication,whichinturnmayleadtoarbitrarycodeexecutioninthecontextoftherunningapplication.
Donotstoreexecutablefiles,configurationfiles,orsensitiveuserdataonSDcard.
Links
https://cwe.mitre.org/data/definitions/921.htmlhttps://www.owasp.org/index.php/Mobile_Top_10_2014-M2
FakefilepathFoundinthefileAndroidManifest.xml46 47 48 49 50
Foundinthefileoversecured/ovaa/services/InsecureLoggerService.java17
super("InsecureLoggerService");18 }1920
protectedvoidonHandleIntent(Intentintent){21
if(intent!=null&&"oversecured.ovaa.action.DUMP".equals(intent.getAction())){22
dumpLogs(getDumpFile(intent));23 }24 }2526
privateFilegetDumpFile(Intentintent){27
Objectfile=intent.getExtras().get("oversecured.ovaa.extra.file");28
if(fileinstanceofString){29 returnnewFile((String)file);30 }31
if(fileinstanceofFile){32 return(File)file;
Vulnerabilitydescription
Anattackerhastheabilitytocontrolthepathtoafile,whichcanleadtoprivatedatabeingstoredinapublicdirectorytowhichtheattackerhasaccess;datacomingfromtheattackerbeingreadasthoughtheywerelegitimate;modificationordeletionofexistingfiles.Thedevelopermustrememberthateveniftheattackerhasnoaccesstocertainprotectedfiles,thelegitimateappdoes—sothattheattacker'sobjectiveistomaketheappcarryoutharmfulactionsonitsown.
Remediation
Thedevelopermustmakesurefilepathscanonlybeobtainedfromtrustedsources.Inaddition,it'srecommendedtostorefileswithprivatedatainthe/data/data/%package_name%/file(thepathmaybeobtainedbycallingContext.getFilesDir()),towhichotherappsinstalledonthedevicedonothaveaccess.
Links
https://cwe.mitre.org/data/definitions/73.htmlhttps://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/921.htmlhttps://www.owasp.org/index.php/Mobile_Top_10_2014-M2https://cwe.mitre.org/data/definitions/73.htmlhttps://cwe.mitre.org/data/definitions/22.html
-
FakefilepathFoundinthefileAndroidManifest.xml51
Foundinthefileoversecured/ovaa/providers/TheftOverwriteProvider.java35
}3637 @Override38
publicParcelFileDescriptoropenFile(Uriuri,Stringmode)throwsFileNotFoundException{39
returnParcelFileDescriptor.open(newFile(Environment.getExternalStorageDirectory(),uri.getLastPathSegment()),805306368);40
}41 }
Vulnerabilitydescription
Anattackerhastheabilitytocontrolthepathtoafile,whichcanleadtoprivatedatabeingstoredinapublicdirectorytowhichtheattackerhasaccess;datacomingfromtheattackerbeingreadasthoughtheywerelegitimate;modificationordeletionofexistingfiles.Thedevelopermustrememberthateveniftheattackerhasnoaccesstocertainprotectedfiles,thelegitimateappdoes—sothattheattacker'sobjectiveistomaketheappcarryoutharmfulactionsonitsown.
Remediation
Thedevelopermustmakesurefilepathscanonlybeobtainedfromtrustedsources.Inaddition,it'srecommendedtostorefileswithprivatedatainthe/data/data/%package_name%/file(thepathmaybeobtainedbycallingContext.getFilesDir()),towhichotherappsinstalledonthedevicedonothaveaccess.
Links
https://cwe.mitre.org/data/definitions/73.htmlhttps://cwe.mitre.org/data/definitions/22.html
FakefilepathFoundinthefileAndroidManifest.xml46 47 48 49 50
Foundinthefileoversecured/ovaa/services/InsecureLoggerService.java17
super("InsecureLoggerService");18 }1920
protectedvoidonHandleIntent(Intentintent){21
if(intent!=null&&"oversecured.ovaa.action.DUMP".equals(intent.getAction())){22
dumpLogs(getDumpFile(intent));23 }24 }2526
privateFilegetDumpFile(Intentintent){27
Objectfile=intent.getExtras().get("oversecured.ovaa.extra.file");28
if(fileinstanceofString){29 returnnewFile((String)file);30 }31
if(fileinstanceofFile){
https://cwe.mitre.org/data/definitions/73.htmlhttps://cwe.mitre.org/data/definitions/22.html
-
32 return(File)file;33 }34 thrownewIllegalArgumentException();35
}3637 privatevoiddumpLogs(FiletoFile){38 try{39
BufferedReaderreader=newBufferedReader(newInputStreamReader(Runtime.getRuntime().exec("logcat-d").getInputStream()));40
BufferedWriterwriter=newBufferedWriter(newFileWriter(toFile));41
while(true){42 Stringline=reader.readLine();43 if(line==null){
Vulnerabilitydescription
Anattackerhastheabilitytocontrolthepathtoafile,whichcanleadtoprivatedatabeingstoredinapublicdirectorytowhichtheattackerhasaccess;datacomingfromtheattackerbeingreadasthoughtheywerelegitimate;modificationordeletionofexistingfiles.Thedevelopermustrememberthateveniftheattackerhasnoaccesstocertainprotectedfiles,thelegitimateappdoes—sothattheattacker'sobjectiveistomaketheappcarryoutharmfulactionsonitsown.
Remediation
Thedevelopermustmakesurefilepathscanonlybeobtainedfromtrustedsources.Inaddition,it'srecommendedtostorefileswithprivatedatainthe/data/data/%package_name%/file(thepathmaybeobtainedbycallingContext.getFilesDir()),towhichotherappsinstalledonthedevicedonothaveaccess.
Links
https://cwe.mitre.org/data/definitions/73.htmlhttps://cwe.mitre.org/data/definitions/22.html
FileaccessfromfileURIsisenabledforWebViewFoundinthefileoversecured/ovaa/activities/WebViewActivity.java10
protectedvoidonCreate(BundlesavedInstanceState){11
super.onCreate(savedInstanceState);12 setContentView(2131361822);13
WebViewwebView=(WebView)findViewById(2131165372);14
setupWebView(webView);15
webView.loadUrl(getIntent().getStringExtra("url"));16 }1718
privatevoidsetupWebView(WebViewwebView){19
webView.setWebChromeClient(newWebChromeClient());20
webView.setWebViewClient(newWebViewClient());21
webView.getSettings().setJavaScriptEnabled(true);22
webView.getSettings().setAllowFileAccessFromFileURLs(true);23 }24
}
Vulnerabilitydescription
FullfileaccessispermittedinWebViewtopagesloadedusingthefile://scheme.IfJSexecutionispermitted,andifothervulnerabilitiesarepresent,anattackercanuseaspeciallycreatedscripttogainaccesstoanylocalfilestowhichtheappitselfhasaccess.
Remediation
ItisrecommendedthatdevelopersdisablethisfunctionalitybyusingacalltomyWebView.getSettings().setAllowFileAccessFromFileURLs(false),soastoavoidleakingpersonaldata.
Links
https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccessFromFileURLs(boolean)
https://cwe.mitre.org/data/definitions/73.htmlhttps://cwe.mitre.org/data/definitions/22.htmlhttps://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccessFromFileURLs(boolean)
-
ContentaccessisenabledforWebViewFoundinthefileoversecured/ovaa/activities/WebViewActivity.java10
protectedvoidonCreate(BundlesavedInstanceState){11
super.onCreate(savedInstanceState);12 setContentView(2131361822);13
WebViewwebView=(WebView)findViewById(2131165372);14
setupWebView(webView);15
webView.loadUrl(getIntent().getStringExtra("url"));16 }1718
privatevoidsetupWebView(WebViewwebView){19
webView.setWebChromeClient(newWebChromeClient());20
webView.setWebViewClient(newWebViewClient());21
webView.getSettings().setJavaScriptEnabled(true);22
webView.getSettings().setAllowFileAccessFromFileURLs(true);23 }24
}
Vulnerabilitydescription
Accesstodatausingcontent://isnotdisabledinWebView,orisexplicitlyenabled.Thedangeristhatanattackermaybeabletoinsertaspecially-preparedlinkintothewebsiteanduseittoloadsomeprotectedcontent(forinstance,photosfrom/data/data//directoriesinasimilarway)andthenemployspeciallycreatedJavaScriptcodetogainaccesstotheactualdata,leadingtothetheftofuserinformation.
Remediation
Iftheappdoesnotusethisfunctionality,developersarerecommendedtodisableaccesstocontentusingcontent://bycallingmyWebView.getSettings().setAllowContentAccess(false)
Links
https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowContentAccess(boolean)https://cwe.mitre.org/data/definitions/200.html
FileaccessisenabledforWebViewFoundinthefileoversecured/ovaa/activities/WebViewActivity.java10
protectedvoidonCreate(BundlesavedInstanceState){11
super.onCreate(savedInstanceState);12 setContentView(2131361822);13
WebViewwebView=(WebView)findViewById(2131165372);14
setupWebView(webView);15
webView.loadUrl(getIntent().getStringExtra("url"));16 }1718
privatevoidsetupWebView(WebViewwebView){19
webView.setWebChromeClient(newWebChromeClient());20
webView.setWebViewClient(newWebViewClient());21
webView.getSettings().setJavaScriptEnabled(true);22
webView.getSettings().setAllowFileAccessFromFileURLs(true);23 }24
}
Vulnerabilitydescription Remediation
https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowContentAccess(boolean)https://cwe.mitre.org/data/definitions/200.html
-
TheapplicationallowstheuseoftheWebSettingssetAllowFileAccessmethod.ThesetAllowFileAccessmethodallowJavaScripttoaccesslocalfilesinthecontextoftherunningapplication.PerformingaMan-in-the-Middleattackortamperingwithaserverresponse,anattackerisabletoaccesstheapplication'sfiles,suchaspreferences,localdatabases,cache,etc.Thiscanleadtotheleakageofconfidentialdata,suchasauthenticationtokensandpasswords.It'snotrecommendedtousesetAllowFileAccessmethodunlessabsolutelynecessary.
DonotusethesetAllowFileAccessmethodunlessabsolutelynecessary,andexplicitlysetthisvaluetofalseifyouarenotplanningtoaccesslocalfilesfromWebView.
Links
https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess(boolean)
ApplicationbackupisallowedFoundinthefileAndroidManifest.xml
7
Vulnerabilitydescription
The“android:allowBackup”attributeissetto“true”inAndroidManifest.xml,thusmakingitpossibletobackupupalltheapplication’sdataincludinglocaldatabases,preferencesanduser'spersonaldatatoexternalstoragewhereitcanbeaccessedbyanunauthorizedthird-partyapplication.It'shighlyrecommendedtoexplicitlysetthe“android:allowBackup”attributetofalsetoavoiddataleakage.
Remediation
Set“android:allowBackup”tofalseintheAndroidManifest.xmlfile.
Links
https://developer.android.com/guide/topics/manifest/application-element.html#allowbackup
UsinganimplicitintentforstartinganactivitywithoutpotentiallysensitiveinformationFoundinthefileoversecured/ovaa/activities/EntranceActivity.java10
protectedvoidonCreate(BundlesavedInstanceState){11
super.onCreate(savedInstanceState);12
if(LoginUtils.getInstance(this).isLoggedIn()){13
startActivity(newIntent("oversecured.ovaa.action.ACTIVITY_MAIN"));14
}else{15
startActivity(newIntent("oversecured.ovaa.action.LOGIN"));16 }
Vulnerabilitydescription
UsinganimplicitactivitystartisdangeroussincethecomponentisnotdefinedandtheAndroidOSaskstheuserwhatshouldactuallybestarted.Usingamalwareapplication,theattackercanregisteracustomactivityinAndroidManifest.xmlcontainingtheactionfromtheintentandspecifypriority999intheintent-filter.WhenstartActivityoritsequivalentisexecuted,adialogwindowwithalistofallpossibleapplicationwillbeshownwiththemalwarebeingattheverytop.Iftheuserchoosesthefakeapplication,thestartoftheactivitywithintentextraswillbehijacked,whichmayresultinthetheftofappusagestatistics,aswellasdifferentapplicationstates.InthecaseofstartActivityForResult,thereisanadditionalriskrelatedtotheresultingdata.Whenthecallishijacked,theattacker's
Remediation
AlwaysuseexplicitintentstostartactivitiesusingthesetComponent,setPackage,setClassorsetClassNamemethodsoftheIntentclass.
https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess(boolean)https://developer.android.com/guide/topics/manifest/application-element.html#allowbackup
-
activitycanbesentviaasetResult(...)callandtransmitarbitrarydatatotheonActivityResult(...)methodofthevictim'sactivity,whichmaybecomeanadditionalsourceofinfecteddatafortheapp.
UsinganimplicitintentforstartinganactivitywithoutpotentiallysensitiveinformationFoundinthefileoversecured/ovaa/activities/DeeplinkActivity.java39
}40 startActivity(newIntent(this,EntranceActivity.class));41
}elseif("/grant_uri_permissions".equals(path)){42
Intenti=newIntent("oversecured.ovaa.action.GRANT_PERMISSIONS");43
if(getPackageManager().resolveActivity(i,0)!=null){44
startActivityForResult(i,1003);45 }
46}elseif("/webview".equals(path)&&(url=uri.getQueryParameter("url"))!=null&&(host=Uri.parse(url).getHost())!=null&&host.endsWith("example.com"))
{
47 Intenti2=newIntent(this,WebViewActivity.class);
Vulnerabilitydescription
UsinganimplicitactivitystartisdangeroussincethecomponentisnotdefinedandtheAndroidOSaskstheuserwhatshouldactuallybestarted.Usingamalwareapplication,theattackercanregisteracustomactivityinAndroidManifest.xmlcontainingtheactionfromtheintentandspecifypriority999intheintent-filter.WhenstartActivityoritsequivalentisexecuted,adialogwindowwithalistofallpossibleapplicationwillbeshownwiththemalwarebeingattheverytop.Iftheuserchoosesthefakeapplication,thestartoftheactivitywithintentextraswillbehijacked,whichmayresultinthetheftofappusagestatistics,aswellasdifferentapplicationstates.InthecaseofstartActivityForResult,thereisanadditionalriskrelatedtotheresultingdata.Whenthecallishijacked,theattacker'sactivitycanbesentviaasetResult(...)callandtransmitarbitrarydatatotheonActivityResult(...)methodofthevictim'sactivity,whichmaybecomeanadditionalsourceofinfecteddatafortheapp.
Remediation
AlwaysuseexplicitintentstostartactivitiesusingthesetComponent,setPackage,setClassorsetClassNamemethodsoftheIntentclass.
UsinganimplicitintentforstartinganactivitywithoutpotentiallysensitiveinformationFoundinthefileoversecured/ovaa/activities/EntranceActivity.java12
if(LoginUtils.getInstance(this).isLoggedIn()){13
startActivity(newIntent("oversecured.ovaa.action.ACTIVITY_MAIN"));14
}else{15
startActivity(newIntent("oversecured.ovaa.action.LOGIN"));16 }17
finish();18 }
Vulnerabilitydescription
UsinganimplicitactivitystartisdangeroussincethecomponentisnotdefinedandtheAndroidOSaskstheuserwhatshouldactuallybestarted.Usingamalwareapplication,theattackercanregisteracustomactivityinAndroidManifest.xmlcontainingtheactionfromtheintentandspecifypriority999intheintent-filter.WhenstartActivityoritsequivalentisexecuted,adialogwindowwithalistofallpossibleapplicationwillbeshownwiththemalwarebeingattheverytop.Iftheuserchoosesthefakeapplication,thestartoftheactivitywithintentextraswillbehijacked,
Remediation
AlwaysuseexplicitintentstostartactivitiesusingthesetComponent,setPackage,setClassorsetClassNamemethodsoftheIntentclass.
-
whichmayresultinthetheftofappusagestatistics,aswellasdifferentapplicationstates.InthecaseofstartActivityForResult,thereisanadditionalriskrelatedtotheresultingdata.Whenthecallishijacked,theattacker'sactivitycanbesentviaasetResult(...)callandtransmitarbitrarydatatotheonActivityResult(...)methodofthevictim'sactivity,whichmaybecomeanadditionalsourceofinfecteddatafortheapp.
ExportedcontentproviderFoundinthefileAndroidManifest.xml51
Vulnerabilitydescription
Oneormoreoftheapplication’scontentprovidersarenotprotectedbysignaturepermissioninAndroidManifest.xmlfileandcanbeexported.Forapplicationsthatseteitherandroid:minSdkVersionorandroid:targetSdkVersionto"17"andhigher,alloftheprovidersarenon-exportedbydefaultunlesstheandroid:exportedattributeissetto"true"oranintent-filterelementisdefined.Forapplicationsthatseteitherandroid:minSdkVersionorandroid:targetSdkVersionto"16"orlower,adefaultexportedstatusistrue.Usingamalwareapplication,anattackercanreadorwritetheexportedcontentprovider,whichcanleadtoleakageofsensitiveinformationorunpredictableapplicationbehavior.Toenablethemostrestrictiveandthereforesecurepolicy,youshouldminimizethenumberofexportedintentsbyexplicitlysettingthe“exported”flagtofalse,orbyusingsignaturepermissions.
Remediation
Setexported=falseforallbroadcastreceiversthatshouldnotbestartedbythird-partyapplicationsatall.
Links
https://cwe.mitre.org/data/definitions/926.html
ExportedactivityFoundinthefileAndroidManifest.xml22 23 24 25 26
27
Vulnerabilitydescription
Oneormoreoftheapplication’sactivitiesarenotprotectedbysignaturepermissionintheAndroidManifest.xmlfileandcanbeexported.Allactivitiesarenon-exportedbydefault,unlesstheandroid:exportedattributeissetto"true"ortheintent-filterelementisdefined.Usingamalwareapplication,anattackercansendarbitrarydatatoanexportedactivity,whichcanleadtodataspoofingorevencodeexecution.Forexample,suchactivitiesasWebViewscanbevulnerabletoJavaScriptinjectionattacks,contentspoofingorclickjacking.DespitethefactthatActivitiesarelessexploitablethanServices,it'sstillhighlyrecommendedtocheckallthedatapassedtothem.Tosecuretheapplicationitisrecommendedtominimizethenumberofexportedintentsbyexplicitlysettingthe“exported”flagtofalse,orusesignaturepermissions.
Remediation
Makesureyouareexportingonlyactivitiesthatreallyneedtheabilitytobestartedbyanythird-partyapplication;orcreatepermissionsusingtheandroid:protectionLevel=”signature”parameterintheAndroidManifest.xmlfileforallactivitiesthatareintendedtobestartedonlybyyourapplication,andsettheparameterexported=falseforallactivitiesthatmaynotbestartedbythird-partyapplicationsatall.
Links
https://cwe.mitre.org/data/definitions/926.html
-
Links
https://cwe.mitre.org/data/definitions/926.html
ExportedactivityFoundinthefileAndroidManifest.xml34 35 36 37 38
39
Vulnerabilitydescription
Oneormoreoftheapplication’sactivitiesarenotprotectedbysignaturepermissionintheAndroidManifest.xmlfileandcanbeexported.Allactivitiesarenon-exportedbydefault,unlesstheandroid:exportedattributeissetto"true"ortheintent-filterelementisdefined.Usingamalwareapplication,anattackercansendarbitrarydatatoanexportedactivity,whichcanleadtodataspoofingorevencodeexecution.Forexample,suchactivitiesasWebViewscanbevulnerabletoJavaScriptinjectionattacks,contentspoofingorclickjacking.DespitethefactthatActivitiesarelessexploitablethanServices,it'sstillhighlyrecommendedtocheckallthedatapassedtothem.Tosecuretheapplicationitisrecommendedtominimizethenumberofexportedintentsbyexplicitlysettingthe“exported”flagtofalse,orusesignaturepermissions.
Remediation
Makesureyouareexportingonlyactivitiesthatreallyneedtheabilitytobestartedbyanythird-partyapplication;orcreatepermissionsusingtheandroid:protectionLevel=”signature”parameterintheAndroidManifest.xmlfileforallactivitiesthatareintendedtobestartedonlybyyourapplication,andsettheparameterexported=falseforallactivitiesthatmaynotbestartedbythird-partyapplicationsatall.
Links
https://cwe.mitre.org/data/definitions/926.html
ExportedactivityFoundinthefileAndroidManifest.xml8 9 10 11 12 13
14 15
Vulnerabilitydescription
Oneormoreoftheapplication’sactivitiesarenotprotectedbysignaturepermissionintheAndroidManifest.xmlfileandcanbeexported.Allactivitiesarenon-exportedbydefault,unlesstheandroid:exportedattributeissetto"true"ortheintent-filterelementisdefined.Usingamalwareapplication,anattackercansendarbitrarydatatoanexportedactivity,whichcanleadtodataspoofingorevencodeexecution.Forexample,suchactivitiesasWebViewscanbevulnerabletoJavaScriptinjectionattacks,contentspoofingorclickjacking.DespitethefactthatActivitiesarelessexploitablethanServices,it'sstillhighlyrecommendedtocheckallthedatapassedtothem.Tosecuretheapplicationitisrecommendedtominimizethenumber
Remediation
Makesureyouareexportingonlyactivitiesthatreallyneedtheabilitytobestartedbyanythird-partyapplication;orcreatepermissionsusingtheandroid:protectionLevel=”signature”parameterintheAndroidManifest.xmlfileforallactivitiesthatareintendedtobestartedonlybyyourapplication,andsettheparameterexported=falseforallactivitiesthatmaynotbestartedbythird-partyapplicationsatall.
https://cwe.mitre.org/data/definitions/926.htmlhttps://cwe.mitre.org/data/definitions/926.html
-
ofexportedintentsbyexplicitlysettingthe“exported”flagtofalse,orusesignaturepermissions.
Links
https://cwe.mitre.org/data/definitions/926.html
ExportedserviceFoundinthefileAndroidManifest.xml46 47 48 49
50
Vulnerabilitydescription
Oneormoreoftheapplication’sservicesarenotprotectedbysignaturepermissionintheAndroidManifest.xmlfileandcanbeexported.Alloftheservicesarenon-exportedbydefault,unlesstheandroid:exportedattributeissetto"true"oranintent-filterelementisdefined.Usingamalwareapplication,anattackercansendarbitrarydatatotheexportedService,whichcanleadtoinvocationofothercomponentsoftheapplicationortocodeexecution.Forexample,ifaservicecansendfilesviaemailandafilepathispassedtotheserviceasaparameteranattackercanchooseanyfileownedbytherunningapplicationandsendittoanarbitraryemail.ServicesarethemostexploitablecomponentamongotherIntents,soit'shighlyrecommendedtocheckallthedatapassedtothem.Toenablethemostrestrictive,andthereforesecurepolicy,youshouldminimizethenumberofexportedintentsbyexplicitlysettingthe“exported”flagtofalse,orbyusingsignaturepermissions.
Remediation
Makesureyouareonlyexportingservicesthatreallyneedtheabilitytobestartedbyanythird-partyapplications;orcreateapermissionwithandroid:protectionLevel=”signature”intheAndroidManifest.xmlfileanduseitforallservicesthataretobestartedonlybyyourapplications,settingexported=falseforallservicesthatshouldnotbestartedbythird-partyapplicationsatall.
Links
https://cwe.mitre.org/data/definitions/926.html
UseofsetJavaScriptEnabledFoundinthefileoversecured/ovaa/activities/WebViewActivity.java18
privatevoidsetupWebView(WebViewwebView){19
webView.setWebChromeClient(newWebChromeClient());20
webView.setWebViewClient(newWebViewClient());21
webView.getSettings().setJavaScriptEnabled(true);22
webView.getSettings().setAllowFileAccessFromFileURLs(true);23 }24
}
Vulnerabilitydescription
TheapplicationhastheWebSettingssetJavaScriptEnabledmethodsettoTrue.The“setJavaScriptEnabled”methodallowsexecutionofJavaScriptinthecontextofarunningapplication.PerformingaMan-in-the-Middleattackortamperingwithaserverresponse,anattackerisabletoinjectandexecutearbitraryJavaScriptcode.Thiscanleadtoinformationleakageorremotecodeexecution.It'snotrecommendedtousesetJavaScriptEnabledunlessabsolutelynecessary.Disablethissettingtoenforcesecurity.
Remediation
SetsetJavaScriptEnabledtoFalse,ormakesureserverdatauseanencryptedchannel(usinghttpsandcorrectcertificateverification)andtherearenovulnerabilitiesintheserverpartoftheapplication.
https://cwe.mitre.org/data/definitions/926.htmlhttps://cwe.mitre.org/data/definitions/926.html
-
Links
https://www.owasp.org/index.php/Mobile_Top_10_2014-M7http://oasam.org/en/oasam/oasam-dv-data-validation/oasam-dv-001-cross-site-scripting
VulnerablehashalgorithmsFoundinthefileorg/apache/commons/io/input/MessageDigestCalculatingInputStream.java37
}3839
publicMessageDigestCalculatingInputStream(InputStreampStream)throwsNoSuchAlgorithmException{40
this(pStream,MessageDigest.getInstance("MD5"));41 }4243
publicMessageDigestgetMessageDigest(){
Vulnerabilitydescription
Theapplicationusesoneormoreofbrokenhashfunctions.Duetoseveralcriticalflaws,suchascollisions,preimages,it'snotrecommendedtousethisfunctions.
Remediation
UseSHA-256orbetter,insteadofotherhashingalgorithms.
Links
https://www.owasp.org/index.php/Mobile_Top_10_2014-M6
Allrightsreservedbyoversecured.com
https://www.owasp.org/index.php/Mobile_Top_10_2014-M7http://oasam.org/en/oasam/oasam-dv-data-validation/oasam-dv-001-cross-site-scriptinghttps://www.owasp.org/index.php/Mobile_Top_10_2014-M6
