oversecured.com
A mobile application vulnerability scanner, designed for DevOps process integration, that is built to protect your customers' privacy and defend their devices against modern threats.

ovaa-debug.apk
Package: oversecured.ovaa    Version: 1.0

Statistics: 42 vulnerabilities found

High severity vulnerabilities: 16 (37%). Can lead to user data being leaked and to a serious violation of the user's privacy.
Medium severity vulnerabilities: 15 (36%). May affect the app's level of protection and reduce the level of security.
Low severity vulnerabilities: 11 (27%). Violate best practices.
List of vulnerabilities

 #   Category                                                                                  Level    Amount
 1   Arbitrary Code Execution                                                                  High     1
 2   Memory Corruption                                                                         High     1
 3   Theft of arbitrary files                                                                  High     2
 4   Ability to start arbitrary components                                                     High     1
 5   Cross-site Scripting                                                                      High     1
 6   Possibility of access to arbitrary content providers                                      High     1
 7   Using an implicit intent in sendBroadcast                                                 High     1
 8   Hardcoded password or token                                                               High     1
 9   Insecure activity start                                                                   High     1
10   Internet service address substitution                                                     High     1
11   Loading an arbitrary class                                                                High     1
12   Insecure storage of device logs                                                           High     1
13   Use of bypassable host check                                                              High     1
14   Use of setResult for exported activity                                                    High     1
15   Debuggable attribute is set to true                                                       High     1
16   Deletion of arbitrary files                                                               Medium   1
17   Information Leakage                                                                       Medium   2
18   Fake HTTP request                                                                         Medium   1
19   Passing infected data to a native method                                                  Medium   1
20   Password storage on the device                                                            Medium   1
21   Use of insecure HTTP protocol                                                             Medium   1
22   Storing data on the SD card                                                               Medium   2
23   Fake file path                                                                            Medium   3
24   File access from file URIs is enabled for WebView                                         Medium   1
25   Content access is enabled for WebView                                                     Medium   1
26   File access is enabled for WebView                                                        Medium   1
27   Application backup is allowed                                                             Low      1
28   Using an implicit intent for starting an activity without potentially sensitive information  Low   3
29   Exported content provider                                                                 Low      1
30   Exported activity                                                                         Low      3
31   Exported service                                                                          Low      1
32   Use of setJavaScriptEnabled                                                               Low      1
33   Vulnerable hash algorithms                                                                Low      1
Vulnerabilities in the code
Arbitrary Code Execution
Found in the file oversecured/ovaa/OversecuredApplication.java

    }

    private void invokePlugins() {
        for (PackageInfo info : getPackageManager().getInstalledPackages(0)) {
            String packageName = info.packageName;
            Bundle meta = info.applicationInfo.metaData;
            if (packageName.startsWith("oversecured.plugin.") && meta.getInt("version", -1) >= 10) {
                try {
                    // 3 == Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY:
                    // code from a package signed by anyone is loaded into this process.
                    createPackageContext(packageName, 3).getClassLoader()
                            .loadClass("oversecured.plugin.Loader")
                            .getMethod("loadMetadata", Context.class)
                            .invoke(null, this);
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            }
        }
    }
Vulnerability description
Arbitrary code execution gives an attacker unrestricted capabilities and the ability to perform any action in the context of the attacked application. The attacker thus gains access to all the application's functions and to any sensitive information to which the application has access. Here every installed package whose name starts with "oversecured.plugin." (and passes the meta-data version check) is loaded into the app's process with CONTEXT_IGNORE_SECURITY, which disables the check that the package is signed with the app's own certificate, and its oversecured.plugin.Loader.loadMetadata() method is invoked. A malicious app only needs to choose such a package name.
Remediation
To avoid arbitrary code execution, the application should sanitize all received data or change its architecture to prevent unintended access to sensitive components. For plugin-style loading, only load code from packages whose signing certificate the app has verified, and never pass CONTEXT_IGNORE_SECURITY to createPackageContext().
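The following is an added example, not code from OVAA or from Oversecured, of the remediation above: plugin discovery is kept, but code is loaded only from packages whose signing certificate matches a pinned SHA-256 fingerprint, and CONTEXT_IGNORE_SECURITY is dropped. The class name PluginLoader, the constant TRUSTED_PLUGIN_CERT_SHA256 (a placeholder value) and the method names are this example's own.

```java
// Added example (not OVAA's code): load plugin code only from a trusted signer.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import java.security.MessageDigest;
import java.util.Locale;

public final class PluginLoader {
    // Placeholder (assumption): replace with the SHA-256 of the real plugin signing certificate.
    private static final String TRUSTED_PLUGIN_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private PluginLoader() {}

    /** Lower-case hex SHA-256 of a DER-encoded signing certificate. */
    static String fingerprint(Signature sig) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format(Locale.ROOT, "%02x", b));
        return sb.toString();
    }

    /** True only if every signer of the package matches the pinned certificate. */
    static boolean isTrustedPlugin(Context ctx, String packageName) {
        try {
            PackageManager pm = ctx.getPackageManager();
            Signature[] signers;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo pi = pm.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES);
                // Packages with several signers are refused rather than partially trusted.
                if (pi.signingInfo == null || pi.signingInfo.hasMultipleSigners()) return false;
                signers = pi.signingInfo.getApkContentsSigners();
            } else {
                @SuppressWarnings("deprecation")
                PackageInfo pi = pm.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
                signers = pi.signatures;
            }
            if (signers == null || signers.length == 0) return false;
            for (Signature s : signers) {
                if (!TRUSTED_PLUGIN_CERT_SHA256.equals(fingerprint(s))) return false;
            }
            return true;
        } catch (Exception e) {
            return false;   // unknown package or digest failure: not trusted
        }
    }

    /** Replacement for invokePlugins(): same discovery, code loaded only from trusted signers. */
    public static void loadTrustedPlugins(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        // GET_META_DATA is required for applicationInfo.metaData to be populated.
        for (PackageInfo info : pm.getInstalledPackages(PackageManager.GET_META_DATA)) {
            String pkg = info.packageName;
            if (!pkg.startsWith("oversecured.plugin.")) continue;
            Bundle meta = info.applicationInfo.metaData;
            if (meta == null || meta.getInt("version", -1) < 10) continue;
            if (!isTrustedPlugin(ctx, pkg)) continue;   // untrusted signer: never loaded
            try {
                // CONTEXT_INCLUDE_CODE alone: without CONTEXT_IGNORE_SECURITY the platform itself
                // refuses a package signed with a different certificate.
                Context plugin = ctx.createPackageContext(pkg, Context.CONTEXT_INCLUDE_CODE);
                plugin.getClassLoader()
                      .loadClass("oversecured.plugin.Loader")
                      .getMethod("loadMetadata", Context.class)
                      .invoke(null, ctx);
            } catch (Exception e) {
                // A broken plugin must not crash the host process.
                Log.w("PluginLoader", "failed to load plugin " + pkg, e);
            }
        }
    }
}
```

The signature check is the actual security boundary; the package-name prefix is only a discovery hint, since any app can pick any unused package name.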
Memory Corruption
Found in the file oversecured/ovaa/objects/MemoryCorruptionParcelable.java

            return new MemoryCorruptionParcelable[i];
        }

        public MemoryCorruptionParcelable createFromParcel(Parcel parcel) {
            return new MemoryCorruptionParcelable(parcel);
        }
    };

    private static final Gson GSON = new GsonBuilder().create();
    public Object data;

    private MemoryCorruptionParcelable(Parcel parcel) {
        try {
            // Both the JSON payload and the target class name are read from the Parcel.
            this.data = GSON.fromJson(parcel.readString(), Class.forName(parcel.readString()));
        } catch (ClassNotFoundException e) {
            throw new RuntimeException(e);
        }
    }
Vulnerability description
The attacker controls a native address that the application dereferences or otherwise uses, which may lead to memory corruption in the application. In some cases this is a precursor to the execution of arbitrary code.
Remediation
It is recommended to take measures to prevent the attacker from controlling native addresses in any way.
Theft of arbitrary files
Found in the file oversecured/ovaa/activities/MainActivity.java

    findViewById(2131165275).setOnClickListener(new OnClickListener() {
        public void onClick(View view) {
            MainActivity.this.checkPermissions();
            // Implicit intent: any app with a matching intent-filter can answer the pick.
            Intent pickerIntent = new Intent("android.intent.action.PICK");
            pickerIntent.setType("image/*");
            MainActivity.this.startActivityForResult(pickerIntent, 1001);
        }
    });
    findViewById(2131165251).setOnClickListener(new OnClickListener() {

Found in the file oversecured/ovaa/activities/MainActivity.java

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (resultCode == -1 && data != null && requestCode == 1001) {   // -1 == RESULT_OK
            FileUtils.copyToCache(this, data.getData());                  // URI chosen by the responder
        }
    }

Found in the file oversecured/ovaa/utils/FileUtils.java

        file.delete();
    }

    public static File copyToCache(Context context, Uri uri) {
        try {
            File externalCacheDir = context.getExternalCacheDir();
            File out = new File(externalCacheDir, "" + System.currentTimeMillis());
            InputStream i = context.getContentResolver().openInputStream(uri);
            OutputStream o = new FileOutputStream(out);
            IOUtils.copy(i, o);
            i.close();
            o.close();
            return out;

Found in the file org/apache/commons/io/IOUtils.java

    public static int copy(InputStream input, OutputStream output) throws IOException {
        long count = copyLarge(input, output);
        if (count > 2147483647L) {
            return -1;
        }
        return (int) count;
    }

    public static long copy(InputStream input, OutputStream output, int bufferSize) throws IOException {
        return copyLarge(input, output, new byte[bufferSize]);
    }

    public static long copyLarge(InputStream input, OutputStream output) throws IOException {
        return copy(input, output, 4096);
    }

    public static long copyLarge(InputStream input, OutputStream output, byte[] buffer) throws IOException {
        long count = 0;
        while (true) {
            int read = input.read(buffer);
            int n = read;
            if (-1 == read) {
                return count;
            }
            output.write(buffer, 0, n);
            count += (long) n;
        }
    }
Vulnerability description
An attacker has the ability to obtain the contents of arbitrary files to which a legitimate app has access. Most often, the interesting files will be stored in /data/data/<package>/* directories, which may include, for instance, user content or authentication tokens, but an attacker may also use this vulnerability to obtain user documents stored on the same device. Here the image picker is started with an implicit ACTION_PICK intent, so a malicious app can answer it with a file:// or content:// URI of its choosing, including one that points at this app's own private files; copyToCache() then reads that URI through the app's ContentResolver and writes the contents into the external cache directory, where other apps can read them.
Remediation
The developer must validate the path or URI of every file the app is asked to process, and must not accept a path that points outside the directory it intends to serve.
Links
https://cwe.mitre.org/data/definitions/359.html
https://cwe.mitre.org/data/definitions/20.html
Theft of arbitrary files
Found in the file AndroidManifest.xml, line 51

Found in the file oversecured/ovaa/providers/TheftOverwriteProvider.java

    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        // 805306368 == ParcelFileDescriptor.MODE_READ_WRITE; the file name comes from the caller.
        return ParcelFileDescriptor.open(new File(Environment.getExternalStorageDirectory(), uri.getLastPathSegment()), 805306368);
    }
}
Vulnerability description
An attacker has the ability to obtain the contents of arbitrary files to which a legitimate app has access. Most often, the interesting files will be stored in /data/data/<package>/* directories, which may include, for instance, user content or authentication tokens, but an attacker may also use this vulnerability to obtain user documents stored on the same device. Here the exported provider opens, for any caller and in read-write mode, a file on external storage whose name is the last path segment of the requested URI. Because Uri.getLastPathSegment() returns the segment URL-decoded, a single segment containing encoded dot-dot and slash sequences (..%2F) becomes a relative path that escapes the directory, so any file the app itself can read or write is exposed to both reading and overwriting (hence the class name TheftOverwriteProvider).
Remediation
The developer must validate the path of every file the app is asked to open, and must not accept a name that resolves outside the directory it intends to serve.
Links
https://cwe.mitre.org/data/definitions/359.html
https://cwe.mitre.org/data/definitions/20.html
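The following is an added example, not OVAA's code, of the path check both "Theft of arbitrary files" findings lack: an untrusted file name is resolved against a base directory and accepted only if its canonical path stays inside that directory. The class SafePaths, the helper resolveInside() and the hostile sample names in main() are this example's own; it runs on any JVM and needs no Android classes.

```java
// Added example (not OVAA's code): confine an untrusted file name to a base directory.
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public final class SafePaths {
    private SafePaths() {}

    /**
     * Returns new File(base, untrusted) only if its canonical path is strictly inside base.
     * Rejects separators, dot segments, absolute paths and symlinks that point outside base.
     */
    public static File resolveInside(File base, String untrusted) throws IOException {
        if (untrusted == null || untrusted.isEmpty()) throw new IOException("empty name");
        // A "last path segment" may still contain slashes, because Uri.getLastPathSegment()
        // URL-decodes (%2F becomes '/'), so separators are refused outright.
        if (untrusted.indexOf('/') >= 0 || untrusted.indexOf('\\') >= 0 || untrusted.indexOf('\0') >= 0) {
            throw new IOException("separator in file name");
        }
        if (".".equals(untrusted) || "..".equals(untrusted)) throw new IOException("dot segment");
        String baseCanon = base.getCanonicalPath();
        File candidate = new File(base, untrusted);
        String candCanon = candidate.getCanonicalPath();   // resolves symlinks and ".." on the real filesystem
        if (!candCanon.startsWith(baseCanon + File.separator)) {
            throw new IOException("path escapes base directory");
        }
        return candidate;
    }

    /** Demo on a temporary directory; the hostile names are constructed for this example. */
    public static void main(String[] args) throws IOException {
        File base = Files.createTempDirectory("shared").toFile();
        String[] names = {
            "report.txt",                                               // accepted
            "../../data/data/oversecured.ovaa/shared_prefs/prefs.xml",  // traversal: rejected
            "..",                                                       // parent directory: rejected
            "/etc/hosts",                                               // absolute path: rejected
        };
        for (String n : names) {
            try {
                System.out.println("OK   " + resolveInside(base, n));
            } catch (IOException e) {
                System.out.println("DENY " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

In the provider, openFile() would call resolveInside(sharedDir, uri.getLastPathSegment()) and open the result read-only; copyToCache() should additionally write to getCacheDir() (app-private) rather than getExternalCacheDir(), and should only accept URIs from a picker it started with an explicit or system-provided component.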
Ability to start arbitrary components
Found in the file AndroidManifest.xml, lines 22-27

Found in the file oversecured/ovaa/activities/LoginActivity.java

    }

    private void onLoginFinished() {
        // A complete Intent supplied by whoever started LoginActivity is launched as this app.
        Intent redirectIntent = (Intent) getIntent().getParcelableExtra("redirect_intent");
        if (redirectIntent != null) {
            startActivity(redirectIntent);
        } else {
            startActivity(new Intent(this, MainActivity.class));
        }
Vulnerability description
An attacker has the ability to start components in the name of the app, which lets him bypass Android's built-in protection and gain access to any activity or service, even an unexported one. The attack may come from any app installed on the same device, or from a malicious website if the Intent.parseUri() method is used, because one of the exported components receives a nested Intent and passes it to startActivity/startActivityForResult/startService without the necessary checks. Here the nested Intent is the "redirect_intent" extra of LoginActivity.
Remediation
The app must refrain from passing Intents received from outside directly to system methods like startActivity, startService, etc. Instead, it should construct the Intent itself and explicitly define the receiving component.
Links
https://cwe.mitre.org/data/definitions/926.html
https://cwe.mitre.org/data/definitions/940.html
Cross-site Scripting
Found in the file AndroidManifest.xml, lines 8-15

Found in the file oversecured/ovaa/activities/DeeplinkActivity.java

    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        this.loginUtils = LoginUtils.getInstance(this);
        Intent intent = getIntent();
        if (intent != null && "android.intent.action.VIEW".equals(intent.getAction())) {
            Uri data = intent.getData();
            Uri uri = data;
            if (data != null) {
                processDeeplink(uri);
            }
        }
        finish();
    }

    private void processDeeplink(Uri uri) {
        String url;
        String host;
        if ("oversecured".equals(uri.getScheme()) && "ovaa".equals(uri.getHost())) {
            String path = uri.getPath();
            if ("/logout".equals(path)) {
                this.loginUtils.logout();
                startActivity(new Intent(this, EntranceActivity.class));
            } else if ("/login".equals(path)) {
                String url2 = uri.getQueryParameter("url");
                if (url2 != null) {
                    this.loginUtils.setLoginUrl(url2);
                }
                startActivity(new Intent(this, EntranceActivity.class));
            } else if ("/grant_uri_permissions".equals(path)) {
                Intent i = new Intent("oversecured.ovaa.action.GRANT_PERMISSIONS");
                if (getPackageManager().resolveActivity(i, 0) != null) {
                    startActivityForResult(i, 1003);
                }
            } else if ("/webview".equals(path)
                    && (url = uri.getQueryParameter("url")) != null
                    && (host = Uri.parse(url).getHost()) != null
                    && host.endsWith("example.com")) {       // suffix check, see "Use of bypassable host check"
                Intent i2 = new Intent(this, WebViewActivity.class);
                i2.putExtra("url", url);
                startActivity(i2);
            }
        }
    }

Found in the file oversecured/ovaa/activities/WebViewActivity.java

    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(2131361822);
        WebView webView = (WebView) findViewById(2131165372);
        setupWebView(webView);
        webView.loadUrl(getIntent().getStringExtra("url"));   // URL taken from the deep link
    }

    private void setupWebView(WebView webView) {
        webView.setWebChromeClient(new WebChromeClient());
        webView.setWebViewClient(new WebViewClient());
        webView.getSettings().setJavaScriptEnabled(true);
        webView.getSettings().setAllowFileAccessFromFileURLs(true);
    }
}
Vulnerability description
XSS or Cross-site scripting is a kind of attack where malicious scripts are inserted into a WebView page. In most cases the inputs received from untrusted sources like public broadcast receivers, unprotected activities, or world-readable/writable directories are not properly filtered and are output directly onto the page that is being rendered within the WebView. JavaScript will be executed when the developer has allowed it explicitly via WebSettings.setJavaScriptEnabled(true) (by default it is disabled). In other cases, the issue can still be used for content spoofing (content injection). Execution of malicious scripts might cause unintended information leakage, modification of settings on the server side via bypassed CSRF protection, and more. On mobile there is a risk that the script may access JavaScript interfaces that are intended for communication between the application and scripts running inside the WebView, thus exposing internal application logic and functionality. Here the URL loaded into the WebView comes from the oversecured://ovaa/webview?url= deep link, guarded only by a host suffix check, and the WebView has both JavaScript and file access from file URLs enabled.
Remediation
Before insertion, client data should be correctly escaped using methods like URLEncoder.encode(), so that all metacharacters are encoded. In other cases, XSS is the result of insecure application architecture, when the app trusts data received from unprotected inputs. For a WebView that loads externally supplied URLs, validate the URL against an allowlist before loading it and disable file and content access in the WebSettings.
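The following is an added example, not OVAA's code, of a hardened replacement for WebViewActivity: the WebSettings the report flags (JavaScript plus file access from file URLs, and the related "Content access" and "File access" findings) are set the safe way, the incoming URL is checked for an exact scheme and host before anything is loaded, and in-page navigation is kept on that host. The class HardenedWebViewActivity and the constant ALLOWED_HOST are this example's own.

```java
// Added example (not OVAA's code): WebView that only loads an exact, pre-approved https origin.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class HardenedWebViewActivity extends Activity {
    // Assumption for this example: one exact host, never a suffix such as "example.com".
    private static final String ALLOWED_HOST = "www.example.com";

    /** Exact match on scheme and host; refuses userinfo, explicit ports and backslashes. */
    static boolean isAllowed(String url) {
        if (url == null || url.indexOf('\\') >= 0) return false;   // WebView treats '\' as '/'
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme())
                && ALLOWED_HOST.equals(u.getHost())
                && u.getUserInfo() == null
                && u.getPort() == -1;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        setupWebView(webView);

        String url = getIntent().getStringExtra("url");
        if (!isAllowed(url)) {      // decide before the first load, not after
            finish();
            return;
        }
        webView.loadUrl(url);
    }

    private void setupWebView(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);               // only if the page really needs it
        s.setAllowFileAccess(false);                // no file:// loads at all
        s.setAllowContentAccess(false);             // no content:// loads (this app's providers included)
        s.setAllowFileAccessFromFileURLs(false);    // the setting OVAA turned on
        s.setAllowUniversalAccessFromFileURLs(false);
        webView.setWebViewClient(new WebViewClient() {
            // Block top-level navigation (including redirects) away from the allowed origin.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl().toString());   // true == do not load
            }
        });
        // Deliberately no addJavascriptInterface(): the page gets no bridge into the app.
    }
}
```

With file and content access off, a script that does run on the allowed page can no longer read file:///data/data/... or this app's content providers, which is what made the original configuration high severity rather than a plain web XSS.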
Links
https://www.owasp.org/index.php/Mobile_Top_10_2014-M7
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf
Possibility of access to arbitrary content providers
Found in the file AndroidManifest.xml, lines 8-15

Found in the file oversecured/ovaa/activities/DeeplinkActivity.java (the /grant_uri_permissions and /webview branches of processDeeplink() are listed in full under Cross-site Scripting above)

            } else if ("/grant_uri_permissions".equals(path)) {
                Intent i = new Intent("oversecured.ovaa.action.GRANT_PERMISSIONS");   // implicit: any app may answer
                if (getPackageManager().resolveActivity(i, 0) != null) {
                    startActivityForResult(i, 1003);
                }
            } else if ("/webview".equals(path)
                    && (url = uri.getQueryParameter("url")) != null
                    && (host = Uri.parse(url).getHost()) != null
                    && host.endsWith("example.com")) {
                Intent i2 = new Intent(this, WebViewActivity.class);
                i2.putExtra("url", url);
                startActivity(i2);
            }
        }
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (resultCode == -1 && requestCode == 1003) {   // -1 == RESULT_OK
            setResult(resultCode, data);                  // the responder's Intent, flags and data included, is forwarded
        }
    }
}
Vulnerability description
The app starts an activity, and an attacker has the ability to handle the call (for example, because the Intent is implicit, or because the handling activity can otherwise be controlled). Flags are also set on an Intent permitting Uri access via FLAG_GRANT_READ_URI_PERMISSION, FLAG_GRANT_WRITE_URI_PERMISSION, etc., and the attacker has the ability to control the Uri that is passed. If all these conditions are met, the app that receives the Intent gains access to any content provider of the victim app that has android:exported="false" but android:grantUriPermissions="true". Here the Intent that carries the flags is the result of the implicit GRANT_PERMISSIONS activity start, which DeeplinkActivity returns unchanged through setResult() to whichever app opened the deep link.
Remediation
The developer should restrict the ability to set an arbitrary Uri in the Intent's data parameter, or else remove the flags granting read and write access from the Intent in question before passing it on.
Links
https://developer.android.com/reference/android/content/Intent#FLAG_GRANT_READ_URI_PERMISSION
https://developer.android.com/reference/android/content/Intent#FLAG_GRANT_WRITE_URI_PERMISSION
Using an implicit intent in sendBroadcast
Found in the file oversecured/ovaa/activities/MainActivity.java

    });
    findViewById(2131165251).setOnClickListener(new OnClickListener() {
        public void onClick(View view) {
            Intent i = new Intent("oversecured.ovaa.action.UNPROTECTED_CREDENTIALS_DATA");
            i.putExtra("payload", MainActivity.this.loginUtils.getLoginData());   // email and password
            MainActivity.this.sendBroadcast(i);                                    // no package, no permission
        }
    });
    findViewById(2131165241).setOnClickListener(new OnClickListener() {
Vulnerability description
An implicit Intent is used, without a signature permission, to send a broadcast to another component of the application. Using an implicit Intent without signature protection when sending a broadcast allows any third-party application installed on the same device to intercept or hijack the information passed between components, which can lead to leakage of sensitive information or to falsification of data broadcast between components of the application. Here the broadcast payload is the LoginData object returned by LoginUtils.getLoginData(), that is, the stored email and password.
Remediation
Always use explicit Intents for broadcasting data within the same application (setPackage() or setClass() on the Intent). If another app must receive the broadcast, protect it with a signature-level permission.
Links
https://cwe.mitre.org/data/definitions/927.html
Hardcoded password or token
Found in the file oversecured/ovaa/utils/WeakCrypto.java

    public static String encrypt(String data) {
        try {
            // The AES key is a literal in the APK.
            SecretKeySpec secretKeySpec = new SecretKeySpec("49u5gh249gh24985ghf429gh4ch8f23f".getBytes(), "AES");
            Cipher instance = Cipher.getInstance("AES");        // "AES" alone means AES/ECB/PKCS5Padding
            instance.init(1, secretKeySpec);                    // 1 == Cipher.ENCRYPT_MODE
            return Base64.encodeToString(instance.doFinal(data.getBytes()), 0);   // 0 == Base64.DEFAULT
        } catch (Exception e) {
            return "";
Vulnerability description
A hardcoded token or password was found. It might be used by an attacker to access restricted services, which will cause information leakage, unwanted server setting changes, or other kinds of unrestricted service access or modification. Here the value is a 32-byte AES key embedded in the APK: anyone with a copy of the app can decrypt everything it encrypts, and the cipher is used in ECB mode with no IV and no authentication tag.
Remediation
The developer should not hardcode such sensitive data, to prevent leakage. Keys should be generated on the device and kept in the Android Keystore, and an authenticated mode such as AES-GCM should be used.
Links
https://cwe.mitre.org/data/definitions/312.html
Insecure activity start
Found in the file oversecured/ovaa/activities/MainActivity.java

    findViewById(2131165241).setOnClickListener(new OnClickListener() {
        public void onClick(View view) {
            String token = WeakCrypto.encrypt(MainActivity.this.loginUtils.getLoginData().toString());
            Intent i = new Intent("oversecured.ovaa.action.WEBVIEW");              // implicit action
            i.putExtra("url", "http://example.com./?token=" + token);              // credentials in the URL
            IntentUtils.protectActivityIntent(MainActivity.this, i);
            MainActivity.this.startActivity(i);
        }
    });
}

Found in the file oversecured/ovaa/utils/IntentUtils.java

    private IntentUtils() {
    }

    public static void protectActivityIntent(Context context, Intent intent) {
        // Takes whichever activity the system lists first for the implicit Intent.
        Iterator<ResolveInfo> it = context.getPackageManager().queryIntentActivities(intent, 0).iterator();
        if (it.hasNext()) {
            ResolveInfo info = it.next();
            intent.setClassName(info.activityInfo.packageName, info.activityInfo.name);
        }
    }
}
Vulnerability description
Using an implicit activity start is dangerous since the component is not set and the Android OS asks the user what to start. Using a malware application, an attacker can register his own activity with the action from the Intent in AndroidManifest.xml and specify a priority of 999 in the intent-filter. When startActivity or its equivalent is executed, a dialog with the set of all possible applications will be shown with the malware in first place. If the user selects the fake application, the activity start with its Intent extras will be hijacked, and in most cases this leads to disclosure of sensitive information. In the case of startActivityForResult, there is an additional risk related to the returned data: when the call is hijacked, the attacker's activity may use a setResult(...) call to transmit arbitrary data to the onActivityResult() method of the victim activity, which will cause content spoofing. Here IntentUtils.protectActivityIntent() makes the Intent explicit, but it does so by taking the first activity that queryIntentActivities() returns for the implicit action, so a malicious app whose intent-filter sorts first is chosen silently, without even the chooser dialog; the Intent carries the user's encrypted login data in the "url" extra.
Remediation
Always use explicit Intents to start activities, using the setComponent, setPackage, setClass or setClassName methods of the Intent class with a component or package the app chooses itself, not one obtained by resolving an implicit Intent.
Links
https://cwe.mitre.org/data/definitions/927.html
https://people.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
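The following is an added example, not OVAA's code, covering this finding and "Using an implicit intent in sendBroadcast" above: each implicit Intent the report flags is shown beside an explicit replacement, and the first-match resolution in IntentUtils.protectActivityIntent() is replaced by pinning the package the app expects. The class ExplicitIntents, its method names and the placeholder WebViewActivity are this example's own.

```java
// Added example (not OVAA's code): explicit Intents for broadcasts and activity starts.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import java.util.List;

public final class ExplicitIntents {
    private ExplicitIntents() {}

    // 1. A broadcast that must stay inside this app (the UNPROTECTED_CREDENTIALS_DATA case).
    public static void sendInternalBroadcast(Context ctx, Intent payload) {
        payload.setPackage(ctx.getPackageName());   // explicit: receivers of other apps never match
        ctx.sendBroadcast(payload);
        // If another app is the intended receiver, declare a signature-level permission in the
        // manifest and use sendBroadcast(payload, "com.example.permission.NAME") instead.
    }

    // 2. An activity of this app (the WEBVIEW case): name the class, do not resolve an action.
    public static void openOwnWebView(Activity from, String url) {
        Intent i = new Intent(from, WebViewActivity.class);
        i.putExtra("url", url);
        from.startActivity(i);
    }

    // 3. An activity of a specific other app: restrict resolution to that package before querying,
    //    so the first match cannot be a malicious app that registered the same action.
    public static boolean startInPinnedPackage(Activity from, Intent implicit, String expectedPackage) {
        implicit.setPackage(expectedPackage);
        List<ResolveInfo> matches = from.getPackageManager().queryIntentActivities(implicit, 0);
        if (matches.isEmpty()) return false;        // not installed: do nothing, show no chooser
        ResolveInfo info = matches.get(0);          // guaranteed to belong to expectedPackage
        implicit.setClassName(info.activityInfo.packageName, info.activityInfo.name);
        from.startActivity(implicit);
        return true;
    }

    // Placeholder so the example compiles stand-alone; OVAA's WebViewActivity is its own class.
    public static class WebViewActivity extends Activity {}
}
```

Package names are unique per device, so setPackage() is a real restriction; if the other app's identity matters (it will receive data), its signing certificate should be verified as well, as in the plugin example above.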
Internet service address substitution
Found in the file AndroidManifest.xml, lines 8-15

Found in the file oversecured/ovaa/activities/DeeplinkActivity.java (processDeeplink() is listed in full under Cross-site Scripting above); the relevant branch is:

            } else if ("/login".equals(path)) {
                String url2 = uri.getQueryParameter("url");
                if (url2 != null) {
                    this.loginUtils.setLoginUrl(url2);   // attacker-supplied URL is persisted
                }
                startActivity(new Intent(this, EntranceActivity.class));

Found in the file oversecured/ovaa/utils/LoginUtils.java

        return new LoginData(this.preferences.getString("email", null), this.preferences.getString("password", null));
    }

    public void setLoginUrl(String url) {
        this.editor.putString("login_url", url).commit();
    }

    public String getLoginUrl() {
        String url = this.preferences.getString("login_url", null);
        if (!TextUtils.isEmpty(url)) {
            return url;
        }
        String url2 = this.context.getString(2131492892);
        this.editor.putString("login_url", url2).commit();

Found in the file oversecured/ovaa/activities/LoginActivity.java

    private void processLogin(String email, String password) {
        LoginData loginData = new LoginData(email, password);
        Log.d("ovaa", "Processing " + loginData);
        RetrofitInstance.getInstance().create(LoginService.class)
                .login(this.loginUtils.getLoginUrl(), loginData)   // credentials POSTed to the stored URL
                .enqueue(new Callback() {
            @Override
            public void onResponse(Call call, Response response) {
            }

Found in the file oversecured/ovaa/network/LoginService.java

    import retrofit2.http.Url;

    public interface LoginService {
        @POST
        Call login(@Url String str, @Body LoginData loginData);
    }
Vulnerability description
An attacker has the ability to force the app to connect to an arbitrary internet service (such as a web server). This can be used by malware apps on the same device to make internet requests without the corresponding permission (android.permission.INTERNET). In some cases this vulnerability can be used to deceive the application, leading it to think it is communicating with a legitimate server; the results can be the leakage of confidential data (such as tokens or passwords) or the display to the user of content controlled by the attacker. Here the deep link oversecured://ovaa/login?url=... stores an attacker-chosen URL in SharedPreferences, and the next login POSTs the email and password to that URL.
Remediation
The app should either protect the functionality responsible for connecting to internet services, for instance by keeping it in unexported components, or else restrict the list of servers to which a connection can be made. With a WebView there is also the option of showing the user the domain name or the full URL from which the content originates, helping the user to make sure the site address is correct.
Links
https://cwe.mitre.org/data/definitions/451.html
https://cwe.mitre.org/data/definitions/346.html
https://en.wikipedia.org/wiki/Spoofed_URL
Loading an arbitrary class
Found in the file oversecured/ovaa/objects/MemoryCorruptionParcelable.java (the constructor is listed in full under Memory Corruption above); the relevant line is:

            // The class name comes from the Parcel, i.e. from whoever built the Intent extra.
            this.data = GSON.fromJson(parcel.readString(), Class.forName(parcel.readString()));
Vulnerability description
An attacker can supply the name of a class and force the app to create and use an object of an arbitrary type. Depending on the app's business logic, this may lead to a range of consequences. If the attacker is able to use an arbitrary ClassLoader, it will be possible to execute arbitrary code.
Remediation
Make it impossible to accept a class name from an attacker: instead, enumerate all the types the app can legitimately process and select among them by a fixed identifier.
Links
https://cwe.mitre.org/data/definitions/470.html
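The following is an added example, not OVAA's code, of the remediation: the Parcel carries a short type tag instead of a class name, the tag is looked up in a closed table, and Gson only ever deserializes into one of those registered plain data classes. The class TaggedPayload, the tags and the two payload types are this example's own.

```java
// Added example (not OVAA's code): a closed type registry instead of Class.forName(parcel.readString()).
import android.os.Parcel;
import com.google.gson.Gson;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public final class TaggedPayload {
    private static final Gson GSON = new Gson();

    // The only types that may ever be produced from a Parcel.
    private static final Map<String, Class<?>> TYPES;
    static {
        Map<String, Class<?>> m = new HashMap<>();
        m.put("profile", UserProfile.class);
        m.put("settings", Settings.class);
        TYPES = Collections.unmodifiableMap(m);
    }

    public final String tag;
    public final Object data;

    private TaggedPayload(String tag, Object data) {
        this.tag = tag;
        this.data = data;
    }

    /** Construct for writing; refuses a tag/object pair that is not in the registry. */
    public static TaggedPayload of(String tag, Object data) {
        Class<?> expected = TYPES.get(tag);
        if (expected == null || !expected.isInstance(data)) {
            throw new IllegalArgumentException("unregistered payload type: " + tag);
        }
        return new TaggedPayload(tag, data);
    }

    public void writeTo(Parcel p) {
        p.writeString(tag);
        p.writeString(GSON.toJson(data));
    }

    /** Reads tag and JSON; an unknown tag is rejected before any object is created. */
    public static TaggedPayload readFrom(Parcel p) {
        String tag = p.readString();
        String json = p.readString();
        Class<?> type = TYPES.get(tag);
        if (type == null) throw new IllegalArgumentException("unregistered payload type: " + tag);
        return new TaggedPayload(tag, GSON.fromJson(json, type));   // only a registered POJO can result
    }

    // Plain data holders (example types, not OVAA's).
    public static final class UserProfile { public String name; public String email; }
    public static final class Settings { public boolean darkMode; public int fontSize; }
}
```

The registry should contain only simple data classes: Gson instantiates the target type reflectively, so registering a class whose constructor or setters have side effects would reintroduce attacker-triggered behaviour through the JSON body.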
Insecure storage of device logs
Found in the file AndroidManifest.xml, lines 46-50

Found in the file oversecured/ovaa/services/InsecureLoggerService.java

        super("InsecureLoggerService");
    }

    protected void onHandleIntent(Intent intent) {
        if (intent != null && "oversecured.ovaa.action.DUMP".equals(intent.getAction())) {
            dumpLogs(getDumpFile(intent));
        }
    }

    private File getDumpFile(Intent intent) {
        // The destination path is taken from the Intent, i.e. from the caller of the service.
        Object file = intent.getExtras().get("oversecured.ovaa.extra.file");
        if (file instanceof String) {
            return new File((String) file);
        }
        if (file instanceof File) {
            return (File) file;
        }
        throw new IllegalArgumentException();
    }

    private void dumpLogs(File toFile) {
        try {
            BufferedReader reader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("logcat -d").getInputStream()));
            BufferedWriter writer = new BufferedWriter(new FileWriter(toFile));
            while (true) {
                String line = reader.readLine();
                if (line == null) {
                    writer.flush();
                    writer.close();
                    reader.close();
                    return;
                }
                writer.append(line).append('\n');
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
Vulnerability description
The app stores device logs using a path that an attacker can read. Since Android 4.1, an app's logs are not accessible to third-party apps, but if a legitimate app itself saves them to an insecure path, an attacker can gain access to them and extract private information. Here the destination file is taken from the Intent extra oversecured.ovaa.extra.file, so the caller of the service chooses where the logcat dump is written, including world-readable locations on external storage.
Remediation
It is recommended to store logs under the app's private /data/data/<package> directory using a fixed path chosen in code, never one received from an Intent, to prevent the data from falling into the hands of an attacker.
Links
https://cwe.mitre.org/data/definitions/532.html
Use of bypassable host check
Found in the file AndroidManifest.xml, lines 8-15

Found in the file oversecured/ovaa/activities/DeeplinkActivity.java (processDeeplink() is listed in full under Cross-site Scripting above); the relevant branch is:

            } else if ("/webview".equals(path)
                    && (url = uri.getQueryParameter("url")) != null
                    && (host = Uri.parse(url).getHost()) != null
                    && host.endsWith("example.com")) {        // suffix match on a leniently parsed host
                Intent i2 = new Intent(this, WebViewActivity.class);
                i2.putExtra("url", url);
                startActivity(i2);
Vulnerability description
The app does not perform sufficiently precise checks of the host field in the URL, meaning that an attacker can bypass them. Most URL parsers do not treat a backslash (\) as a delimiter equivalent to a forward slash (/), but WebView (Chromium) automatically replaces all backslashes with forward slashes, so the host the check sees and the host the WebView connects to can differ. This means that checks like host.endsWith("legal.com") are not sufficient. The developer must also remember the userinfo part of the URL, where backslashes can also be placed: instead of checking only the host field, check the whole authority. Here host.endsWith("example.com") is additionally satisfied by any unrelated domain that merely ends in those characters, such as attackerexample.com.
Remediation
One reliable URL check is a scheme check that prohibits passing private data over the insecure HTTP protocol and only permits HTTPS. The other necessary check is of the authority part: compare the host against an allowlist of exact host names, or use a strict regular expression that excludes backslashes and other control characters, and reject URLs with a userinfo component.
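The following is an added example, not OVAA's code, that serves this finding and "Internet service address substitution" above: the host.endsWith("example.com") check from processDeeplink() is run beside a strict validator over constructed attacker URLs. lenientHost() is this example's own rough model of how a lenient parser such as android.net.Uri splits the authority (an assumption, used only to show what the weak check sees); isAllowedUrl() is the fix, and the same function, with the API hosts in ALLOWED_HOSTS, is what the /login?url= handler should apply before storing a login URL. It runs on any JVM.

```java
// Added example (not OVAA's code): suffix host check versus a strict allowlist validator.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class UrlAllowlist {
    // Assumed allowlist for this example.
    static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList("example.com", "www.example.com"));

    private UrlAllowlist() {}

    /** Model of a lenient parser: authority ends at '/', '?' or '#'; host is after the last '@', before ':'. */
    static String lenientHost(String url) {
        int schemeEnd = url.indexOf("://");
        if (schemeEnd < 0) return null;
        String rest = url.substring(schemeEnd + 3);
        int end = rest.length();
        for (char d : new char[] {'/', '?', '#'}) {
            int p = rest.indexOf(d);
            if (p >= 0 && p < end) end = p;
        }
        String authority = rest.substring(0, end);
        int at = authority.lastIndexOf('@');
        String hostPort = at >= 0 ? authority.substring(at + 1) : authority;
        int colon = hostPort.indexOf(':');
        return colon >= 0 ? hostPort.substring(0, colon) : hostPort;
    }

    /** The check OVAA uses (vulnerable). */
    static boolean weakCheck(String url) {
        String host = lenientHost(url);
        return host != null && host.endsWith("example.com");
    }

    /** Strict: RFC 3986 parse, https only, no userinfo, default port, exact host from the allowlist. */
    public static boolean isAllowedUrl(String url) {
        if (url == null || url.indexOf('\\') >= 0) return false;   // a valid URL never contains '\'
        URI u;
        try {
            u = new URI(url);                                      // throws on illegal characters
        } catch (URISyntaxException e) {
            return false;
        }
        return "https".equals(u.getScheme())
                && u.getRawUserInfo() == null
                && u.getPort() == -1
                && u.getHost() != null
                && ALLOWED_HOSTS.contains(u.getHost().toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] samples = {                                       // constructed for this example
            "https://www.example.com/login",                       // legitimate: weak=true  strict=true
            "http://attackerexample.com/",                         // suffix match: weak=true strict=false
            "http://attacker.com\\@example.com/",                  // lenient host=example.com, WebView host=attacker.com: weak=true strict=false
            "http://attacker.com/?next=example.com",               // control: weak=false strict=false
        };
        for (String s : samples) {
            System.out.printf("%-42s weak=%-5s strict=%s%n", s, weakCheck(s), isAllowedUrl(s));
        }
    }
}
```

On Android the same logic works with java.net.URI, which is available there as well; android.net.Uri is convenient for building URLs but too permissive to be the parser a security check relies on.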
Use of setResult for exported activity
Found in the file AndroidManifest.xml, lines 8-15

Found in the file oversecured/ovaa/activities/DeeplinkActivity.java (processDeeplink() is listed in full under Cross-site Scripting above); the result handler is:

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (resultCode == -1 && requestCode == 1003) {   // -1 == RESULT_OK
            setResult(resultCode, data);                  // forwarded unchanged to the activity's own caller
        }
    }
}
Vulnerability description
An exported activity returns the results of its operations (which may include private data) via setResult(). A third-party app has the ability to start this activity with startActivityForResult() and receive the Intent that is passed to setResult(). Here DeeplinkActivity forwards, unchanged, the result it received from the implicit GRANT_PERMISSIONS activity start, so the data URI and flags of that Intent (including URI permission grants) reach whichever app started the deep link.
Remediation
It is recommended that you either make the activity non-exported, thereby preventing data leakage, or else make sure that setResult() is not used to pass any important data, and that any forwarded Intent is stripped of its data URI, ClipData and URI grant flags.
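The following is an added example, not OVAA's code, that serves this finding and "Possibility of access to arbitrary content providers" above: a replacement body for DeeplinkActivity.onActivityResult() that refuses to return data to a caller outside the app and, when it does forward a result, strips the data URI, ClipData and every URI grant flag so that the forwarded Intent cannot grant access to an unexported provider. The class ResultForwarding, the extra name "granted" and the method names are this example's own.

```java
// Added example (not OVAA's code): forward a result without leaking URI grants or private data.
import android.app.Activity;
import android.content.Intent;

public final class ResultForwarding {
    private ResultForwarding() {}

    private static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    /** Builds a fresh Intent holding only the extras the caller is entitled to; never the URI or grants. */
    public static Intent stripGrants(Intent result) {
        Intent clean = new Intent();
        if (result == null) return clean;
        // Copy named extras explicitly (assumed extra "granted"); putExtras(result) would copy everything.
        if (result.hasExtra("granted")) {
            clean.putExtra("granted", result.getBooleanExtra("granted", false));
        }
        // Data URI and ClipData are the things a grant flag would apply to: never forward them.
        clean.setData(null);
        clean.setClipData(null);
        clean.setFlags(result.getFlags() & ~URI_GRANT_FLAGS);
        return clean;
    }

    /** True only if this app itself started the activity with startActivityForResult(). */
    public static boolean startedByOwnApp(Activity a) {
        String caller = a.getCallingPackage();   // null when not started for a result
        return caller != null && caller.equals(a.getPackageName());
    }

    /** Drop-in body for onActivityResult(): a sanitized result for the app's own caller, nothing for anyone else. */
    public static void forwardResult(Activity a, int resultCode, Intent data) {
        if (resultCode != Activity.RESULT_OK || !startedByOwnApp(a)) {
            a.setResult(Activity.RESULT_CANCELED);
            return;
        }
        a.setResult(Activity.RESULT_OK, stripGrants(data));
    }
}
```

The GRANT_PERMISSIONS start itself should also be made explicit (see the "Insecure activity start" example); with both changes in place an outside app can neither answer the request nor receive its result.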
Debuggable attribute is set to true
Found in the file AndroidManifest.xml, line 7
Vulnerability description
The "android:debuggable" attribute is set to true in AndroidManifest.xml. If an application is flagged as debuggable, an attacker with physical or adb access to the device can attach a debugger to the app, inject arbitrary code and execute it in the context of the vulnerable application process, and read its private data with run-as. It is highly recommended to set the debuggable attribute to false when the application is released into production.
Remediation
Set "android:debuggable" to false in the AndroidManifest.xml file (release builds produced by the Android Gradle plugin do this by default; the attribute should not be overridden in the manifest).
Links
https://developer.android.com/guide/topics/manifest/application-element.html#debug
Deletion of arbitrary files
Found in the file oversecured/ovaa/objects/DeleteFilesSerializable.java

    import oversecured.ovaa.utils.FileUtils;

    public class DeleteFilesSerializable implements Serializable {
        // Runs during deserialization, with a path read from the serialized bytes themselves.
        private void readObject(ObjectInputStream in) throws IOException {
            File file = new File(in.readUTF());
            if (file.exists()) {
                FileUtils.deleteRecursive(file);
            }
        }
    }

Found in the file oversecured/ovaa/utils/FileUtils.java

    private FileUtils() {
    }

    public static void deleteRecursive(File file) {
        if (file.isDirectory()) {
            for (File child : file.listFiles()) {
                deleteRecursive(child);
            }
        }
        file.delete();
    }

    public static File copyToCache(Context context, Uri uri) {
Vulnerability description
The attacker can control the path of a file that will subsequently be deleted. This may become dangerous in situations in which the application stores sensitive user data that will be difficult or impossible to restore afterward. This may also lead to the incorrect operation of the application, resulting in reputational and business damage. Here the path is read inside readObject(), so any app that can deliver a serialized DeleteFilesSerializable to one of this app's components (for example as an Intent extra) can delete any file or directory the app can write to, and deleteRecursive() descends into directories.
Remediation
It is recommended to add additional checks of file and folder paths to prevent path-traversal attacks, and not to perform side effects such as deletion from within readObject(): deserialization should only reconstruct data.
Information Leakage
Found in the file oversecured/ovaa/activities/MainActivity.java (the click listener and IntentUtils.protectActivityIntent() are listed in full under Insecure activity start above); the relevant lines are:

            String token = WeakCrypto.encrypt(MainActivity.this.loginUtils.getLoginData().toString());
            Intent i = new Intent("oversecured.ovaa.action.WEBVIEW");
            i.putExtra("url", "http://example.com./?token=" + token);   // credentials, plain HTTP, query string
            IntentUtils.protectActivityIntent(MainActivity.this, i);
            MainActivity.this.startActivity(i);
Vulnerability description
The application makes it possible to reveal sensitive user information such as encryption keys or user passwords by displaying it on the screen, saving it to insecure storage, or transmitting it via an unsafe channel, any of which allows an attacker to make use of it. Here the user's login data, encrypted with the hardcoded key from WeakCrypto, is placed in the query string of a plain-HTTP URL and handed to whatever activity resolves the implicit WEBVIEW action.
Remediation
Do not transmit this kind of information in unencrypted form or over an unprotected channel, and keep it in more trustworthy storage.
Links
https://cwe.mitre.org/data/definitions/200.html
https://cwe.mitre.org/data/definitions/359.html
Information Leakage
Found in the file AndroidManifest.xml, lines 46-50

Found in the file oversecured/ovaa/services/InsecureLoggerService.java (listed in full under Insecure storage of device logs above); the relevant lines are:

    private File getDumpFile(Intent intent) {
        Object file = intent.getExtras().get("oversecured.ovaa.extra.file");   // caller-chosen destination
        ...
    }

    private void dumpLogs(File toFile) {
        ...
            BufferedReader reader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("logcat -d").getInputStream()));
            BufferedWriter writer = new BufferedWriter(new FileWriter(toFile));
        ...
Vulnerability description
The application makes it possible to reveal sensitive user information such as encryption keys or user passwords by displaying it on the screen, saving it to insecure storage, or transmitting it via an unsafe channel, any of which allows an attacker to make use of it. Here InsecureLoggerService writes the app's logcat output, which includes the LoginData object logged by LoginActivity.processLogin(), to a file chosen by the caller of the service.
Remediation
Do not transmit this kind of information in unencrypted form, do not write it to logs, and keep it in more trustworthy storage.
Links
https://cwe.mitre.org/data/definitions/200.html
https://cwe.mitre.org/data/definitions/359.html
Fake HTTP request
Found in the file AndroidManifest.xml, lines 8-15
Found in the file oversecured/ovaa/activities/DeeplinkActivity.java, lines 13-41

    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        this.loginUtils = LoginUtils.getInstance(this);
        Intent intent = getIntent();
        if (intent != null && "android.intent.action.VIEW".equals(intent.getAction())) {
            Uri data = intent.getData();
            Uri uri = data;
            if (data != null) {
                processDeeplink(uri);
            }
        }
        finish();
    }

    private void processDeeplink(Uri uri) {
        String url;
        String host;
        if ("oversecured".equals(uri.getScheme()) && "ovaa".equals(uri.getHost())) {
            String path = uri.getPath();
            if ("/logout".equals(path)) {
                this.loginUtils.logout();
                startActivity(new Intent(this, EntranceActivity.class));
            } else if ("/login".equals(path)) {
                String url2 = uri.getQueryParameter("url");
                if (url2 != null) {
                    this.loginUtils.setLoginUrl(url2);
                }
                startActivity(new Intent(this, EntranceActivity.class));
            } else if ("/grant_uri_permissions".equals(path)) {
Found in the file oversecured/ovaa/utils/LoginUtils.java, lines 38-51

        return new LoginData(this.preferences.getString("email", null), this.preferences.getString("password", null));
    }

    public void setLoginUrl(String url) {
        this.editor.putString("login_url", url).commit();
    }

    public String getLoginUrl() {
        String url = this.preferences.getString("login_url", null);
        if (!TextUtils.isEmpty(url)) {
            return url;
        }
        String url2 = this.context.getString(2131492892);
        this.editor.putString("login_url", url2).commit();
Found in the file oversecured/ovaa/activities/LoginActivity.java, lines 47-53

    private void processLogin(String email, String password) {
        LoginData loginData = new LoginData(email, password);
        Log.d("ovaa", "Processing " + loginData);
        RetrofitInstance.getInstance().create(LoginService.class).login(this.loginUtils.getLoginUrl(), loginData).enqueue(new Callback() {
            @Override
            public void onResponse(Call call, Response response) {
            }
Found in the file oversecured/ovaa/network/LoginService.java, lines 7-12

    import retrofit2.http.Url;

    public interface LoginService {
        @POST
        Call login(@Url String str, @Body LoginData loginData);
    }
Vulnerability description
The app makes it possible to fake a request, or some of its fields, sent over HTTP, which can lead to a whole series of possible attacks including Cross-Site Request Forgery and HTTP Splitting. This can make it possible to uncover user data, and can also damage the app's business logic by carrying out actions that benefit the attacker.
Remediation
The developer must restrict request data to trusted sources, and make sure these data are necessary, are in the expected format, and do not contain special characters that would violate the structure of an HTTP request.
Links
https://cwe.mitre.org/data/definitions/352.html
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
http://projects.webappsec.org/w/page/13246929/HTTP%20Request%20Splitting
Passing infected data to a native method
Found in the file oversecured/ovaa/objects/MemoryCorruptionSerializable.java, lines 5-22

    public class MemoryCorruptionSerializable implements Serializable {
        private static final long serialVersionUID = 0;
        private long ptr;

        private native void freePtr(long j);

        static {
            System.loadLibrary("ovaa");
        }

        @Override
        protected void finalize() throws Throwable {
            long j = this.ptr;
            if (j != 0) {
                freePtr(j);
                this.ptr = 0;
            }
        }
Vulnerability description
The attacker can pass controlled data to a native method of the application. If this data is used, for example, as memory addresses, it may result in the creation of such vulnerabilities as Memory Corruption or Arbitrary Code Execution.
Remediation
It is recommended to restrict the possibility of passing infected data to a native method, or to move the logic layer from C/C++ code to Java/Kotlin.
Password storage on the device
Found in the file oversecured/ovaa/utils/LoginUtils.java, lines 31-37

    }

    public void saveCredentials(LoginData loginData) {
        this.editor.putString("email", loginData.email).putString("password", loginData.password).commit();
    }

    public LoginData getLoginData() {
Vulnerability description
The app saves the user's password on the device. This is insecure, because under specific circumstances it could be extracted by an attacker — for example, if there are vulnerabilities such as the ability to steal arbitrary files or if the attacker has access rights to the user's root directory.
Remediation
Instead of storing the password, the developer should use a token issued server-side. This can be securely saved to the /data/data/ directory. If an attacker obtains the token, it only needs to be revoked to avert the attack. A stolen password, by contrast, can be picked up and used against other services the user relies on, and allows an attacker to guess other versions of the user's passwords.
Links
https://cwe.mitre.org/data/definitions/256.html
Use of insecure HTTP protocol
Found in the file values/strings.xml, line 31: http://example.com./
Found in the file oversecured/ovaa/network/RetrofitInstance.java, lines 4-15

    import retrofit2.Retrofit;

    public class RetrofitInstance {
        private static final String BASE_URL = "http://example.com./api/v1/";
        private static Retrofit retrofit;

        public static Retrofit getInstance() {
            if (retrofit == null) {
                retrofit = new Retrofit.Builder().baseUrl("http://example.com./api/v1/").addConverterFactory(GsonConverterFactory.create()).build();
            }
            return retrofit;
        }
Found in the file oversecured/ovaa/activities/MainActivity.java, lines 39-45

    public void onClick(View view) {
        String token = WeakCrypto.encrypt(MainActivity.this.loginUtils.getLoginData().toString());
        Intent i = new Intent("oversecured.ovaa.action.WEBVIEW");
        i.putExtra("url", "http://example.com./?token=" + token);
        IntentUtils.protectActivityIntent(MainActivity.this, i);
        MainActivity.this.startActivity(i);
    }
Vulnerability description
The mobile application uses the insecure HTTP protocol to communicate with the server. HTTP lacks encryption, so sensitive data like username, password, etc. can be easily intercepted and replaced by an attacker who is connected to the same network as the user’s device — for instance, if the user is using a public WiFi network.
Remediation
Replace all http links in the application with their https equivalents.
Links
https://cwe.mitre.org/data/definitions/319.html
https://www.owasp.org/index.php/Mobile_Top_10_2014-M3
Storing data on the SD card
Found in the file oversecured/ovaa/providers/TheftOverwriteProvider.java, lines 36-41

        @Override
        public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
            return ParcelFileDescriptor.open(new File(Environment.getExternalStorageDirectory(), uri.getLastPathSegment()), 805306368);
        }
    }
Vulnerability description
The application uses external storage (SD card) to read/write data. Data stored externally can be read and modified by any third-party applications installed on the same mobile device, which can lead to information disclosure, data tampering, or other malicious behavior. Example: if an application stores its third-party .so libraries on external media, these libraries can be modified by a malware application, which in turn may lead to arbitrary code execution in the context of the running application.
Remediation
Do not store executable files, configuration files, or sensitive user data on the SD card.
Links
https://cwe.mitre.org/data/definitions/921.html
https://www.owasp.org/index.php/Mobile_Top_10_2014-M2
Storing data on the SD card
Found in the file oversecured/ovaa/utils/FileUtils.java, lines 23-32

    public static File copyToCache(Context context, Uri uri) {
        try {
            File externalCacheDir = context.getExternalCacheDir();
            File out = new File(externalCacheDir, "" + System.currentTimeMillis());
            InputStream i = context.getContentResolver().openInputStream(uri);
            OutputStream o = new FileOutputStream(out);
            IOUtils.copy(i, o);
            i.close();
            o.close();
Vulnerability description
The application uses external storage (SD card) to read/write data. Data stored externally can be read and modified by any third-party applications installed on the same mobile device, which can lead to information disclosure, data tampering, or other malicious behavior. Example: if an application stores its third-party .so libraries on external media, these libraries can be modified by a malware application, which in turn may lead to arbitrary code execution in the context of the running application.
Remediation
Do not store executable files, configuration files, or sensitive user data on the SD card.
Links
https://cwe.mitre.org/data/definitions/921.html
https://www.owasp.org/index.php/Mobile_Top_10_2014-M2
Fake file path
Found in the file AndroidManifest.xml, lines 46-50
Found in the file oversecured/ovaa/services/InsecureLoggerService.java, lines 17-32

        super("InsecureLoggerService");
    }

    protected void onHandleIntent(Intent intent) {
        if (intent != null && "oversecured.ovaa.action.DUMP".equals(intent.getAction())) {
            dumpLogs(getDumpFile(intent));
        }
    }

    private File getDumpFile(Intent intent) {
        Object file = intent.getExtras().get("oversecured.ovaa.extra.file");
        if (file instanceof String) {
            return new File((String) file);
        }
        if (file instanceof File) {
            return (File) file;
Vulnerability description
An attacker has the ability to control the path to a file, which can lead to private data being stored in a public directory to which the attacker has access; data coming from the attacker being read as though they were legitimate; modification or deletion of existing files. The developer must remember that even if the attacker has no access to certain protected files, the legitimate app does — so the attacker's objective is to make the app carry out harmful actions on its own.
Remediation
The developer must make sure file paths can only be obtained from trusted sources. In addition, it's recommended to store files with private data in the /data/data/%package_name%/files directory (the path may be obtained by calling Context.getFilesDir()), to which other apps installed on the device do not have access.
Links
https://cwe.mitre.org/data/definitions/73.html
https://cwe.mitre.org/data/definitions/22.html
Fake file path
Found in the file AndroidManifest.xml, line 51
Found in the file oversecured/ovaa/providers/TheftOverwriteProvider.java, lines 35-41

        }

        @Override
        public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
            return ParcelFileDescriptor.open(new File(Environment.getExternalStorageDirectory(), uri.getLastPathSegment()), 805306368);
        }
    }
Vulnerability description
An attacker has the ability to control the path to a file, which can lead to private data being stored in a public directory to which the attacker has access; data coming from the attacker being read as though they were legitimate; modification or deletion of existing files. The developer must remember that even if the attacker has no access to certain protected files, the legitimate app does — so the attacker's objective is to make the app carry out harmful actions on its own.
Remediation
The developer must make sure file paths can only be obtained from trusted sources. In addition, it's recommended to store files with private data in the /data/data/%package_name%/files directory (the path may be obtained by calling Context.getFilesDir()), to which other apps installed on the device do not have access.
Links
https://cwe.mitre.org/data/definitions/73.html
https://cwe.mitre.org/data/definitions/22.html
Fake file path
Found in the file AndroidManifest.xml, lines 46-50
Found in the file oversecured/ovaa/services/InsecureLoggerService.java, lines 17-43

        super("InsecureLoggerService");
    }

    protected void onHandleIntent(Intent intent) {
        if (intent != null && "oversecured.ovaa.action.DUMP".equals(intent.getAction())) {
            dumpLogs(getDumpFile(intent));
        }
    }

    private File getDumpFile(Intent intent) {
        Object file = intent.getExtras().get("oversecured.ovaa.extra.file");
        if (file instanceof String) {
            return new File((String) file);
        }
        if (file instanceof File) {
            return (File) file;
        }
        throw new IllegalArgumentException();
    }

    private void dumpLogs(File toFile) {
        try {
            BufferedReader reader = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("logcat -d").getInputStream()));
            BufferedWriter writer = new BufferedWriter(new FileWriter(toFile));
            while (true) {
                String line = reader.readLine();
                if (line == null) {
Vulnerability description
An attacker has the ability to control the path to a file, which can lead to private data being stored in a public directory to which the attacker has access; data coming from the attacker being read as though they were legitimate; modification or deletion of existing files. The developer must remember that even if the attacker has no access to certain protected files, the legitimate app does — so the attacker's objective is to make the app carry out harmful actions on its own.
Remediation
The developer must make sure file paths can only be obtained from trusted sources. In addition, it's recommended to store files with private data in the /data/data/%package_name%/files directory (the path may be obtained by calling Context.getFilesDir()), to which other apps installed on the device do not have access.
Links
https://cwe.mitre.org/data/definitions/73.html
https://cwe.mitre.org/data/definitions/22.html
File access from file URIs is enabled for WebView
Found in the file oversecured/ovaa/activities/WebViewActivity.java, lines 10-24

        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(2131361822);
            WebView webView = (WebView) findViewById(2131165372);
            setupWebView(webView);
            webView.loadUrl(getIntent().getStringExtra("url"));
        }

        private void setupWebView(WebView webView) {
            webView.setWebChromeClient(new WebChromeClient());
            webView.setWebViewClient(new WebViewClient());
            webView.getSettings().setJavaScriptEnabled(true);
            webView.getSettings().setAllowFileAccessFromFileURLs(true);
        }
    }
Vulnerability description
Full file access is permitted in WebView to pages loaded using the file:// scheme. If JS execution is permitted, and if other vulnerabilities are present, an attacker can use a specially created script to gain access to any local files to which the app itself has access.
Remediation
It is recommended that developers disable this functionality by using a call to myWebView.getSettings().setAllowFileAccessFromFileURLs(false), so as to avoid leaking personal data.
Links
https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccessFromFileURLs(boolean)
Content access is enabled for WebView
Found in the file oversecured/ovaa/activities/WebViewActivity.java, lines 10-24

        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(2131361822);
            WebView webView = (WebView) findViewById(2131165372);
            setupWebView(webView);
            webView.loadUrl(getIntent().getStringExtra("url"));
        }

        private void setupWebView(WebView webView) {
            webView.setWebChromeClient(new WebChromeClient());
            webView.setWebViewClient(new WebViewClient());
            webView.getSettings().setJavaScriptEnabled(true);
            webView.getSettings().setAllowFileAccessFromFileURLs(true);
        }
    }
Vulnerability description
Access to data using content:// is not disabled in WebView, or is explicitly enabled. The danger is that an attacker may be able to insert a specially-prepared link into the website and use it to load some protected content (for instance, photos from /data/data// directories in a similar way) and then employ specially created JavaScript code to gain access to the actual data, leading to the theft of user information.
Remediation
If the app does not use this functionality, developers are recommended to disable access to content using content:// by calling myWebView.getSettings().setAllowContentAccess(false).
Links
https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowContentAccess(boolean)
https://cwe.mitre.org/data/definitions/200.html
File access is enabled for WebView
Found in the file oversecured/ovaa/activities/WebViewActivity.java, lines 10-24

        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(2131361822);
            WebView webView = (WebView) findViewById(2131165372);
            setupWebView(webView);
            webView.loadUrl(getIntent().getStringExtra("url"));
        }

        private void setupWebView(WebView webView) {
            webView.setWebChromeClient(new WebChromeClient());
            webView.setWebViewClient(new WebViewClient());
            webView.getSettings().setJavaScriptEnabled(true);
            webView.getSettings().setAllowFileAccessFromFileURLs(true);
        }
    }
Vulnerability description
The application allows the use of the WebSettings setAllowFileAccess method. The setAllowFileAccess method allows JavaScript to access local files in the context of the running application. Performing a Man-in-the-Middle attack or tampering with a server response, an attacker is able to access the application's files, such as preferences, local databases, cache, etc. This can lead to the leakage of confidential data, such as authentication tokens and passwords. It's not recommended to use the setAllowFileAccess method unless absolutely necessary.
Remediation
Do not use the setAllowFileAccess method unless absolutely necessary, and explicitly set this value to false if you are not planning to access local files from WebView.
Links
https://developer.android.com/reference/android/webkit/WebSettings.html#setAllowFileAccess(boolean)
Application backup is allowed
Found in the file AndroidManifest.xml, line 7
Vulnerability description
The “android:allowBackup” attribute is set to “true” in AndroidManifest.xml, thus making it possible to back up all the application’s data, including local databases, preferences and the user's personal data, to external storage where it can be accessed by an unauthorized third-party application. It's highly recommended to explicitly set the “android:allowBackup” attribute to false to avoid data leakage.
Remediation
Set “android:allowBackup” to false in the AndroidManifest.xml file.
Links
https://developer.android.com/guide/topics/manifest/application-element.html#allowbackup
Using an implicit intent for starting an activity without potentially sensitive information
Found in the file oversecured/ovaa/activities/EntranceActivity.java, lines 10-16

    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (LoginUtils.getInstance(this).isLoggedIn()) {
            startActivity(new Intent("oversecured.ovaa.action.ACTIVITY_MAIN"));
        } else {
            startActivity(new Intent("oversecured.ovaa.action.LOGIN"));
        }
Vulnerability description
Using an implicit activity start is dangerous since the component is not defined and the Android OS asks the user what should actually be started. Using a malware application, the attacker can register a custom activity in AndroidManifest.xml containing the action from the intent and specify priority 999 in the intent-filter. When startActivity or its equivalent is executed, a dialog window with a list of all possible applications will be shown, with the malware at the very top. If the user chooses the fake application, the start of the activity with intent extras will be hijacked, which may result in the theft of app usage statistics, as well as different application states. In the case of startActivityForResult, there is an additional risk related to the resulting data. When the call is hijacked, the attacker's activity can be sent via a setResult(...) call and transmit arbitrary data to the onActivityResult(...) method of the victim's activity, which may become an additional source of infected data for the app.
Remediation
Always use explicit intents to start activities, using the setComponent, setPackage, setClass or setClassName methods of the Intent class.
Using an implicit intent for starting an activity without potentially sensitive information
Found in the file oversecured/ovaa/activities/DeeplinkActivity.java, lines 39-47

                }
                startActivity(new Intent(this, EntranceActivity.class));
            } else if ("/grant_uri_permissions".equals(path)) {
                Intent i = new Intent("oversecured.ovaa.action.GRANT_PERMISSIONS");
                if (getPackageManager().resolveActivity(i, 0) != null) {
                    startActivityForResult(i, 1003);
                }
            } else if ("/webview".equals(path) && (url = uri.getQueryParameter("url")) != null && (host = Uri.parse(url).getHost()) != null && host.endsWith("example.com")) {
                Intent i2 = new Intent(this, WebViewActivity.class);
Vulnerability description
Using an implicit activity start is dangerous since the component is not defined and the Android OS asks the user what should actually be started. Using a malware application, the attacker can register a custom activity in AndroidManifest.xml containing the action from the intent and specify priority 999 in the intent-filter. When startActivity or its equivalent is executed, a dialog window with a list of all possible applications will be shown, with the malware at the very top. If the user chooses the fake application, the start of the activity with intent extras will be hijacked, which may result in the theft of app usage statistics, as well as different application states. In the case of startActivityForResult, there is an additional risk related to the resulting data. When the call is hijacked, the attacker's activity can be sent via a setResult(...) call and transmit arbitrary data to the onActivityResult(...) method of the victim's activity, which may become an additional source of infected data for the app.
Remediation
Always use explicit intents to start activities, using the setComponent, setPackage, setClass or setClassName methods of the Intent class.
Using an implicit intent for starting an activity without potentially sensitive information
Found in the file oversecured/ovaa/activities/EntranceActivity.java, lines 12-18

        if (LoginUtils.getInstance(this).isLoggedIn()) {
            startActivity(new Intent("oversecured.ovaa.action.ACTIVITY_MAIN"));
        } else {
            startActivity(new Intent("oversecured.ovaa.action.LOGIN"));
        }
        finish();
    }
Vulnerability description
Using an implicit activity start is dangerous since the component is not defined and the Android OS asks the user what should actually be started. Using a malware application, the attacker can register a custom activity in AndroidManifest.xml containing the action from the intent and specify priority 999 in the intent-filter. When startActivity or its equivalent is executed, a dialog window with a list of all possible applications will be shown, with the malware at the very top. If the user chooses the fake application, the start of the activity with intent extras will be hijacked, which may result in the theft of app usage statistics, as well as different application states. In the case of startActivityForResult, there is an additional risk related to the resulting data. When the call is hijacked, the attacker's activity can be sent via a setResult(...) call and transmit arbitrary data to the onActivityResult(...) method of the victim's activity, which may become an additional source of infected data for the app.
Remediation
Always use explicit intents to start activities, using the setComponent, setPackage, setClass or setClassName methods of the Intent class.
Exported content provider
Found in the file AndroidManifest.xml, line 51
Vulnerability description
One or more of the application’s content providers are not protected by a signature permission in the AndroidManifest.xml file and can be exported. For applications that set either android:minSdkVersion or android:targetSdkVersion to "17" or higher, all of the providers are non-exported by default unless the android:exported attribute is set to "true" or an intent-filter element is defined. For applications that set either android:minSdkVersion or android:targetSdkVersion to "16" or lower, the default exported status is true. Using a malware application, an attacker can read or write the exported content provider, which can lead to leakage of sensitive information or unpredictable application behavior. To enable the most restrictive and therefore secure policy, you should minimize the number of exported components by explicitly setting the “exported” flag to false, or by using signature permissions.
Remediation
Set exported=false for all broadcast receivers that should not be started by third-party applications at all.
Links
https://cwe.mitre.org/data/definitions/926.html
Exported activity
Found in the file AndroidManifest.xml, lines 22-27
Vulnerability description
One or more of the application’s activities are not protected by a signature permission in the AndroidManifest.xml file and can be exported. All activities are non-exported by default, unless the android:exported attribute is set to "true" or an intent-filter element is defined. Using a malware application, an attacker can send arbitrary data to an exported activity, which can lead to data spoofing or even code execution. For example, activities such as WebViews can be vulnerable to JavaScript injection attacks, content spoofing or clickjacking. Despite the fact that Activities are less exploitable than Services, it's still highly recommended to check all the data passed to them. To secure the application it is recommended to minimize the number of exported components by explicitly setting the “exported” flag to false, or to use signature permissions.
Remediation
Make sure you are exporting only activities that really need the ability to be started by any third-party application; or create permissions using the android:protectionLevel="signature" parameter in the AndroidManifest.xml file for all activities that are intended to be started only by your application, and set the parameter exported=false for all activities that may not be started by third-party applications at all.
Links
https://cwe.mitre.org/data/definitions/926.html
Exported activity
Found in the file AndroidManifest.xml, lines 34-39
Vulnerability description
One or more of the application’s activities are not protected by a signature permission in the AndroidManifest.xml file and can be exported. All activities are non-exported by default, unless the android:exported attribute is set to "true" or an intent-filter element is defined. Using a malware application, an attacker can send arbitrary data to an exported activity, which can lead to data spoofing or even code execution. For example, activities such as WebViews can be vulnerable to JavaScript injection attacks, content spoofing or clickjacking. Despite the fact that Activities are less exploitable than Services, it's still highly recommended to check all the data passed to them. To secure the application it is recommended to minimize the number of exported components by explicitly setting the “exported” flag to false, or to use signature permissions.
Remediation
Make sure you are exporting only activities that really need the ability to be started by any third-party application; or create permissions using the android:protectionLevel="signature" parameter in the AndroidManifest.xml file for all activities that are intended to be started only by your application, and set the parameter exported=false for all activities that may not be started by third-party applications at all.
Links
https://cwe.mitre.org/data/definitions/926.html
Exported activity
Found in the file AndroidManifest.xml, lines 8-15
Vulnerability description
One or more of the application’s activities are not protected by a signature permission in the AndroidManifest.xml file and can be exported. All activities are non-exported by default, unless the android:exported attribute is set to "true" or an intent-filter element is defined. Using a malware application, an attacker can send arbitrary data to an exported activity, which can lead to data spoofing or even code execution. For example, activities such as WebViews can be vulnerable to JavaScript injection attacks, content spoofing or clickjacking. Despite the fact that Activities are less exploitable than Services, it's still highly recommended to check all the data passed to them. To secure the application it is recommended to minimize the number of exported components by explicitly setting the “exported” flag to false, or to use signature permissions.
Remediation
Make sure you are exporting only activities that really need the ability to be started by any third-party application; or create permissions using the android:protectionLevel="signature" parameter in the AndroidManifest.xml file for all activities that are intended to be started only by your application, and set the parameter exported=false for all activities that may not be started by third-party applications at all.
Links
https://cwe.mitre.org/data/definitions/926.html
Exported service
Found in the file AndroidManifest.xml, lines 46-50
Vulnerability description
One or more of the application’s services are not protected by a signature permission in the AndroidManifest.xml file and can be exported. All of the services are non-exported by default, unless the android:exported attribute is set to "true" or an intent-filter element is defined. Using a malware application, an attacker can send arbitrary data to the exported Service, which can lead to invocation of other components of the application or to code execution. For example, if a service can send files via email and a file path is passed to the service as a parameter, an attacker can choose any file owned by the running application and send it to an arbitrary email. Services are the most exploitable component among other Intents, so it's highly recommended to check all the data passed to them. To enable the most restrictive, and therefore secure, policy, you should minimize the number of exported components by explicitly setting the “exported” flag to false, or by using signature permissions.
Remediation
Make sure you are only exporting services that really need the ability to be started by any third-party applications; or create a permission with android:protectionLevel="signature" in the AndroidManifest.xml file and use it for all services that are to be started only by your applications, setting exported=false for all services that should not be started by third-party applications at all.
Links
https://cwe.mitre.org/data/definitions/926.html
Use of setJavaScriptEnabled
Found in the file oversecured/ovaa/activities/WebViewActivity.java, lines 18-24

        private void setupWebView(WebView webView) {
            webView.setWebChromeClient(new WebChromeClient());
            webView.setWebViewClient(new WebViewClient());
            webView.getSettings().setJavaScriptEnabled(true);
            webView.getSettings().setAllowFileAccessFromFileURLs(true);
        }
    }
Vulnerability description
The application has the WebSettings setJavaScriptEnabled method set to true. The “setJavaScriptEnabled” method allows execution of JavaScript in the context of a running application. Performing a Man-in-the-Middle attack or tampering with a server response, an attacker is able to inject and execute arbitrary JavaScript code. This can lead to information leakage or remote code execution. It's not recommended to use setJavaScriptEnabled unless absolutely necessary. Disable this setting to enforce security.
Remediation
Set setJavaScriptEnabled to false, or make sure server data use an encrypted channel (using https and correct certificate verification) and that there are no vulnerabilities in the server part of the application.
Links
https://www.owasp.org/index.php/Mobile_Top_10_2014-M7
http://oasam.org/en/oasam/oasam-dv-data-validation/oasam-dv-001-cross-site-scripting
Vulnerable hash algorithms
Found in the file org/apache/commons/io/input/MessageDigestCalculatingInputStream.java, lines 37-43

        }

        public MessageDigestCalculatingInputStream(InputStream pStream) throws NoSuchAlgorithmException {
            this(pStream, MessageDigest.getInstance("MD5"));
        }

        public MessageDigest getMessageDigest() {
Vulnerability description
The application uses one or more broken hash functions. Due to several critical flaws, such as practical collision and preimage attacks, it's not recommended to use these functions.
Remediation
Use SHA-256 or better instead of other hashing algorithms.
Links
https://www.owasp.org/index.php/Mobile_Top_10_2014-M6
All rights reserved by oversecured.com