
DEEP DIVE INTO ANDROID STATIC ANALYSIS AND EXPLOITATION

Gaurang Bhatnagar
ABOUT THE RESEARCH

• Mainly focused on Custom URI Schemes and Webview Exploitation
• Performed Code Review on Popular Applications (100+)
• Found interesting Scenarios and Misconfigurations
• Case Studies from Popular Applications
PROJECT - INSECURESHOP

• Vulnerable Android app built in Kotlin
• Real-World Vulnerabilities
• Based on my research on URI Scheme and WebView Exploitation
• Replicates Vulnerabilities disclosed by Well-Known Mobile Researchers
DEEPLINKS
WHAT ARE DEEPLINKS?

• Deeplinks are specific URIs which send users directly to a specific point in the app, rather than opening an external website
• They help users navigate between web and mobile apps
DEEPLINK COMPONENTS
TRIGGERING DEEPLINKS IN ANDROID
TRIGGERING DEEPLINKS IN IOS
FINDING SCHEMES AND AUTHORITY

AndroidManifest.xml
FINDING PATHS AND QUERY PARAMETERS

Defined paths within a specific class


JOINING THE PIECES TOGETHER
LOADING ARBITRARY URLS IN WEBVIEW
DEEPLINK ABUSE IMPACT

Theft of Auth tokens: May result in account takeover if authentication tokens are passed to websites that are opened in webview.

Load Local files in webview: Possible if setAllowFileAccess(true) is set in Webview.

Phishing: Possible if you can load any arbitrary URL in Webview.

DOS: Possible if a malformed deeplink can be used to crash the application.

XSS: Possible if setJavaScriptEnabled(true) is set in Webview.
THEFT OF AUTH TOKENS
INSECURE HOST VALIDATION
CVE-2017-13274

• There was a problem in the android.net.Uri and java.net.URI parsers: they don't recognize backslashes in the authority part.

Payload:
http://attacker.com\\\\@legitimate.com/smth

• CVE-2017-13274 - Fixed for API level 28 and above
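Added example (not from the slides or InsecureShop): the loose, string-based host check that the payload above slips past, beside a stricter validator built on android.net.Uri that also covers the scheme check from the next slide. It assumes the app trusts a single host, named LEGIT_HOST here, and only over https.

```java
import android.net.Uri;

// Added example: validating a deep-link URL before the app acts on it.
public final class DeepLinkValidator {
    private static final String LEGIT_HOST = "legitimate.com"; // assumed trusted host

    // Common weak check: substring matching on the raw string. The slide's payload
    // passes because "legitimate.com" appears in it, while parsers before API 28
    // actually place attacker.com in the authority.
    static boolean weakCheck(String url) {
        return url != null && url.contains(LEGIT_HOST);
    }

    // Stricter check: parse the URL, require https, reject any userinfo or
    // backslash in the authority (so the CVE-2017-13274 parser confusion cannot
    // matter on old devices), and compare the host for exact equality rather
    // than with endsWith() or contains().
    static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String authority = uri.getEncodedAuthority();
        String host = uri.getHost();
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return false;
        if (authority == null || authority.contains("@") || authority.contains("\\")) return false;
        return host != null && host.equalsIgnoreCase(LEGIT_HOST);
    }
}
```

Call isAllowed() on getIntent().getData().toString() in the deep-link activity and drop the intent when it returns false.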


INSECURE SCHEME VALIDATION
OAUTH ATTACK VECTOR – REDIRECT URI

Redirect URLs are a critical part of the OAuth flow. After a user successfully authorizes an application, the authorization server will redirect the user back to the application with either an authorization code or access token in the URL.

Developers often fail to validate the Redirect URI parameter, thus allowing attackers to steal access tokens.

A lack of scheme validation may also lead to the leak of access tokens.
CREATING AN APP WITH A CUSTOM SCHEME
AndroidManifest.xml

MainActivity.java
SYMLINK ATTACK
REMOTE THEFT OF SESSION COOKIES

There are the following pre-requisites:

• If you can load any arbitrary URL in Webview
• If setJavaScriptEnabled(true) is set in Webview [Disabled by default]
• If setAllowFileAccess(true) is set in Webview [Enabled by default]


REMOTE THEFT OF SESSION COOKIES

The malicious app sends an intent with a URL which loads an attacker-provided HTML file in the webview:
http://attackerdomain.com/symlink/set_cookies.html

set_cookies.html
(JavaScript payload which sends the current document contents to the attacker-controlled domain)

Base64 decoded

The attacker domain and cookie get stored in the database file ‘app_webview/Cookies’.

The malicious app creates a symlink with an .html extension (symlink.html) to force the webview to parse the database file as an HTML file:
ln -s /data/data/com.target/app_webview/Cookies /data/data/com.hack/symlink.html

When the symlink.html file is loaded in the webview, the JavaScript payload is triggered, which sends the data to the attacker domain.
REMOTE THEFT OF ALL FILES

There are the following pre-requisites:

• If you can load any arbitrary URL in Webview
• If the target app can read data from External storage:
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
• If setAllowUniversalAccessFromFileURLs(true) is set in Webview [Disabled by default]
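Added example, not the deck's or InsecureShop's code, covering both the DEEPLINK ABUSE IMPACT table and the two remote-theft scenarios: a WebView configured so that every setting those scenarios depend on is off, with navigation restricted to an assumed ALLOWED_HOST.

```java
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example: WebView hardening against the cookie- and file-theft scenarios.
public final class HardenedWebView {
    private static final String ALLOWED_HOST = "legitimate.com"; // assumed value

    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        // JavaScript is what runs the exfiltration payloads; enable it only
        // for pages that genuinely need it.
        s.setJavaScriptEnabled(false);
        // file:// access is the symlink attack's entry point (still on by default
        // below API 30); the *FromFileURLs settings are what let a local page
        // read other local files or reach remote origins.
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation.
                return !isAllowed(request.getUrl());
            }
        });
    }

    // Only https pages on the expected host are loaded, whatever the source of
    // the URL (deep link, redirect, link inside the page).
    static boolean isAllowed(Uri uri) {
        return uri != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }

    // Deep-link entry point: shouldOverrideUrlLoading() is not consulted for
    // loadUrl() calls made by the app itself, so validate here as well.
    public static void openDeepLink(WebView webView, Uri data) {
        if (isAllowed(data)) {
            webView.loadUrl(data.toString());
        }
    }
}
```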


EXPLOITING IPC COMPONENTS
ACCESS TO PROTECTED COMPONENTS

Developers often create proxy components (activities, broadcast receivers and services) that take an embedded Intent and pass it to dangerous methods like startActivity(...), sendBroadcast(...), etc.

As researched by Oversecured, it was found that more than 80% of apps
contain this vulnerability.
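Added example (not InsecureShop code): an exported proxy activity that forwards an embedded Intent only after checking where it points, so a caller cannot use it to reach the app's own non-exported components or borrow its URI grants. The extra name EXTRA_NAME is assumed.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;

// Added example: a proxy activity that refuses to be turned against its own app.
public class SafeProxyActivity extends Activity {
    static final String EXTRA_NAME = "next_intent"; // assumed extra name

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent embedded = getIntent().getParcelableExtra(EXTRA_NAME);
        if (embedded != null && isSafeToForward(embedded)) {
            startActivity(embedded);
        }
        finish();
    }

    // The forwarded intent is sent with this app's identity, so it must not be
    // able to target this app's non-exported components or carry URI grants.
    boolean isSafeToForward(Intent embedded) {
        ComponentName target = embedded.getComponent();
        if (target == null) {
            // Implicit intent: it could resolve to one of our own components by
            // action/category, so this example simply refuses it.
            return false;
        }
        if (getPackageName().equals(target.getPackageName())) {
            return false; // explicit intent pointing back into our own app
        }
        // Never let the caller ride on our permissions to content providers.
        embedded.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        return true;
    }
}
```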

EXPORTED ACTIVITY
VULNERABLE CODE
CODE IN A MALICIOUS APP
EXPLOITING IMPLICIT INTENTS
EXPLICIT VS IMPLICIT INTENT

EXPLICIT INTENT: Explicitly specifies the name of the component to be invoked by the activity; we use explicit intents to start a component in our own app.

IMPLICIT INTENT: Does not specify the name of the component to start. Instead, it declares an action to perform and allows a component from other apps to handle it.
IMPLICIT INTENT
Implicit intent used to launch an activity
Implicit intent used to send a broadcast
INTENT INTERCEPTION (BROADCAST)
AndroidManifest.xml
INTENT INTERCEPTION (BROADCAST)
EvilReceiver.java
INTENT INTERCEPTION (BROADCAST)

• Since Android Oreo, implicit broadcast receivers won’t work when registered in the AndroidManifest.xml.
• To use implicit receivers in your application, you need to define them
programmatically in your code, using registerReceiver().
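Added example (not from the slides): sending an in-app broadcast and registering its runtime receiver so that an EvilReceiver in another app is never offered the intent. The action string and permission name are assumed.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;

// Added example: keeping a runtime-registered broadcast inside one package.
public final class InAppBroadcast {
    static final String ACTION = "com.example.app.ACTION_TOKEN_READY"; // assumed
    static final String PERM = "com.example.app.permission.INTERNAL"; // assumed, signature-level

    // Sender: setPackage() limits delivery to this package, so the broadcast is
    // no longer open to whichever app registered for the action first.
    public static void send(Context ctx, String token) {
        Intent i = new Intent(ACTION);
        i.setPackage(ctx.getPackageName());
        i.putExtra("token", token);
        ctx.sendBroadcast(i, PERM);
    }

    // Receiver registered at runtime (the slides note this is required since
    // Oreo). Flag it not exported on API 33+, and on older releases require a
    // signature permission declared in the manifest so outside senders are refused.
    public static void register(Context ctx, BroadcastReceiver receiver) {
        IntentFilter filter = new IntentFilter(ACTION);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            ctx.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED);
        } else {
            ctx.registerReceiver(receiver, filter, PERM, null);
        }
    }
}
```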

INTENT INTERCEPTION (BROADCAST) – OREO AND ABOVE
MainActivity.java
INTENT INTERCEPTION (BROADCAST) – OREO AND ABOVE
EvilReceiver.java
DEMO TIME
SUMMARIZING DEMO

• Exploited Broadcast Receiver
• Loaded untrusted URL in webview
• Access to Content Provider with android:grantUriPermissions=“true”

SUMMARIZING DEMO (CONTINUED…)

• Insecure use of File Paths in FileProvider
• Ability to read and overwrite internal app files
• Code Execution by Overwriting Native Library (Yet to implement in InsecureShop…)

SUMMARIZING DEMO (CONTINUED…)

• Webview used “setAllowUniversalAccessFromFileURLs=true”
• Placed Malicious HTML file in sdcard
• Malicious HTML file is called via file:// scheme
• Data exfiltrated to remote domain

MITM FLAWS
LACK OF SSL VALIDATION

Android apps are often coded in such a way that they ignore any kind of SSL warning and
proceed with an attacker-provided certificate. This makes an app vulnerable to MITM
attacks.
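Added example (not from the slides): the onReceivedSslError override that accepts any certificate, beside the version that keeps certificate validation intact.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example: the insecure and the correct handling of WebView SSL errors.
public final class SslHandling {
    static final String TAG = "SslHandling";

    // Vulnerable pattern seen in many apps: every SSL error is waved through,
    // so a proxy's self-issued certificate is accepted without any prompt.
    public static class TrustAllClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();
        }
    }

    // Hardened: record what failed for diagnostics and abort the load, which is
    // also what the default WebViewClient implementation does.
    public static class StrictClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            Log.w(TAG, "TLS error " + error.getPrimaryError() + " for " + error.getUrl());
            handler.cancel();
        }
    }
}
```

The same mistake outside WebViews is a custom TrustManager or HostnameVerifier that accepts everything; there the fix is to delete the override and, where stronger guarantees are needed, pin via the Network Security Config.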
COMMON QUESTIONS

• How are you going to exploit this in a real scenario?
• How are you going to issue an attacker-provided certificate to the Android user and capture the traffic originating from their device?
USING BURP’S INVISIBLE PROXY
USING IPTABLES TO FORWARD TRAFFIC TO BURP
HARDCODED API KEYS AND SECRETS

KeyHacks shows ways in which particular API keys found on a Bug Bounty Program can be used, in order to check whether they are valid.

NUCLEI TEMPLATES

Releasing 40+ nuclei templates to aid mobile security assessments.
TAKEAWAYS

• Most of the time developers don’t add scheme and host validation checks, or they don’t implement them correctly.
• Loading an arbitrary URL in a webview may give you authentication tokens. Also, try to exfiltrate data from the local sandbox to a remote domain (depending on the webview properties enabled). Note, Google has fixed the symlink attack as part of the system webview update, so the symlink attack won’t work on the latest Android devices or devices with the updated system webview.
• IPC components can introduce many vulnerabilities if not properly configured.

TAKEAWAYS

• Expand your attack surface to non-exported components. Developers often pass sensitive data via implicit intents, which can be intercepted by other apps on the device.
• MITM vulnerabilities are too common in Android apps. Developers often override SSL errors, which makes the app vulnerable to MITM attacks (e.g. an unsafe implementation of onReceivedSslError).
• Hardcoding API keys and secrets in a mobile app is common. You must understand the purpose of hardcoding these keys; check the API docs and see if the keys are supposed to be public or private.
OPTIV RESOURCES

• InsecureShop App (https://github.com/optiv/Insecureshop)
• Nuclei Templates (https://github.com/optiv/mobile-nuclei-templates)
• Optiv Source Zero Blog (https://www.optiv.com/insights/source-zero)

ADDITIONAL RESOURCES

• https://github.com/streaak/keyhacks
• https://hackerone.com/reports/431002
• https://blog.oversecured.com/Interception-of-Android-implicit-intents
• https://blog.oversecured.com/Evernote-Universal-XSS-theft-of-all-cookies-from-all-sites-and-more
• https://blog.mzfr.me/posts/2020-11-07-exported-activities/
• https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105