DEEPLINKS
WHAT ARE DEEPLINKS?
DEEPLINK COMPONENTS
TRIGGERING DEEPLINKS IN ANDROID
TRIGGERING DEEPLINKS IN IOS
FINDING SCHEMES AND AUTHORITY
AndroidManifest.xml
FINDING PATHS AND QUERY PARAMETERS
Phishing: Possible if you can load any arbitrary URL in WebView.
DoS: Possible if a malformed deeplink can be used to crash the application.
XSS: Possible if setJavaScriptEnabled(true) is set in WebView.
THEFT OF AUTH TOKENS
INSECURE HOST VALIDATION
CVE-2017-13274
Payload:
http://attacker.com\\\\@legitimate.com/smth
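How the payload above defeats a host check, as an added Python illustration that is not part of the slides: Python's urlsplit stands in for a lenient parser that takes the text after the last '@' as the host, while a Chromium-based WebView treats a backslash in an http(s) authority like a forward slash, so the host it actually connects to is attacker.com. The allowlist and the three check functions are constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hosts the app intends to trust (constructed allowlist for this example).
ALLOWED_HOSTS = {"legitimate.com"}

# Payload exactly as shown on the slide.
PAYLOAD = r"http://attacker.com\\\\@legitimate.com/smth"


def naive_is_trusted(url: str) -> bool:
    """Lenient check: compare whatever the parser reports as the host.

    urlsplit ends the authority at the first '/', so the backslashes stay
    inside the netloc and everything after the last '@' is read as the host:
    the payload parses as host 'legitimate.com' and passes the check.
    """
    return urlsplit(url).hostname in ALLOWED_HOSTS


def browser_host(url: str) -> Optional[str]:
    """Approximate what a WHATWG-style parser (Chromium, hence WebView) sees.

    For http/https a backslash in the authority is treated like '/', so it
    terminates the host; '@legitimate.com' ends up in the path, not the host.
    """
    return urlsplit(url.replace("\\", "/")).hostname


def hardened_is_trusted(url: str) -> bool:
    """Validate the host the way the WebView will actually resolve it.

    Normalise backslashes before parsing, allow only http(s), refuse any
    userinfo ('@') in the authority, and require an exact allowlist match.
    """
    parts = urlsplit(url.replace("\\", "/"))
    if parts.scheme not in ("http", "https"):
        return False
    if "@" in parts.netloc:  # credentials in the authority are a red flag
        return False
    return parts.hostname in ALLOWED_HOSTS
```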
CREATING AN APP WITH A CUSTOM SCHEME
AndroidManifest.xml
MainActivity.java
SYMLINK ATTACK
REMOTE THEFT OF SESSION COOKIES
Base64 decoded
The attacker domain and cookie get stored in the database file ‘app_webview/Cookies’.
The malicious app creates a symlink with a .html extension (symlink.html) to force WebView to parse the database file as an HTML file.
ln -s /data/data/com.target/app_webview/Cookies /data/data/com.hack/symlink.html
When symlink.html is loaded in WebView, the JavaScript payload is triggered and sends the data to the attacker domain.
REMOTE THEFT OF ALL FILES
Developers often create proxy components (activities, broadcast receivers and services) that take an embedded Intent and pass it to dangerous methods like startActivity(...), sendBroadcast(...), etc.
As researched by Oversecured, it was found that more than 80% of apps contain this vulnerability.
EXPORTED ACTIVITY
VULNERABLE CODE
CODE IN A MALICIOUS APP
EXPLOITING IMPLICIT INTENTS
EXPLICIT VS IMPLICIT INTENT
Explicit: explicitly specifies the name of the component to be invoked by the activity; we use explicit intents to start a component in our own app.
Implicit: does not specify any name of the component to start. Instead, it declares an action to perform and allows a component from other apps to handle it.
IMPLICIT INTENT
Implicit intent used to launch an activity
Implicit intent used to send a broadcast
INTENT INTERCEPTION (BROADCAST)
AndroidManifest.xml
INTENT INTERCEPTION (BROADCAST)
EvilReceiver.java
INTENT INTERCEPTION (BROADCAST)
INTENT INTERCEPTION (BROADCAST) – OREO AND ABOVE
MainActivity.java
INTENT INTERCEPTION (BROADCAST) – OREO AND ABOVE
EvilReceiver.java
DEMO TIME
SUMMARIZING DEMO
Exploited Intent
Broadcast Receiver
Insecure use of File Paths in FileProvider
Android apps are often coded in such a way that they ignore any kind of SSL warning and proceed with an attacker-provided certificate. This makes an app vulnerable to MITM attacks.
COMMON QUESTIONS
• How are you going to issue an attacker-provided certificate to the Android user and capture the traffic originating from their device?
USING BURP’S INVISIBLE PROXY
USING IPTABLES TO FORWARD TRAFFIC TO BURP
HARDCODED API KEYS AND SECRETS
KeyHacks shows ways in which particular API keys found on a bug bounty program can be used to check whether they are valid.
NUCLEI TEMPLATES
Releasing 40+ nuclei templates to aid mobile security assessments.
TAKEAWAYS
• Most of the time developers don’t add a scheme and host validation check, or they don’t implement it correctly.
• Loading an arbitrary URL in WebView may give you authentication tokens. Also, try to exfiltrate data from the local sandbox to the remote domain (depending on the WebView properties enabled). Note: Google has fixed the symlink attack as part of the system WebView update, so the symlink attack won’t work on the latest Android devices or on devices with the updated system WebView.
• IPC components can introduce many vulnerabilities if not properly configured.
• Expand your attack surface to non-exported components. Developers often pass sensitive data via implicit intents, which can be intercepted by other apps on the device.
• MITM vulnerabilities are too common in Android apps. Developers often override SSL errors, which makes the app vulnerable to MITM attack (e.g. an unsafe implementation of onReceivedSslError).
• Hardcoding API keys and secrets in mobile apps is common. You must understand the purpose of hardcoding these keys: check the API docs and see if the keys are supposed to be public or private.
OPTIV RESOURCES
ADDITIONAL RESOURCES
• https://github.com/streaak/keyhacks
• https://hackerone.com/reports/431002
• https://blog.oversecured.com/Interception-of-Android-implicit-intents
• https://blog.oversecured.com/Evernote-Universal-XSS-theft-of-all-cookies-from-all-sites-and-more
• https://blog.mzfr.me/posts/2020-11-07-exported-activities/
• https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105