In this blog, we discuss weak host validation in Android apps and see how an Android application can fail to validate the host of a URL properly.
Requirements:
For testing purposes, we are using the InsecureShop vulnerable Android application.
Fig1: Post login interface
First, we need to decompile insecureshop.apk in the JADX decompiler. In the screenshot below, we can see the source code of the InsecureShop Android application.
Fig2: Source code of insecureshop
Check the AndroidManifest.xml file. There, look at the structure and components of the application. Also, look for the exported activities and the permissions defined by the developers.
Fig3: Androidmanifest.xml
In the Fig3 (AndroidManifest.xml) screenshot, you can see an activity declared as <activity android:name="com.insecureshop.WebViewActivity">
An Activity represents a single screen in an app. To start a new Activity, pass an Intent to startActivity(). The Intent describes the Activity to start and carries the essential data. You can also visit developer.android.com for more details.
In the following diagram, you can see the important state paths of an Activity. The uncolored rectangles represent the callback methods, which you can implement to perform operations when the Activity moves between states. The colored boxes represent the major states of the Activity.
Check the deep link for the activity in the image below.
Fig4: Deeplink in androidmanifest.xml
In the figure below, you can see from the Android activity name that the deep link invokes the WebView. You can also visit the blog to know more about WebView.
Fig5: WebViewActivity in androidmanifest.xml
In JADX, to open the code in a new tab, hold the Ctrl key and click on the activity name.
Fig6: Webview activity source code
Fig7: Webview activity source code – 2
Fig8: URI format
Let’s try to exploit this vulnerability. We have made one payload based on the URI format to load an arbitrary web page in the WebView:
"insecureshop://com.insecureshop/webview?url=https://varutra.com/\?insecureshopapp.com"
We will be using ADB to launch the WebView activity by passing the URI as data to it. The command used for exploiting is:
adb shell am start -W -a android.intent.action.VIEW -d "insecureshop://com.insecureshop/webview?url=https://varutra.com/\?insecureshopapp.com"
You can see that Webview loads the arbitrary URI:
Fig9: Arbitrary URI is loaded in webview successfully
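The weakness demonstrated above, as an added example that is not InsecureShop's own code: it assumes the app accepts the url parameter when the raw string ends with insecureshopapp.com (consistent with the payload above) and contrasts that with parsing the URL and matching the host exactly. The class name, method names and allowlist entries are hypothetical, and java.net.URI is used so the example runs on a plain JVM.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class HostValidationDemo {
    // Hypothetical allowlist; the domain is the one used in the payload on this page.
    static final Set<String> ALLOWED_HOSTS =
            Set.of("insecureshopapp.com", "www.insecureshopapp.com");

    // Weak check (assumed): suffix match on the whole URL string.
    // The query string is part of that string, so it can satisfy the match.
    static boolean weakCheck(String url) {
        return url != null && url.endsWith("insecureshopapp.com");
    }

    // Hardened check: parse first, then validate scheme and host separately.
    static boolean strictCheck(String url) {
        if (url == null) return false;
        try {
            URI uri = new URI(url);
            String host = uri.getHost();              // null if no valid host
            if (host == null) return false;
            if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
            if (uri.getRawUserInfo() != null) return false;   // no user@host forms
            // Exact match against the allowlist, never contains/endsWith.
            return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;                             // unparseable input is rejected
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the third is the url value from the payload above.
        List<String> samples = List.of(
                "https://insecureshopapp.com/offers",
                "https://www.insecureshopapp.com/",
                "https://varutra.com/?insecureshopapp.com",
                "http://insecureshopapp.com/");
        for (String s : samples) {
            System.out.printf("%-42s weak=%-5b strict=%b%n",
                    s, weakCheck(s), strictCheck(s));
        }
    }
}
```

In an Android activity the same decision would be made on the parsed deep-link parameter before it is handed to the WebView, with rejected URLs never loaded.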
Author,
Rituraj Vishwakarma
Attack & Pentest Team
Varutra Consulting Pvt. Ltd.