![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2021\/11\/Android-Weak-Host-Validation-1024x535.png\" "\\"Android")
\nIn this blog we are going to discuss about android weak host validation and see how android application is not validating weak host for the android apps.<\/p>\n
\nIn this blog we are going to discuss about android weak host validation and see how android application is not validating weak host for the android apps.<\/p>\n
Requirements:<\/p>\n
For the testing purposes, we are using InsecureShop<\/a> vulnerable android application.<\/p>\n Fig1:<\/strong> Post login interface<\/p>\n <\/p>\n First, we need to decompile insecureshop.apk in the JADX decompiler. In the below screenshot, we can see the source code of the insecureshop android application.<\/p>\n Fig2:<\/strong> Source code of insecureshop<\/p>\n Check for the androidmanifest.xml file. There you will have to look for the structure and components of the application. Also, look for the exported activity permissions provided by the developers in the source code of the application.<\/p>\n Fig3:<\/strong> Androidmanifest.xml<\/p>\n In the fig3: androidmanifest.xml screenshot, you can see there is an activity that is used as \u201c<activity android:name=”com.insecureshop.WebViewActivity”>\u201d<\/p>\n <\/p>\n An Activity is a single representation in an app. Pass the intent to startActivity() and begin your new Activity. The intent is an Activity that has to be started to carry the essential data. You can also visit\u00a0developer.android.com<\/a>\u00a0for more details.<\/p>\n In the following diagram, you can see the important state paths of an Activity. The callback methods are represented by a colorless rectangles dialog box. When an Activity is transferred between states it will be used for implementation to perform operations. The colored boxes represent the major states of the Activity.<\/p>\n Check the deep link for an activity in the image below<\/p>\n Fig4:<\/strong> Deeplink in androidmanifest.xml<\/p>\n In the figure below, you can see that deeplink invokes webview by looking at the android activity name. You can also visit\u00a0the blog<\/a>\u00a0to know more about webview.<\/p>\n Fig5:<\/strong> WebViewActivity in androidmanifest.xml<\/p>\n In Jadx, to open the code in a new tab, you will have to press hold\u00a0the ctrl\u00a0key and click on the activity name.<\/p>\n Fig6:<\/strong> Webview activity source code<\/p>\n Fig7:<\/strong> Webview activity source code – 2<\/p>\n Fig8:<\/strong> URI format<\/p>\n Let\u2019s try to exploit this vulnerability, we have made one payload based on URI format to load the arbitrary web page in the webview.<\/p>\n “insecureshop:\/\/com.insecureshop\/webview?url=https:\/\/varutra.com\/ \\?insecureshopapp.com”<\/p>\n We will be using ADB to launch webview activity by passing URI as data to it. The command used for exploiting is: adb shell am start -W -a android.intent.action.VIEW -d “insecureshop:\/\/com.insecureshop\/webview?url=https:\/\/varutra.com\/\\?insecureshopapp.com”<\/a>.<\/p>\n You can see that Webview loads the arbitrary URI:<\/p>\n Fig9:<\/strong> Arbitrary URI is loaded in webview successfully<\/p>\n <\/p>\n References:<\/u><\/strong><\/p>\n <\/p>\n Author,<\/p>\n Rituraj Vishwakarma<\/p>\n Attack & Pentest Team<\/p>\n Varutra Consulting Pvt. Ltd.<\/p>","protected":false},"excerpt":{"rendered":" In this blog we are going to discuss about android weak host validation and see how android application is not validating weak host for the…<\/p>\n","protected":false},"author":4,"featured_media":17885,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[51,264],"tags":[],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t![\"Post](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Post-login-interface.png\")
<\/p>\n![\"Source](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Source-code-of-insecureshop-1.png\")
<\/p>\n![\"Androidmanifest\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Androidmanifest.png\")
<\/p>\nWhat is Activity?<\/strong><\/h3>\n
![\"important](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/important-state-paths-of-an-Activity.png\")
<\/p>\n![\"Deeplink](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Deeplink-in-androidmanifest.png\")
<\/p>\n\n
![\"WebView](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/WebView-Activity-in-androidmanifest.png\")
<\/p>\n![\"Webview](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Webview-activity-source-code.png\")
<\/p>\n\n
![\"Webview](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Webview-activity-source-code-2.png\")
<\/p>\n\n
![\"URI](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/URI-format.png\")
<\/p>\n![\"Arbitrary](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/11\/Arbitrary-URI-is-loaded-in-webview-successfully.png\")
<\/p>\n\n