Vuldroid App Walkthrough

4 years ago

Akshansh JaisWal

Hi everyone, I hope you are all well. Recently I have been learning about security bugs that arise in Android apps at the static code level. While learning the concepts I created Vuldroid, a deliberately vulnerable app that contains the following vulnerabilities:

1. Steal Password Reset Tokens / Magic Login Links
2. WebView XSS via Exported Activity
3. WebView XSS via Deep Link
4. Intent Sniffing Between Two Applications
5. Reading User Email via Broadcasts

Links: APKs

This is a spoiler for the labs, so if you want to try reproducing the issues on your own, here is the repository. Also, some of these vulnerabilities might not have a high impact from a bug bounty perspective. So let's begin: when we install the application we get a login screen.


So our first vulnerable area is:

1. Steal Password Reset Tokens / Magic Login Links

Here we first need to sign up, because we are going to intercept our password reset token with a malicious application; we are using Firebase for this purpose. Click on Login and you can see a Forgot Password option: enter your email and click on Reset.

We now receive a password reset link. On clicking it we get redirected to our application, where we have built a WebView to process the reset. Let's look at the vulnerability:

(Image: Manifest file)

So we have used a deep link to launch the activity, but the problem is that we are not restricting the deep link to be opened only by our activity, i.e. we have not set it to

<intent-filter android:autoVerify="true">

As the Android Developer Guide recommends, sensitive links such as magic login and password reset links that are processed by your application should be verified. To do so we need to set autoVerify and host an assetlinks file on our controlled domain, which allows the link to be handled only by our app.

In order to exploit this we write an application that intercepts the token: we declare the same deep link, and when the user clicks the link and selects our malicious APK, the token is intercepted and can be sent to a remote attacker. So in our ExploitApp we have built an activity where:

we take the token from the intent and display it in a TextView.

Here's a sample report that was reported to Shopify and rewarded with $500: Account takeover intercepting magic link for Arrive app.

Next, after we complete this, let's log in to our dashboard where we can see the various activities.


2. XSS via Exported WebView

Here we have our first activity, YoutubeViewer, which loads youtube.com in a WebView. In this case the activity is exported and checks whether an intent_url extra is passed as a parameter; if it is, it loads that URL. So via our ExploitAPK we can launch this XSS attack by passing intent_url as javascript:prompt('Hey').

3. WebView XSS via Deep Link

In our third activity, BlogsViewer, we can see in the manifest that all URLs from medium.com are accepted as a deep link parameter if they carry a ?url= query parameter. So if we have something like

medium.com?url=javascript:prompt(‘Enter Your Password’)

(Image: Deep link XSS)
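Both WebView issues above (the exported activity trusting its intent_url extra, and the deep link trusting its ?url= query parameter) come down to loading an attacker-supplied string without checking its scheme or host. The following is an added example of a hardened viewer activity written for this walkthrough; it is not Vuldroid's code, and the class name, the allowlisted hosts and the androidx dependency are assumptions. It accepts only https URLs on an allowlist and rejects javascript:, file:, content: and intent: schemes before anything reaches loadUrl.

```java
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hardened counterpart of the two viewer activities (added example, not Vuldroid's code).
public class SafeViewerActivity extends AppCompatActivity {

    // Hosts the WebView may navigate to. This allowlist is an assumption for the example.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.youtube.com", "youtube.com", "medium.com"));

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        // Reading a page does not need script execution; with JavaScript off a
        // javascript: URL or an injected script has nothing to run in.
        webView.getSettings().setJavaScriptEnabled(false);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Returning true cancels the navigation, so redirects and in-page
                // links that leave the allowlist are blocked as well.
                return !isSafeToLoad(url);
            }
        });

        String target = extractTarget(getIntent());
        if (target == null) {
            finish(); // nothing trustworthy to show
            return;
        }
        webView.loadUrl(target);
    }

    // Section 2 shape: the target arrives as the "intent_url" extra of an exported activity.
    // Section 3 shape: the target arrives as ?url= on a deep link such as https://medium.com/?url=...
    static String extractTarget(Intent intent) {
        String candidate = intent.getStringExtra("intent_url");
        Uri data = intent.getData();
        if (candidate == null && data != null) {
            candidate = data.getQueryParameter("url");
        }
        if (candidate == null) {
            return null;
        }
        return isSafeToLoad(candidate) ? candidate : null;
    }

    // Accepts only https URLs whose host is on the allowlist.
    // "javascript:prompt('Hey')" parses with scheme "javascript" and no host, so it is rejected.
    static boolean isSafeToLoad(String url) {
        Uri uri = Uri.parse(url.trim());
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;
        }
        return "https".equals(scheme.toLowerCase(Locale.ROOT))
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

If the allowlisted site genuinely needs JavaScript, enable it but keep the scheme and host checks in place: the check on the incoming value, not the JavaScript switch, is what stops an arbitrary URL from being loaded. Note that the deep-link case also still needs autoVerify and an assetlinks file, as described in section 1, so that another app cannot claim the medium.com link in the first place.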

4. Intent Sniffing Between Two Applications

In Android, if you are using intents to send messages between applications, the most basic approach is to put the class name in the intent and pass the message, but another way is to use intent.setAction("listenerName"). Here the application assumes that only the intended listeners will be available to receive our message.

(Image: Sender file)

(Image: Receiver end)

The image above shows our send activity; the receiver must declare the action in its manifest intent filter and read the intent to display the message. The problem is that our Exploit App can be installed on the same device, and when a message is sent from the original app our activity will also be offered as a handler. This attack works best if the receiver app is not present on the device: then only our exploit app is installed, the user is not prompted with a chooser, and we receive the message directly. To reproduce, download Recievemsg.apk and send a message; normally the message is received by the recievemsg app. Next install our malicious app; this time you will also be prompted with the option of our exploit app.
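The root cause in this section is an implicit intent: an action string is something any installed app can declare in its manifest, whereas a component name is not. The following is an added example written for this walkthrough, not Vuldroid's sender code; the package, class and action names are hypothetical. It shows the implicit intent from the text next to an explicit one that names the destination component, and refuses to send at all when the intended receiver is not installed, which is exactly the situation the text describes as the easiest to abuse.

```java
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

// Added example (not Vuldroid's sender). Package, class and action names are hypothetical.
public final class MessageSender {
    private static final String RECEIVER_PACKAGE = "com.example.receivemsg";
    private static final String RECEIVER_ACTIVITY = RECEIVER_PACKAGE + ".ReceiveActivity";
    private static final String ACTION_MESSAGE = "com.example.action.RECEIVE_MESSAGE";

    private MessageSender() {}

    // Vulnerable pattern from the walkthrough: an implicit intent. Any installed app whose
    // manifest declares an <intent-filter> for ACTION_MESSAGE is a valid target, and when
    // several match the user gets a chooser; when only the rogue app matches, no chooser at all.
    static Intent implicitIntent(String message) {
        Intent intent = new Intent(ACTION_MESSAGE);
        intent.putExtra("msg", message);
        return intent;
    }

    // Hardened pattern: name the destination component. The system delivers the intent
    // to that package and class only, regardless of which other apps declare the action.
    static Intent explicitIntent(String message) {
        Intent intent = new Intent(ACTION_MESSAGE);
        intent.setComponent(new ComponentName(RECEIVER_PACKAGE, RECEIVER_ACTIVITY));
        intent.putExtra("msg", message);
        return intent;
    }

    // Check that the named component exists before sending. On Android 11 and later the
    // sending app must also list the receiver package in a <queries> element of its own
    // manifest, otherwise package visibility filtering makes this lookup return null.
    static boolean canDeliver(Context ctx, Intent intent) {
        return intent.resolveActivity(ctx.getPackageManager()) != null;
    }

    // Returns false, and sends nothing, if the intended app is missing instead of letting
    // the system fall through to whatever else might answer.
    static boolean send(Context ctx, String message) {
        Intent intent = explicitIntent(message);
        if (!canDeliver(ctx, intent)) {
            return false;
        }
        ctx.startActivity(intent);
        return true;
    }
}
```

On the receiving side, the same principle applies in reverse: if the receiving activity only ever expects messages from one known app, it should not be exported with a broad intent filter, and it should treat whatever arrives in the extra as untrusted input.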

5. Reading User Email via Broadcasts

In the email viewer activity we can see our email. When we open the activity we use an intent to trigger our broadcast receiver, which in turn sends us our Firebase-registered email. Because we have exported our receiver, any app can trigger it.

(Image: Broadcast receiver)

Here we have registered our receiver to return a toast message with the email, but as a malicious application we just have to register a receiver with the same name and call it. Here I have used a button in our ExploitApk:


Once we have seen the email viewer in the MainApplication, move to the Exploit App and click the button: you will still get a toast with your email on the button press.
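The receiver leaks the email because it is exported, so any package can send the broadcast that makes it fire. The following is an added example written for this walkthrough, not Vuldroid's receiver; the action string, class names and the assumption that the email is already known to the app are hypothetical. It keeps the receiver private to the app in two layers: the receiver is registered as not exported, and the app's own request is an explicit broadcast scoped to its own package.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;
import android.widget.Toast;

// Added example (not Vuldroid's receiver). Action and class names are hypothetical.
public final class EmailReceiverGuard {
    static final String ACTION_SHOW_EMAIL = "com.example.action.SHOW_EMAIL";

    private EmailReceiverGuard() {}

    static final class EmailReceiver extends BroadcastReceiver {
        private final String registeredEmail;

        EmailReceiver(String registeredEmail) {
            this.registeredEmail = registeredEmail;
        }

        @Override
        public void onReceive(Context context, Intent intent) {
            // Ignore anything that is not the one action this receiver exists for.
            if (!ACTION_SHOW_EMAIL.equals(intent.getAction())) {
                return;
            }
            Toast.makeText(context, registeredEmail, Toast.LENGTH_LONG).show();
        }
    }

    // Register at runtime as a non-exported receiver (flag available from API 33).
    // On older versions a dynamically registered receiver is reachable by other apps,
    // so there the equivalent is declaring it in the manifest with
    // android:exported="false" on the <receiver> element instead of registering it here.
    static BroadcastReceiver register(Context ctx, String email) {
        EmailReceiver receiver = new EmailReceiver(email);
        IntentFilter filter = new IntentFilter(ACTION_SHOW_EMAIL);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            ctx.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED);
        } else {
            ctx.registerReceiver(receiver, filter);
        }
        return receiver;
    }

    // The app's own trigger: setPackage turns the broadcast into an explicit one that is
    // delivered only to receivers inside this package, so no other app can observe it.
    static void requestEmail(Context ctx) {
        Intent intent = new Intent(ACTION_SHOW_EMAIL);
        intent.setPackage(ctx.getPackageName());
        ctx.sendBroadcast(intent);
    }
}
```

With the receiver no longer exported, the button in the ExploitApk sends its broadcast into the void: the system never delivers it to the main app, so the toast with the email only ever appears when the main app itself asks for it.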


So with this we come to the end of the walkthrough. I hope you learned something from the vulnerabilities shown above. Thank you so much for spending time reading this. If you have any feedback or suggestions about Vuldroid, feel free to reach out to me; I will try to make more improvements and build a better version in the next release.

Feel free to connect with me on Twitter, Linkedin, Website
