Insecure Broadcast Receiver
The activity com.insecureshop.AboutUsActivity is exported and contains the following code:

    public void onCreate(android.os.Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(2131492892);
        com.insecureshop.CustomReceiver customReceiver = new com.insecureshop.CustomReceiver();
        this.receiver = customReceiver;
        if (customReceiver == null) {
            kotlin.jvm.internal.Intrinsics.throwUninitializedPropertyAccessException("receiver");
        }
        // Receiver is registered at runtime for the custom action; no sender permission is set
        registerReceiver(customReceiver, new android.content.IntentFilter("com.insecureshop.CUSTOM_INTENT"));
    }

Observe that a receiver is registered while the onCreate method executes. The registerReceiver call above means the receiver named customReceiver will be triggered whenever a broadcast with the action com.insecureshop.CUSTOM_INTENT is sent. Because the two-argument registerReceiver overload sets no broadcast permission, the sender does not have to be InsecureShop itself.

The class com.insecureshop.CustomReceiver contains the following code:

    public final class CustomReceiver extends android.content.BroadcastReceiver {
        public void onReceive(android.content.Context context, android.content.Intent intent) {
            android.os.Bundle extras;
            // "web_url" is read straight from the incoming broadcast
            java.lang.String stringExtra = (intent == null || (extras = intent.getExtras()) == null) ? null : extras.getString("web_url");
            java.lang.String str = stringExtra;
            if (!(str == null || kotlin.text.StringsKt.isBlank(str))) {
                // The value is forwarded unchanged to WebView2Activity as "url"
                android.content.Intent intent2 = new android.content.Intent(context, com.insecureshop.WebView2Activity.class);
                intent2.putExtra("url", stringExtra);
                if (context != null) {
                    context.startActivity(intent2);
                }
            }
        }
    }

The above code says the onReceive method will be called first, and it reads the value of web_url from the intent. That value is then assigned to the variable str. If the value of str is not empty, it is passed to the class com.insecureshop.WebView2Activity as the extra named url. No check is made on the value before it is forwarded.

Refer to the following video, which shows how this can be exploited by creating a third-party Android application.
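
A hardened form of the receiver described above, added here as an example and not taken from the InsecureShop code base. It assumes the broadcast only ever needs to come from the app itself, that androidx.core is available, and that www.example.com stands in for the real allowlist; registerPrivately and isTrustedUrl are hypothetical helper names.

```java
package com.insecureshop;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import androidx.core.content.ContextCompat;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

public final class CustomReceiver extends BroadcastReceiver {
    // Assumption: placeholder allowlist; replace with the hosts the app really loads.
    private static final Set<String> ALLOWED_HOSTS = Collections.singleton("www.example.com");

    // Register so that other apps on the device cannot deliver the broadcast.
    public static void registerPrivately(Context context, CustomReceiver receiver) {
        ContextCompat.registerReceiver(context, receiver,
                new IntentFilter("com.insecureshop.CUSTOM_INTENT"),
                ContextCompat.RECEIVER_NOT_EXPORTED);
    }

    // Accept only well-formed https URLs, without userinfo, whose host is allowlisted.
    static boolean isTrustedUrl(String raw) {
        if (raw == null || raw.trim().isEmpty()) return false;
        try {
            URI uri = new URI(raw.trim());   // throws on backslashes, spaces, control chars
            String host = uri.getHost();
            return "https".equalsIgnoreCase(uri.getScheme())
                    && uri.getUserInfo() == null
                    && host != null
                    && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;
        }
    }

    @Override
    public void onReceive(Context context, Intent intent) {
        if (context == null || intent == null) return;
        String webUrl = intent.getStringExtra("web_url");
        if (!isTrustedUrl(webUrl)) return;   // ignore untrusted or malformed values
        Intent next = new Intent(context, WebView2Activity.class);
        next.putExtra("url", webUrl.trim());
        context.startActivity(next);
    }
}
```

In AboutUsActivity.onCreate, the existing registerReceiver call would be replaced by CustomReceiver.registerPrivately(this, customReceiver). The URL check stays in place as a second layer in case the receiver is ever exported again.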