Theft of Arbitrary files from LocalStorage

The ChooserActivity is exported and declares several MIME types in its intent filters in the AndroidManifest.xml file.

<activity
    android:name=".ChooserActivity"
    android:excludeFromRecents="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />

        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.SEND" />

        <category android:name="android.intent.category.DEFAULT" />

        <data android:mimeType="application/*" />
        <data android:mimeType="audio/*" />
        <data android:mimeType="image/*" />
        <data android:mimeType="text/*" />
        <data android:mimeType="video/*" />
    </intent-filter>

    <meta-data
        android:name="android.service.chooser.chooser_target_service"
        android:value=".ConversationChooserTargetService" />
</activity>

The ChooserActivity contains the following code, which takes the URI of the desired file from the android.intent.extra.STREAM extra.

// The extra is supplied by whichever app sends the intent
var uri = intent.getParcelableExtra<Parcelable>("android.intent.extra.STREAM") as Uri
// The value is re-wrapped as a file:// URI with no check on where it points
uri = Uri.fromFile(File(uri.toString()))
makeTempCopy(uri, this, getFilename(uri))

The ChooserActivity then copies the file referenced by android.intent.extra.STREAM to the sdcard, into a folder named insecureapp.

private fun makeTempCopy(fileUri: Uri, context: Context, original_filename: String?): Uri? {
    try {
        // Destination: <external storage>/insecureapp/<original filename>
        val out = Uri.fromFile(
            File(
                Environment.getExternalStorageDirectory().absolutePath + File.separator + "insecureapp",
                original_filename
            )
        )
        val inputStream: InputStream? = contentResolver.openInputStream(fileUri)
        val outputStream: OutputStream? = contentResolver.openOutputStream(out)
        val buffer = ByteArray(8192)
        while (true) {
            val len: Int = inputStream?.read(buffer) ?: -1
            if (len == -1) break // end of stream (or no stream): stop copying
            outputStream?.write(buffer, 0, len)
        }
        inputStream?.close()
        outputStream?.close()
        return out
    } catch (e: Exception) {
        return null
    }
}

This flaw allows any malicious third-party app on the device to steal any file from the InsecureShop app's localStorage by having it copied to the sdcard (which is world readable/writable).
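One way to close the hole described above, as an added example that is not part of InsecureShop or of the original page: validate the stream URI before reading it, and keep the temporary copy in app-private storage instead of the sdcard. The helper names safeSharedStream and copyToPrivateCache are hypothetical, and the sketch assumes the app exposes no content provider of its own that maps to its private files.

```kotlin
import android.content.Context
import android.content.Intent
import android.net.Uri
import java.io.File

// Hypothetical helper, not InsecureShop code. Returns the shared stream URI only
// if reading it cannot expose this app's private files; otherwise null.
fun safeSharedStream(context: Context, intent: Intent): Uri? {
    val uri = intent.getParcelableExtra<Uri>(Intent.EXTRA_STREAM) ?: return null
    return when (uri.scheme) {
        // content:// reads are mediated by the owning provider's permissions.
        // Assumption: this app has no provider of its own serving private files.
        "content" -> uri
        "file" -> try {
            val path = uri.path ?: return null
            // Canonicalize both sides so "../" segments and symlinked aliases
            // of the data directory cannot slip past the prefix check.
            val target = File(path).canonicalPath
            val privateRoot = File(context.applicationInfo.dataDir).canonicalPath
            val insidePrivate = target == privateRoot ||
                target.startsWith(privateRoot + File.separator)
            if (insidePrivate) null else uri
        } catch (e: Exception) {
            null // unresolvable path: fail closed
        }
        // Raw paths and every other scheme are rejected, never wrapped in file://.
        else -> null
    }
}

// Hypothetical helper: copies the validated stream into the app's private cache
// directory, so the temporary copy is never placed on shared external storage.
fun copyToPrivateCache(context: Context, src: Uri, name: String): File? {
    val dest = File(context.cacheDir, File(name).name) // drop directory components
    return try {
        context.contentResolver.openInputStream(src)?.use { input ->
            dest.outputStream().use { output -> input.copyTo(output) }
            dest
        }
    } catch (e: Exception) {
        null
    }
}
```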

Last updated 3 years ago