Resources
-
https://blog.oversecured.com/Gaining-access-to-arbitrary-Content-Providers/
- Android Manifest โ> search for exported activities (Check SDK and Android version for intent filter exportation)
- onCreate() โ> first thing that runs in the context of the Application, handled by Binder
- setResult(0, getIntent()) โ> vulnerable if we can control Intent
Example vulnerability
public void onActivityResult(int requestCode, int resultCode, Intent data) {
super.onActivityResult(requestCode, resultCode, data);
RequestCode requestCodeEnum = RequestCode.values()[requestCode];
LogUtil.getInstance().logI(TAG, "onActivityResult requestCode : " + requestCodeEnum + " + resultCode : " + resultCode + " + data : " + (data != null ? "nonNull" : "null"));
if (requestCodeEnum == RequestCode.VERIFY) {
if (resultCode == -1) {
startMyProfileWebView(this.mIntentAction, this.mClientId, this.mServiceAccessToken);
return;
}
setResult(resultCode, this.mIntent);
finish();
} else if (requestCodeEnum == RequestCode.MY_PROFILE) {
setResult(resultCode, data); // EXPLOITABLE
}
}