Usage • Note • Vulnerabilities • Guidance • Credits
InsecureShop is an Android application that is designed to be intentionally vulnerable. The application serves as a platform to test your Android pentesting skills. The vulnerabilities present in this app are real and have been found during mobile pentests.
You can compile the source code in Android Studio or simply download the APK file from here.
- The majority of the vulnerabilities can be exploited on a non-rooted device (threat actors: remote users and malicious third-party applications).
- No APIs are used by the app.
- Hardcoded Credentials: Credentials that can be used to log in to the application are hardcoded somewhere in the app.
- Insufficient URL Validation: It is possible to load an arbitrary URL in the WebView via a deep link.
- Weak Host Validation Check: It is possible to bypass the host validation check and load an arbitrary URL in the WebView.
- Arbitrary Code Execution: Arbitrary code execution via third-party package contexts.
- Access to Protected Components: The app takes an embedded Intent and passes it to a method such as startActivity. This allows any third-party app to launch any protected component.
- Unprotected Data URIs: Untrusted URIs passed to the loadUrl method allow attackers to load an arbitrary URL in the WebView.
- Theft of Arbitrary Files: It is possible to steal files from the app's local storage via ChooserActivity.
- Using Components with Known Vulnerabilities: Identify the vulnerable components or libraries used in the app that allow local files to be exfiltrated to a remote domain.
- Insecure Broadcast Receiver: An exported activity registers a broadcast receiver while its onCreate method executes. An attacker can trigger this broadcast and supply an arbitrary URL in the 'web_url' parameter.
- AWS Cognito Misconfiguration: The misconfigured AWS Cognito instance can be used to access an AWS S3 bucket.
- Insecure Use of File Paths in FileProvider: A wide file-sharing declaration can be used to access the root directory via the content provider.
- Use of Implicit Intent to Send a Broadcast with Sensitive Data: The use of an implicit intent can allow third-party apps to steal credentials.
- Intercepting Implicit Intent to Load Arbitrary URL: The use of an implicit intent can allow third-party apps to load an arbitrary URL in the WebView.
- Insecure Implementation of setResult in Exported Activity: The insecure implementation used in ResultActivity can be used to access arbitrary content providers.
- Insecure Content Provider: The content provider can be accessed by any third-party app to steal user credentials.
- Lack of SSL Certificate Validation: The unsafe implementation of onReceivedSslError can be used to eavesdrop on all traffic loaded in the WebView.
- Insecure WebView Properties Enabled: Insecure WebView properties are enabled that can allow third-party apps to exfiltrate local data to a remote domain.
- Insecure Data Storage: The app stores user credentials locally without encrypting them.
- Insecure Logging: User credentials are leaked in logcat. Only attackers with physical access to the device can access this information.
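Several of the items above (insufficient URL validation, weak host validation, access to protected components, the unsafe onReceivedSslError handler, and insecure WebView properties) are best understood by placing the weak pattern next to its hardened form. The following Kotlin activity is an added example written for this README; it is not InsecureShop's own code. The package name, the class name, the trusted host `shop.example.com`, the `url` extra and the fallback page are assumptions for illustration.

```kotlin
// Added example (not InsecureShop code): weak patterns from the list above
// beside hardened replacements. Package, class, host and extra names are assumed.
package com.example.hardenedwebview

import android.content.Intent
import android.net.Uri
import android.net.http.SslError
import android.os.Bundle
import android.webkit.SslErrorHandler
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity

class HardenedWebViewActivity : AppCompatActivity() {

    companion object {
        // Assumed allow-list of hosts the WebView may navigate to.
        private val TRUSTED_HOSTS = setOf("shop.example.com")

        // WEAK: a substring check passes any URL that merely contains the
        // trusted name anywhere, so it does not pin the actual host.
        fun isTrustedWeak(url: String): Boolean = url.contains("shop.example.com")

        // HARDENED: parse the URL, require https, and compare the parsed host
        // exactly against the allow-list.
        fun isTrustedStrict(url: String): Boolean {
            val uri = Uri.parse(url)
            if (!"https".equals(uri.scheme, ignoreCase = true)) return false
            val host = uri.host?.lowercase() ?: return false
            return host in TRUSTED_HOSTS
        }
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        setContentView(webView)

        // HARDENED settings. The weak configuration leaves file access and
        // universal access from file:// URLs enabled, which is what lets local
        // data be read into page content and sent to a remote domain.
        webView.settings.apply {
            javaScriptEnabled = false            // enable only if the page needs it
            allowFileAccess = false
            allowContentAccess = false
            allowFileAccessFromFileURLs = false
            allowUniversalAccessFromFileURLs = false
        }

        webView.webViewClient = object : WebViewClient() {
            // WEAK: calling handler.proceed() here accepts any certificate and
            // removes TLS protection for everything loaded in the WebView.
            // HARDENED: cancel the load on any SSL error.
            override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
                handler.cancel()
            }

            // Keep in-WebView navigation inside the allow-list; anything else
            // is not loaded by this WebView (returning true blocks the load).
            override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
                return !isTrustedStrict(request.url.toString())
            }
        }

        // Deep link / extra handling: the URL is attacker-controlled input,
        // so it is loaded only when it passes the strict check.
        val requested = intent?.data?.toString() ?: intent?.getStringExtra("url")
        if (requested != null && isTrustedStrict(requested)) {
            webView.loadUrl(requested)
        } else {
            webView.loadUrl("https://shop.example.com/")  // assumed fallback page
        }
    }

    // Access to Protected Components: an embedded Intent received from another
    // app is forwarded only if it explicitly targets this package, and any URI
    // permission grants it carries are stripped first.
    fun forwardIfInternal(embedded: Intent?): Boolean {
        val target = embedded?.component ?: return false
        if (target.packageName != packageName) return false
        embedded.removeFlags(
            Intent.FLAG_GRANT_READ_URI_PERMISSION or Intent.FLAG_GRANT_WRITE_URI_PERMISSION
        )
        startActivity(embedded)
        return true
    }
}
```

`isTrustedWeak` is kept only to show the pattern that a host-validation bypass targets; production code should use the parsed-host comparison in `isTrustedStrict`. The `onReceivedSslError` override is the single most common source of the "Lack of SSL Certificate Validation" finding: calling `handler.proceed()` there, even "just for testing", disables certificate checking for every request the WebView makes.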
The link below does not give you solutions, but it can point you in the right direction:
https://docs.insecureshopapp.com
- Rujul Gandhi: Thank you for your contributions to this app
- Sergey Toshin (Oversecured): Thank you for your amazing research on Android security which prompted me to start this project