3

Exploiting Android Components: Loading arbitrary URLs in a Webview.

On Android applications, Webviews can be leveraged to load web content within an activity, they can be used for loading both static and dynamic content depending on what’s needed.

Content can be available as an Android resource within the application itself or as a published web page accessed through the internet, for instance, say you have published the terms and conditions of a product in a web page and you simply wants to make it available in the Android application for the user to read it at any time, you could use a Webview to load this static content when a user clicks on a button in the application.

Used carefully, Webviews provides a means for displaying web content within within Android application, but, incautious usage may create a risk and open your application to be exploited by an attacker with certain level of control over the device.

Imagine you are assessing an Android application and, after reverse engineering it’s code, you take note of the application’s package name (which will be required down below) and you also find an activity that marked as exported, that is, it has the the android:exported flag set to true (android:exported=”true”) or has an intent-filter:



<activity android:exported="true" android:name=".LoadWebView" />


All this information is available in the AndroidManifest.xml file, which is the main configuration file for every Android application and contains a lot of information about how the application is supposed to behave,

If you want to learn more about reverse engineering Android applications, check the below article:

This article shows how to reverse engineer an Android application, first by using d2j-dex2jar to convert the .dex file into .class files within a compressed … Continue reading



Say the activity is used for loading web content into a Webview, the onCreate(…) method of this activity executes the next code:

protected void onCreate(Bundle savedInstanceState) {
  ...
  String url = getIntent().getDataString();
  WebView webView = findViewById(R.id.webview);
  webView.setWebViewClient(new WebViewController());
  webView.loadUrl(url);
  ...
}

As we can see, the activity receives an URL as a Data parameter, finds the Webview by Id, sets the WebiewClient and finally loads the provided URL. Given that the activity is exported and the URL that is loaded by the Webview can be sent as a parameter, this could be abused to load arbitrary URLs.



Exploiting with drozer

Drozer is a great option for Android penetration testing, it works as a two part framework, the server is installed in the device as an agent and the client runs in the workstation. Drozer con be used to analyze and launch attacks on installed applications.

If you want to learn more about installing and using the drozer framework, check the below article:

This article describes basic steps to setup, install and use the drozer framework to identify possible vulnerabilities on Android-based applications. The drozer framework … Continue reading



Once drozer is up and running, you can craft a command like the below to exploit this vulnerability. In this case we are simply loading the web page https://securitygrind.com, however, this can be any page controlled by the attacker which can be used to launch phishing attacks or as a delivery method for fake content.

dz> run app.activity.start --component com.example.root.mobilesec com.example.root.mobilesec.LoadWebView --data https://securitygrind.com



Check the below video for more details:



Long time ago (around 2013), this vulnerability was also being leveraged to gain remote code execution by injecting Javascript into a Webview and abusing reflection capabilities. We will see this in detail in a future article.