Hacking & Securing “Insecure Shop” — Unprotected web views

Hacking

The manifest exports WebViewActivity through a BROWSABLE intent filter for the insecureshop://com.insecureshop deep link, so any app or web page on the device can launch it with a URL of its choosing:

    <activity android:name=".WebViewActivity">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />

            <data
                android:host="com.insecureshop"
                android:scheme="insecureshop" />
        </intent-filter>
    </activity>
The activity enables JavaScript and universal file access on the WebView, then takes the url parameter from the deep link. The /web path applies no check at all; the /webview path only checks that the raw URL string ends with "insecureshopapp.com":

    val uri: Uri? = intent.data
    var data: String? = null
    // Dangerous WebView settings: JavaScript plus universal access from file:// URLs
    webview.settings.javaScriptEnabled = true
    webview.settings.loadWithOverviewMode = true
    webview.settings.useWideViewPort = true
    webview.settings.allowUniversalAccessFromFileURLs = true
    webview.settings.userAgentString = USER_AGENT
    if (uri?.path.equals("/web")) {
        // No validation of the attacker-controlled url parameter
        data = intent.data?.getQueryParameter("url")
    } else if (uri?.path.equals("/webview")) {
        // Suffix check on the whole URL string, not on the parsed host
        if (intent.data!!.getQueryParameter("url")!!.endsWith("insecureshopapp.com")) {
            data = intent.data?.getQueryParameter("url")
        }
    }
    // Sink assumed from the rest of the activity: the chosen URL is loaded into the WebView
    data?.let { webview.loadUrl(it) }
An intent sent from any other app loads an arbitrary page through the unchecked /web path:

    startActivity(
        Intent("android.intent.action.VIEW")
            .apply {
                data = Uri.parse("insecureshop://com.insecureshop/web?url=http://hacked.com")
            }
    )

The /webview path is bypassed just as easily, because the suffix check runs on the full URL string and a query parameter can end with the expected domain:

    startActivity(
        Intent("android.intent.action.VIEW")
            .apply {
                data = Uri.parse("insecureshop://com.insecureshop/webview?url=http://hacked.com?test=insecureshopapp.com")
            }
    )

Securing

Add the safetorun input verification dependency:

    implementation "io.github.dllewellyn.safetorun:inputverification:1.0.7"

Then verify the url parameter against an allow-list of hosts before it reaches the WebView, and reject the intent when verification flags it:

    intent.data?.getQueryParameter("url")
        ?.also {
            // urlVerification checks the URL against the configured host allow-list
            if (it.urlVerification {
                    "insecureshopapp.com".allowHost()
                }) {
                throw IllegalArgumentException("Don't hack my app!!")
            }
        }
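The following is an added example, not InsecureShop's code and not part of the safetorun library: it places the app's suffix check next to a hand-written allow-list check built on java.net.URI, so that the bypass from the Hacking section and the reason the Securing fix works can be seen side by side. The names ALLOWED_HOSTS, naiveCheck and hardenedCheck, and the sample URLs, are assumptions made for this example.

```kotlin
import java.net.URI

// Added example, not InsecureShop's or safetorun's code.
// ALLOWED_HOSTS and both function names are assumptions for this example.
val ALLOWED_HOSTS = setOf("insecureshopapp.com", "www.insecureshopapp.com")

// The check as written in InsecureShop: a suffix match on the raw URL string.
// Everything after '?' or '#' is part of that string, so a query parameter
// that ends with the expected domain satisfies it.
fun naiveCheck(url: String): Boolean = url.endsWith("insecureshopapp.com")

// Hardened check: parse the URL, accept only https, and compare the parsed
// host exactly against the allow-list. Userinfo, path, query and fragment
// cannot influence the host, and no suffix matching is done on the host
// either, so "evil-insecureshopapp.com" is rejected as well.
fun hardenedCheck(url: String): Boolean {
    val uri = try { URI(url) } catch (e: Exception) { return false }
    if (!uri.scheme.equals("https", ignoreCase = true)) return false
    val host = uri.host?.lowercase() ?: return false
    return host in ALLOWED_HOSTS
}

fun main() {
    // Constructed test vectors; the second one is the bypass shown above.
    val samples = listOf(
        "https://insecureshopapp.com/products",
        "http://hacked.com?test=insecureshopapp.com",
        "https://insecureshopapp.com@hacked.com",
        "https://evil-insecureshopapp.com",
        "https://insecureshopapp.com.evil.example",
        "file:///data/data/com.insecureshop/",
    )
    for (s in samples) {
        println("naive=${naiveCheck(s)}  hardened=${hardenedCheck(s)}  $s")
    }
}
```

Both deep-link branches (/web and /webview) should pass the url parameter through a check like hardenedCheck before webview.loadUrl, and the file:// vector only matters because allowUniversalAccessFromFileURLs is enabled in the activity; leaving that setting at its default removes that class of problem as well.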
