Misconfigured intent filter?

I’m trying my hand at Android hacking, and I just came across this intent filter for a login activity:

<intent-filter android:autoVerify="true" android:order="10">
    <data android:host="*domain.com"/>
    <data android:path="/login"/>
    <data android:scheme="https"/>
    <data android:scheme="http"/>
</intent-filter>

Coming from a web background, this looks a lot like the Android equivalent to a misconfigured CORS that allows all origins that end in domain.com - such as attackerdomain.com - because there is no . before the *.

I don’t really understand what the intent filter actually does. Does this look like a vulnerability? How could it be exploited?
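To make the host-matching rule concrete, here is an added example (not code from the thread or from the app under discussion) that models how Android compares an `android:host` pattern against the host of an incoming URI: a pattern beginning with `*` is a plain suffix match on the remainder of the pattern, with no requirement for a `.` boundary, and `android:path` is compared literally. The `WEAK` and `FIXED` filter dictionaries and the sample URLs are constructed for the demonstration; `domain.com` and `attackerdomain.com` are placeholders taken from the question.

```python
"""Model of Android intent-filter host/path matching (added example)."""
from urllib.parse import urlsplit


def host_matches(pattern: str, host: str) -> bool:
    """Return True if `host` satisfies one android:host pattern.

    A leading '*' makes the rest of the pattern a case-insensitive suffix
    that must match the tail of the host; nothing forces a '.' boundary,
    which is why '*domain.com' accepts 'attackerdomain.com'.
    """
    if pattern.startswith("*"):
        suffix = pattern[1:]
        if not suffix:            # bare '*' matches any host
            return True
        if len(host) < len(suffix):
            return False
        return host[-len(suffix):].lower() == suffix.lower()
    return host.lower() == pattern.lower()


def filter_matches(flt: dict, url: str) -> bool:
    """True if `url` would be accepted by the simplified filter `flt`.

    `flt` holds the union of the <data> attributes: any listed scheme,
    any listed host pattern and any listed literal path must match.
    """
    u = urlsplit(url)
    return (
        u.scheme in flt["schemes"]
        and u.hostname is not None
        and any(host_matches(p, u.hostname) for p in flt["hosts"])
        and u.path in flt["paths"]
    )


# The filter as posted in the question (constructed representation).
WEAK = {"schemes": {"http", "https"}, "hosts": ["*domain.com"], "paths": ["/login"]}

# Tightened version: exact apex host plus a dotted-subdomain wildcard,
# https only. '*.domain.com' alone would NOT match the bare 'domain.com',
# hence the separate entry.
FIXED = {"schemes": {"https"}, "hosts": ["domain.com", "*.domain.com"], "paths": ["/login"]}

# Constructed sample links; 'attackerdomain.com' is a placeholder host.
SAMPLES = [
    "https://domain.com/login",
    "https://login.domain.com/login",
    "https://attackerdomain.com/login",
    "http://domain.com/login",
]


def evaluate(flt: dict, urls=SAMPLES) -> dict:
    """Map each sample URL to whether the given filter would accept it."""
    return {u: filter_matches(flt, u) for u in urls}


if __name__ == "__main__":
    for name, flt in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name)
        for url, ok in evaluate(flt).items():
            print(f"  {'accept' if ok else 'reject'}  {url}")
```

In manifest terms the `FIXED` shape corresponds to declaring `<data android:host="domain.com"/>` together with `<data android:host="*.domain.com"/>` and dropping the `http` scheme; the model shows the posted pattern accepting `attackerdomain.com` while the dotted wildcard rejects it and still covers real subdomains.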

Hi @waike that does look interesting. Have you confirmed that you can launch the activity passing a URI like “https://attackerdomain.com/login”?

If so, I can think of a couple things to check:

  • If you are already logged into the app, what is the activity behavior? Does it prompt to login again or does it open a home screen activity? I would check if the app is already authenticated, does the app send session cookies or authentication token(s) to the passed URI without verifying the domain name? Might be worth standing up a web server at https://attackerdomain.com, open the link with this activity, and check if the app hits your server and what if any headers it includes by default.
  • Does the activity open the supplied URI in a webview? If so, can you access the app’s local file system? Would depend on the webview configuration, or if it has any JavascriptInterface to expose Java methods to Javascript code. If it opens an attacker controlled web page and you can pull the app’s local files…
  • Is the BROWSABLE tag set? This would allow the activity to be started when clicking a web link. This isn’t a vulnerability itself, but if you do find a vulnerability it would up the severity if exploitation is possible when clicking a link in a mobile browser versus launching the activity from a malicious app.

Lots of “ifs”, but definitely worth digging into. Good luck!


Hi @waike!

Intent filters relate to “intent resolution,” which refers to the way the Android OS matches a new intent (think, “request”) to a receiving app/service. According to the Android docs, “[u]sing an intent filter isn’t a secure way to prevent other apps from starting your components.”

In terms of how that could potentially be exploited, you’d make a PoC app that fires an intent matching those intent filters. For example: http://myevildomain.com/login/.

Here are a couple links you may find useful:

Good Luck!
