LOHCE @lohceofficial !
An app that allows you to book trips in cities of Cameroon, it's a service that I kinda 'like'... why? well, because 'it does the job', I mean, when I want to travel, I open the app, I reserve my stuff, then go and travel! #dbunk #CaParleDev
🧵1/23
Today, we will be focusing on the android app and not the website (that's what I thought first) even tho... I really really really don't like the way the website is, the framework used (ZendPHP), the way it was built... everything... but hey... "it does the job"... right?
🧵2/23
Some clarifications before we start:
- I didn't get access to the code from the authors, I will use the apk downloaded from PlayStore, because a good debunking is well done from an outside view!
- I have the approval for this debunking from the authors (@kamikague)...
🧵3/23
... also for its publication!
- I'm doing this for free!
- Personal background? I am an LNTG (lazy noob tech guy) that likes playing around with nerd stuff! Nothing special or extra stuff at all to know about!
Now, let's begin... and trust me... you're not ready...
🧵4/23
After grabbing the apk, I reverse-engineered it to get the resources and source code, or "pieces" of code!
In my extraction logs... I saw something 'strange' / 'odd' at first glance... from the assets of the project...
jquery, bootstrap, popper? inside the apk?🤔
🧵5/23
(close your eyes on 'test.png' it's not a big deal!)
To be honest, I was ready to read some java code... that was before I found out... the whole application is mainly 'WEBVIEW' based?🤔
Yeah, a Web Page Style app'!
What's a webview app, you may ask?
🧵6/23
Basically, it's an extension of Android's View that allows you to display static web pages as a part of your app (like an embedded browser)... in the past, a lot of apps were built like that, ... you have an HTML directory.
🧵7/23
Don't get me wrong, it's fine to build w-apps as long as the context of your product doesn't need a 'huge' business logic... that being said... this is the difference between the android app and the website (on the browser)...
yeah... there is no difference!😙
🧵8/23
On lohce, there are 4 views!
- the 'home/search' view
- the 'My Trips' view
- the 'Notifications' view
- the 'Settings' view
See? Told you it was a small app! it's 1.3MB when downloaded🤷‍♂️!
🧵9/23
Now let's go deep in the 'dark'. When you're extracting resources from apk files, there is always a 'classes.dex' file, a 'Dalvik Executable' file that all Android applications must have. This file contains the compiled code: the app's own classes and the Java libraries it uses to work properly!
🧵10/23
After extracting the source code from that .dex file, I was able to browse the code, and as expected, I noticed where and how the web pages were loaded: all the views of the app, for example the 'user info' view, come from HTML code... loaded from inside the java source code.
🧵11/23
It's not a bad thing to do... But even if the app is small, a webview should be used to load 'small components' of a final app, not everything🤷‍♂️!
You may think it's just an opinion but there is more concern behind it!
WHY? Let me explain, why this is DANGEROUS!
🧵12/23
If you're good enough, it's possible to update an apk asset! "Yeah, I know, normally it's impossible to do such a thing"... you need to meet a lot of conditions to be able to unpack the app, update the resource and re-pack it from a third-party android app!
🧵13/23
this resource injection 'hack' is blocked by the most recent android OS versions... but you never know if your users are up to date or not!
A hacker can use the trust a user has in your app to create a backdoor to steal users' info or else...
🧵14/23
...FORTUNATELY, LOHCE doesn't use/deal with your sensitive info so, you should be safe! 🙏
I'm doing my best to not share code details but there are a lot of things I don't get... for example the notification builder, if you started handling stuff in html/js, why ...
🧵15/23
...embed a machine-gun-code like this when it comes to notifications pop-ups? Sorry, but for me, this is 'hell to maintain'!
Having parts of the business logic dispatched like that is not good, what I can give as advice: if you started with a web-view thing, stick...
🧵16/23
... with it and create 'real bridges'... don't build strings from java that are going to be html concatenated in the webview... 🤔
Now let's have a look at the security part!
There are two main critical security problems I found!
🧵17/23
- Lohce is vulnerable to the StrandHogg 2.0 vulnerability. You should set the activity launchMode to 'singleTask' or 'singleInstance'. See promon.co/strandhogg-2-0
🧵18/23
- I was surprised at first, but there is an RCE (Remote Code Execution) I found, related to CVE-2013-4710, the WebView RCE vulnerability:
This is the WebView "addJavascriptInterface" vulnerability. The method can be used to allow JavaScript to control the host application...
🧵19/23
...this is a powerful feature, but it also presents a security risk for applications targeted to API level JELLY_BEAN (4.2) or below, because JavaScript could use reflection to access an injected object's public fields, and this is never good news!
🧵20/23
Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application.
Yeah, that one was the most DANGEROUS I found!
🧵21/23
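To make the addJavascriptInterface point concrete, here is an added example (not LOHCE's code, which is not shown in this thread) of a WebView bridge in the risky shape beside a hardened one. Class names, method names and the allow-listed host are assumptions made for the illustration. It relies on three facts about the platform: the @JavascriptInterface filter is enforced only when the app targets API 17 (JELLY_BEAN_MR1, Android 4.2) or higher and exists only on devices running that level or higher; a bridge is only as safe as the pages that can reach it, so navigation is pinned to bundled assets and one HTTPS host; and arguments arriving from the page are untrusted input.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

// Added example (not LOHCE's code): a WebView bridge before and after hardening.
// Class, method and host names are assumptions made for this illustration.
public class HardenedWebViewActivity extends Activity {

    // Assumed placeholder for the only remote origin the WebView may navigate to.
    private static final String TRUSTED_HOST = "app.example.invalid";

    // BEFORE (the CVE-2013-4710 pattern): with no annotations, every public
    // method of this object is callable from page JavaScript, and when the app
    // targets API 16 or below the page can also reach arbitrary Java through
    // reflection on the object's public members. Kept here only for contrast.
    static class LegacyBridge {
        public String getUserInfo() { return "{...}"; }   // meant for the page
        public void clearLocalData() { /* ... */ }        // never meant for it, exposed anyway
    }

    // AFTER: only @JavascriptInterface methods are visible to JavaScript
    // (enforced by the platform once targetSdkVersion is 17 or higher).
    static class SafeBridge {
        private final Activity host;

        SafeBridge(Activity host) {
            this.host = host;
        }

        @JavascriptInterface
        public void showToast(String text) {
            // Page-supplied input is untrusted: bound it, and never turn it into
            // HTML, JavaScript or a file path on the Java side.
            final String shown = text == null ? "" : text.substring(0, Math.min(text.length(), 200));
            // Bridge calls arrive on a WebView thread; UI work belongs on the UI thread.
            host.runOnUiThread(() -> Toast.makeText(host, shown, Toast.LENGTH_SHORT).show());
        }

        // No annotation: invisible to the page.
        public void clearLocalData() { /* ... */ }
    }

    // Navigation policy: bundled assets and the one allow-listed HTTPS host.
    static boolean isTrustedUrl(String url) {
        if (url == null) return false;
        if (url.startsWith("file:///android_asset/")) return true;
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && TRUSTED_HOST.equalsIgnoreCase(u.getHost());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        // Pages under assets/ stay reachable via file:///android_asset/ even with
        // general file access off, so nothing here needs the wider file: scheme.
        settings.setAllowFileAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }

        // Anything outside the trusted set opens in the system browser, so an
        // untrusted page never runs inside the WebView that owns the bridge.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                if (isTrustedUrl(url)) return false;
                startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse(url)));
                return true;
            }
        });

        // The annotation filter does not exist before API 17, so on older devices
        // the bridge is withheld rather than exposed unfiltered.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new SafeBridge(this), "Android");
        }
        webView.loadUrl("file:///android_asset/index.html");
    }
}
```

From the bundled page, `Android.showToast("hello")` is the only call that gets through; `Android.clearLocalData()` is undefined. The annotation alone is not enough: the build must also declare targetSdkVersion 17 or higher, otherwise the platform exposes every public method exactly as in `LegacyBridge`, which is why the example refuses to install the bridge at all on devices below API 17 and keeps untrusted pages out of the WebView entirely.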
There is still a lot to say and I can not cover everything here since the thread is starting to be too long (PS: I had to cut some parts/tweets to make it shorter)!
I noticed the website was also broken in some places... I think/hope they are working hard to fix it!
🧵22/23
LOHCE is not a huge app, it has its small charm, you open it, use it for a specific need and close it!
Even tho there are a lot of glitches I don't agree with in the codebase, I definitely recommend it for an end-user (but hey @kamikague please work again on the UI/UX abec)!
🧵23/23