d4rk3r
Dec 27, 2022 · 23 tweets · 9 min read
LOHCE @lohceofficial!
An app that allows you to book trips in cities of Cameroon. It's a service that I kinda 'like'... Why? Well, because 'it does the job'. I mean, when I want to travel, I open the app, I reserve my stuff, then go and travel! #dbunk #CaParleDev
🧵1/23
Today, we will be focusing on the Android app and not the website (that's what I thought first), even though... I really really really don't like the way the website is, the framework used (ZendPHP), the way it was built... everything... but hey... "it does the job"... right?
🧵2/23
Some clarifications before we start:
- I didn't get access to the code from the authors. I will use the apk downloaded from the Play Store, because a good debunking is well done from an outside view!
- I have the approbation for this debunking from the authors (@kamikague)...
🧵3/23
... also for its publication!
- I'm doing this for free!
- Personal background? I am an LNTG (lazy noob tech guy) that likes playing around with nerd stuff! Nothing special or extra stuff at all to know about!

Now, let's begin... and trust me... you're not ready...
🧵4/23
After grabbing the apk, I reverse-engineered it to get the resources and source code, or "pieces" of code!
In my extraction logs... I saw something 'strange' / 'odd' at first glance... from the assets of the project...

jQuery, Bootstrap, Popper? Inside the apk? 🤔
🧵5/23
(close your eyes on 'test.png', it's not a big deal!)
To be honest, I was ready to read some Java code... that was before I found out... the whole application is mainly 'WEBVIEW' based? 🤔
Yeah, a web-page-style app!
What's a webview app, you may ask?
🧵6/23
Basically, it's an extension of Android's View that allows you to display static web pages as a part of your app (like an embedded browser)... in the past, a lot of apps were built like that, ... you have an HTML directory.
🧵7/23
Don't get me wrong, it's fine to build w-apps as long as the context of your product doesn't need a 'huge' business logic... that being said... this is the difference between the Android app and the website (in the browser)...
yeah... there is no difference! 😙
🧵8/23
On lohce, there are 4 views!
- the 'home/search' view
- the 'My Trips' view
- the 'Notifications' view
- the 'Settings' view

See? Told you it was a small app! It's 1.3MB when downloaded 🤷‍♂️!
🧵9/23
Now let's go deep in the 'dark', when you're extracting resources from apk files, there is always a 'classes.dex' file, it's a 'Dalvik Executable' file that all Android applications must have. This file contains the Java libraries that the app uses to work properly!
🧵10/23
After extracting source code from that .dex file, I was able to browse the code, and as expected, I noticed where and how web pages were loaded, and had all views of the app, for example the 'user info', coming from HTML code... and loaded inside the Java source code.
🧵11/23
It's not a bad thing to do... But even if the app is small, WebView should be used to load 'small components' of a final app, not everything 🤷‍♂️!
You may think it's just an opinion, but there is more concern behind it!
WHY? Let me explain why this is DANGEROUS!
🧵12/23
If you're good enough, it's possible to update an apk asset! "Yeah, I know, normally it's impossible to do such a thing": you need to meet a lot of conditions to be able to unpack, update the resource from the app and re-pack it from a third-party Android app!
🧵13/23
This resource-injection 'hack' is blocked by the most recent Android OS versions... but you never know whether your users are up to date or not!
A hacker can use the trust a user has in your app to create a backdoor to steal users' info or else...
🧵14/23
...FORTUNATELY, LOHCE doesn't use/deal with your sensitive info, so you should be safe! 🙏
I'm doing my best not to share code details, but there are a lot of things I don't get... for example the notification builder: if you started handling stuff in HTML/JS, why ...
🧵15/23
...embed machine-gun code like this when it comes to notification pop-ups? Sorry, but for me, this is 'hell to maintain'!
Having parts of the business logic dispatched like that is not good. What I can give as advice: if you started with a web-view thing, stick...
🧵16/23
... with it and create 'real bridges'... don't build strings from Java that are going to be HTML-concatenated in the WebView... 🤔
Now let's have a look at the security part!
There are two main critical security problems I found!
🧵17/23
- Lohce is vulnerable to the StrandHogg 2.0 vulnerability. You should set the activity launchMode to 'singleTask' or 'singleInstance'. See promon.co/strandhogg-2-0
🧵18/23
- I was surprised at first, but there is an RCE (Remote Code Execution) I found, related to CVE-2013-4710, the WebView RCE vulnerability:
For the WebView "addJavascriptInterface" vulnerability: the method can be used to allow JavaScript to control the host application...
🧵19/23
...this is a powerful feature, but it also presents a security risk for applications targeted to API level JELLY_BEAN (4.2) or below, because JavaScript could use reflection to access an injected object's public fields, and this is never good news!
🧵20/23
Use of this method in a WebView containing untrusted content could allow an attacker to manipulate the host application in unintended ways, executing Java code with the permissions of the host application.
Yeah, that one was the most DANGEROUS I found!
🧵21/23
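To make the WebView finding concrete, here is an added Java example (not the Lohce app's code, and not from the thread author) of a hardened bridge: a hypothetical MainActivity that loads only its own bundled asset page at file:///android_asset/index.html and exposes a single annotated method. The @JavascriptInterface gating only takes effect when the app's targetSdkVersion is 17 (JELLY_BEAN_MR1) or higher, so that build setting is assumed.

```java
import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

public class MainActivity extends Activity {
    // Bridge object handed to the page. With targetSdkVersion >= 17 only methods
    // marked @JavascriptInterface are callable from JavaScript; below that, every
    // public method (and, via reflection, the JVM) was reachable: CVE-2013-4710.
    static final class NotificationBridge {
        private final Activity activity;
        NotificationBridge(Activity a) { activity = a; }

        @JavascriptInterface
        public void notify(String message) {
            // Page-controlled input is null-checked, length-capped and confined
            // to a harmless UI effect; nothing sensitive is reachable from here.
            final String text = message == null ? "" : message.substring(0, Math.min(80, message.length()));
            activity.runOnUiThread(() -> Toast.makeText(activity, text, Toast.LENGTH_SHORT).show());
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView web = new WebView(this);
        setContentView(web);
        WebSettings s = web.getSettings();
        s.setJavaScriptEnabled(true);                // required for the bridge
        s.setAllowFileAccessFromFileURLs(false);     // bundled page cannot read other files
        s.setAllowUniversalAccessFromFileURLs(false);
        // Keep untrusted content away from the bridge: only the app's own bundled
        // assets may load; any other navigation the page attempts is refused.
        web.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                return !url.startsWith("file:///android_asset/");
            }
        });
        web.addJavascriptInterface(new NotificationBridge(this), "Android");
        web.loadUrl("file:///android_asset/index.html");
    }
}
```

The StrandHogg 2.0 mitigation the thread names is a manifest change (android:launchMode="singleTask" or "singleInstance" on the activity), not Java code, so it is not part of this block.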
There is still a lot to say and I cannot cover everything here, since the thread is starting to be too long (PS: I had to cut some parts/tweets to make it shorter)!
I noticed the website was also broken in some places... I think/hope they are working hard to fix it!
🧵22/23
LOHCE is not a huge app, it has its small charm: you open it, use it for a specific need and close it!
Even though there are a lot of glitches I don't agree with in the codebase, I definitely recommend it for an end user (but hey @kamikague, please work again on the UI/UX abec)!
🧵23/23