Ranked as the #1 hacker for Google Play Security Rewards Program. The founder of @OversecuredInc Android and iOS vulnerability scanners
Nov 18, 2020 • 4 tweets • 2 min read
#bugbountytips
An almost universal way to steal or overwrite arbitrary files on #android is sharing activities. You can find them in AndroidManifest.xml. They handle android.intent.action.SEND. Use the PoC from blog.oversecured.com/Evernote-Unive… (ctrl+f "EXTRA_STREAM") and test 4 scenarios:
1. Send a Uri to an internal file using the file:// scheme (directly or using a symlink)
2. Send a Uri to an internal file using the victim app's internal content provider
Now grep private file contents on the SD card.
You must love #Android deeplinks! They are the easiest way to get bounties.
1. Decompile an app with jadx
2. Collect all deeplink handlers from AndroidManifest.xml; they look like <data android:scheme="airbnb" android:host="d"/>
3. Grep among all sources and resources for a pattern from a handler, in this case airbnb://d
4. You could find a lot of hardcoded URLs like airbnb://d/openurl?url=https://airbnb.com/blabla. That's much simpler than learning the app's sources
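As an added example (not from the thread, and not Oversecured's or any app's own code): a Kotlin share-receiving activity that rejects the EXTRA_STREAM sources from scenarios 1 and 2 and refuses destinations that would overwrite existing files. The class name, the provider authority and the import directory are assumptions.

```kotlin
import android.app.Activity
import android.content.ContentResolver
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.provider.OpenableColumns
import java.io.File

// Hypothetical ACTION_SEND handler; the authority string is an assumption.
class ShareReceiverActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val uri: Uri? = intent?.getParcelableExtra<Uri>(Intent.EXTRA_STREAM)
        if (uri == null || !isSafeSource(uri)) { finish(); return }

        val dest = safeDestination(uri) ?: run { finish(); return }
        // Only read the stream after both the source and destination checks pass.
        contentResolver.openInputStream(uri)?.use { input ->
            dest.outputStream().use { output -> input.copyTo(output) }
        }
        finish()
    }

    // Scenarios 1 and 2 from the thread: the attachment must come from another
    // app's content provider, never from file:// (direct or via a symlink into
    // our private directory) and never from one of our own providers.
    private fun isSafeSource(uri: Uri): Boolean {
        if (uri.scheme != ContentResolver.SCHEME_CONTENT) return false
        val ownAuthorities = setOf("$packageName.fileprovider")  // assumption
        return uri.authority !in ownAuthorities
    }

    // The overwrite side: take only the last path component of the provider's
    // display name, confirm the canonical path stays inside the import
    // directory, and never clobber a file that already exists there.
    private fun safeDestination(uri: Uri): File? {
        val importDir = File(filesDir, "imports").apply { mkdirs() }
        var name = "attachment"
        contentResolver.query(uri, arrayOf(OpenableColumns.DISPLAY_NAME),
            null, null, null)?.use { c ->
            if (c.moveToFirst()) name = c.getString(0) ?: name
        }
        val candidate = File(importDir, File(name).name)
        val root = importDir.canonicalPath + File.separator
        if (!candidate.canonicalPath.startsWith(root)) return null
        if (candidate.exists()) return null
        return candidate
    }
}
```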