Nextcloud: Malicious apps can crash Nextcloud Android client by sending malformed intents

Not sure if this can be tracked as a security issue, but this definitely calls for a code change. This can be classified into Denial of Service category attack and can seriously hamper user experience.

Asset: Nexcloud Android Client (com.nextcloud.client)
Version: 3.11.1 (latest)

###Details

The Nextcloud android app registers a deeplink nc://login that is handled by the com.owncloud.android.authentication.ModifiedAuthenticatorActivity class as seen in AndroidManifest file.

The above mentioned class implements AuthenticatorActivity class in order to handle incoming deeplinks.

It is seen that the method parseLoginDataUrl does not handle exception correctly crashing the Nextcloud app.

malicious apps can thus crash the nextcloud client by sending following data in intent : nc://login.

ADB payload:

adb shell am start -a "android.intent.action.VIEW" -c "android.intent.category.DEFAULT" -n "com.nextcloud.client/com.owncloud.android.authentication.ModifiedAuthenticatorActivity" -d "nc://login"

Attaching video PoC
{F803256}

Impact

1. Malicious apps can crash the nextcloud android client to cause a denial of service attack.