Tested on Build87 of the Inure application. It was discovered that the application had an exported activity (.activities.association.TextViewerActivity
) which accepted intent data via the file
scheme + text/*
mime type and opened the associated files from provided URI data string.
It is possible for a malicious application installed within the device to send an intent to this activity and supply a path to a file within the Inure application’s private directory (/data/data/app.simple.inure
) which the Inure application will then open.
PS C:\Users\Acer\Desktop\pwn-toolkit\apks\app.simple.inure> adb shell am start -n app.simple.inure/.activities.association.TextViewerActivity -d "file:///data/data/app.simple.inure/shared_prefs/Preferences.xml"
Starting: Intent { dat=file:///data/data/app.simple.inure/shared_prefs/Preferences.xml cmp=app.simple.inure/.activities.association.TextViewerActivity }
This opens the Preferences.xml file which belongs to the Inure application’s private directory. The impact of this vulnerability is constrained for now, since trying to Export
this opened file crashes the whole application for some reason.