# Mobile Apps

## Refs

A bug that allows opening arbitrary URLs in `com.irccloud.android.activity.SAMLAuthActivity`.

This activity is exported:

```
        <activity android:name="com.irccloud.android.activity.SAMLAuthActivity" android:theme="@style/dawn" android:windowSoftInputMode="adjustResize">
            <intent-filter>
                <action android:name="android.intent.action.VIEW"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>
```

This means it can be accessed by any third-party app installed on the same device. On the newest Android versions it could also be exploited by Android Instant Apps directly from a web browser.

In the file we can see that it opens attacker-provided URLs:

```
        if (getIntent() == null || !getIntent().hasExtra("auth_url")) {
            finish();
            return;
        }
        getSupportActionBar().setTitle(getIntent().getStringExtra("title"));
        this.mWebView.loadUrl(getIntent().getStringExtra("auth_url"));
```

PoC from ADB:

```
adb shell am start -n com.irccloud.android/com.irccloud.android.activity.SAMLAuthActivity -e title "ATTAAACK" -e auth_url "http://google.com/"
```

PoC in Java:

```
        Intent intent = new Intent();
        intent.setClassName("com.irccloud.android", "com.irccloud.android.activity.SAMLAuthActivity");
        intent.putExtra("title", "ATTAAACK");
        intent.putExtra("auth_url", "http://google.com/");
        startActivity(intent);
```

Result: see the images attached to the [original report](https://hackerone.com/reports/283058).

It's dangerous because the user doesn't see the real URL. An attacker can open anything and specify any title (like "IRCCloud: Login Required"), and use that trick to steal user credentials.
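The manifest above never sets `android:exported`, yet the activity is reachable: before Android 12, a component that declares an `<intent-filter>` is exported by default. The audit script below is an added example, not part of the original report; the second activity (`com.example.InternalActivity`) and the function name `exported_components` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver")

# Constructed manifest: the activity from the report plus one hypothetical
# activity (com.example.InternalActivity) that opts out explicitly.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.irccloud.android">
  <application>
    <activity android:name="com.irccloud.android.activity.SAMLAuthActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.InternalActivity" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def exported_components(manifest_xml):
    """Return (name, reason, permission) for each component other apps can start."""
    findings = []
    for elem in ET.fromstring(manifest_xml).iter():
        if elem.tag not in COMPONENTS:
            continue
        exported = elem.get(A + "exported")
        has_filter = elem.find("intent-filter") is not None
        if exported == "true":
            reason = "explicit"
        elif exported is None and has_filter:
            # Pre-Android 12 default: an intent-filter implies exported="true".
            reason = "implicit (intent-filter, no android:exported)"
        else:
            continue
        # A missing android:permission means any installed app may start it.
        findings.append((elem.get(A + "name"), reason, elem.get(A + "permission")))
    return findings


if __name__ == "__main__":
    for name, reason, permission in exported_components(SAMPLE_MANIFEST):
        print(f"{name}: exported {reason}, permission={permission}")
```

Every component this reports should either set `android:exported="false"` or validate all intent extras before acting on them.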

## Jan 17th, 2019

Game: Cat Runner (Android)

Video: <https://youtu.be/u5iEeLZnYVg>

## Sep 14th, 2018

Company: blockchain.com

### Summary

If the wallet's owner loses their device, their credentials will definitely be exposed to risk. Attackers can easily obtain credentials such as the password and other wallet information.

### Vulnerability details

Sensitive data is stored in the shared\_prefs folder, including the pin\_key, the encrypted password and other information about the user's wallet. The encrypted password is crackable when Stack Protection is not enabled, which gives attackers the opportunity to reverse the code and find out what hash function is being used.

### Proof of concept

1. Installed the Blockchain wallet app on BlueStacks
2. Logged in with an authenticated account
3. Used adb to connect to the device via Terminal
4. The user's credentials are stored in `/data/data/piuk.blockchain.android/shared_prefs/piuk.blockchain.android_preferences.xml`

```markup
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <boolean name="logged_out" value="false" />
    <string name="sharedKey">6cce3c75-6945-442e-827f-d47e0ee894e8</string>
    <string name="guid">ccc64d34-142b-4673-905f-57e0ad52a2fb</string>
    <string name="firebase_token">dFjqwI8-GPo:APA91bGPmOdbhELsOllxsfFTIlLwrHvKwjBsXYGat-8ZRxuSBA21qKdPzylJPBGK_2-P6B-eDx8bx_9hcnDl5cMQ77vnKlz34IpLAEJ86j-CuQb5LLdNGEgIjwnm0q8NbNpMorPqRv1w</string>
    <boolean name="swipe_to_receive_enabled" value="true" />
    <string name="KEY_CURRENCY_CRYPTO_STATE">BTC</string>
    <boolean name="push_notification_enabled" value="true" />
    <boolean name="push_notifications" value="true" />
    <boolean name="screenshots_enabled" value="false" />
    <int name="app_visits" value="3" />
    <string name="LAST_KNOWN_BTC_VALUE_FOR_CURRENCY_EUR">5389.02</string>
    <boolean name="newly_created_wallet" value="false" />
    <string name="LAST_KNOWN_ETH_VALUE_FOR_CURRENCY_EUR">148.31</string>
    <string name="swipe_receive_bch_addresses">1LE3zuwjD216DyE7GKFL22SQtmXdKYKs8R,1HcvXMu91nAsvSHzjAfqxhNxhK2pYFYbsY,14cG3xJ7c482ymwtDa2Qzn1WNDp7VrZSZs,1NKu3MhxtQ9jovYPR9iXyA8QUrPVFAPZ7T,1EutsGyW4v1fJreP6XbzqJ8vgMRHSdBkjy,</string>
    <string name="LAST_KNOWN_ETH_VALUE_FOR_CURRENCY_USD">173.1</string>
    <boolean name="fingerprint" value="false" />
    <boolean name="2fa" value="false" />
    <boolean name="email_notifications" value="false" />
    <boolean name="code_verified" value="true" />
    <string name="swipe_receive_bch_account_name">My Bitcoin Cash Wallet</string>
    <boolean name="tor" value="false" />
    <string name="pin_kookup_key">43948b874026629327952f69d49ea0bb</string>
    <string name="swipe_receive_account_name">My Bitcoin Wallet</string>
    <long name="security_time_elapsed" value="1536740039696" />
    <string name="encrypted_password">26sMpt7MYTI0ItT6wqG+N1grvxgEo8EXJysoBg/nEeQ=</string>
    <string name="LAST_KNOWN_BCH_VALUE_FOR_CURRENCY_USD">419.69</string>
    <boolean name="receive_shortcuts_enabled" value="true" />
    <string name="swipe_receive_addresses">1LE3zuwjD216DyE7GKFL22SQtmXdKYKs8R,1HcvXMu91nAsvSHzjAfqxhNxhK2pYFYbsY,14cG3xJ7c482ymwtDa2Qzn1WNDp7VrZSZs,1NKu3MhxtQ9jovYPR9iXyA8QUrPVFAPZ7T,1EutsGyW4v1fJreP6XbzqJ8vgMRHSdBkjy,</string>
    <string name="LAST_KNOWN_BTC_VALUE_FOR_CURRENCY_USD">6257.9</string>
    <boolean name="fingerprint_enabled" value="false" />
    <int name="pin_fails" value="0" />
    <string name="swipe_receive_eth_address">0x768fd021f8eb3327b58fe0bbd114fac392256eeb</string>
    <string name="ccurrency">USD</string>
</map>
```

5. Obtained the user's encrypted password and pin\_key.
6. Stack Protection is not enabled, so started reversing the code to look for the hash function used to encrypt the password. For the password, the encryption function resides in `public final class DoubleEncryptionFactory`.

### Impact

The attacker might be able to steal the password and later decrypt it.
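A developer-side check for this class of finding, as an added example that is not part of the original report: it scans a shared\_prefs XML file for `<string>` entries whose key name or value shape suggests key material. The name patterns, the value shapes and the sample values are assumptions constructed for illustration; only the key names mirror the file shown above.

```python
import re
import xml.etree.ElementTree as ET

# Key-name fragments that suggest a credential or token (assumed list).
SENSITIVE_NAME = re.compile(r"(pass(word)?|pin|secret|token|sharedkey|guid)", re.I)
# Value shapes that look like key material whatever the key is called.
# Checked in order; the first match wins.
VALUE_SHAPES = (
    ("uuid", re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)),
    ("hex", re.compile(r"^[0-9a-f]{32,}$", re.I)),
    ("base64", re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")),
)

# Constructed sample in the layout of the file from the report; values are made up.
SAMPLE_PREFS = """<map>
    <boolean name="logged_out" value="false" />
    <string name="sharedKey">00000000-1111-2222-3333-444444444444</string>
    <string name="pin_kookup_key">0123456789abcdef0123456789abcdef</string>
    <string name="encrypted_password">QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=</string>
    <string name="swipe_receive_account_name">My Bitcoin Wallet</string>
    <int name="pin_fails" value="0" />
</map>"""


def audit_prefs(xml_text):
    """Return {key: [reasons]} for <string> entries that look like secrets."""
    findings = {}
    for entry in ET.fromstring(xml_text).iter("string"):
        name = entry.get("name", "")
        value = (entry.text or "").strip()
        reasons = ["name"] if SENSITIVE_NAME.search(name) else []
        shape = next((s for s, rx in VALUE_SHAPES if rx.match(value)), None)
        if shape:
            reasons.append(shape)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in audit_prefs(SAMPLE_PREFS).items():
        print(f"{key}: flagged by {', '.join(reasons)}")
```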

