Hacking Mandated Apps – Part 5: RCE in WebView [ MSTG-PLATFORM-7 ]

This blog post series describes flaws identified in Smart Sheriff, a mandated app; see the Intro for background. Please note this work was coordinated with human rights activists, vulnerabilities were reported to the vendor, etc. Previous blog posts you might have missed and may want to read first for background:

The OWASP Mobile Application Security Verification Standard classifies the flaw explained in this blog post, under section V6: Platform Interaction Requirements, as follows:

MSTG‑PLATFORM‑7: If native methods of the app are exposed to a WebView, verify that the WebView only renders JavaScript contained within the app package.

Detailed information and steps to test for this kind of issue can be found in the OWASP Mobile Security Testing Guide:

This finding corresponds to the second round of testing we did on Smart Sheriff:

SMS-01-001 Possible Remote Code Execution via MitM in WebView (Critical)

So, now we have a mobile app supposed to protect children that:

1: In the first round did not even use SSL

2: In the second round used SSL but accepted self-signed certificates

In both cases, network communications could be intercepted via MitM without the app showing any errors to the user.

In mobile apps this is interesting because it puts attacks via malicious or tampered HTTP responses from the server within reach of even average attackers (i.e. no need for a government CA-signed SSL certificate to MitM).

In this case, we found the use of a JavaScript interface:

Affected Code (decompiled): 
Object obj1 = "http://ssweb.moiba.or.kr/pushAlarm";
WebView webview = (WebView)findViewById(0x7f070000);
webview.setWebViewClient(new l(this));
webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff");

So, what is the problem with this JavaScript interface?

A JavaScript interface in Android offers a way to execute native functions in an Android app. Basically, this allows you to execute Java from JavaScript. Android versions from Android 2.4 to Android 4.1 are affected by a vulnerability that allows remote code execution when JavaScript is injected into the WebView.

Therefore, as the app supported vulnerable Android versions and was also vulnerable to MitM attacks, an attacker could gain RCE on the phone of a parent or child using the app over public Wi-Fi, for example.
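One way to check a decompiled app for the pattern described above, as an added example (not code from the original post or from the app): a small Python script that flags addJavascriptInterface bridges sitting next to remote URL literals. It goes slightly beyond the post by also comparing minSdkVersion against API 17 (Android 4.2), the level from which only methods annotated with @JavascriptInterface are exposed to JavaScript. The function names, the constructed manifest and its minSdkVersion value are assumptions; the Java sample is the snippet quoted above.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# webview.addJavascriptInterface(<object>, "<name>") in decompiled Java
BRIDGE = re.compile(r'\.addJavascriptInterface\s*\(.+?,\s*"([^"]+)"\s*\)')
# Remote URL literals; file:///android_asset/... stays inside the app package
REMOTE = re.compile(r'"(https?://[^"\s]+)"')

def min_sdk(manifest_xml):
    """minSdkVersion from decoded AndroidManifest.xml text (Android defaults to 1)."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if uses_sdk is None:
        return 1
    return int(uses_sdk.get(ANDROID_NS + "minSdkVersion", "1"))

def audit(manifest_xml, java_source):
    """Return sorted (severity, message) findings for one decompiled class.

    Heuristic: a remote URL literal in the same class as a bridge is flagged;
    this is not data-flow analysis, so confirm each hit by hand.
    """
    findings = set()
    sdk = min_sdk(manifest_xml)
    for name in BRIDGE.findall(java_source):
        for url in REMOTE.findall(java_source):
            sev = "HIGH" if url.startswith("http://") else "MEDIUM"
            findings.add((sev, f"bridge '{name}' next to remote content {url}"))
        if sdk < 17:
            # Below API 17 every public method of the bridged object is
            # reachable from JavaScript, not only @JavascriptInterface ones.
            findings.add(("HIGH", f"bridge '{name}' with minSdkVersion {sdk} < 17"))
    return sorted(findings)

# Constructed manifest: the minSdkVersion value is a placeholder, not the app's real one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder"><uses-sdk android:minSdkVersion="8"/></manifest>"""
# The decompiled snippet quoted in this post.
SAMPLE_SOURCE = '''
Object obj1 = "http://ssweb.moiba.or.kr/pushAlarm";
WebView webview = (WebView)findViewById(0x7f070000);
webview.setWebViewClient(new l(this));
webview.addJavascriptInterface(new JavaScriptInterface(), "SmartSheriff");
'''

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print(severity, message)
```

A class that only loads file:///android_asset/ content with minSdkVersion 17 or higher produces no findings, which is the state MSTG-PLATFORM-7 asks for.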

Next blog post:

Hacking Mandated Apps – Part 6: XOR Crypto FAIL [ MSTG-CRYPTO-1 ]