
First of all I have to admit that I'm a newbie in Android, but we know that in Android we can't start private activities of applications from another application, unless they're set to android:exported=true in their intent-filter or they are made for implicit calls. But we should be able to start private Activities from within the application, and when it comes to browsers (especially in Android) we can use Intent URLs to start a private Activity of the browser.

I found some Activities in Opera Mobile, and the problem is I just can't run them using an Intent URL, and I have no idea what I am doing wrong.

For example there is an Activity in Opera called OperaMainActivity (or another called OperaStartActivity). I'm trying to start them like this:

intent:#Intent;component=com.opera.browser/com.opera.android.OperaMainActivity;end

or

intent:#Intent;component=com.opera.browser/com.opera.android.OperaStartActivity;end

but none of these will start the Activity called.

Though I can still start AdMarvelActivity, which is private as well:

"intent:#Intent;S.url=https://google.com;component=com.opera.browser/com.admarvel.android.ads.AdMarvelActivity;end";

Here is how OperaMainActivity is defined in AndroidManifest:

<activity ns0:label="@string/app_name_title" ns0:name="com.opera.android.OperaMainActivity" ns0:launchMode="singleTask" ns0:configChanges="keyboard|keyboardHidden|orientation|screenSize" ns0:windowSoftInputMode="10" />

and there is no intent-filter for it.

And this is how AdMarvelActivity is defined in AndroidManifest:

<activity ns0:theme="@*ns0:style/Theme.NoTitleBar.Fullscreen" ns0:name="com.admarvel.android.ads.AdMarvelActivity" ns0:process=":helper" ns0:configChanges="keyboard|keyboardHidden|orientation" />

I see no major difference between these two. What am I doing wrong?!

Mohammad Siavashi
  • Are you looking for this? https://stackoverflow.com/questions/3004515/android-sending-an-intent-to-browser-to-open-specific-url – Shmuel Sep 18 '16 at 22:30
  • No. It's about starting browsers' public activities which could be called from other applications. I'm looking for explicitly calling private activities from within the browser itself, of course using Intent URL Schemes – Mohammad Siavashi Sep 19 '16 at 08:57

1 Answer

Vulnerable handling of the Intent URL Scheme has been known for a long time and most of the popular browsers (like Chrome, Opera) have fixed this bug. However, alternative Android browsers still have this vulnerability.

I tried the attack on the current version of Opera Mobile (v37) and thankfully it's not working. You must be running it on an older apk.

If you are interested in testing this attack on alternative browsers, you can follow this talk: All Your Browsers Belong To Us, which demonstrates this attack on Dolphin Browser and Mercury Browser.

  • Thanks for your answer, I know about the attack. But my question is a bit different. I'm asking: if I can start private activities, then why can't I start the activity provided in the question? I want to know how to run them. I mean, if I can start AdMarvelActivity then why can't I start others?! Am I writing the intent URL wrong?! – Mohammad Siavashi Sep 22 '16 at 11:25
  • I agree that if `AdMarvelActivity` can be run then others should also be runnable. It might be that you are missing some intent extras which are mandatory for the activity to start. You can intercept or log all intents via `adb logcat | fgrep -i intent` and check if the problem is with the intent being fired or received. What version of Opera Mobile are you trying this on? Please share the apk and Intent URL that you tried. – Shikher Verma Sep 22 '16 at 12:48
  • The adb command works really well for monitoring. I found that the problem was in some versions of browsers (especially the new ones) filtering the component in intent URLs. If you have noticed in the code, they set intent.setComponent(null) immediately after parseURI, so we can't call the private activities using component. Is there any other way to start them? – Mohammad Siavashi Sep 23 '16 at 09:10
  • Nope, I don't think starting private activities would be possible without component. `HOST/URI-path#Intent;package=[string];action=[string];category=[string];component=[string];scheme=[string];end;`. `package`, `action`, `category` are not exploitable unless the target code has explicitly made the mistake of starting private activities on certain `action` or added a wrong `category` to some activity. The talk "All your Browsers Belong to Us" discusses exploiting `scheme` but it's not for starting private activities. – Shikher Verma Sep 23 '16 at 10:36
  • Thanks a lot, then I have to search for a vulnerability where parseURL happens to see if they made any mistake. – Mohammad Siavashi Sep 23 '16 at 11:35
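The browser-side fix the comments above describe (nulling the component right after `Intent.parseUri`), written out as an added example; this is not Opera's, Chrome's or the question author's code, the class name `IntentUrlHandler` is hypothetical, and the BROWSABLE category plus own-package check are assumed extra hardening beyond the page's setComponent(null) step.

```java
import android.content.ActivityNotFoundException;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import java.net.URISyntaxException;

// Added example, not Opera's, Chrome's or the question author's code: a
// browser-side handler for "intent:" URLs that come from web content.
// Dropping the component is the step described in the comments; the
// BROWSABLE category and own-package check are assumed extra hardening.
public final class IntentUrlHandler {

    // Parse the URL and strip everything that would make resolution explicit.
    // Returns null when the string is not a valid intent URL.
    static Intent sanitize(String url) {
        Intent intent;
        try {
            intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return null;
        }
        // "component=com.opera.browser/..." from the question is discarded here,
        // so only exported activities with a matching intent-filter remain.
        intent.setComponent(null);
        // A selector intent could otherwise reintroduce explicit targeting.
        intent.setSelector(null);
        // Only activities that opted in to launches from a browser may match.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        return intent;
    }

    // Resolve and start the sanitized intent; refuse anything that would
    // land back inside the browser's own package (the private-activity case).
    public static boolean launch(Context ctx, String url) {
        Intent intent = sanitize(url);
        if (intent == null) return false;
        ResolveInfo target = ctx.getPackageManager().resolveActivity(intent, 0);
        if (target == null
                || ctx.getPackageName().equals(target.activityInfo.packageName)) {
            return false;
        }
        try {
            ctx.startActivity(intent);
            return true;
        } catch (ActivityNotFoundException e) {
            return false;
        }
    }
}
```

With this handler, the first two URLs in the question resolve to nothing (no exported intent-filter survives the component drop) and the AdMarvelActivity URL is refused by the own-package check, which is the behaviour the asker observed in newer builds.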