<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Android-Security on Shivasurya</title><link>http://shivasurya.me/categories/android-security/</link><description>Recent content in Android-Security on Shivasurya</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 24 Jan 2024 00:00:00 +0000</lastBuildDate><atom:link href="http://shivasurya.me/categories/android-security/feed.xml" rel="self" type="application/rss+xml"/><item><title>Deep dive on Android Java / Kotlin Deserialization Code Execution with Semgrep Detection</title><link>http://shivasurya.me/2024/01/24/java-deserialization-rce-android-application-layer/</link><pubDate>Wed, 24 Jan 2024 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2024/01/24/java-deserialization-rce-android-application-layer/</guid><description>&lt;h3 id="overview">Overview&lt;/h3>
&lt;p>In this post, we will explore code execution through Java and Kotlin deserialization in Android applications. We will also discuss gadget chains, detection and exploitation techniques specific to Android. Achieving code execution in a server-side application via Java deserialization has a higher chance of success than in a client-side Android application, because the set of classes loaded in an Android app is far more limited. For instance, &lt;code>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl&lt;/code> is available in OpenJDK but not in the Android runtime (at least not unmodified). This limitation can block the usual approach of loading arbitrary classes and executing a payload (mostly compiled bytecode) in an Android application. Still, plenty of deserialization vulnerabilities have been published, such as&lt;/p></description></item><item><title>Detecting Android WebView Vulnerable Configurations with Semgrep Rules - Part 1</title><link>http://shivasurya.me/2023/02/10/android-webview-vulnerabilities-semgrep-rules-detection/</link><pubDate>Fri, 10 Feb 2023 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2023/02/10/android-webview-vulnerabilities-semgrep-rules-detection/</guid><description>&lt;p>The Android WebView widget provides APIs that let developers seamlessly embed web content within an Android application. Advances in WebView and Chrome Custom Tabs led to &lt;a href="https://tomtunguz.com/mobile-only-saas/">exponential growth in webview based mobile development&lt;/a> platforms such as &lt;code>Ionic framework&lt;/code>, &lt;code>JQuery Mobile&lt;/code>, &lt;code>Adobe Phonegap&lt;/code> (later open-sourced as the &lt;code>Cordova Project&lt;/code>) and &lt;code>React Native&lt;/code>. However, the race to capture the mobile development market, immature WebView APIs and a lack of security guidance led to multiple vulnerabilities and exploits. 
In today&amp;rsquo;s blog post, we&amp;rsquo;ll dive into several vulnerable WebView configurations and use Semgrep to detect those configurations automatically.&lt;/p></description></item><item><title>Detecting Android Content Provider APIs with Semgrep Rules</title><link>http://shivasurya.me/2022/11/28/android-content-provider-semgrep-detection/</link><pubDate>Mon, 28 Nov 2022 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2022/11/28/android-content-provider-semgrep-detection/</guid><description>&lt;p>Content Provider is one of the powerful Android APIs that lets developers programmatically expose structured data to other components and apps, which reach it through a &lt;code>ContentResolver&lt;/code> and a content URI. One implements a provider by extending the &lt;code>ContentProvider&lt;/code> class and filling in its query methods, and then accesses it via a URI (example: &lt;code>content://com.zoho.example/database/:_data&lt;/code>). Although content providers are a cupcake for developers, a lot of vulnerabilities hide within those APIs and in how they are implemented.&lt;/p>
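&lt;p>As an added example that is not part of the original post: the kind of manifest check a Semgrep rule performs, written here as a plain Python script so it runs offline. It walks the &lt;code>provider&lt;/code> entries of a constructed &lt;code>AndroidManifest.xml&lt;/code> (built with the ElementTree API; the package and provider names are made up for the example) and reports every provider that is reachable from other apps without a permission on its read or write path. The exported default follows the Android documentation: when &lt;code>android:exported&lt;/code> is omitted, a provider is exported unless both &lt;code>minSdkVersion&lt;/code> and &lt;code>targetSdkVersion&lt;/code> are 17 or higher.&lt;/p>

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an android:-namespaced attribute (android:exported etc.), or None."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def android_attrs(**kwargs):
    """Build an attribute dict with every key placed in the android: namespace."""
    return {"{%s}%s" % (ANDROID_NS, k): v for k, v in kwargs.items()}


def build_sample_manifest():
    """Constructed sample manifest (not from any real app), built with the
    ElementTree API instead of a literal XML string. Four providers cover
    the cases the checker has to tell apart."""
    manifest = ET.Element("manifest", {"package": "com.example.app"})
    ET.SubElement(manifest, "uses-sdk",
                  android_attrs(minSdkVersion="16", targetSdkVersion="33"))
    app = ET.SubElement(manifest, "application")
    # explicitly exported with no permission at all: any app can query or insert
    ET.SubElement(app, "provider", android_attrs(
        name=".NotesProvider", authorities="com.example.app.notes", exported="true"))
    # exported and readable only with a custom permission; writes are still open
    ET.SubElement(app, "provider", android_attrs(
        name=".ExportProvider", authorities="com.example.app.export", exported="true",
        readPermission="com.example.app.READ_EXPORT"))
    # android:exported omitted: the default is decided by the SDK levels above
    ET.SubElement(app, "provider", android_attrs(
        name=".CacheProvider", authorities="com.example.app.cache"))
    # explicitly private: never reachable from other apps
    ET.SubElement(app, "provider", android_attrs(
        name=".PrivateProvider", authorities="com.example.app.private", exported="false"))
    return manifest


def sdk_levels(manifest):
    """minSdkVersion and targetSdkVersion from uses-sdk (1 when absent,
    target falling back to min as the build tools do)."""
    uses_sdk = manifest.find("uses-sdk")
    if uses_sdk is None:
        return 1, 1
    min_sdk = int(android_attr(uses_sdk, "minSdkVersion") or 1)
    target_sdk = int(android_attr(uses_sdk, "targetSdkVersion") or min_sdk)
    return min_sdk, target_sdk


def is_exported(provider, min_sdk, target_sdk):
    """Apply the documented default: with android:exported omitted, a provider
    is exported unless both minSdkVersion and targetSdkVersion are 17 or higher."""
    explicit = android_attr(provider, "exported")
    if explicit is not None:
        return explicit == "true"
    return not (min_sdk >= 17 and target_sdk >= 17)


def find_unguarded_providers(manifest):
    """Return (provider name, [issues]) for every exported provider whose read
    or write path carries no android:permission / readPermission / writePermission."""
    min_sdk, target_sdk = sdk_levels(manifest)
    findings = []
    for provider in manifest.iter("provider"):
        if not is_exported(provider, min_sdk, target_sdk):
            continue
        general = android_attr(provider, "permission")
        issues = []
        if not (general or android_attr(provider, "readPermission")):
            issues.append("read path has no permission")
        if not (general or android_attr(provider, "writePermission")):
            issues.append("write path has no permission")
        if issues:
            findings.append((android_attr(provider, "name"), issues))
    return findings


if __name__ == "__main__":
    for name, issues in find_unguarded_providers(build_sample_manifest()):
        print(name, "->", "; ".join(issues))
```

&lt;p>On the sample manifest the script flags &lt;code>.NotesProvider&lt;/code> on both paths, &lt;code>.ExportProvider&lt;/code> on the write path only, and &lt;code>.CacheProvider&lt;/code> on both paths because a &lt;code>minSdkVersion&lt;/code> of 16 makes it exported by default; &lt;code>.PrivateProvider&lt;/code> is skipped. A permission attribute only helps if the permission it names is not declared with a &lt;code>normal&lt;/code> protection level, which is a follow-up check against the &lt;code>permission&lt;/code> elements of the same manifest.&lt;/p>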
&lt;p>The main motivation for writing this blog post was Semgrep and the recent blog post from &lt;code>project zero&lt;/code> regarding the &lt;a href="https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html">Analysis of a Samsung in-the-wild exploit chain&lt;/a>. I&amp;rsquo;ve been using Semgrep for a while to refine my findings instead of naive grep or CodeQL, and the Samsung exploit chain may look trivial, but it shows how a simple permission bypass can affect system-level apps on an Android phone. Later this year, I added Semgrep to my mobile pentesting suite, which lets me run these scripts over large Android projects and decompiled projects in an automated way that pings me on Slack 🤖.&lt;/p></description></item></channel></rss>