Android on Shivasuryahttp://shivasurya.me/tags/android/Recent content in Android on ShivasuryaHugoen-usFri, 10 Feb 2023 00:00:00 +0000Detecting Android WebView Vulnerable Configurations with Semgrep Rules - Part 1http://shivasurya.me/2023/02/10/android-webview-vulnerabilities-semgrep-rules-detection/Fri, 10 Feb 2023 00:00:00 +0000http://shivasurya.me/2023/02/10/android-webview-vulnerabilities-semgrep-rules-detection/<p>Android WebView widget provides APIs that help developers seamlessly integrate webpage contents within Android application. Advancement in Webview &amp; Chrome Custom Tabs lead to <a href="https://tomtunguz.com/mobile-only-saas/">exponential growth in webview based mobile development</a> platforms such as <code>Ionic framework</code>, <code>JQuery Mobile</code>, <code>Adobe Phonegap</code> later open-sourced as <code>Cordova Project</code>, <code>React Native</code>. However the race to capture the mobile development market, immature WebView APIs and lack of security guidance lead to multiple vulnerabilities and exploits. In today&rsquo;s blog post, we&rsquo;ll deep dive into multiple WebView vulnerability configurations and leverage semgrep to detect those configuration real time.</p>Detecting Android Content Provider APIs with Semgrep Ruleshttp://shivasurya.me/2022/11/28/android-content-provider-semgrep-detection/Mon, 28 Nov 2022 00:00:00 +0000http://shivasurya.me/2022/11/28/android-content-provider-semgrep-detection/<p>Content Provider is one of the powerful APIs which helps Android developers programmatically expose resource content within Android ecosystem via Intents. One could easily write those queries easily by extending the <code>ContentProvider</code> class and implementing those methods and accessing via URI (example: <code>android://com.zoho.example/database/:_data</code>). Though these Content Provider is a cupcake for developers, Unfortunately there are lot of vulnerabilities hidden within those APIs and with implementation part.</p> <p>The main intent for writing this blog post were Semgrep and the recent blog post from <code>project zero</code> regarding <a href="https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html">Analysis of a Samsung in-the-wild exploit chain</a>. I&rsquo;ve been using semgrep for a while to tweak my findings instead of naive grep, CodeQL and the Samsung exploit chain may look trivial but how a simple permission bypass can affect system level apps in the Android phone. Later this year, I have added semgrep to my mobile pentesting suite which helps me to run these scripts over large Android projects, decompiled projects in automated way which pings me on Slack 🤖.</p>