huntr | Dy9bala | 0E517DB6-D8BA-4CB9-9339-7991DDA52E6D
History: Oct 07, 2023 - 3:28 a.m.

Improper Authorization allows opening of arbitrary files

2023-10-07 03:28:29
dy9bala
www.huntr.dev
6
improper authorization
inure application
arbitrary files
intent data

AI Score: 7.2 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.0%)

Description

Tested on Build94 of the Inure application. The application has an exported activity (.activities.association.TextViewerActivity) that accepts intent data with the file scheme and a text/* MIME type and opens the file named by the supplied URI data string. The checking function hasAppPath is not well designed, and an attacker can still bypass its validation. A malicious application installed on the device can send an intent to this activity and supply a path to a file within the Inure application's private directory (/data/data/app.simple.inure), which the Inure application will then open.

Proof of Concept

adb shell am start -n app.simple.inure.play/app.simple.inure.activities.association.TextViewerActivity -d "file:///data/./data/app.simple.inure.play/shared_prefs/Preferences.xml"

Note that "/data/./data/app.simple.inure.play/" is a valid file path, and it bypasses the validation performed by the function hasAppPath.
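
A check that matches the path as a string misses equivalent spellings of the same directory, which is what the "/data/./data/" path above relies on. The Kotlin sketch below is an added example, not Inure's code: naiveHasAppPath is a hypothetical stand-in for a string-based check, APP_DIR and the sample URIs are constructed, and a Unix-like JVM is assumed.

```kotlin
import java.io.File
import java.net.URI

// Constructed for this example; on Android use context.dataDir instead.
const val APP_DIR = "/data/data/app.simple.inure.play"

// Hypothetical stand-in for a string-based check such as hasAppPath:
// it only recognises the literal spelling of the private directory.
fun naiveHasAppPath(path: String): Boolean = path.contains(APP_DIR)

// Hardened check: canonicalise first (collapses "." segments and resolves
// symlinks), then compare whole path components, not string prefixes.
fun isInsidePrivateDir(path: String): Boolean {
    val base = File(APP_DIR).canonicalFile.toPath()
    val target = File(path).canonicalFile.toPath()
    return target.startsWith(base)
}

// Decide whether a file:// URI received in an intent may be opened.
fun mayOpen(uri: String): Boolean {
    val parsed = URI(uri)
    if (parsed.scheme != "file") return false
    val path = parsed.path ?: return false
    return !isInsidePrivateDir(path)
}

fun main() {
    // Constructed sample inputs; the first is the URI from the report.
    val samples = listOf(
        "file:///data/./data/app.simple.inure.play/shared_prefs/Preferences.xml",
        "file:///data/data/app.simple.inure.play/shared_prefs/Preferences.xml",
        "file:///data/data/app.simple.inure.playground/notes.txt",
        "file:///sdcard/Download/readme.txt",
    )
    for (s in samples) {
        val path = URI(s).path
        println("naiveBlocks=${naiveHasAppPath(path)} hardenedBlocks=${!mayOpen(s)} $s")
    }
}
```

The string check lets the first sample through and wrongly matches the third, while the canonical comparison blocks only paths that actually resolve inside the private directory.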
