Improper validation of intent data received in TextViewerActivity allows opening of arbitrary files

Description

Tested on Build87 of the Inure application. It was discovered that the application had an exported activity (.activities.association.TextViewerActivity) which accepted intent data via the file scheme + text/* mime type and opened the associated files from provided URI data string.

It is possible for a malicious application installed within the device to send an intent to this activity and supply a path to a file within the Inure application’s private directory (/data/data/app.simple.inure) which the Inure application will then open.

Proof of Concept

PS C:\Users\Acer\Desktop\pwn-toolkit\apks\app.simple.inure> adb shell am start -n app.simple.inure/.activities.association.TextViewerActivity -d "file:///data/data/app.simple.inure/shared_prefs/Preferences.xml"  

Starting: Intent { dat=file:///data/data/app.simple.inure/shared_prefs/Preferences.xml cmp=app.simple.inure/.activities.association.TextViewerActivity }

This opens the Preferences.xml file which belongs to the Inure application’s private directory. The impact of this vulnerability is constrained for now, since trying to Export this opened file crashes the whole application for some reason.