huntr | Dy9bala | B1BECC68-E738-458F-BD99-06EE77580D3A
Sep 22, 2023 - 5:02 a.m.

Improper validation of intent data received in TextViewerActivity allows opening of arbitrary files in hamza417/inure

2023-09-22 05:02:39
dy9bala
www.huntr.dev
Tags: improper validation, arbitrary file opening, inure application, exported activity, intent data, checking function, malicious application, private directory, vulnerability, bug bounty

EPSS: 0.0004 (Low), percentile 9.0%

Description

Tested on Build89 of the Inure application. The application has an exported activity (.activities.association.TextViewerActivity) that accepts intent data with the file scheme and a text/* MIME type, and opens the file referenced by the provided URI data string.
The checking function hasAppPath is not well designed:

    private fun hasAppPath(): Boolean {
        // Substring match on the raw path of the intent's data URI
        return intent.data?.path?.contains("data/data/$packageName")!!
    }

An attacker can still bypass this validation, because the check is a plain substring match on the path exactly as supplied.
A malicious application installed on the device can send an intent to this activity and supply a path to a file within the Inure application’s private directory (/data/data/app.simple.inure), which the Inure application will then open.

Proof of Concept

    PS C:\Users\Acer\Desktop\pwn-toolkit\apks\app.simple.inure> adb shell am start -n app.simple.inure/.activities.association.TextViewerActivity -d "file:///data//data/app.simple.inure/shared_prefs/Preferences.xml"

Please note that the path "data//data/app.simple.inure/" bypasses the check contains("data/data/$packageName")!!.

This opens the Preferences.xml file which belongs to the Inure application’s private directory. The impact of this vulnerability is constrained for now, since trying to Export this opened file crashes the whole application for some reason.
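The check fails because it compares a substring of the raw path. As an added example (not code from the Inure project or the original report), the code below runs the report's check next to a variant that canonicalizes the path before comparing; `hasAppPathNaive` (the report's check with its inputs passed as parameters), `isOutsidePrivateDir`, `evaluate` and the literal private directory are assumptions made for illustration.

```kotlin
import java.io.File
import java.net.URI

// The report's check with the path and package name passed in:
// a substring match on the raw, un-normalized path.
fun hasAppPathNaive(path: String?, packageName: String): Boolean =
    path?.contains("data/data/$packageName") ?: false

// Hypothetical hardened check (not the project's code): canonicalize both
// sides, then compare whole path components. canonicalFile collapses
// duplicate separators and "." / ".." segments and resolves symlinks.
fun isOutsidePrivateDir(path: String?, privateDir: File): Boolean {
    if (path == null) return false                 // fail closed: nothing to open
    val target = File(path).canonicalFile
    val root = privateDir.canonicalFile
    val inside = target == root ||
        target.path.startsWith(root.path + File.separator)
    return !inside
}

// Returns (uri, naive "is private", hardened "is private") per sample.
fun evaluate(uris: List<String>, pkg: String, privateDir: File) =
    uris.map { uri ->
        val path = URI(uri).path                   // keeps "//" exactly as sent
        Triple(uri, hasAppPathNaive(path, pkg), !isOutsidePrivateDir(path, privateDir))
    }

fun main() {
    val pkg = "app.simple.inure"
    // Assumption: on a device the app would pass its real data directory
    // here; a literal is used so the example runs on any JVM.
    val privateDir = File("/data/data/$pkg")
    // Constructed sample inputs; the second is the path from the report.
    val samples = listOf(
        "file:///data/data/$pkg/shared_prefs/Preferences.xml",
        "file:///data//data/$pkg/shared_prefs/Preferences.xml",
        "file:///sdcard/Download/notes.txt"
    )
    for ((uri, naive, hardened) in evaluate(samples, pkg, privateDir)) {
        println("private? naive=$naive hardened=$hardened  $uri")
    }
}
```

For the report's `data//data` path the naive check reports `false` while the canonicalized check reports `true`; the other two samples get the same answer from both.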
