Improper validation of intent data received in TextViewerActivity allows opening of arbitrary files in hamza417/inure

Valid

Reported on Aug 13th 2023


Description

Tested on Build87 of the Inure application. The application has an exported activity (.activities.association.TextViewerActivity) that accepts intent data with the file scheme and a text/* MIME type, and opens the file named by the supplied URI data string.

A malicious application installed on the device can send an intent to this activity and supply a path to a file within the Inure application's private directory (/data/data/app.simple.inure), which the Inure application will then open.

Proof of Concept

PS C:\Users\Acer\Desktop\pwn-toolkit\apks\app.simple.inure> adb shell am start -n app.simple.inure/.activities.association.TextViewerActivity -d "file:///data/data/app.simple.inure/shared_prefs/Preferences.xml"  

Starting: Intent { dat=file:///data/data/app.simple.inure/shared_prefs/Preferences.xml cmp=app.simple.inure/.activities.association.TextViewerActivity }

This opens the Preferences.xml file, which belongs to the Inure application's private directory. The impact of this vulnerability is constrained for now, since trying to Export the opened file crashes the whole application for some reason.

Impact

An application's internal directory and the files within it should never be accessible by other applications within a device. The vulnerability reported demonstrates that it is possible for malicious third-party applications to open/view arbitrary files belonging to the Inure app's private directory due to the lack of validation in the received intent data string.
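One way to reject such intents before any file is opened, as an added example (not Inure's code and not the fix from commit 2176af). GuardedTextViewerActivity and the two helper functions are hypothetical names, and only the file-scheme case from this report is covered:

```kotlin
import android.app.Activity
import android.content.ContentResolver
import android.content.Context
import android.net.Uri
import android.os.Bundle
import java.io.File

/** True when [candidate] resolves to [root] or to anything beneath it. */
fun isInside(candidate: File, root: File): Boolean {
    // canonicalFile collapses ".." and follows symlinks, so /data/data/<pkg>
    // and /data/user/0/<pkg> compare equal when one is a link to the other.
    val c = candidate.canonicalFile
    val r = root.canonicalFile
    return c == r || c.path.startsWith(r.path + File.separator)
}

/** True when [uri] is a file path that points into this app's private data directory. */
fun pointsIntoPrivateDir(context: Context, uri: Uri): Boolean {
    // An explicit intent bypasses the manifest's intent filter, so the scheme is
    // attacker-controlled: compare case-insensitively and treat a missing scheme
    // as a bare file path.
    val scheme = uri.scheme
    if (scheme != null && !scheme.equals(ContentResolver.SCHEME_FILE, ignoreCase = true)) {
        return false
    }
    val path = uri.path ?: return true   // file URI without a path: treat as unsafe
    return isInside(File(path), File(context.applicationInfo.dataDir))
}

// Hypothetical activity, used only to show where the check runs.
class GuardedTextViewerActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val uri = intent?.data
        if (uri == null || pointsIntoPrivateDir(this, uri)) {
            finish()                     // refuse before any file is opened
            return
        }
        // ... hand uri to the existing viewer code ...
    }
}
```

The check compares canonical paths rather than raw strings, so a path written with ".." segments or through a symlinked data directory is still recognised as private.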

We are processing your report and will contact the hamza417/inure team within 24 hours. (a month ago)
We have contacted a member of the hamza417/inure team and are waiting to hear back. (a month ago)
Hamza Rizwan validated this vulnerability. (a month ago)
Carlo Jae Avila has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Hamza Rizwan gave praise: (a month ago)
Thanks for the report.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Hamza Rizwan marked this as fixed in build88 with commit 2176af. (a month ago)
The fix bounty has been dropped.
This vulnerability has been assigned a CVE.
This vulnerability is scheduled to go public on Aug 20th 2023.
Hamza Rizwan published this vulnerability. (a month ago)