Last spring (2019) I started to “open and read” Android applications before installing them. Reversing an APK file can be interesting to understand how an app works, how it manages permissions and my data, and whether there are vulnerabilities. I was looking for a different Android mail client, so I started to reverse them and I found many mail clients on the Play Store were - maybe are - vulnerable to JavaScript injection. I found eight important apps vulnerable to cross-site scripting: Newton Mail 10.0.23, Nine Email 4.5.3a, Blue Mail 1.9.5.36, Edison Email 1.7.1, Email TypeApp 1.9.5.35 and Spark 2.0.2 + two apps I can’t disclose now. In April and May 2019 I wrote to the vendors of these apps, but only some of them replied to me.
JavaScript Injection in Android WebView
JavaScript injection in Android WebView is a serious vulnerability because in some scenarios it was possible to execute code remotely by injecting malicious JavaScript code into the WebView (CVE-2012-6636, CVE-2013-4710). These vulnerabilities were fixed by Google, but JavaScript injection in the WebView is still a common bug; for this reason Google has also created a support page explaining how to use JavaScript interfaces in the WebView. Although JavaScript injection usually doesn’t lead to code execution, it is still a serious vulnerability because it can be used to steal data (similar to the CVE-2019-11730 PoC) if setAllowUniversalAccessFromFileURLs is set to true.
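As an added example (not code from the original post or from any of the apps listed), here is a small Python check over decompiled Java source that flags the WebSettings combination described above. The sample class, the function names and the HIGH/REVIEW/LOW labels are constructed for illustration, and only calls with a literal `true` argument are detected.

```python
import re

# WebSettings setters (real Android API names) that weaken the WebView sandbox when true.
RISKY_SETTERS = ("setJavaScriptEnabled", "setAllowFileAccess",
                 "setAllowFileAccessFromFileURLs", "setAllowUniversalAccessFromFileURLs")
CALL_RE = re.compile(r"\.(%s)\(\s*(true|false)\s*\)" % "|".join(RISKY_SETTERS))

def strip_comments(java_src):
    """Blank out comments (keeping line numbers) so commented-out calls are not reported."""
    keep_newlines = lambda m: "\n" * m.group(0).count("\n")
    java_src = re.sub(r"/\*.*?\*/", keep_newlines, java_src, flags=re.S)
    return re.sub(r"//[^\n]*", "", java_src)

def audit(java_src):
    """Return (findings, verdict); findings lists (line_no, setter) enabled with literal true."""
    findings = []
    for no, line in enumerate(strip_comments(java_src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            if m.group(2) == "true":
                findings.append((no, m.group(1)))
    enabled = {name for _, name in findings}
    if {"setJavaScriptEnabled", "setAllowUniversalAccessFromFileURLs"} <= enabled:
        verdict = "HIGH"    # script in a file:// page may read content from any origin
    elif "setJavaScriptEnabled" in enabled:
        verdict = "REVIEW"  # script runs; check how message HTML is sanitized
    else:
        verdict = "LOW"
    return findings, verdict

SAMPLE = '''\
package com.example.mail;  // constructed sample, not taken from any real app
import android.webkit.WebSettings;
import android.webkit.WebView;
class MessageView {
    void setup(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        /* s.setAllowFileAccess(true); */
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(true);
    }
}
'''
HARDENED = SAMPLE.replace("(true)", "(false)")  # the same class with every setter off

if __name__ == "__main__":
    for src in (SAMPLE, HARDENED):
        print(audit(src))
```
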
Newton Mail
App: Newton Mail
Version: 10.0.23
Downloads: +1.000.000
Has vendor replied? Yes
CVE: 2019-12365
In Newton Mail 10.0.23, setAllowUniversalAccessFromFileURLs is set to true.
Edison Mail
App: Edison Mail
Version: 1.7.1
Downloads: +1.000.000
Has vendor replied? Yes
CVE: 2019-12368
In Edison Mail 1.7.1, setAllowUniversalAccessFromFileURLs is set to true.
Nine - Email & Calendar
App: Nine - Email & Calendar
Version: 4.5.3a
Downloads: +1.000.000
Has vendor replied? No
CVE: 2019-12366
Spark
App: Spark
Version: 2.0.2
Downloads: +500.000
Has vendor replied? Yes
CVE: 2019-12370
Blue Mail
App: Blue Mail
Version: 1.9.5.36
Downloads: +5.000.000
Has vendor replied? No
CVE: 2019-12367
TypeApp Email
App: TypeApp Email
Version: 1.9.5.35
Downloads: +1.000.000
Has vendor replied? No
CVE: 2019-12369