Potentially Intent Spoofing

Description

The application is vulnerable to intent spoofing which could result in the access and exploitation of unauthorized components.

Recommendation

It is recommended to apply proper input validation and parameter filtering on intent action.

Technical details
[TAINT] String 'market://details?id=com.google.android.gms' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V', '1', 'IPC_SINK']' [[('Lplugin/google/maps/PluginEnvironment;', 'isAvailable', '(Lorg/json/JSONArray; Lorg/apache/cordova/CallbackContext;)V'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V')]]

Use of a string value market://details?id=com.google.android.gms to construct an Intent

Method plugin.google.maps.PluginEnvironment.isAvailable():


    public void isAvailable(org.json.JSONArray p9, org.apache.cordova.CallbackContext p10)
    {
        int v1 = com.google.android.gms.common.GoogleApiAvailability.getInstance().isGooglePlayServicesAvailable(this.cordova.getActivity());
        if (v1 == 0) {
            try {
                Class.forName("com.google.android.gms.maps.GoogleMap");
                p10.success();
            } catch (Exception v2) {
                android.util.Log.e("GoogleMaps", "Error", v2);
                p10.error(v2.getMessage());
            }
        } else {
            p10.error(com.google.android.gms.common.GoogleApiAvailability.getInstance().getErrorString(v1));
            try {
                this.cordova.getActivity().startActivity(new android.content.Intent("android.intent.action.VIEW", android.net.Uri.parse("market://details?id=com.google.android.gms")));
            } catch (android.content.ActivityNotFoundException v0) {
                this.cordova.getActivity().startActivity(new android.content.Intent("android.intent.action.VIEW", android.net.Uri.parse("http://play.google.com/store/apps/details?id=com.google.android.gms")));
            }
            this.cordova.getActivity().finish();
        }
        return;
    }

Method android.content.Intent.<init>() not found.

[TAINT] String 'com.android.vending' ==>>> Sink '['Landroid/content/Intent;', 'setPackage', '(Ljava/lang/String;)Landroid/content/Intent;', '0', 'IPC_SINK']' [[('Lplugin/google/maps/PluginStreetViewPanorama$1;', 'run', '()V'), ('Lcom/google/android/gms/maps/StreetViewPanoramaView;', 'onCreate', '(Landroid/os/Bundle;)V'), ('Lcom/google/android/gms/dynamic/DeferredLifecycleHelper;', 'showGooglePlayUnavailableMessage', '(Landroid/widget/FrameLayout;)V'), ('Lcom/google/android/gms/common/GoogleApiAvailabilityLight;', 'getErrorResolutionIntent', '(Landroid/content/Context; I Ljava/lang/String;)Landroid/content/Intent;'), ('Lcom/google/android/gms/common/internal/GmsIntents;', 'createPlayStoreIntent', '(Ljava/lang/String; Ljava/lang/String;)Landroid/content/Intent;'), ('Landroid/content/Intent;', 'setPackage', '(Ljava/lang/String;)Landroid/content/Intent;')]]

Use of a string value com.android.vending to construct an Intent

Method plugin.google.maps.PluginStreetViewPanorama$1.run():


    public void run()
    {
        plugin.google.maps.PluginStreetViewPanorama.access$000(this.this$0).onCreate(0);
        plugin.google.maps.PluginStreetViewPanorama.access$000(this.this$0).setTag(Integer.valueOf(this.this$0.getViewDepth()));
        plugin.google.maps.PluginStreetViewPanorama.access$000(this.this$0).getStreetViewPanoramaAsync(new plugin.google.maps.PluginStreetViewPanorama$1$1(this));
        return;
    }

Method com.google.android.gms.maps.StreetViewPanoramaView.onCreate():


    public final void onCreate(android.os.Bundle p3)
    {
        android.os.StrictMode$ThreadPolicy v1 = android.os.StrictMode.getThreadPolicy();
        android.os.StrictMode.setThreadPolicy(new android.os.StrictMode$ThreadPolicy$Builder(v1).permitAll().build());
        try {
            this.zzcc.onCreate(p3);
        } catch (Throwable v0_2) {
            android.os.StrictMode.setThreadPolicy(v1);
            throw v0_2;
        }
        if (this.zzcc.getDelegate() == null) {
            com.google.android.gms.dynamic.DeferredLifecycleHelper.showGooglePlayUnavailableMessage(this);
        }
        android.os.StrictMode.setThreadPolicy(v1);
        return;
    }

Method com.google.android.gms.dynamic.DeferredLifecycleHelper.showGooglePlayUnavailableMessage():


    public static void showGooglePlayUnavailableMessage(android.widget.FrameLayout p9)
    {
        android.content.Intent v0_0 = com.google.android.gms.common.GoogleApiAvailability.getInstance();
        android.content.Context v1 = p9.getContext();
        android.widget.Button v2_2 = v0_0.isGooglePlayServicesAvailable(v1);
        com.google.android.gms.dynamic.zze v3_6 = com.google.android.gms.common.internal.ConnectionErrorMessages.getErrorMessage(v1, v2_2);
        String v4 = com.google.android.gms.common.internal.ConnectionErrorMessages.getErrorDialogButtonMessage(v1, v2_2);
        android.widget.LinearLayout v5_1 = new android.widget.LinearLayout(p9.getContext());
        v5_1.setOrientation(1);
        v5_1.setLayoutParams(new android.widget.FrameLayout$LayoutParams(-2, -2));
        p9.addView(v5_1);
        android.widget.TextView v6_5 = new android.widget.TextView(p9.getContext());
        v6_5.setLayoutParams(new android.widget.FrameLayout$LayoutParams(-2, -2));
        v6_5.setText(v3_6);
        v5_1.addView(v6_5);
        android.content.Intent v0_1 = v0_0.getErrorResolutionIntent(v1, v2_2, 0);
        if (v0_1 != null) {
            android.widget.Button v2_1 = new android.widget.Button(v1);
            v2_1.setId(16908313);
            v2_1.setLayoutParams(new android.widget.FrameLayout$LayoutParams(-2, -2));
            v2_1.setText(v4);
            v5_1.addView(v2_1);
            v2_1.setOnClickListener(new com.google.android.gms.dynamic.zze(v1, v0_1));
        }
        return;
    }

Method com.google.android.gms.common.GoogleApiAvailabilityLight.getErrorResolutionIntent():


    public android.content.Intent getErrorResolutionIntent(android.content.Context p3, int p4, String p5)
    {
        android.content.Intent v0_1;
        switch (p4) {
            case 1:
            case 2:
                if ((p3 == null) || (!com.google.android.gms.common.util.DeviceProperties.isWearableWithoutPlayStore(p3))) {
                    v0_1 = com.google.android.gms.common.internal.GmsIntents.createPlayStoreIntent("com.google.android.gms", com.google.android.gms.common.GoogleApiAvailabilityLight.zza(p3, p5));
                } else {
                    v0_1 = com.google.android.gms.common.internal.GmsIntents.createAndroidWearUpdateIntent();
                }
                break;
            case 3:
                v0_1 = com.google.android.gms.common.internal.GmsIntents.createSettingsIntent("com.google.android.gms");
                break;
            default:
                v0_1 = 0;
        }
        return v0_1;
    }

Method com.google.android.gms.common.internal.GmsIntents.createPlayStoreIntent():


    public static android.content.Intent createPlayStoreIntent(String p3, String p4)
    {
        android.content.Intent v0_1 = new android.content.Intent("android.intent.action.VIEW");
        int v1_1 = android.net.Uri.parse("market://details").buildUpon().appendQueryParameter("id", p3);
        if (!android.text.TextUtils.isEmpty(p4)) {
            v1_1.appendQueryParameter("pcampaignid", p4);
        }
        v0_1.setData(v1_1.build());
        v0_1.setPackage("com.android.vending");
        v0_1.addFlags(524288);
        return v0_1;
    }

Method android.content.Intent.setPackage() not found.

[TAINT] String 'com.android.vending' ==>>> Sink '['Landroid/content/Intent;', 'setPackage', '(Ljava/lang/String;)Landroid/content/Intent;', '0', 'IPC_SINK']' [[('Lplugin/google/maps/PluginMap$1;', 'run', '()V'), ('Lcom/google/android/gms/maps/MapView;', 'onCreate', '(Landroid/os/Bundle;)V'), ('Lcom/google/android/gms/dynamic/DeferredLifecycleHelper;', 'showGooglePlayUnavailableMessage', '(Landroid/widget/FrameLayout;)V'), ('Lcom/google/android/gms/common/GoogleApiAvailabilityLight;', 'getErrorResolutionIntent', '(Landroid/content/Context; I Ljava/lang/String;)Landroid/content/Intent;'), ('Lcom/google/android/gms/common/internal/GmsIntents;', 'createPlayStoreIntent', '(Ljava/lang/String; Ljava/lang/String;)Landroid/content/Intent;'), ('Landroid/content/Intent;', 'setPackage', '(Ljava/lang/String;)Landroid/content/Intent;')]]

Use of a string value com.android.vending to construct an Intent

Method plugin.google.maps.PluginMap$1.run():


    public void run()
    {
        plugin.google.maps.PluginMap.access$000(this.this$0).onCreate(0);
        plugin.google.maps.PluginMap.access$000(this.this$0).setTag(Integer.valueOf(this.this$0.getViewDepth()));
        plugin.google.maps.PluginMap.access$000(this.this$0).getMapAsync(new plugin.google.maps.PluginMap$1$1(this));
        return;
    }

Method com.google.android.gms.maps.MapView.onCreate():


    public final void onCreate(android.os.Bundle p3)
    {
        android.os.StrictMode$ThreadPolicy v1 = android.os.StrictMode.getThreadPolicy();
        android.os.StrictMode.setThreadPolicy(new android.os.StrictMode$ThreadPolicy$Builder(v1).permitAll().build());
        try {
            this.zzbf.onCreate(p3);
        } catch (Throwable v0_2) {
            android.os.StrictMode.setThreadPolicy(v1);
            throw v0_2;
        }
        if (this.zzbf.getDelegate() == null) {
            com.google.android.gms.dynamic.DeferredLifecycleHelper.showGooglePlayUnavailableMessage(this);
        }
        android.os.StrictMode.setThreadPolicy(v1);
        return;
    }

Method com.google.android.gms.dynamic.DeferredLifecycleHelper.showGooglePlayUnavailableMessage():


    public static void showGooglePlayUnavailableMessage(android.widget.FrameLayout p9)
    {
        android.content.Intent v0_0 = com.google.android.gms.common.GoogleApiAvailability.getInstance();
        android.content.Context v1 = p9.getContext();
        android.widget.Button v2_2 = v0_0.isGooglePlayServicesAvailable(v1);
        com.google.android.gms.dynamic.zze v3_6 = com.google.android.gms.common.internal.ConnectionErrorMessages.getErrorMessage(v1, v2_2);
        String v4 = com.google.android.gms.common.internal.ConnectionErrorMessages.getErrorDialogButtonMessage(v1, v2_2);
        android.widget.LinearLayout v5_1 = new android.widget.LinearLayout(p9.getContext());
        v5_1.setOrientation(1);
        v5_1.setLayoutParams(new android.widget.FrameLayout$LayoutParams(-2, -2));
        p9.addView(v5_1);
        android.widget.TextView v6_5 = new android.widget.TextView(p9.getContext());
        v6_5.setLayoutParams(new android.widget.FrameLayout$LayoutParams(-2, -2));
        v6_5.setText(v3_6);
        v5_1.addView(v6_5);
        android.content.Intent v0_1 = v0_0.getErrorResolutionIntent(v1, v2_2, 0);
        if (v0_1 != null) {
            android.widget.Button v2_1 = new android.widget.Button(v1);
            v2_1.setId(16908313);
            v2_1.setLayoutParams(new android.widget.FrameLayout$LayoutParams(-2, -2));
            v2_1.setText(v4);
            v5_1.addView(v2_1);
            v2_1.setOnClickListener(new com.google.android.gms.dynamic.zze(v1, v0_1));
        }
        return;
    }

Method com.google.android.gms.common.GoogleApiAvailabilityLight.getErrorResolutionIntent():


    public android.content.Intent getErrorResolutionIntent(android.content.Context p3, int p4, String p5)
    {
        android.content.Intent v0_1;
        switch (p4) {
            case 1:
            case 2:
                if ((p3 == null) || (!com.google.android.gms.common.util.DeviceProperties.isWearableWithoutPlayStore(p3))) {
                    v0_1 = com.google.android.gms.common.internal.GmsIntents.createPlayStoreIntent("com.google.android.gms", com.google.android.gms.common.GoogleApiAvailabilityLight.zza(p3, p5));
                } else {
                    v0_1 = com.google.android.gms.common.internal.GmsIntents.createAndroidWearUpdateIntent();
                }
                break;
            case 3:
                v0_1 = com.google.android.gms.common.internal.GmsIntents.createSettingsIntent("com.google.android.gms");
                break;
            default:
                v0_1 = 0;
        }
        return v0_1;
    }

Method com.google.android.gms.common.internal.GmsIntents.createPlayStoreIntent():


    public static android.content.Intent createPlayStoreIntent(String p3, String p4)
    {
        android.content.Intent v0_1 = new android.content.Intent("android.intent.action.VIEW");
        int v1_1 = android.net.Uri.parse("market://details").buildUpon().appendQueryParameter("id", p3);
        if (!android.text.TextUtils.isEmpty(p4)) {
            v1_1.appendQueryParameter("pcampaignid", p4);
        }
        v0_1.setData(v1_1.build());
        v0_1.setPackage("com.android.vending");
        v0_1.addFlags(524288);
        return v0_1;
    }

Method android.content.Intent.setPackage() not found.

[TAINT] String 'market://details?id=com.google.android.gms' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V', '1', 'IPC_SINK']' [[('Lplugin/google/maps/CordovaGoogleMaps$1$1;', 'onClick', '(Landroid/content/DialogInterface; I)V'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V')]]

Use of a string value market://details?id=com.google.android.gms to construct an Intent

Method plugin.google.maps.CordovaGoogleMaps$1$1.onClick():


    public void onClick(android.content.DialogInterface p6, int p7)
    {
        p6.dismiss();
        if (this.val$finalIsNeedToUpdate) {
            try {
                plugin.google.maps.CordovaGoogleMaps.access$000(this.this$1.this$0).startActivity(new android.content.Intent("android.intent.action.VIEW", android.net.Uri.parse("market://details?id=com.google.android.gms")));
            } catch (android.content.ActivityNotFoundException v0) {
                plugin.google.maps.CordovaGoogleMaps.access$000(this.this$1.this$0).startActivity(new android.content.Intent("android.intent.action.VIEW", android.net.Uri.parse("http://play.google.com/store/apps/details?id=com.google.android.gms")));
            }
        }
        return;
    }

Method android.content.Intent.<init>() not found.