Potentially Intent Spoofing

Description

The application is vulnerable to intent spoofing which could result in the access and exploitation of unauthorized components.

Recommendation

It is recommended to apply proper input validation and parameter filtering on intent action.

Technical details
[TAINT] String 'https://www.facebook.com/Turbo-Inc-251066022448019/' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V', '1', 'IPC_SINK']' [[('Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment$9;', 'onClick', '(Landroid/view/View;)V'), ('Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment;', 'access$1500', '(Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment; Ljava/lang/String;)V'), ('Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment;', 'startLink', '(Ljava/lang/String;)V'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V')]]

Use of a string value https://www.facebook.com/Turbo-Inc-251066022448019/ to construct an Intent

Method com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment$9.onClick():


    public void onClick(android.view.View p3)
    {
        com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment.access$1500(this.this$0, "https://www.facebook.com/Turbo-Inc-251066022448019/");
        return;
    }

Method com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment.access$1500():


    static synthetic void access$1500(com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment p0, String p1)
    {
        p0.startLink(p1);
        return;
    }

Method com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment.startLink():


    private void startLink(String p4)
    {
        this.startActivity(new android.content.Intent("android.intent.action.VIEW", android.net.Uri.parse(p4)));
        return;
    }

Method android.content.Intent.<init>() not found.

[TAINT] String 'https://www.instagram.com/turbocarapp/' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V', '1', 'IPC_SINK']' [[('Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment$11;', 'onClick', '(Landroid/view/View;)V'), ('Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment;', 'access$1500', '(Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment; Ljava/lang/String;)V'), ('Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment;', 'startLink', '(Ljava/lang/String;)V'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V')]]

Use of a string value https://www.instagram.com/turbocarapp/ to construct an Intent

Method com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment$11.onClick():


    public void onClick(android.view.View p3)
    {
        com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment.access$1500(this.this$0, "https://www.instagram.com/turbocarapp/");
        return;
    }

Method com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment.access$1500():


    static synthetic void access$1500(com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment p0, String p1)
    {
        p0.startLink(p1);
        return;
    }

Method com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment.startLink():


    private void startLink(String p4)
    {
        this.startActivity(new android.content.Intent("android.intent.action.VIEW", android.net.Uri.parse(p4)));
        return;
    }

Method android.content.Intent.<init>() not found.

[TAINT] String 'https://twitter.com/TurboInc3' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V', '1', 'IPC_SINK']' [[('Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment$10;', 'onClick', '(Landroid/view/View;)V'), ('Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment;', 'access$1500', '(Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment; Ljava/lang/String;)V'), ('Lcom/example/diegosantiago/turbo/Fragmentos/BusquedaFragment;', 'startLink', '(Ljava/lang/String;)V'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String; Landroid/net/Uri;)V')]]

Use of a string value https://twitter.com/TurboInc3 to construct an Intent

Method com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment$10.onClick():


    public void onClick(android.view.View p3)
    {
        com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment.access$1500(this.this$0, "https://twitter.com/TurboInc3");
        return;
    }

Method com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment.access$1500():


    static synthetic void access$1500(com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment p0, String p1)
    {
        p0.startLink(p1);
        return;
    }

Method com.example.diegosantiago.turbo.Fragmentos.BusquedaFragment.startLink():


    private void startLink(String p4)
    {
        this.startActivity(new android.content.Intent("android.intent.action.VIEW", android.net.Uri.parse(p4)));
        return;
    }

Method android.content.Intent.<init>() not found.