Potentially Intent Spoofing

Description

The application is vulnerable to intent spoofing which could result in the access and exploitation of unauthorized components.

Recommendation

It is recommended to apply proper input validation and parameter filtering on intent action.

Technical details
[TAINT] String 'com.google.zxing.client.android.SCAN' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String;)V', '0', 'IPC_SINK']' [[('Lcom/google/appinventor/components/runtime/BarcodeScanner;', 'DoScan', '()V'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String;)V')]]

Use of a string value com.google.zxing.client.android.SCAN to construct an Intent

Method com.google.appinventor.components.runtime.BarcodeScanner.DoScan():


    public void DoScan()
    {
        android.content.Intent v1_1 = new android.content.Intent("com.google.zxing.client.android.SCAN");
        if ((this.useExternalScanner) || (com.google.appinventor.components.runtime.util.SdkLevel.getLevel() < 5)) {
            if (this.requestCode == 0) {
                this.requestCode = this.form.registerForActivityResult(this);
            }
            try {
                this.container.$context().startActivityForResult(v1_1, this.requestCode);
            } catch (android.content.ActivityNotFoundException v0) {
                v0.printStackTrace();
                com.google.appinventor.components.runtime.Form v3_12 = this.container.$form();
                Object[] v6_1 = new Object[1];
                v6_1[0] = "";
                v3_12.dispatchErrorOccurredEvent(this, "BarcodeScanner", 1501, v6_1);
            }
        } else {
            if (this.havePermission) {
                v1_1.setComponent(new android.content.ComponentName(this.container.$form().getPackageName(), "com.google.zxing.client.android.AppInvCaptureActivity"));
            } else {
                this.container.$form().askPermission("android.permission.CAMERA", new com.google.appinventor.components.runtime.BarcodeScanner$1(this));
            }
        }
        return;
    }

Method android.content.Intent.<init>() not found.

[TAINT] String 'com.google.tts.makeBagel' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String;)V', '0', 'IPC_SINK']' [[('Lcom/google/appinventor/components/runtime/util/ExternalTextToSpeech;', 'speak', '(Ljava/lang/String; Ljava/util/Locale;)V'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String;)V')]]

Use of a string value com.google.tts.makeBagel to construct an Intent

Method com.google.appinventor.components.runtime.util.ExternalTextToSpeech.speak():


    public void speak(String p4, java.util.Locale p5)
    {
        android.content.Intent v0_1 = new android.content.Intent("com.google.tts.makeBagel");
        v0_1.setFlags(131072);
        v0_1.setFlags(8388608);
        v0_1.setFlags(1073741824);
        v0_1.putExtra("message", p4);
        v0_1.putExtra("language", p5.getISO3Language());
        v0_1.putExtra("country", p5.getISO3Country());
        if (this.requestCode == 0) {
            this.requestCode = this.container.$form().registerForActivityResult(this);
        }
        this.container.$context().startActivityForResult(v0_1, this.requestCode);
        return;
    }

Method android.content.Intent.<init>() not found.

[TAINT] String 'com.google.zxing.client.android.SCAN' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Ljava/lang/String;)V', '0', 'IPC_SINK']' [[('Lcom/google/appinventor/components/runtime/BarcodeScanner$1;', 'HandlePermissionResponse', '(Ljava/lang/String; Z)V'), ('Lcom/google/appinventor/components/runtime/BarcodeScanner;', 'DoScan', '()V'), ('Landroid/content/Intent;', '<init>', '(Ljava/lang/String;)V')]]

Use of a string value com.google.zxing.client.android.SCAN to construct an Intent

Method com.google.appinventor.components.runtime.BarcodeScanner$1.HandlePermissionResponse():


    public void HandlePermissionResponse(String p5, boolean p6)
    {
        if (!p6) {
            this.this$0.form.dispatchPermissionDeniedEvent(this.this$0, "DoScan", "android.permission.CAMERA");
        } else {
            com.google.appinventor.components.runtime.BarcodeScanner.access$002(this.this$0, 1);
            this.this$0.DoScan();
        }
        return;
    }

Method com.google.appinventor.components.runtime.BarcodeScanner.DoScan():


    public void DoScan()
    {
        android.content.Intent v1_1 = new android.content.Intent("com.google.zxing.client.android.SCAN");
        if ((this.useExternalScanner) || (com.google.appinventor.components.runtime.util.SdkLevel.getLevel() < 5)) {
            if (this.requestCode == 0) {
                this.requestCode = this.form.registerForActivityResult(this);
            }
            try {
                this.container.$context().startActivityForResult(v1_1, this.requestCode);
            } catch (android.content.ActivityNotFoundException v0) {
                v0.printStackTrace();
                com.google.appinventor.components.runtime.Form v3_12 = this.container.$form();
                Object[] v6_1 = new Object[1];
                v6_1[0] = "";
                v3_12.dispatchErrorOccurredEvent(this, "BarcodeScanner", 1501, v6_1);
            }
        } else {
            if (this.havePermission) {
                v1_1.setComponent(new android.content.ComponentName(this.container.$form().getPackageName(), "com.google.zxing.client.android.AppInvCaptureActivity"));
            } else {
                this.container.$form().askPermission("android.permission.CAMERA", new com.google.appinventor.components.runtime.BarcodeScanner$1(this));
            }
        }
        return;
    }

Method android.content.Intent.<init>() not found.

[TAINT] String '.Screen1' ==>>> Sink '['Landroid/content/Intent;', '<init>', '(Landroid/content/Context; Ljava/lang/Class;)V', '1', 'IPC_SINK']' [[('Lcom/google/appinventor/components/runtime/util/SmsBroadcastReceiver;', 'sendNotification', '(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;)V'), ('Landroid/content/Intent;', '<init>', '(Landroid/content/Context; Ljava/lang/Class;)V')]]

Use of a string value .Screen1 to construct an Intent

Method com.google.appinventor.components.runtime.util.SmsBroadcastReceiver.sendNotification():


    private void sendNotification(android.content.Context p13, String p14, String p15)
    {
        android.util.Log.i("SmsBroadcastReceiver", new StringBuilder().append("sendingNotification ").append(p14).append(":").append(p15).toString());
        String v7 = p13.getPackageName();
        android.util.Log.i("SmsBroadcastReceiver", new StringBuilder().append("Package name : ").append(v7).toString());
        try {
            String v1 = new StringBuilder().append(v7).append(".Screen1").toString();
            android.content.Intent v4_1 = new android.content.Intent(p13, Class.forName(v1));
            try {
                v4_1.setAction("android.intent.action.MAIN");
                v4_1.addCategory("android.intent.category.LAUNCHER");
                v4_1.addFlags(805306368);
                ((android.app.NotificationManager) p13.getSystemService("notification")).notify(0, 8647, new android.support.v4.app.NotificationCompat$Builder(p13).setSmallIcon(17301648).setTicker(new StringBuilder().append(p14).append(" : ").append(p15).toString()).setWhen(System.currentTimeMillis()).setAutoCancel(1).setDefaults(1).setContentTitle(new StringBuilder().append("Sms from ").append(p14).toString()).setContentText(p15).setContentIntent(android.app.PendingIntent.getActivity(p13, 0, v4_1, 134217728)).setNumber(com.google.appinventor.components.runtime.Texting.getCachedMsgCount()).build());
                android.util.Log.i("SmsBroadcastReceiver", new StringBuilder().append("Notification sent, classname: ").append(v1).toString());
            } catch (ClassNotFoundException v2) {
                v2.printStackTrace();
            }
            return;
        } catch (ClassNotFoundException v2) {
        }
    }

Method android.content.Intent.<init>() not found.