v1.2

@banditVedant banditVedant released this 30 Apr 07:02
· 30 commits to master since this release
464b7b5

What's Changed?

New Vulnerabilities Added:

1. Fragment Injection

  • Added a visible fragment to the Refer-us activity.
  • Added a hidden fragment for exploitation.

2. SQLi via exported content provider

  • Removed the direct SQL queries that fetched addresses from the database.
  • Implemented a new content provider named AddressContentProvider, which now fetches addresses from the database.
  • This content provider is exported, and extra data can be supplied via an intent.

3. Unauthorized Data Insertion via Insecure Content Provider

  • Implemented AddressContentProvider to write user-supplied data into the database via a content provider query.
  • Set this content provider as exported and allowed data insertion via intent extra data.

Bugs Fixed:

  1. Deeplink not working
  2. Fixed the broken Deeplink feature.
  3. Restructured elements in the manifest file and improved the logic in the Java code for multiple components.

Full Changelog: android...v1.2