バグバウンティにおけるモバイルアプリの脆弱性報告の事例まとめ - blog of morioka12

blog of morioka12

morioka12のブログ (Security Blog)

バグバウンティにおけるモバイルアプリの脆弱性報告の事例まとめ

BugBounty・BugHunt Mobile Security

1. 始めに

こんにちは、morioka12 です。

本稿では、バグバウンティにおけるモバイルアプリケーションの脆弱性報告の事例についてまとめて紹介します。

1. 始めに
- 免責事項
- 想定読者
2. Mobile Security Top 10
- OWASP Mobile Top 10 2023 (初期リリース)
- JSSEC Mobile Top 10 2023
3. 脆弱性報告の事例
4. その他
5. 終わりに

免責事項

本稿の内容は、セキュリティに関する知見を広く共有する目的で執筆されており、悪用行為を推奨するものではありません。

想定読者

セキュリティ初学者・学生
- 特に Mobile Security に興味がある方
モバイルアプリケーションの開発者
バグバウンティに興味がある方
(脆弱性調査をしている方)

2. Mobile Security Top 10

OWASP Mobile Top 10 2023 (初期リリース)

不適切な資格情報の利用
不十分なサプライチェーンセキュリティ
安全でない認証・承認
不十分な入出力の検証
安全でない通信
不十分なプライバシー管理
不十分なバイナリ保護
セキュリティ設定の不備
安全でないデータ管理
不十分な暗号化

coky-t.gitbook.io

JSSEC Mobile Top 10 2023

プラットフォームの不適切な利用
不適切なクレデンシャルの利用
クライアントコードの品質と安全性
安全でない通信
安全でない認証
不十分な暗号化
安全でない認可制御
コード改ざん
安全でないデータストレージ
余計な機能

https://www.jssec.org/wp-content/uploads/20230301-jssec-mobile-top10.pdf

3. 脆弱性報告の事例

バグバウンティにおいて、モバイルアプリケーションは、主に以下にようなタイプ(Asset Type)で提供されます。

Android
- APK file
- Play Store
iOS
- IPA file
- App Store
- TestFlight

XSS (Cross-site Scripting)

Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506
- Bounty: $560

Blind Stored XSS on iOS App due to Unsanitized Webview
- Bounty: $100

[Grab Android/iOS] Insecure deeplink leads to sensitive information disclosure

[Lark Android] Vulnerability in exported activity WebView
- Bounty: $1,000

UXss on brave browser via scan QR Code
- Bounty: $500

XSS via message subject - mobile application

[Android] HTML Injection in BatterySaveArticleRenderer WebView
- Bounty: $150

[Android] XSS via start ContentActivity

SQL Injection

GitHub Security Lab (GHSL) Vulnerability Report: SQLInjection in FileContentProvider.kt (GHSL-2022-059)
- Bounty: $300

SQL Injection found in NextCloud Android App Content Provider
- Bounty: $150

https://hackerone.com/reports/291764hackerone.com

Local SQL Injection in Content Provider (ru.mail.data.contact.ContactsProvider) of Mail.ru for Android, version 12.2.0.29734

SQLi allow query restriction bypass on exposed FileContentProvider
- Bounty: $100

CSRF (Cross-site Request Forgery)

Periscope iOS app CSRF in follow action due to deeplink
- Bounty: $2,940

URL Scheme misconfiguration on TikTok for IOS
- Bounty: $500

CSRF when unlocking lenses leads to lenses being forcefully installed without user interaction
- $250

Periscope android app deeplink leads to CSRF in follow action

Path Traversal

Path Traversal в iOS приложении

Path traversal in ZIP extract routine on LINE Android
- Bounty: $475

Access to arbitrary file of the Nextcloud Android app from within the Nextcloud Android app
- $250

Path traversal allows tricking the Talk Android app into writing files into it's root directory

Path traversal allows tricking the Talk Android app into writing files into it's root directory

Access to arbitrary file of the Nextcloud Android app from within the Nextcloud Android app
- Bounty: $250

Download attachments with traversal path into any sdcard directory (incomplete fix 106097)

Improper Access Control

Default Nextcloud Server and Android Client leak sharee searches to Nextcloud
- Bounty: $750

Webview in LINE client for iOS will render application/octet-stream files as HTML
- Bounty: $500

Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate

Theft of arbitrary files in LINE Lite client for Android

1 click Account takeover via deeplink in [com.kayak.android]

Sensitive files/ data exists post deletion of user account
- Bounty: $150

IDOR (Insecure Direct Object Reference)

read new emails from any inbox IOS APP in notification center

IDOR for changing privacy settings on any memories

Business Suite "Get Leads" Resulting in Revealing User Email & Phone

Improper Authentication

Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile)
- Bounty: $500

Weak user aunthentication on mobile application - I just broken userKey secret password
- Bounty: $5,000

App pin of the Android app can be bypassed via 3rdparty apps generating deep links
- Bounty: $150

Able to steal bearer token from deep link
- Bounty: $6,337

Two-factor authentication bypass on Grab Android App

Authorization bypass using login by phone option+horizontal escalation possible on Grab Android App

Bypassing lock protection
- Bounty: $50

Vine - overwrite account associated with email via android application

Privilege Escalation

Access of Android protected components via embedded intent

Bypass pin(4 digit passcode on your android app)
- Bounty: $100

Android MailRu Email: Thirdparty can access private data files with small user interaction

Information Disclosure

AWS bucket leading to iOS test build code and configuration exposure
- Bounty: $1,500

Possible to steal any protected files on Android
- Bounty: $750

Android content provider exposes password-protected share password hashes
- Bounty: $75

Notification implicit PendingIntent in com.nextcloud.client allows to access contacts
- Bounty: $250

Starbucks China Android app cloud storage service leaks a credential.

[Quora Android] Possible to steal arbitrary files from mobile device

Extremly simple way to bypass Nextcloud-Client PIN/Fingerprint lock

Information Exposure Through Debug Information

Grammarly Keyboard for Android <4.1 leaks user input through logs (except for sensitive input fields)

Stealing Private Information in VK Android App through PlayerProxy Port Remotely

Starbucks China Android app cloud storage service leaks a credential.

Use of Hard-coded Credentials

[█████████] Hardcoded credentials in Android App
- Bounty: $500

Hardcoded credentials in Android App

Disclosure of all uploads to Cloudinary via hardcoded api secret in Android app

Improper Export of Android Application Components

Multiple bugs leads to RCE on TikTok for Android

Launch Any Activity in MyMail App

DoS

url that twitter mobile site can not load
- Bounty: $1,120

iOS group chat denial of service
- Bounty: $300

DoS of LINE client for Android via message containing multiple unicode characters (0x0e & 0x0f)

iOS app crashed by specially crafted direct message reactions
- Bounty: $560

DoS in Brave browser for iOS
- Bounty: $80

https://hackerone.com/reports/357665hackerone.com

Privacy Violation

Changing email address on Twitter for Android unsets "Protect your Tweets"
- Bounty: $2,940

Mail.ru for Android - Theft of sensitive data

https://hackerone.com/reports/910398hackerone.com

[IRCCloud Android] Theft of arbitrary files leading to token leakage

Cryptographic Issues

Twitter iOS fails to validate server certificate and sends oauth token
- Bounty: $2,100

Insecure Data Storage in Vine Android App
- Bounty: $140

Violation of Secure Design Principles

Phishing/Malware site blocking on Brave iOS can be bypassed with trailing dot in hostname
- Bounty: $250

ByPassing the email Validation Email on Sign up process in mobile apps
- Bounty: $100

4. その他

モバイルアプリの報告が多いプログラム(会社)

おすすめの学習コンテンツ

コンテンツ

TryHackMe
- Android Hacking 101
- Mobile Malware Analysis
Hacker101 CTF
- Android: H1 Thermostat, Intentional Exercise, Oauthbreaker, Mobile Webdev (4問)
Hack The Box
- Challenges: Mobile (11問)

やられアプリ

YouTube

Advanced Android Bug Bounty skills - Ben Actis, Bugcrowd's LevelUp 2017

www.youtube.com

Android App Bug Bounty Secrets

www.youtube.com

Android Bug Bounty / Android Application Pentest

www.youtube.com

Udemy

公式ドキュメント

OWASP Mobile Application Security Testing Guide (MASTG)

coky-t.gitbook.io

OWASP Mobile Application Security Testing Guide ja

Androidアプリのセキュア設計・セキュアコーディングガイド

ツール

bugbountyforum.com

参考ドキュメント (おすすめ系)

book.hacktricks.xyz

book.hacktricks.xyz

バグバウンティ入門(始め方)

バグバウンティの始め方については、以下のブログで紹介しているため、こちらもぜひご覧ください。

scgajge12.hatenablog.com

5. 終わりに

本稿では、バグバウンティにおけるモバイルアプリケーションの脆弱性報告の事例についてまとめて紹介しました。

モバイルアプリの開発をしている方でセキュリティに興味のある方は、ぜひ参考にしてみてください。

ここまでお読みいただきありがとうございました。