JVN#66422035
Android Apps developed using Yappli fail to restrict custom URL schemes properly
Overview
Android Apps developed using Yappli fail to restrict custom URL schemes properly.
Products Affected
- Android Apps that are developed in Yappli since v7.3.6 and prior to v9.30.0
Description
Yappli provided by Yappli, Inc. is an application development platform.
Android Apps that are developed with Yappli provide a function that accesses a requested URL through a Custom URL Scheme.
Access to this function is not restricted properly (CWE-939), which may be exploited to direct the App to connect to unintended sites.
Impact
When accessing a malicious website containing a specially crafted URL, the vulnerable app may be directed to connect to some unintended site.
As a result, the app's internal information may be leaked and/or altered.
Solution
Solution for developers of affected applications
Rebuild the application in the latest development environment. Until the rebuilt version is published, remove the affected version from an application store.
Solution for users of affected applications
Please inquire with the application developer.
Vendor Status
Vendor | Link |
Yappli, Inc. | Vulnerability Notice in Android Application (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |

Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Comment
"Integrity(I)" is the primary impact (alteration of the application's access destination),
whereas "Confidentiality(C)" and "Availability(A)" are secondary impacts.
Credit
RyotaK reported and coordinated with the developer to fix this vulnerability.
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
Other Information
CVE | CVE-2021-20873 |
JVN iPedia | JVNDB-2021-000112 |