Javascript Injection in six Android mail clients

Last spring (2019) I started to “open and read” Android applications before installing them. Reversing an APK file can be an interesting way to understand how an app works, how it manages permissions and my data, and whether it has vulnerabilities. I was looking for a different Android mail client, so I started to reverse them and I found that many mail clients on the Play Store were – maybe are – vulnerable to Javascript injection. I found eight important apps vulnerable to cross-site scripting: Newton Mail 10.0.23, Nine Email 4.5.3a, Blue Mail 1.9.5.36, Edison Email 1.7.1, Email TypeApp 1.9.5.35 and Spark 2.0.2 + two apps I can’t disclose now. In April and May 2019 I wrote to the vendors of these apps, but only some of them replied to me.

JAVASCRIPT INJECTION IN ANDROID WEBVIEW

Javascript injection in Android WebView is a serious vulnerability because in some scenarios it was possible to execute code remotely by injecting malicious Javascript code into the WebView (CVE-2012-6636, CVE-2013-4710). These vulnerabilities were fixed by Google, but Javascript injection in the WebView is still a common bug; for this reason Google has created a support page to explain how to use Javascript interfaces in the WebView. Although Javascript injection usually doesn’t lead to code execution, it is still a serious vulnerability because it can be used to steal data (similar to the CVE-2019-11730 PoC) if setAllowUniversalAccessFromFileURLs is set to true.
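A reviewer can check for these settings in a disassembled APK. The following is an added example, not code from the original post or from any of the apps listed: it assumes the APK was disassembled to smali (for example with apktool), and the sample method, class and field names are constructed. It reports WebSettings calls whose boolean argument is a known true constant or cannot be determined.

```python
import re

# WebSettings setters where a true argument widens what script in the WebView can reach.
RISKY = {"setJavaScriptEnabled", "setAllowFileAccess",
         "setAllowFileAccessFromFileURLs", "setAllowUniversalAccessFromFileURLs"}
CONST = re.compile(r"\s*const(?:/4|/16)?\s+([vp]\d+),\s*(-?0x[0-9a-fA-F]+)")
WRITE = re.compile(r"\s*(?:move|[ias]get|const)\S*\s+([vp]\d+)")  # other register writes
CALL = re.compile(r"\s*invoke-virtual\s*\{([^}]*)\},\s*"
                  r"Landroid/webkit/WebSettings;->(\w+)\(Z\)V")

def audit_smali(text):
    """Return (line, setter, value) for risky setters not provably false;
    value is True for a known non-zero constant, None when it is unknown."""
    findings, regs = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith((".method", ":")):  # new method or branch target
            regs = {}
        elif (m := CONST.match(line)):
            regs[m.group(1)] = int(m.group(2), 16) != 0
        elif (m := WRITE.match(line)):
            regs.pop(m.group(1), None)  # value no longer a known constant
        elif (m := CALL.match(line)) and m.group(2) in RISKY:
            value = regs.get(m.group(1).split(",")[-1].strip())
            if value is not False:
                findings.append((no, m.group(2), value))
    return findings

# Constructed sample, not taken from any of the apps on this page.
SAMPLE = """\
.method private initWebView(Landroid/webkit/WebView;)V
    .locals 2
    invoke-virtual {p1}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v0
    const/4 v1, 0x1
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setAllowUniversalAccessFromFileURLs(Z)V
    const/4 v1, 0x0
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setAllowFileAccess(Z)V
    iget-boolean v1, p0, Lcom/example/Mail;->allowFiles:Z
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setAllowFileAccessFromFileURLs(Z)V
    return-void
.end method
"""

if __name__ == "__main__":
    for no, setter, value in audit_smali(SAMPLE):
        print(f"line {no}: {setter}({'true' if value else 'unknown'})")
```

A finding with an unknown value means the argument came from a field or a call result, so the setter needs manual review.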

Newton Mail

App: Newton Mail
Version: 10.0.23
Downloads: + 1.000.000
Has vendor replied? Yes
CVE: 2019-12365


In Newton Mail 10.0.23 setAllowUniversalAccessFromFileURLs is set to true.

Edison Mail

App: Edison Mail
Version: 1.7.1
Downloads: + 1.000.000
Has vendor replied? Yes
CVE: 2019-12368


In Edison Mail 1.7.1 setAllowUniversalAccessFromFileURLs is set to true.

Nine – Email & Calendar

App: Nine – Email & Calendar
Version: 4.5.3a
Downloads: + 1.000.000
Has vendor replied? No
CVE: 2019-12366

 
Spark

App: Spark
Version: 2.0.2
Downloads: + 500.000
Has vendor replied? Yes
CVE: 2019-12370

 
Blue Mail

App: Blue Mail
Version: 1.9.5.36
Downloads: + 5.000.000
Has vendor replied? No
CVE: 2019-12367

 
TypeApp Email

App: TypeApp Email
Version: 1.9.5.35
Downloads: + 1.000.000
Has vendor replied? No
CVE: 2019-12369