Critical Severity
🔴 Android Unsafe Code Execution
🧠 Description
Android apps allow code execution through exposed components, vulnerable WebViews, or improper deep link handling. Attackers can inject JavaScript or execute commands.
Impact: RCE, Data Theft, Session Hijacking, Device Compromise
🎯 Attack Surface
- WebView with JavaScript enabled
- Intent scheme URLs (deep links)
- Exported Activities/BroadcastReceivers
- PendingIntents with mutable flags
🔍 Detection
javascript:alert(document.cookie)
intent://evil#Intent;scheme=app
mjavascript:alert(1)
🛡️ Mitigation
✅ Disable JavaScript in WebView when possible
✅ Validate deep link URLs
✅ Set FLAG_SECURITY for PendingIntents
✅ Disable intent scheme in WebViewClient
✅ Validate deep link URLs
✅ Set FLAG_SECURITY for PendingIntents
✅ Disable intent scheme in WebViewClient