_IDENTIFIED_LOOKFOR : 0 with good intent-filter #3

Open
Neolex-Security opened this issue Nov 12, 2019 · 5 comments

@Neolex-Security

Hello, thanks for the tool.
I'm trying to make the filter work on an application created for that.
I use the default template for "JSbridgeBrowsable"
and I got this AndroidManifest.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    package="fr.neolexsecurity.myvulnapp">

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <activity android:name=".VulnActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />

                <data android:scheme="http" />
                <data android:scheme="https" />
                <data android:scheme="about" />
                <category android:name="android.intent.category.BROWSABLE" />
            </intent-filter>
        </activity>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>
```

But I get `_IDENTIFIED_LOOKFOR : 0`:

DEBUG    Analysing <Element activity at 0x7f9b08414908> against template {'BASEPATH': 'manifest->application->activity OR manifest->application->activity-alias', 'SEARCHPATH': {'intent-filter': {'action': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.action.VIEW'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'category': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.category.BROWSABLE'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'data': {'RETURN': ['<NAMESPACE>:host AS @host', '<NAMESPACE>:scheme AS @scheme']}}}, 'RETURN': ['<smali>:<NAMESPACE>:name AS @activity_name']}.

and

DEBUG    Analysing <Element intent-filter at 0x7f9b08414e08> against template {'action': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.action.VIEW'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'category': {'LOOKFOR': {'TAGVALUEMATCH': '<NAMESPACE>:name=android.intent.category.BROWSABLE'}, '_EXPECTED_LOOKFOR': 1, '_IDENTIFIED_LOOKFOR': 0, '_SATISFIED_LOOKFOR': False}, 'data': {'RETURN': ['<NAMESPACE>:host AS @host', '<NAMESPACE>:scheme AS @scheme']}}.

Do you have an idea where the problem is?

Thank you.

app-release.apk.zip
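
An independent cross-check for the manifest in the report above (an added example, not the tool's code and not part of the issue): it applies the criteria visible in the debug template, action `VIEW` plus category `BROWSABLE`, with the standard library's ElementTree and namespace-qualified attribute keys. The names `browsable_activities` and `vals` and the trimmed sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"  # ElementTree attribute-key prefix

# Constructed sample: the two activities from the first manifest in this issue,
# trimmed to the elements the template in the debug output inspects.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".VulnActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="http" />
        <data android:scheme="https" />
        <data android:scheme="about" />
        <category android:name="android.intent.category.BROWSABLE" />
      </intent-filter>
    </activity>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def vals(elems, attr):
    """Collect android:<attr> values from elements, skipping those without it."""
    return [e.get(ANDROID_NS + attr) for e in elems if e.get(ANDROID_NS + attr)]

def browsable_activities(manifest_xml):
    """Return activities whose intent-filter has action VIEW and category BROWSABLE."""
    root = ET.fromstring(manifest_xml)
    found = []
    for tag in ("activity", "activity-alias"):
        for act in root.findall(f"./application/{tag}"):
            for flt in act.findall("intent-filter"):
                actions = vals(flt.findall("action"), "name")
                cats = vals(flt.findall("category"), "name")
                if ("android.intent.action.VIEW" in actions
                        and "android.intent.category.BROWSABLE" in cats):
                    data = flt.findall("data")
                    found.append({"activity": act.get(ANDROID_NS + "name"),
                                  "schemes": vals(data, "scheme"),
                                  "hosts": vals(data, "host")})
    return found

if __name__ == "__main__":
    print(browsable_activities(SAMPLE_MANIFEST))
```

With ElementTree, `act.get("name")` and `act.get("android:name")` both return `None` for these elements; only the `{namespace-URI}name` key matches.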

@projectbtle
Contributor

projectbtle commented Dec 19, 2019

I tried to convert the attached APK to smali (to analyse it), but apktool says it isn't readable. Could you please re-attach the APK, as generated by Android Studio?

@Neolex-Security
Author

Hi, I'm not sure what you want me to do. apktool works for me on this APK. And I don't have the Android Studio project anymore, sorry...

@projectbtle
Contributor

Could you let the code run fully (in debug mode) and post the entire trace here?

@Neolex-Security
Author

OK, here is the trace attached.
output.txt

@Neolex-Security
Author

Hello, I made another Android app; the output is attached below and the code is:
AndroidManifest.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.neolex.vuln_jsbridgebrowsable">

    <application
        android:allowBackup="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:roundIcon="@mipmap/ic_launcher_round"
        android:supportsRtl="true"
        android:theme="@style/AppTheme">
        <activity android:name=".VulnActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.BROWSABLE" />
                <data android:scheme="vuln://" />
            </intent-filter>
        </activity>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />

                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>

</manifest>
```

VulnActivity.java:

```java
package com.neolex.vuln_jsbridgebrowsable;

import androidx.appcompat.app.AppCompatActivity;

import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class VulnActivity extends AppCompatActivity {

    class JsObject {
        @JavascriptInterface
        public String toString() { return "injectedObject"; }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_vuln);
        WebView webView = new WebView(this);
        webView.addJavascriptInterface(new JsObject(), "injectedObject");
        setContentView(webView);
        webView.loadUrl("http://www.google.com");
    }
}
```

output.txt
