Tags: android, android-intent, android-activity, intentfilter, android-browser

Starting Android Browsers' Private Activities using Intent URLs


First of all I have to admit that I'm a newbie in Android, but we know that in Android we can't start private activities of applications from another application, unless they're set to android:exported=true in their intent-filter or they are made for implicit calls. But we should be able to start private Activities from within the application, and when it comes to browsers (especially in Android) we can use Intent URLs to start a private Activity of the browser.

I found some Activities in Opera Mobile, and the problem is I just can't run them using Intent URLs, and I have no idea what I am doing wrong here.

For example there is an Activity in Opera called OperaMainActivity (or another called OperaStartActivity). I'm trying to start them like this:

intent:#Intent;component=com.opera.browser/com.opera.android.OperaMainActivity;end

or

intent:#Intent;component=com.opera.browser/com.opera.android.OperaStartActivity;end

But none of these will start the Activity called.

Though I can still start AdMarvelActivity, which is private as well:

"intent:#Intent;S.url=https://google.com;component=com.opera.browser/com.admarvel.android.ads.AdMarvelActivity;end";

Here is how OperaMainActivity is defined in AndroidManifest:

<activity ns0:label="@string/app_name_title" ns0:name="com.opera.android.OperaMainActivity" ns0:launchMode="singleTask" ns0:configChanges="keyboard|keyboardHidden|orientation|screenSize" ns0:windowSoftInputMode="10" />

And there is no intent-filter for it.

And this is how AdMarvelActivity is defined in AndroidManifest:

<activity ns0:theme="@*ns0:style/Theme.NoTitleBar.Fullscreen" ns0:name="com.admarvel.android.ads.AdMarvelActivity" ns0:process=":helper" ns0:configChanges="keyboard|keyboardHidden|orientation" />

I see no major difference between these two. What am I doing wrong?!


Solution

  • Vulnerable handling of the Intent URL scheme has been known for a long time, and most of the popular browsers (like Chrome, Opera) have fixed this bug. However, alternative Android browsers still have this vulnerability.

    I tried the attack on the current version of Opera Mobile (v37) and thankfully it's not working. You must be running it on an older APK.

    If you are interested in testing this attack on alternative browsers, you can follow this talk: All Your Browsers Belong To Us, which demonstrates this attack on Dolphin Browser and Mercury Browser.
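As an added illustration of the fix the answer refers to, seen from the browser's side (example code, not from the question, the answer, or Opera's code base): a hypothetical intent: URL handler that parses the URL with the real Android Intent.parseUri API and then strips the explicit component before launching. The component= field in the question's URLs is exactly what lets a web page aim an intent at the browser's own non-exported activities, so dropping it (and refusing anything that resolves back into the browser's own package) closes that path. The class name IntentUrlHandler and the method name open are assumptions; the Intent, PackageManager and ResolveInfo calls are standard Android APIs.

```java
// Added example, not code from the question or the answer.
// IntentUrlHandler and open() are hypothetical names; the Android APIs used are real.
import android.content.Context;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import java.net.URISyntaxException;

public final class IntentUrlHandler {

    /**
     * Launches an intent described by an intent: URL found in web content.
     * Returns true if something was started, false if the URL was rejected.
     */
    public static boolean open(Context ctx, String intentUrl) {
        Intent intent;
        try {
            intent = Intent.parseUri(intentUrl, Intent.URI_INTENT_SCHEME);
        } catch (URISyntaxException e) {
            return false; // malformed URL, nothing to launch
        }

        // Web content must not choose an explicit target. Dropping the component
        // (and any selector) turns the intent into an implicit one, so the
        // "component=com.opera.browser/..." trick from the question no longer applies.
        intent.setComponent(null);
        intent.setSelector(null);

        // Only activities that opted in to being opened from a browser may match.
        intent.addCategory(Intent.CATEGORY_BROWSABLE);

        // Resolve the implicit intent and check where it would land.
        ResolveInfo ri = ctx.getPackageManager().resolveActivity(intent, 0);
        if (ri == null || ri.activityInfo == null) {
            return false; // nothing handles it
        }
        // Never let a page hand the browser an intent back into itself:
        // non-exported activities are reachable from inside the same package.
        if (ctx.getPackageName().equals(ri.activityInfo.packageName)) {
            return false;
        }
        // Belt and braces: the target must be exported to other apps anyway.
        if (!ri.activityInfo.exported) {
            return false;
        }

        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(intent);
        return true;
    }
}
```

With this handler, the two OperaMainActivity URLs from the question (and the AdMarvelActivity one) all resolve to nothing once the component is removed, because none of those activities carry a BROWSABLE intent-filter; a URL such as intent:#Intent;action=android.intent.action.VIEW;category=android.intent.category.BROWSABLE;S.browser_fallback_url=...;end for a third-party app that declares such a filter still works as intended.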