Get no result for even a obviously vulnerable application

[miaochiahao]

I got nothing on Jandroid output html. I'm sure that:

• all requirements are installed properly
• the target apk has obvious webview vulnerabilities and they can be found manually accourding to the template

But I got this message in the log: {'bug_obj': {'JSbridgeBrowsable': False}

I'm not sure that whether it is a bug, or the target apk just missed the template, or something else is wrong. It would be nice for you to provide a vulnerable apk which could be detected by Jandroid, in order to prove that Jandroid is working properly.

[projectbtle]

Does the APK definitely have browsable activities that call the vulnerable web views? (the activity must match the signature given in MANIFESTPARAMS)

[miaochiahao]

Does the APK definitely have browsable activities that call the vulnerable web views? (the activity must match the signature given in MANIFESTPARAMS)

Yes, I'm pretty sure. Or can you just provide a vulnerable app? I want to make sure that jandroid is running properly on my machine. I got no result from androidguard androguard while debugging.

[projectbtle]

Unfortunately, I don't have vulnerable apps that can be shared.

There have been some code changes recently. Can you try with the updated code?

[zoro3s]

<activity android:name=".WebviewActivity">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.BROWSABLE" />
<data
android:host="www.test.com"
android:scheme="www" />
</intent-filter>
</activity>

public class WebviewActivity extends AppCompatActivity {

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_webview);
    setTitle("WebViewActivity");
    EditText et = (EditText)findViewById(R.id.et1);
    WebView webView = (WebView)findViewById(R.id.webview);
    webView.addJavascriptInterface(new test(),"mmm");
    Intent intent = getIntent();
    Uri uri = intent.getData();
    String url=uri.getQueryParameter("url");
    webView.loadUrl(url);
}

}

DEBUG Finished analysing Webview-debug.apk with output {'bug_obj': {'JSbridgeBrowsable': False}, 'graph_list': []}.
got nothing！！！

[miaochiahao]

<activity android:name=".WebviewActivity">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.BROWSABLE" />
<data
android:host="www.test.com"
android:scheme="www" />
</intent-filter>
</activity>

public class WebviewActivity extends AppCompatActivity {

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_webview);
    setTitle("WebViewActivity");
    EditText et = (EditText)findViewById(R.id.et1);
    WebView webView = (WebView)findViewById(R.id.webview);
    webView.addJavascriptInterface(new test(),"mmm");
    Intent intent = getIntent();
    Uri uri = intent.getData();
    String url=uri.getQueryParameter("url");
    webView.loadUrl(url);
}

}

DEBUG Finished analysing Webview-debug.apk with output {'bug_obj': {'JSbridgeBrowsable': False}, 'graph_list': []}.
got nothing！！！

这个我和同事确认过了，他自带的实例规则写的有些问题，需要自己改动

[zoro3s]

哦哦，是写的规则有问题么，那我再看下，多谢多谢

[ExLuck]

<activity android:name=".WebviewActivity">
<intent-filter>
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.BROWSABLE" />
<data
android:host="www.test.com"
android:scheme="www" />
</intent-filter>
</activity>
public class WebviewActivity extends AppCompatActivity {

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_webview);
    setTitle("WebViewActivity");
    EditText et = (EditText)findViewById(R.id.et1);
    WebView webView = (WebView)findViewById(R.id.webview);
    webView.addJavascriptInterface(new test(),"mmm");
    Intent intent = getIntent();
    Uri uri = intent.getData();
    String url=uri.getQueryParameter("url");
    webView.loadUrl(url);
}

}
DEBUG Finished analysing Webview-debug.apk with output {'bug_obj': {'JSbridgeBrowsable': False}, 'graph_list': []}.
got nothing！！！

I confirmed this with my colleagues. There are some problems with the example rules that come with him, and I need to modify them myself.

Can you share the edited rule?