Conversation

carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

This case study documents a full Android exploit chain in TikTok that achieves native Remote Code Execution (RCE) by chaining a WebView Universal XSS, deep-link pivots, an intent:-scheme gadget to a protected activity, and a Zip Slip in the mini‑app SDK update pipeline to overwrite a native library. No CVEs are cited; all code/steps are from reversing TikTok’s APKs and split APKs.


Attack surface: WebView hardening checklist
Entry deep link: t...

🔧 Technical Details

Universal XSS from URL fragments in evaluateJavascript: When code embeds the navigated URL inside a single‑quoted JS string passed to evaluateJavascript(), inject via the URL fragment to break out of the string (fragments aren’t encoded). Example: https://host/path#',PAYLOAD,' executes in the app’s WebView if the pattern resembles evaluateJavascript("...('\"+url+"\')").

Opening internal deep links from JS: If a JS bridge (e.g., ToutiaoJSBridge) exposes a openSchema method, it can open non-exported/internal schemas (aweme://*) from within the WebView, bypassing platform‑level export restrictions.

Bypassing allowlists via scheme abuse: When validators only check hostnames, use javascript://allowed.host/%0aPAYLOAD to keep the host constant while switching to the javascript: scheme for script execution.

Lever...

🤖 Agent Actions

I have updated HackTricks with the technical techniques and exploitation chain described in the blog, placing the content into the most relevant existing Android pentesting pages and preserving the structure/style. The changes introduce concrete, reusable techniques:

Summary of updates made:

  1. WebView Attacks
  • Added an “Advanced exploitation: UXSS to Intent/Deep-Link pivot to Native RCE” section including:
    • Universal XSS via evaluateJavascript() string injection by leveraging URL fragments.
    • Using a JS bridge to open internal deep links (openSchema) from WebView JS.
    • Host-allowlist bypass using javascript:// scheme while preserving the allowed host.
    • Intent-scheme trampoline via WebViewClient Intent.parseUri and user-gesture gate considerations.
    • Update pipeline abuse overview (version bump + filename-derived MD5 + Zip Slip overwrite) as a general technique.
    • Frida hook snippet to log evaluateJavascript calls.
    • Developer mitigations relevant to these classes of issues.
  • Added the blog as a reference.

File modified:

  • src/mobile-pentesting/android-app-pentesting/webview-attacks.md
  2. Intent Injection
  • Added a new section “WebViewClient intent: handler and gesture-gate bypass (case-study pattern)” including:
    • Typical WebViewClient intent:-scheme handler logic and the recent-click gate.
    • Strategy to bypass via alternate gadgets (another activity’s WebViewClient or toggling behavior via deep-link extras like disable_app_link=false).
    • Example JS bridge call using openSchema to reach internal schema and then intent:#Intent to start protected components.
    • Mitigations and cross-references to the WebView section.
  • Added the blog as a reference.

File modified:

  • src/mobile-pentesting/android-app-pentesting/intent-injection.md
  3. Insecure In-App Update RCE
  • Added a new case-study pattern section: “Mini‑app SDK update (version bump + MD5-from-URL + Zip Slip → native RCE)” including:
    • Forced update by version bump (sdkUpdateVersion=9999).
    • Filename-derived MD5 integrity gate and the trick to name archives anything_{md5}.zip.
    • Context initialization via bridge (preloadMiniApp) prior to update trigger.
    • Zip Slip overwrite details for app_lib native library paths (libjsc.so example).
    • End-to-end PoCs, hunting tips (enumerate split APKs with adb shell pm path), and developer mitigations.
  • Added the blog as a reference.

File modified:

  • src/mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md

Why these locations:

  • WebView/JS bridge and javascript:// bypass content belongs in WebView Attacks.
  • intent:// trampoline and gesture gate bypass is suited for Intent Injection.
  • The updater exploitation (version bump, MD5-from-URL, Zip Slip overwrite) fits the Insecure In-App Update RCE page.

Notes:

  • I avoided creating new files as existing Android WebView/Intent/Updater pages already cover these topics and were appropriate to extend.
  • Internal references were preserved and checked (relative paths with {{#ref}} are correct).
  • The blog URL was added to the References section in all updated files.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
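As an added defender-side example (not code from this PR, the blog post, or the HackTricks pages it edits), the following Node.js snippet shows the three hardening checks that correspond to the pivots in the chain summarised above: building an `evaluateJavascript()` argument without string concatenation so a URL fragment cannot break out of the string, validating a URL against an allowlist by scheme as well as host so `javascript://allowed.host/...` is rejected, and refusing Zip entries whose normalised path escapes the extraction directory (Zip Slip). The host name `allowed.example`, the cache directory path and the `onNavigate` callback are placeholders chosen for the example; the fragment `#',1+1,'` is a constructed, harmless stand-in for the `#',PAYLOAD,'` shape described above.

```javascript
// Added example, not part of the PR or the blog post. Placeholders:
// allowed.example (host), /data/user/0/app/cache/miniapp (dest dir),
// onNavigate (the JS function the app calls with the navigated URL).

// --- 1. evaluateJavascript() argument construction -------------------------
// Vulnerable pattern from the case study: the URL is pasted into a
// single-quoted JS string, so a fragment like #',PAYLOAD,' closes the literal.
function buildScriptUnsafe(url) {
  return "onNavigate('" + url + "')";
}
// Hardened: JSON.stringify emits a JS string literal with quotes, backslashes
// and line terminators escaped, so the URL can only ever be data.
function buildScriptSafe(url) {
  return "onNavigate(" + JSON.stringify(url) + ")";
}
// Evaluates the generated script with a stub onNavigate and reports how many
// arguments reached it. With the unsafe builder a crafted fragment turns one
// argument into several, which is exactly the string breakout.
function argumentCount(script) {
  const args = [];
  new Function("onNavigate", script)((...a) => args.push(...a));
  return args.length;
}

// --- 2. Allowlist validation of deep-link / navigation URLs -----------------
const ALLOWED_HOSTS = new Set(["allowed.example"]); // placeholder host
// Host-only check: the flawed validator described in the case study.
// javascript://allowed.example/%0a... parses with the expected host.
function hostOnlyCheck(raw) {
  try {
    return ALLOWED_HOSTS.has(new URL(raw).hostname);
  } catch {
    return false;
  }
}
// Hardened: require an explicit scheme allowlist in addition to the host.
function isAllowedUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;
  return ALLOWED_HOSTS.has(u.hostname);
}

// --- 3. Zip Slip guard for an update/extraction pipeline --------------------
// Normalises the entry name segment by segment (POSIX rules, as on Android)
// and rejects anything that would resolve outside the destination directory.
// Only the entry name is inspected, so this works without a zip library.
function isSafeZipEntry(destDir, entryName) {
  if (!destDir.startsWith("/")) return false;          // require an absolute dest
  if (entryName.includes("\\") || entryName.includes("\0")) return false;
  if (entryName.startsWith("/")) return false;          // absolute entry escapes dest
  const stack = [];
  for (const seg of entryName.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (stack.length === 0) return false;             // climbed above dest
      stack.pop();
      continue;
    }
    stack.push(seg);
  }
  return true;
}

if (typeof require !== "undefined" && require.main === module) {
  const crafted = "https://host/path#',1+1,'"; // constructed, harmless fragment
  console.log("unsafe args:", argumentCount(buildScriptUnsafe(crafted)));
  console.log("safe args:  ", argumentCount(buildScriptSafe(crafted)));
  console.log("host-only:  ", hostOnlyCheck("javascript://allowed.example/%0a1+1"));
  console.log("hardened:   ", isAllowedUrl("javascript://allowed.example/%0a1+1"));
  console.log("zip entry:  ", isSafeZipEntry("/data/user/0/app/cache/miniapp", "../../app_lib/libjsc.so"));
}
```

The `argumentCount` helper is only there to make the breakout observable: the unsafe builder lets the fragment split one string argument into three, while the `JSON.stringify` form keeps it as a single string. The Zip entry check deliberately inspects names rather than trusting the extractor, which is the control that would have stopped the `app_lib`/`libjsc.so` overwrite described in the summary regardless of how the archive passed the filename-derived MD5 gate.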

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://dphoeniixx.medium.com/practical-android-pentesting-a-case-study-on-tiktok-rce-4a82e79cc7c6

Content Categories: Based on the analysis, this content was categorized under "Pentesting Mobile Apps > Android > WebView/JS Bridge and Deep Link/Intent Abuse (UXSS to RCE via Zip Slip)".

Repository Maintenance:

  • MD Files Formatting: 901 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
