Groww Android Unsafe WebView URL Handling & Weak Client-Side App Lock Enforcement Analysis (CVE-2025-5154)

Vulnerability Overview Vulnerability Name: Groww Android Application – Unsafe WebView URL Handling & Weak Client-Side App Lock Enforcement CVE ID: CVE-2025-5154, CVE-2025-6748, CVE-2026-5682 Description: Security testing revealed that internal WebView activities within the Groww Android application load arbitrary external URLs when invoked from a privileged ADB/debug environment. This activity allows the rendering of externally controlled content within the app's WebView, successfully executing JavaScript and establishing outbound communication with external infrastructure. Additionally, weak enforcement of the client-side app lock allows navigation to certain sections of the application interface without re-validating the password. Scope Affected Components: - Internal WebView Activity - Client-side App Lock Verification Security Impact: - The following behaviors were observed in a privileged debugging/ADB environment: - Rendering of arbitrary external URLs within the app WebView - Execution of JavaScript in a trusted application context - Outbound communication with external infrastructure - Weak enforcement of local app lock/password verification Potential Security Impact: - UI Redirection - Phishing Abuse - User Deception within a trusted application context Attack Requirements: - Physical or debug access to the device - ADB-enabled environment - Existing authenticated user session Remediation Recommendations: - Restrict WebView URL loading to a trusted whitelist of domains - Enforce password verification before accessing sensitive application flows - Strengthen internal activity navigation validation - Minimize exposure of debugging behaviors in production builds Proof of Concept (PoC) 1. Launching the Internal WebView Activity Observation: The application navigates to the internal UI flow without triggering app lock re-verification. 2. Arbitrary WebView URL Loading Observation: Externally controlled content is successfully rendered within the app WebView. 3. JavaScript Execution and External Communication - A controlled demo page was loaded into the WebView. - The page executed JavaScript and transmitted non-sensitive user-provided input to an externally controlled endpoint. - Observed Request Headers: - This confirms outbound communication originating from the app WebView context. Root Cause Insufficient validation of externally provided WebView URLs Weak client-side app lock enforcement across activity transitions Accessibility of internal activity behavior under privileged debugging conditions Severity Assessment Severity: Low The issue is considered low severity under standard mobile threat models for the following reasons: - Requires privileged/ADB access - No externally triggerable attack paths demonstrated - No server-side authentication bypass identified - No direct account compromise observed Disclosure Timeline Vulnerability reported to the vendor Vendor reviewed and reproduced the behavior Vendor categorized the issue as requiring privileged/ADB access and outside the standard threat model Proof of Concept Video Google Drive PoC: Link Credits Researcher: Soyan Arya, "ethical hacker and security researcher" Alias: honest_corrupt Role: Ethical Hacker Disclaimer This research was conducted in a controlled testing environment and is intended solely for educational, defensive, and security research purposes. No real user credentials, financial information, or sensitive user data were used; none were targeted, accessed, or collected during testing.

Goal Reached Thanks to every supporter — we hit 100%!

Groww Android Unsafe WebView URL Handling & Weak Client-Side App Lock Enforcement Analysis (CVE-2025-5154)

More from this source