Hello, everyone. I'm a cyber security amateur. I have some programming skills in PHP and Python, and I learned a little App Inventor when I was 14. I know that developers who are good at Android can build and compile their own App Inventor Extension, then load it into the App Inventor IDE Server. But I have a question about this feature (loading a custom extension): can the developer inject malicious functions into the extension source code, such as Runtime.getRuntime.exec(), then trigger the malicious code when importing the aix file or compiling the APK package, to receive a reverse shell from the App Inventor Web Server? Thanks!
From the App Inventor servers? No. The code in extensions runs on your Android device though and of course will have the same permissions as the host app (either the companion or compiled app). That is a risk inherent with using the extension mechanisms--it requires that the user trust the author of the extension to not do anything malicious. If someone is really paranoid, they should not use extensions and stick to the core App Inventor components.