Android Apps developed using Yappli fail to restrict custom URL schemes properly


Yappli, provided by Yappli, Inc., is an application development platform.
Android Apps developed with Yappli provide a function that opens a URL requested through a custom URL scheme.
Access to this function is not restricted properly (CWE-939), which may be exploited to direct the App to connect to unintended sites.

RyotaK reported this vulnerability and coordinated the fix with the developer.
After coordination was completed, the case was reported to IPA, and JPCERT/CC coordinated with the developer for publication under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.5 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Yappli, Inc.
  • Android Apps built with Yappli v7.3.6 or later and prior to v9.30.0


When a user accesses a malicious website containing a specially crafted URL, the vulnerable app may be directed to connect to an unintended site.
As a result, the app's internal information may be leaked and/or altered.

[Solution for developers of affected applications]
Rebuild the application with the latest development environment. Until the rebuilt version is published, remove the affected version from the application store.
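The following is an added illustration of the restriction the advisory describes as missing, not code from Yappli or from the affected apps: a deep-link handler that only navigates to a target URL after checking its scheme and host against an allow list. The scheme name "exampleapp", the "url" query parameter and the allowed hosts are assumed placeholders.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical handler for links of the form exampleapp://open?url=<target>.
// The scheme name and parameter name are assumptions for this example.
public class DeepLinkActivity extends Activity {
    // Hosts the app is allowed to open in its WebView (placeholder values).
    private static final Set<String> ALLOWED_HOSTS =
        new HashSet<>(Arrays.asList("www.example.com", "api.example.com"));

    /** Returns the validated target URL, or null if the request must be refused. */
    static String validateTarget(Uri deepLink) {
        if (deepLink == null || !"exampleapp".equals(deepLink.getScheme())) return null;
        String target = deepLink.getQueryParameter("url");
        if (target == null) return null;
        Uri t = Uri.parse(target);
        // Require https and an allow-listed host. Uri.getHost() is null for
        // non-hierarchical inputs such as "javascript:" URLs, so those are
        // rejected by the host check as well.
        if (!"https".equals(t.getScheme())) return null;
        String host = t.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        return t.toString();
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        Intent intent = getIntent();
        String target = validateTarget(intent.getData());
        if (target == null) {
            // Unintended destination: do not navigate, just close the screen.
            finish();
            return;
        }
        webView.loadUrl(target);
    }
}
```

Validating on the parsed host rather than on a substring of the raw string matters here, because a target such as https://www.example.com.attacker.example/ contains the allowed name but has a different host.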

[Solution for users of affected applications]
Please contact the application developer.
Vendor Information

Yappli, Inc.
CWE

  1. Permissions(CWE-264) [IPA Evaluation]
CVE

  1. CVE-2021-20873

  1. JVN : JVN#66422035
Revision History

  • [2021/12/22]
      Web page was published