VYPR
Unrated severity · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2025-68709

Description

SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URIs. This unsafe navigation path results in script execution and may allow UI spoofing or privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SailingLab AppLock 4.3.8 for Android allows local attackers to trigger arbitrary JavaScript execution via VIEW intents with javascript: URIs, enabling UI spoofing or privilege escalation.

Vulnerability

The SailingLab AppLock application (com.alpha.applock) version 4.3.8 for Android contains an unsafe navigation path in BrowserMainActivity, which accepts VIEW intents with javascript: URIs. This design flaw allows a local attacker to trigger arbitrary JavaScript execution within the app's WebView context [2]. The affected component does not properly validate or sanitize the URI scheme, making the code path reachable by any application able to send intents to this activity.

Exploitation

An attacker with local access to the device (e.g., via a malicious app installed on the same device) can craft a VIEW intent with a javascript: URI pointing to arbitrary script code. By sending this intent to SailingLab AppLock's BrowserMainActivity, the attacker causes the app to load and execute the JavaScript in its WebView. No additional permissions or user interaction beyond launching the activity are required [1], [2].

Impact

Successful exploitation results in arbitrary JavaScript execution within the context of the AppLock application. Depending on the WebView configuration and exposed Android JavaScript bridges, this could lead to UI spoofing (e.g., displaying fake lock screens or permission prompts) or privilege escalation by accessing app-internal APIs and data [2]. The exact scope of compromise is determined by the JavaScript bridges available in the WebView.

Mitigation

As of the publication date (2026-05-26), no official patch from SailingLab has been released for AppLock 4.3.8. The vulnerability has a public proof-of-concept on GitHub [2]. Users should monitor the Google Play Store listing [1] for updates and consider removing the app or restricting its intent handling via third-party policy controls until a fix is provided. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
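
The scheme check that the Vulnerability section says is missing can be written as an allowlist applied before any intent URI reaches the WebView. This is an added example, not SailingLab's code or the referenced proof-of-concept; the class `SafeBrowserActivity`, the helper `isLoadable`, and the assumption that the browser only needs remote http(s) pages are hypothetical.

```java
// Added example: hypothetical hardened browser activity, not the vendor's code.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Locale;

public class SafeBrowserActivity extends Activity {
    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        // Assumption: only remote pages are needed, so local file/content access is off.
        webView.getSettings().setAllowFileAccess(false);
        webView.getSettings().setAllowContentAccess(false);
        setContentView(webView);
        handleIntent(getIntent());
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        setIntent(intent);
        handleIntent(intent); // a running instance must validate later intents too
    }

    private void handleIntent(Intent intent) {
        Uri uri = (intent != null && Intent.ACTION_VIEW.equals(intent.getAction()))
                ? intent.getData() : null;
        if (isLoadable(uri)) {
            webView.loadUrl(uri.toString());
        } else {
            finish(); // refuse javascript:, file:, content:, data: and malformed input
        }
    }

    // Allowlist, not blocklist: only hierarchical http(s) URIs with a host pass.
    static boolean isLoadable(Uri uri) {
        if (uri == null || !uri.isHierarchical() || uri.getScheme() == null) return false;
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("https") && !scheme.equals("http")) return false;
        String host = uri.getHost();
        return host != null && !host.isEmpty();
    }
}
```

A `javascript:` URI is opaque rather than hierarchical and its scheme is not on the allowlist, so it is rejected before `loadUrl()` is ever called.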

Affected products

2

Patches

0

No patches discovered yet.

References

2
