PdfViewerActivity is exported with no permission protection and accepts an arbitrary file path via the extra_path intent extra. The path is passed directly to ParcelFileDescriptor.open() with no validation, allowing any app on the device to make Origin open and render arbitrary files accessible to the app process.
CWE-926 — Improper Export of Android Application Component
CWE-73 — External Control of File Name or Path
Local attack vector, requires co-installed malicious app, no root required.
Vulnerable Code
AndroidManifest.xml:
<activity android:exported="true"
android:name="com.cormac.originandroidpackage.PdfViewerActivity"
android:label="Report"/>

PdfViewerActivity.java:
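String stringExtra = getIntent().getStringExtra(EXTRA_PATH);
// 268435456 == 0x10000000 == ParcelFileDescriptor.MODE_READ_ONLY; the caller-supplied path is opened with no validation
this.pfd = ParcelFileDescriptor.open(new File(stringExtra), 268435456);

Proof of Concept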
Tested on API 28 (Android 9):
adb shell am start -n com.cormac.originandroidpackage/.PdfViewerActivity \
--es extra_path "/sdcard/Download/poc.pdf"

External file renders successfully in the app UI.

Affected Versions
Confirmed on Android 9 (API 28). Scoped storage on Android 10+ partially mitigates external storage access, but the vulnerable code path remains present and the app is available to download on devices running older OS versions.
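
One way to close the path-control half of this issue, as an added example that is not the app's own code: canonicalize the extra_path value and accept it only if it resolves to a regular file inside a directory the app owns, before it reaches ParcelFileDescriptor.open(). The class name ReportPathValidator, the method resolveInside and the "reports" directory are assumptions; main() uses a constructed temp-directory layout so the check runs as plain Java.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public final class ReportPathValidator {
    /** Returns the canonical file only if it is a regular file under baseDir. */
    public static File resolveInside(File baseDir, String untrustedPath) throws IOException {
        if (untrustedPath == null || untrustedPath.isEmpty()) {
            throw new SecurityException("missing path");
        }
        // Canonicalize both sides so ".." segments and symlinks are resolved first.
        File base = baseDir.getCanonicalFile();
        File candidate = new File(untrustedPath).getCanonicalFile();
        // Trailing separator: "<base>-evil/x.pdf" must not match "<base>".
        if (!candidate.getPath().startsWith(base.getPath() + File.separator)) {
            throw new SecurityException("path outside report directory");
        }
        if (!candidate.isFile()) {
            throw new SecurityException("not a regular file");
        }
        return candidate;
    }

    // Constructed demo: a temp directory stands in for the app's private storage.
    public static void main(String[] args) throws IOException {
        File root = Files.createTempDirectory("origin-demo").toFile();
        File reports = new File(root, "reports");        // assumed report directory name
        File sibling = new File(root, "reports-evil");   // shares a string prefix with it
        reports.mkdirs();
        sibling.mkdirs();
        File ok = new File(reports, "report.pdf");
        File outside = new File(sibling, "other.pdf");
        ok.createNewFile();
        outside.createNewFile();
        String[] inputs = {
            ok.getPath(),                                              // inside: allowed
            outside.getPath(),                                         // prefix sibling: denied
            new File(reports, "../reports-evil/other.pdf").getPath(),  // traversal: denied
            "/sdcard/Download/poc.pdf",                                // path from the PoC: denied
        };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW " + resolveInside(reports, in));
            } catch (SecurityException e) {
                System.out.println("DENY  " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

If no other app needs to launch the viewer, setting android:exported="false" on the activity removes the external entry point as well.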