The Google AOSP Email App is vulnerable to HTML Injection on the email body. It allows a remote attacker to be able to send a crafted email with a payload that redirects the user to a target url as soon as he opens the email. This issue is not related with the email provider configured on the app but with the incorrect filter of potential dangerous tags on the client side.
In the following PoC we sent an email with the HTML tag meta using the attribute http-equiv refresh to redirect the user to the target URL.
As you can see from this PoC, this vulnerability has a dangerous potential for phishing attacks. With a bit of creativity, a convincing phishing scenario is plausible.
This app is available in all Android versions up to Kitkat(4.4.4). This application exists because up until Gmail for Android 5.0, it was the only way to configure other email providers (Exchange Servers, Yahoo,Hotmail,etc) on Android.
From Android Lolipop (5.0) upwards , the AOSP app no longer exists in the system.
Since probably that are still a lot of users using the AOSP Email App we decided to contact Google regarding this issue. After some interactions, Google gave us the feedback that they don't have plans for the fix of this vulnerability.
Written by Cláudio André