Nextcloud allows multiple accounts within the Android client app and relies on a single lock for all of them.
Based on the (exposed) intent nc://login, it is possible to add a new account under an attacker-controlled domain and open Nextcloud without the lock check.
Proof of concept
- open the NC app with the lock displayed
- trigger the following intent: adb shell am start -a android.intent.action.VIEW -d "nc://login/server:MY_SERVER\&user:ME\&password:PWD" --es "ACCOUNT" "not_valid"
- if the "add an account" action fails, the attacker can still add an account in the screen the app opens, and can check the other accounts installed in the app.
Note that the "adb shell" commands could also be triggered by an app, so adb access is not required. The "--es" option is required to prevent an app crash on
AuthenticatorActivity.java:303 mAccount = getIntent().getExtras().getParcelable(EXTRA_ACCOUNT);
The lock can be removed, and data can then be retrieved, altered or uploaded.
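A defensive handling of the same nc://login entry point, as an added example and not the Nextcloud project's own code: the intent extras are null-checked (the NullPointerException path at line 303 above) and the login URI is discarded while the app lock is active. The class name LoginIntentActivity, the AppLock helper, its preference key and the PassCodeActivity it redirects to are assumptions.

```java
// Hypothetical hardened activity receiving nc://login (not Nextcloud code).
// AppLock, its preference key and PassCodeActivity are assumed names.
import android.accounts.Account;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;

public class LoginIntentActivity extends AppCompatActivity {
    public static final String EXTRA_ACCOUNT = "ACCOUNT";
    private Account mAccount;

    // Assumed lock state helper: a flag the app sets when its PIN screen is pending.
    static final class AppLock {
        static boolean isLocked(Context ctx) {
            return ctx.getSharedPreferences("app_lock", Context.MODE_PRIVATE)
                      .getBoolean("locked", false);
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // 1. Never assume extras exist: an external VIEW intent carrying only a
        //    data URI has getExtras() == null, which is what crashed line 303.
        Bundle extras = getIntent().getExtras();
        mAccount = (extras != null) ? extras.getParcelable(EXTRA_ACCOUNT) : null;

        // 2. Gate on the app lock before acting on anything the intent carries,
        //    so an externally delivered nc://login cannot skip the lock screen.
        if (AppLock.isLocked(this)) {
            startActivity(new Intent(this, PassCodeActivity.class)); // assumed activity
            finish();
            return;
        }

        // 3. Only once unlocked, accept the login URI (scheme "nc", host "login").
        Uri data = getIntent().getData();
        if (data != null && "nc".equals(data.getScheme()) && "login".equals(data.getHost())) {
            handleLoginUri(data);
        }
    }

    private void handleLoginUri(Uri data) {
        // Parse server/user/password segments and add the account here;
        // every path segment is still untrusted input at this point.
        for (String segment : data.getPathSegments()) {
            if (segment.startsWith("server:")) { /* assumed: store server URL */ }
        }
    }
}
```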