Hey everyone, welcome to pentestguy. I am back with another post on Android penetration testing (dynamic analysis), in which we focus on exploiting Android components.
We know that an Android application contains different components such as activities, content providers, services, and broadcast receivers. Each component has its own use according to its functionality, and here we are going to exploit those components. Learn about Android components – https://developer.android.com/guide/components/fundamentals
What is ADB?
ADB (Android Debug Bridge) is a command-line utility that lets us talk to the device and perform actions such as installing applications. In this article we demonstrate everything using ADB only; you can download it separately, use it directly from Appie (Android Pentesting Portable Integrated Environment), or, as a Linux user, simply install it with your package manager.
Here I am using Appie with Genymotion; if you don't know how to install and use Genymotion, you can follow the video link given below.
To exploit Android components, we are going to use DIVA (Damn Insecure and Vulnerable Application) and InsecureBankV2.
Exploit Insecure Activity
An Intent is a messaging object we can use to request an action from a component of the same app or of another app. The most common use of an intent is to launch an activity. The vulnerable application I am using here, DIVA, declares an intent filter with a custom action on the target activity and starts that activity with an intent carrying the action.
Don't know where to get information about activities or intent filters? The answer is really simple: reverse engineer the application and check the AndroidManifest.xml file. If you don't know how to do that, follow this article – https://pentestguy.com/insecure-data-storage-dynamic-analysis/
Example – In this scenario, the insecure activity contains sensitive information, and the application starts it with an explicit intent when the 'VIEW API CREDENTIALS' button is pressed. If an attacker starts that activity directly, it exposes the sensitive information.
In the above example, the activity has an intent filter with an action that is used to call it from within the application:
adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS
Exploit Insecure Activity with Extra value
Example – In this scenario, the activity is also insecure, but when we try to exploit it, it asks for a PIN. Digging into the source code, we found that it has boolean logic based on a check_pin value.
Checking the logic, we found chk_pin there, but its actual value is present in /res/values/strings.xml.
In the above example, we can see the logic that checks the chk_pin boolean value.
In the above picture, we can find the value of chk_pin. Because the check is driven by an extra supplied by whoever sends the intent, we can pass it ourselves:
adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS2 --ez check_pin false
Exploit Insecure Activity (exported true)
Example – In this scenario, an insecure activity is present that can be called/run directly without logging into the application. This example is taken from InsecureBankV2.
adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin
Exploit Content Provider
Content providers are used to store application data, typically in a relational database. A provider is like a central repository in which data is stored, accessed, and modified according to the requester's needs. The content URI (Uniform Resource Identifier) is the key concept of content providers: to access data from a provider, the URI is used as the query string.
Example – In this scenario, the application has a content provider that holds user data and is protected by proper permission checks in the UI. To check whether the content provider is vulnerable, first check whether the application declares any content provider at all, then check whether its URI can be used to access the data directly.
In the AndroidManifest file, we can find whether a provider is present or not.
The content URI is present in the NotesProvider class; it entirely depends on the application logic.
adb shell content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes
Exploit Broadcast Receiver
Broadcast receivers are used to respond to system-wide events. They allow us to register for system and application events, and when such an event happens, the registered receivers get notified.
Example – In this scenario, the application has a broadcast receiver that is exported and not protected by a permission, meaning that any app can create an Intent that will trigger this receiver.
According to the code, there are two string values that need to be passed:
adb shell am broadcast -a theBroadcast -n com.android.insecurebankv2/com.android.insecurebankv2.MyBroadCastReceiver --es phonenumber 5554 --es newpass Hacker@123
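All three findings above (the exported activities, the open content provider, and the unprotected broadcast receiver) come down to the same manifest property: a component is reachable from outside the app and has no permission attached. The script below is an added example, not code from the original post or from the DIVA / InsecureBankV2 projects. It parses AndroidManifest.xml text (the file the post tells you to read after reverse engineering the APK) and reports every exported activity, service, receiver or provider that carries no android:permission (or read/write permission for providers), applying the platform's defaulting rules for when android:exported is missing. The sample manifests are constructed for this example and only reuse component names from the post; the permission name jakhar.aseem.diva.permission.READ_NOTES in the hardened manifest is hypothetical.

```python
# Added example (not from the original post or either vulnerable app): a static
# check that flags exported Android components with no permission attached.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def android_attr(elem, name):
    """Read an android:* attribute (ElementTree keys it as {namespace}name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Apply the platform defaulting rules when android:exported is absent."""
    explicit = android_attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # Providers are exported by default only when targeting API < 17.
    if elem.tag == "provider":
        return target_sdk < 17
    # Other components default to exported when they declare an intent-filter
    # (targetSdk 31+ refuses to install such a manifest without an explicit flag).
    return elem.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml, target_sdk=30):
    """Return (tag, name) for every exported component that has no permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        perms = [android_attr(comp, "permission")]
        if comp.tag == "provider":
            perms += [android_attr(comp, "readPermission"),
                      android_attr(comp, "writePermission")]
        if not any(perms):
            findings.append((comp.tag, android_attr(comp, "name")))
    return findings


# Constructed sample manifest (not the real DIVA/InsecureBankV2 manifest); it
# mirrors the four components reached by the adb commands in the post.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <application>
    <activity android:name=".APICredsActivity">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name="com.android.insecurebankv2.PostLogin" android:exported="true"/>
    <provider android:name=".NotesProvider"
              android:authorities="jakhar.aseem.diva.provider.notesprovider"
              android:exported="true"/>
    <receiver android:name="com.android.insecurebankv2.MyBroadCastReceiver" android:exported="true">
      <intent-filter><action android:name="theBroadcast"/></intent-filter>
    </receiver>
    <activity android:name=".MainActivity" android:exported="false"/>
  </application>
</manifest>"""

# Same components, hardened: internal-only components set exported="false";
# the provider stays exported but now requires a (hypothetical) permission.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <application>
    <activity android:name=".APICredsActivity" android:exported="false">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name="com.android.insecurebankv2.PostLogin" android:exported="false"/>
    <provider android:name=".NotesProvider"
              android:authorities="jakhar.aseem.diva.provider.notesprovider"
              android:exported="true"
              android:permission="jakhar.aseem.diva.permission.READ_NOTES"/>
    <receiver android:name="com.android.insecurebankv2.MyBroadCastReceiver" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, find_unprotected_exports(xml))
```

Run against the weak manifest it lists exactly the activity behind VIEW_CREDS, the PostLogin activity, the NotesProvider and MyBroadCastReceiver; against the hardened manifest it reports nothing. Note that it only reads the manifest: a component can still be exposed through application logic (for example an activity that trusts the check_pin extra from its caller), so treat a clean result as a starting point for the dynamic testing shown in this post, not as proof the app is safe.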
If you found this post helpful, please share it with your co-workers and friends. Please leave your valuable comments and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!
References
https://github.com/dineshshetty/Android-InsecureBankv2
https://github.com/payatu/diva-android