Penetrate the Protected Component in Android Part -2

Introduction

Phones have now become an integral part of everyday lives. You can’t go one day without using your phone. Now, this usage is directly proportional to the data that you feed into these devices. Every day, more and more data is being generated and stored in android devices, leading to an increase in the threat of vulnerabilities to the ecosystem of these devices.

This makes it highly imperative to understand the common vulnerabilities and how to remediate them.

Hello guys, Welcome back! I hope you have gone through the previous blog, where we discussed the working of Android application components and Intent Redirection. if you have not read previous blog on, then you can read it Penetrate the Protected Component in Android. In this blog, we will try to look into some Intent Based attack Vectors that often comes up on Android Applications. Also demonstrate the exploitation in the real Environment.
Intent Based Attack Vectors takes place when developer Not validating/filtering the intent data while communicating b/w Application Components.

Prerequisites

Before Starting with this Blog, it is assumed that the reader has prior knowledge of Java, and also has a basic understanding of Android Application Components lifecycle.

There are Two Intent Common Vulnerabilities:

• Intent Spoofing
• Intent Interception

Intent Spoofing

Intent Spoofing is a vulnerability where a malicious application can send arbitrary data to the application that induces undesired behaviour by forging an intent.
This vulnerability occurs when application components are not adequately secured.

Let’s Understand with a basic Vulnerable Application.

AndroidMainfest.xml

Fragment of the AndroidManifest.xml file

Activity Intercept

Application Simply Obtaining the “baseurl” extra string info from the intent. This activity is exported. So any third party application can access the exported activity with any arbitrary data in baseurl parameter. An attacker can load any evil Url in the application.

Exploit code

In the above given example we demonstrated the intent spoofing of an exported component.

Intent Interception

Intent interception involves a malicious application receiving an intent that was not intended for it. This can cause a leak of sensitive information, but more importantly it can result in the malicious component being activated instead of the legitimate component.

Means If an application component sends intent data to another component that is not secure enough, A malicious application can receive the application intent data.

Intent interception takes place in both kinds of intent (implicit or explicit).

We will look into implicit intent here.

One simple real-world example is deep link Interception. I’ll give a quick introduction to it here and deep dive into it in a separate blog.

Deep links are basically URLS that navigate users directly to specific content in the Mobile application.

For example: when you click on an email received by Amazon it opens the Amazon mobile application with specific content.

Let’s Examine with an example:

Application code

AndroidMainfest.xml

An attacker can create a malicious application with the same scheme and host,as you know that in deep link when a user clicks an URL, it opens a dialog which asks the user to select one of multiple apps handling the given URL.

Exploit Code

AndroidMainfest.xml

MainActivity

An attacker can send the intent data to their own server. This attack sometimes leads to account takeover by intercepting the password reset link.

Let us now discuss intent interception and intent spoofing both together.

we will learn about StartActivityforresult Android api 

How StartActivityforResult Call works

• Application Start the MainActivity .
• MainActivity call Activity2 and wait for result by startActivityforresult
• Activity2 has setresult Method defined that returns the result code and intent data to the Originating activity. Mean it return to That activity that calls setResult Activity . here originating Activity is MainActivity.
• After returning the result code and intent data. In MainActivity onActivityResult Method Called

What the hack ??

If the result returning activity is exported then we can call that activity. As we know that if any component is exported then we can launch that component directly.

Lets dig in a little deeper

As explained earlier that setresult method Return result to the Originating Activity. if the setresult defined activity is exported then a malware application can intercept /Spoof intent, send arbitrary intents and also steal/access application private data.

Before moving to the Demonstration part we have to know something interesting about intent

❗ there are two methods used for initializing intent

Intent intent = new Intent();
              and          
Intent intent = getIntent(); 

Both can give the same result but In the context of an Activity, getIntent() will return the Intent that was originally sent to the Activity. and new Intent() simply Inilitize the intent object. it not return anything . it used to start another activity.

1. if Intent intent = new Intent(); then we can only intercept the intent , we can’t access any other component because in this case the application not receiving attacker intent data.
2. if Intent intent = getIntent(); then we can intercept and also spoof the intent . By spoofing the intent we can access application protected component .Because getIntent return the Intent that was originally sent to the Activity

We will now discuss two different Use cases first intent interception when new intent() is used and another one of both intent interception and spoofing when getintent() is used.

Case 1 : Intent Interception

Let’s Understand with an Example

Application code

AndroidMainfest.xml

MainActivity

1. Using explicit intent application Activity is switched from MainActivity to MainActivity3
2. start the activity for result startActivityForResult method, from MainActivity3

Let have a look at MainActivity3 Code

MainActivity3

• adding data into the Intent object
  • Call this to set the result that your activity will return to its caller. Here caller is MainActivity
  • Finish the activity means this activity is not visible to the user.

1. onactivityresult API called to handle Result.

As you see in Above application code

• setResult is defined in MainActivity3 Activity
• MainActivity3 Activity is exported.
• New Intent() is used to Initializing Intent.

Looking at the above points it is confirmed that a malware application can only intercept the intent data, not spoof the intent.

Malware application code

Intent intent = new Intent();

intent.setClassName("com.sample.result1","com.sample.result1.MainActivity3")
startActivityForResult(intent, 0);

protected void onActivityResult(int requestCode, int resultCode, Intent data) {  
    super.onActivityResult(requestCode, resultCode, data);  
    // check if the request code is same as what is passed  here it is 2  

 String message = data.getStringExtra("MESSAGE");  
        Log.d("data4", message);  

}

1. Create an intent Object
2. set the classname of application which you want to call
3. startActivityForResult called means requires a result from the second activity (activity to be invoked
4. setresult method called from the victim app returns the result to the Attacker Application. because setresult return result to Originating Activity . Here Originating activity is attacker application activity.

Suggested Read – How to find and mitigate XML External Entity (XXE) Injection

Case2 : Intent Interception+Spoofing

For the demonstration we will take previous Application code the only change is getintent in place of new intent in MainActivity3 Activity.

MainActivity3

As we already discussed about getintent and new Intent() difference above. So let’s move to the exploitation part.

So An application can intercept and spoof the Intent of the application. and
A Malware application can access protected components like content provider, file provider etc. that we will discuss in next Part. Here we will see only how we can intercept and spoof the intent .

Exploit code

In the above figure it is shown that a malware application can send any arbitrary intent data to the application, also intercept the Application intent data. like that a malware application can send data Uri of content provider and file provider and able to access the application protected internal data,files .

Suggested Read : Wi-Fi Penetration Testing (PreConnection Attack)

Remediation

• Avoid the use of implicit intents for communication between the components of a single app. Explicit intents are a much better choice for this situation, because they are simpler and they leave no doubt about the recipient of an intent
• Explicitly set the value of android:exported for each component in your manifest. This eliminates the risk of having a component exported inadvertently if it declares an intent filter.
• Make use of permissions when appropriate.

Conclusion

We’ve covered the Intent Interception and Intent Spoofing Vulnerability and how to exploit these in real Environment.
Hope you like this post 😉 and let us know if you prefer other tools or techniques that I did not mention in this post.

References

• http://blog.palominolabs.com/2013/05/13/android-security/index.html
• https://www.researchgate.net/figure/Different-types-of-Intent-Spoofing-vulnerability_tbl4_328296509
• https://www.ripublication.com/acst17/acstv10n5_69.pdf

By Abusing Intent Misconfiguration an attacker can access Protected Content Provider/File Provider , Sensitive files. We will learn more about it in the next blog.

About Payatu

Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.

Get in touch with us. Click on the get started button below.