
Exploitation of Improper Export of Activities In Android Application


In Android, every GUI screen is a separate activity. An activity represents a single screen with a user interface, much like a window or frame in Java. An application contains as many activities as its functionality needs. For example:
An application with three modules, login, register and dashboard, has three different activities, one for each module.



What does "export" mean here?
Every Android component (activity, service, broadcast receiver, content provider) can carry the manifest attribute android:exported="true" or "false". This attribute controls whether other (third-party) applications installed on the device are allowed to use the component: start the activity, start or bind to the service, or deliver broadcast messages to the receiver.

For example: if an application declares a broadcast receiver for some event or message and that receiver is exported, any other application installed on the device can also send broadcasts to it.
If an activity is exported, another app (or adb) can launch that activity directly without any error. Depending on what the activity does, this can lead to a login bypass or another kind of bypass.

What is improper export of activities in an Android application?
The application exports a component for use by other applications but does not properly restrict which applications can launch the component or access the data it holds. Exported activities are activities that can be started by other applications on the same device.
If an application has a dashboard activity that should only be reachable after registering or logging in, but that activity is exported, it can be launched before login or registration. That bypasses the intended flow of the application and with it any extra security layer the app puts in front of the dashboard, such as passcode protection, PIN protection or 2FA.

HOW TO KNOW WHETHER AN ACTIVITY IS EXPORTED OR NOT?
  1. If an activity has the attribute android:exported="true", it is exported and any other app can launch it.
  2. If an activity has no exported attribute and no intent filter, it is not exported (the default is false).
  3. If an activity has no exported attribute but declares an intent filter, it is exported by default. This implicit rule applies to apps targeting Android 11 (API 30) or lower; from Android 12 (API 31) the attribute must be set explicitly on every component that has an intent filter, otherwise the app fails to install.
  4. On a rooted device the exported flag does not protect anything: a caller running as root can launch any activity, exported or not (for example with am start from a root shell).
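The four rules above can be applied mechanically to a decoded AndroidManifest.xml (for example the one apktool writes out). The script below is an added example, not code from this post or from any tool it mentions; it uses only the Python standard library, the sample manifest is constructed for the demo, and the package and activity names in it are made up. Besides the exported status it records the android:permission attribute and whether the activity is the launcher entry point, because those two facts decide whether an exported activity is actually a problem: the launcher activity has to be exported, and an activity behind a signature permission cannot be started by an arbitrary third-party app.

```python
"""Classify every <activity> in an AndroidManifest.xml as exported or not."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _qualify(package, name):
    """Expand the manifest shorthands '.Foo' and 'Foo' to 'package.Foo'."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def _is_launcher(activity):
    """True if some intent filter carries action MAIN and category LAUNCHER."""
    for filt in activity.findall("intent-filter"):
        actions = {_attr(a, "name") for a in filt.findall("action")}
        categories = {_attr(c, "name") for c in filt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def classify_activities(manifest_xml, target_sdk=None):
    """One dict per <activity>: name, exported (True/False/None), reason,
    permission, launcher.  Rules: an explicit android:exported wins; no
    attribute and no intent filter means not exported; no attribute but an
    intent filter means implicitly exported up to API 30, while on API 31+
    the install is rejected, which is reported as exported=None."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    if target_sdk is None:
        uses_sdk = root.find("uses-sdk")
        if uses_sdk is not None and _attr(uses_sdk, "targetSdkVersion"):
            target_sdk = int(_attr(uses_sdk, "targetSdkVersion"))

    results = []
    for act in root.iter("activity"):
        explicit = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        if explicit is not None:
            exported = explicit.strip().lower() == "true"
            reason = 'android:exported="%s"' % explicit
        elif has_filter:
            if target_sdk is not None and target_sdk >= 31:
                exported, reason = None, "intent-filter without android:exported: install rejected on API 31+"
            else:
                exported, reason = True, "implicitly exported by intent-filter"
        else:
            exported, reason = False, "no attribute, no intent-filter: default not exported"
        results.append({
            "name": _qualify(package, _attr(act, "name")),
            "exported": exported,
            "reason": reason,
            "permission": _attr(act, "permission"),
            "launcher": _is_launcher(act),
        })
    return results


def unprotected_exported(manifest_xml, target_sdk=None):
    """Exported activities any app may start: no android:permission and not
    the launcher entry point (which must be exported anyway)."""
    return [a["name"] for a in classify_activities(manifest_xml, target_sdk)
            if a["exported"] and a["permission"] is None and not a["launcher"]]


# Constructed sample manifest for the demo; not taken from a real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
    <uses-sdk android:targetSdkVersion="30" />
    <permission android:name="com.example.app.ADMIN" android:protectionLevel="signature" />
    <application>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".LoginActivity" android:exported="false" />
        <activity android:name=".DashboardActivity" android:exported="true" />
        <activity android:name=".DeepLinkActivity">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <data android:scheme="exampleapp" />
            </intent-filter>
        </activity>
        <activity android:name="SettingsActivity" />
        <activity android:name=".AdminActivity" android:exported="true"
                  android:permission="com.example.app.ADMIN" />
    </application>
</manifest>
"""

if __name__ == "__main__":
    for a in classify_activities(SAMPLE_MANIFEST):
        print("%-40s exported=%-5s %s" % (a["name"], a["exported"], a["reason"]))
    print("launchable by any app:", unprotected_exported(SAMPLE_MANIFEST))
```

On the sample manifest the script reports MainActivity and DeepLinkActivity as implicitly exported through their intent filters, DashboardActivity as explicitly exported, and only DashboardActivity and DeepLinkActivity as reachable by any third-party app; AdminActivity is exported but guarded by a signature permission, and SettingsActivity falls back to the not-exported default. Passing target_sdk=31 flips the two intent-filter activities to None, which is the install-time rejection rule. The script does not look at activity-alias elements, which follow the same rules and would need the same check.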

EXPLOITATION:

  1. Passcode/PIN protection bypass: for this please read my bug bounty writeup: https://negativewives.blogspot.com/2020/04/passcode-protection-bypass-by-brute.html
  2. Bypass PIN/fingerprint lock: https://hackerone.com/reports/331489, https://hackerone.com/reports/490946
  3. Steal files: https://hackerone.com/reports/161710
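In all of these reports the first step is the same: start the exported activity directly, skipping the screen that was supposed to come before it. From a workstation this is done with adb shell am start and an explicit component name, which needs no intent filter on the target. The helper below is an added example, not the author's code or anything from the linked reports; the package and activity names are invented. It builds the command and reads the activity manager's reply: when the target is not exported, am start fails with a SecurityException whose message contains "Permission Denial ... not exported from uid", so the same command doubles as a quick test of whether a fix was effective. Because adb runs as the shell user, not as the app, the result reflects what any other installed app could do; running it from a root shell would succeed regardless of the flag, which is why the rooted-device case above matters.

```python
"""Launch an activity by explicit component name over adb and interpret the result."""
import subprocess


def component_name(package, activity):
    """Expand the manifest shorthands '.Foo' and 'Foo' to 'package/package.Foo'."""
    if activity.startswith("."):
        activity = package + activity
    elif "." not in activity:
        activity = package + "." + activity
    return "%s/%s" % (package, activity)


def am_start_command(package, activity, extras=None, serial=None):
    """argv for `adb [-s serial] shell am start -n pkg/pkg.Activity [--es k v ...]`.
    -n targets the component explicitly, so no intent filter is needed;
    extras are passed as string extras (use --ei / --ez for int / bool)."""
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    cmd += ["shell", "am", "start", "-n", component_name(package, activity)]
    for key, value in (extras or {}).items():
        cmd += ["--es", key, value]
    return cmd


def classify_am_output(output):
    """Map what `am start` prints to one of launched / denied / missing / unknown.
    Shapes seen from the activity manager shell:
      launched: 'Starting: Intent { cmp=pkg/.Activity }'
      denied:   'java.lang.SecurityException: Permission Denial: starting Intent
                 { ... } from null (pid=N, uid=2000) not exported from uid M'
      missing:  'Error type 3' / 'Error: Activity class {...} does not exist.'"""
    if "Permission Denial" in output:
        return "denied"
    if "does not exist" in output or "Error type 3" in output:
        return "missing"
    if "Starting: Intent" in output and "Error" not in output and "Exception" not in output:
        return "launched"
    return "unknown"


def try_launch(package, activity, extras=None, serial=None):
    """Run the command against a connected device (needs adb on PATH; not used
    by the offline checks below) and return the classification."""
    proc = subprocess.run(am_start_command(package, activity, extras, serial),
                          capture_output=True, text=True)
    return classify_am_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Launching the dashboard directly; if this reports "launched" on a device
    # where no one has logged in, the login/PIN screen has been skipped.
    print(" ".join(am_start_command("com.example.app", ".DashboardActivity")))
```

When the activity starts but the app immediately bounces back to its lock screen, the app is checking its session state itself and the exported flag alone is not the bypass; the reports above describe the cases where no such check exists.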


MITIGATION:
  1. Set android:exported="false" on every activity that other apps do not need to start. In most apps only the launcher activity has to be exported.
  2. If an activity must declare an intent filter (and is therefore exported), guard it with a custom permission at signature protection level, so only apps signed with the same certificate can launch it.
  3. The application should refuse to run on a rooted device.

For the root check, use the RootBeer library: https://github.com/scottyab/rootbeer

For the custom permission (in AndroidManifest.xml):

<!-- define a permission; protectionLevel="signature" means only apps signed with the same certificate as this app are granted it -->
<permission
    android:protectionLevel="signature"
    android:name="com.mypackage.MYPERMISSION"/>
<!-- this app requests its own permission so it can still start the activity itself -->
<uses-permission android:name="com.mypackage.MYPERMISSION" />
<!-- the activity stays exported (declare it explicitly; required from Android 12 when an intent filter is present), but only holders of the permission can start it -->
<activity android:name="..."
          android:exported="true"
          android:permission="com.mypackage.MYPERMISSION" >
    ...
</activity>
