Components are the essential building blocks of an Android app. Android has four kinds of application component: activity, service, content provider, and broadcast receiver. Component security cannot be ignored in Android applications. The following describes the commonly used testing methods for Android component security.
Tools: drozer, Android killer, ADB
Example APK: sieve.apk, goatdroid.apk
Activity component exposure
An activity provides a single screen for user interaction. If an activity is exposed and the application controls permissions improperly, an attacker can bypass the login screen and directly open the post-login screens.
Test method
Generally, there are two ways to detect this problem: one is to decompile the APK and inspect the contents of AndroidManifest.xml; the other is to use ADB or drozer debugging to list the components.
Decompile apk
After decompiling the APK, check the contents of AndroidManifest.xml and look for activity tags with android:exported="true", as follows:
<activity android:clearTaskOnLaunch="true" android:excludeFromRecents="true" android:exported="true" android:finishOnTaskLaunch="true" android:label="@string/title_activity_pwlist" android:name=".PWList"/>
Or an activity tag that has an intent-filter configured but does not set android:exported="false", as follows:
<activity android:excludeFromRecents="true" android:label="@string/app_name" android:launchMode="singleTask" android:name=".MainLoginActivity" android:windowSoftInputMode="adjustResize|stateVisible">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
This indicates that these activity components (com.mwr.example.sieve.PWList, com.mwr.example.sieve.MainLoginActivity) are exposed.
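As an added example (not from the original article or the sieve project), the following Python script applies the manifest rule above to every activity, service, receiver and provider tag, and records whether an exposed component is protected by a permission, which decides which fix applies. The sample manifest is constructed from the sieve tags quoted here plus two made-up non-exposed components (SettingsActivity, AuthService) that must not be flagged.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def android_attr(elem, name):
    """Read an android:<name> attribute; ElementTree needs the full namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exposed(elem):
    """The article's rule: android:exported="true", or an <intent-filter>
    present while android:exported="false" is not set (exported by default)."""
    exported = android_attr(elem, "exported")
    has_filter = elem.find("intent-filter") is not None
    return exported == "true" or (has_filter and exported != "false")

def find_exposed_components(manifest_xml):
    """One finding per exposed component, with its permission status."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exposed(elem):
            continue
        name = android_attr(elem, "name") or ""
        if name.startswith("."):          # ".PWList" -> "com.mwr.example.sieve.PWList"
            name = package + name
        perm_attrs = ("permission", "readPermission", "writePermission")
        perms = [android_attr(elem, a) for a in perm_attrs]
        for pp in elem.findall("path-permission"):   # providers: per-path protection
            perms += [android_attr(pp, a) for a in perm_attrs[1:]]
        findings.append({"type": elem.tag, "name": name,
                         "permission_protected": any(p is not None for p in perms)})
    return findings

# Constructed sample: sieve tags from the article plus two non-exposed components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.mwr.example.sieve"><application>
<activity android:exported="true" android:name=".PWList"/>
<activity android:name=".MainLoginActivity"><intent-filter>
  <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
<activity android:name=".SettingsActivity"/>
<service android:exported="false" android:name=".AuthService"><intent-filter>
  <action android:name="com.mwr.example.sieve.AUTH"/></intent-filter></service>
<provider android:authorities="com.mwr.example.sieve.DBContentProvider" android:exported="true" android:name=".DBContentProvider">
  <path-permission android:path="/Keys" android:readPermission="com.mwr.example.sieve.READ_KEYS" android:writePermission="com.mwr.example.sieve.WRITE_KEYS"/>
</provider>
<provider android:authorities="com.mwr.example.sieve.FileBackupProvider" android:exported="true" android:name=".FileBackupProvider"/>
</application></manifest>"""
```

Running `find_exposed_components(SAMPLE_MANIFEST)` flags PWList, MainLoginActivity and both providers, with only DBContentProvider marked as permission-protected (and only for its /Keys path, which is why the provider section below still finds it worth querying).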
ADB debugging
Using the tool drozer, execute the following command at its command line:
dz> run app.activity.info -a com.mwr.example.sieve
Exploitation method
Using ADB
adb shell am start -n com.mwr.example.sieve/com.mwr.example.sieve.PWList
Using Drozer
dz> run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
This bypasses the login screen and starts the post-login password list screen directly.
How to repair
1. If an activity component of the app does not need to be exported, or the component has an intent-filter tag configured, set the component's android:exported attribute to false.
2. If the component needs to be used by external applications, protect it with a permission.
Content provider component exposure
A content provider manages a shared set of application data. Data can be stored in the file system, a SQLite database, on the web, or in any other persistent storage location the application can access. Through a content provider, other applications can query or even modify that data (if the content provider allows them to). Each content provider corresponds to a specific URI beginning with "content://", through which any application can operate on the provider application's database. If the application controls permissions improperly, this leads to information disclosure.
Test method
Similar to the detection method for the previous problem.
Decompile apk
Look for provider tags with android:exported="true" in AndroidManifest.xml, or provider tags with an intent-filter configured and android:exported="false" not set, for example:
<provider android:authorities="com.mwr.example.sieve.DBContentProvider" android:exported="true" android:multiprocess="true" android:name=".DBContentProvider">
<path-permission android:path="/Keys" android:readPermission="com.mwr.example.sieve.READ_KEYS" android:writePermission="com.mwr.example.sieve.WRITE_KEYS"/>
</provider>
<provider android:authorities="com.mwr.example.sieve.FileBackupProvider" android:exported="true" android:multiprocess="true" android:name=".FileBackupProvider"/>
Using Drozer
Using the tool drozer, execute the following command at its command line:
dz> run app.provider.info -a com.mwr.example.sieve
Content provider injection
dz> run scanner.provider.injection -a com.mwr.example.sieve
dz> run app.provider.query content:
How to repair
1. Set android:exported="false" on content provider components that do not need to be exported.
2. Validate the path of the target file being accessed before serving it.
Broadcast receiver component exposure
A broadcast receiver is a component that responds to system-wide broadcast announcements. Many broadcasts originate from the system itself, for example a broadcast announcing that the screen has turned off, the battery is low, or a picture was captured. Applications can also initiate broadcasts, for example to let other apps know that some data has been downloaded to the device and is available to them. Although broadcast receivers do not display a user interface, they may create a status bar notification to alert the user when a broadcast event occurs. More commonly, though, a broadcast receiver is just a "gateway" to other components and is intended to do a very minimal amount of work. If a receiver is exposed and improperly configured, other applications can send forged broadcasts to it, which may cause information disclosure, denial of service, and so on.
Test method
Decompile apk
Look for receiver tags with android:exported="true" in AndroidManifest.xml, or receiver tags with an intent-filter configured and android:exported="false" not set. For example:
<receiver android:label="Send SMS" android:name=".broadcastreceivers.SendSMSNowReceiver">
<intent-filter>
<action android:name="org.owasp.goatdroid.fourgoats.SOCIAL_SMS"/>
</intent-filter>
</receiver>
Using Drozer
dz> run app.broadcast.info -a org.owasp.goatdroid.fourgoats
Exploitation method
Using ADB
adb shell am broadcast -a org.owasp.goatdroid.fourgoats.SOCIAL_SMS -e phoneNumber 123456 -e message hehe!
Using Drozer
dz> run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --extra string phoneNumber 123456 --extra string message hehe!
How to repair
1. If a broadcast receiver component of the app does not need to be exported, it is recommended to explicitly set the component's android:exported attribute to false.
2. If data must be provided to external applications, it is recommended to protect the component with a permission.
Service component exposure
A service is a component that runs in the background to perform long-running operations or work for remote processes. A service does not provide a user interface. If the component is exposed and the application controls permissions improperly, other applications can start the service of the application under test.
Test method
Decompile apk
Look for service tags with android:exported="true" in AndroidManifest.xml, or service tags with an intent-filter configured and android:exported="false" not set, for example:
<service android:name=".services.LocationService">
<intent-filter>
<action android:name="org.owasp.goatdroid.fourgoats.services.LocationService"/>
</intent-filter>
</service>
Using Drozer
dz> run app.service.info -a com.mwr.example.sieve
Service denial of service
Using ADB
adb shell am startservice -a org.owasp.goatdroid.fourgoats.services.LocationService
Using Drozer
dz> run app.service.start --action org.owasp.goatdroid.fourgoats.services.LocationService