Android Broadcast Exploit

Nalla Muthu
Oct 7, 2018

How to exploit the exported broadcast receiver in an Android Application?

Before we proceed, here is some basic terminology that we need to be aware of.

Basic Terminology:

Broadcast — A component that runs in the background without a UI. Example: a music-playing service in the background.

Exported — An attribute that says whether the service can be accessed by other applications or not.

Intent — Intents allow an application to interact with other Android components.

Introduction:

When a broadcast receiver is exported without any permission restriction, any application can send a broadcast message to the exported receiver. We will create two Android applications to understand this better.

How to identify Broadcast Receiver is Exported or not:

Reverse engineer the application using APKTOOL. Check the manifest file for the receiver tag and its exported attribute. If the attribute is true and no other permission is set, the receiver can be exploited.
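
The manifest check described above can be automated once apktool has decoded the APK. The following Python is an added example, not the author's code; it goes slightly beyond the text by also flagging receivers that are exported implicitly through an intent filter, and every name in the constructed sample manifest except com.example_broadcast and MyReceiver is hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace that apktool-decoded manifests use for android:* attributes.
ANDROID = "{http://schemas.android.com/apk/res/android}"


def unprotected_receivers(manifest_xml):
    """Names of <receiver> components any installed app can send broadcasts to."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    # A permission on <application> is the default for all of its components.
    app_permission = app.get(ANDROID + "permission")
    findings = []
    for rcv in app.iter("receiver"):
        exported = rcv.get(ANDROID + "exported")
        if exported is None:
            # With no explicit value, an <intent-filter> makes the receiver
            # exported for apps targeting versions below Android 12.
            is_exported = rcv.find("intent-filter") is not None
        else:
            is_exported = exported.strip().lower() == "true"
        permission = rcv.get(ANDROID + "permission") or app_permission
        if is_exported and not permission:
            findings.append(rcv.get(ANDROID + "name"))
    return findings


# Constructed sample in the form apktool decodes. Only the package name and
# .MyReceiver come from the article; the other entries are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example_broadcast">
  <application>
    <receiver android:name=".MyReceiver" android:exported="true"/>
    <receiver android:name=".ImplicitReceiver">
      <intent-filter><action android:name="com.example_broadcast.DEMO"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="com.example_broadcast.permission.DEMO"/>
    <receiver android:name=".PrivateReceiver" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name in unprotected_receivers(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

A permission attribute only restricts senders meaningfully when the permission is declared with the signature protection level; a normal-level permission can be requested by any application.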

Scenario Overview:

Create two Android applications. In the first application we will create a receiver and export it. With the second application we will send the broadcast message to the exported receiver.

  1. Create Broadcast Receiver Application [Android Application 1]
  2. Export the Receiver
  3. Install the Broadcast Receiver Application in the Phone/Emulator
  4. Create Client Application [Android Application 2]
  5. Send the Broadcast message with additional parameters.

Requirements (Current Setup):

  1. Android Studio Any Version [3.1]
  2. Emulator or Any Android Phone [Pixel API 25]

Broadcast Receiver Application Details: [Application 1]

Package Name: com.example_broadcast

MainActivity Class Name: MainActivity

MainActivity Function Name: changewifistate

Receiver Class Name: MyReceiver

Create Broadcast Receiver Application:

  1. Create new project with Empty Activity
  2. Create a function in the MainActivity (changewifistate) with 1 boolean parameter
  3. Write the code to change the wifi state
  4. Right click the project (New->others->Broadcast Receiver)
  5. Write the code to receive the parameters from intent
  6. Call the function(changewifistate) with the received parameter
  7. Now Build the Signed/Unsigned APK [Build->Build APK/Generate Signed APK]
  8. If it is a signed APK, it will be created in “PROJECTFOLDER/app/release/app-release.apk”
  9. Install the application and open it
  10. Only an empty activity with a Hello string will be shown

Explanation of code:

Create an instance of the class so that we can access the function from any other Java class through the instance object.

[Code snippet: MainActivity.java]

The "changewifistate" function is created and the code to change the wifi state is implemented. It accepts a boolean parameter to change the wifi state.

[Code snippet: MainActivity.java]

The code snippet from the AndroidManifest file confirms that the broadcast receiver is exported.

[Code Snippet: AndroidManifest.xml]

When the broadcast receiver receives the broadcast message, its details can be retrieved in the onReceive function. Receive the parameter and call the function "changewifistate" with the received parameter. Display a message on the screen stating “Wifi is off”.

[Code Snippet: MyReceiver.java]

Steps 1 to 3 are completed. The broadcast receiver is created, exported and running in the emulator.

Client Application Details: [Application 2]

Package Name: com.example_broadcast_sender

Class Name: MainActivity

Function Name: send_broadcast

Client Application Overview:

Create a client application with a button. Clicking the button sends the broadcast message with a boolean parameter.

Client Application Details:

  1. Create New Project (with Basic Activity)
  2. Create a function send_broadcast(View v) and leave the function empty for now
  3. Create New Button (res->layout->activity_main.xml->Design Tab)
  4. Drag and Drop the button and edit the text as you prefer “Click_here”
  5. Go to onclick property and select the “send_broadcast” function from the dropdown list
  6. Create a new intent with the Broadcast Receiver Name
  7. Assign the value for the boolean parameter using putExtra method
  8. Send the broadcast message with the created intent object
  9. Now Build the Signed/Unsigned APK [Build->Build APK/Generate Signed APK]
  10. If it is a signed APK, it will be created in “PROJECTFOLDER/app/release/app-release.apk”
  11. Install the application on the Mobile/Emulator [adb install app-release.apk]
  12. Click the button “Click_here”; the result will be displayed on the screen and the wifi state will be off.

Explanation of code:

Create the function send_broadcast and implement the code to send the broadcast message. Create the new intent with the broadcast receiver, put the required parameters, and send the broadcast message.

[Code Snippet: MainActivity.java]

The code of the button that we created, which is used to call the “Click_here” function on click. The properties of the button are shown below.

[Code Snippet: activity_main.xml]

The MainActivity of the application, which is the user interface shown when the application is launched.

[Code Snippet: AndroidManifest.xml]

Source Code:
