Access Control

Galilei
Mobile Penetration Testing
5 min read · Apr 6, 2019

Android has a complex architecture. It is built on the Linux kernel, the Dalvik Virtual Machine and much more, but an application is made of four vital components:

  • Activities: An activity is a single, focused thing that the user can interact with.
  • Content Provider: Manages access to a central repository of data provided by an application.
  • Broadcast Receiver: Android apps broadcast messages to each other. The component that receives and processes those broadcasts is called a Broadcast Receiver.
  • Services: Background processes that handle long-running jobs.

Components of an application should not be accessible to other applications by default. In some cases an Android application shares its resources with other applications; for example, we can make a call by sending an intent. To give such access safely:

  • The host application should declare a permission.
  • The shared component should not disclose any secret data.
  • The component should not threaten the user privacy.

The next three tasks in the DIVA application show the threats of insecure access to components. In this module we use Drozer. If you don't know how to configure it, we recommend starting from section one here.

09. Access Control Issues — Part 1

The application has an activity that reveals some sensitive data. We can see the secrets activity by clicking on VIEW API CREDENTIALS.

This activity holds sensitive data, so access to it should be restricted. Let's fire up Drozer to see whether this activity is accessible or not.

First we check the application info:

The output shows the permissions that the application requests at installation time, the data directory, etc. It seems this is the application we are looking for.

We need to test the application and find its attack surface, but we don't need to search manually because we have Drozer.

Drozer parses the application manifest file and finds the reachable components. Here is the attack surface it found:

  • 3 Activities
  • 1 Content Provider

We don't know the names of the publicly available activities yet. Let's find out:

None of the activities require a permission; in other words, we can start all of them with an intent. Drozer can send the intent for us. We can start the APICredsActivity with the following command.

You'll see jakhar.aseem.APICredsActivity show up in the emulator.

10. Access Control Issues — Part 2

The second task in the access control section is the same as the first one, except that the result differs depending on which RadioButton you choose.

  • Register Now: Leads to the registration activity.
  • Already Registered: Leads to the API key activity.

If we send an intent to jakhar.aseem.diva.APICreds2Activity using Drozer, we'll get the registration activity, not the sensitive data page.

In the earlier task we didn't decompile the application, but now we need to know what is going on, so let's look at the decompiled code:

It can be inferred from the source code that the desired result needs an extra Boolean field in the intent called 'check_pin', and its value should be 'false'.

The string 'check_pin' can be found by looking up 'R.string.chk_pin' in the resources.arsc/values/strings.xml file.

resources.arsc/values/strings.xml

Let's send the customized intent and see what happens.

Finally, we could launch an intent that runs the activity with the desired data.

11. Access Control Issues — Part 3

The next task in the DIVA access control series is a note application with some simple features:

  • a secret database to store notes
  • a 4-digit password to access the notes activity
  • We can't use the earlier methods to reach the notes activity, because it is not accessible.

If you remember, we saw a Content Provider in the attack surface.

Let's analyze the Content Providers in the DIVA application:

No permission is required to access the Content Provider. We can communicate with it, but first we need to find the CONTENT URI; then we query the provider to see what happens:

  • CONTENT URI
  • All data
  • Get data by ID

That's it. We could read the notes from the Content Provider. We have now achieved everything we wanted, so the access control issues end here.

How To Secure

The security checks have already been stated, but because of their importance we repeat them here.

  • The host application should declare a permission for the shared component.
  • The shared component should not disclose any secret data.
  • The component should not threaten the user's privacy.
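As an added illustration (not from the original post and not DIVA's own manifest), here is a constructed manifest fragment that puts the weak configuration next to the hardened one: internal screens such as the API credentials activity are not exported at all, and anything that must stay reachable from other apps, including the notes provider, is gated behind a signature-level permission. Package, component and permission names are assumptions.

```xml
<!-- Constructed example (not DIVA's manifest). Package, component and
     permission names are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">

    <!-- WEAK: any app on the device can start this activity with an
         intent or query this provider through a ContentResolver, which
         is exactly what Drozer demonstrated above. -->
    <!--
    <activity android:name=".APICredsActivity"
        android:exported="true" />
    <provider android:name=".NotesProvider"
        android:authorities="com.example.notes.provider"
        android:exported="true" />
    -->

    <!-- HARDENED: a custom permission with protectionLevel="signature"
         is only granted to apps signed with the same certificate. -->
    <permission
        android:name="com.example.notes.permission.ACCESS_NOTES"
        android:protectionLevel="signature" />

    <application android:label="Notes">

        <!-- Screens that hold secrets are never exported: they can only
             be started from inside this application, so an extra such as
             check_pin=false cannot be injected from outside. -->
        <activity android:name=".APICredsActivity"
            android:exported="false" />

        <!-- A component that genuinely must be shared stays exported but
             requires the custom permission from every caller. -->
        <activity android:name=".ShareActivity"
            android:exported="true"
            android:permission="com.example.notes.permission.ACCESS_NOTES">
            <intent-filter>
                <action android:name="com.example.notes.action.SHARE" />
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
        </activity>

        <!-- The provider is reachable only by holders of the permission;
             use android:exported="false" instead if no other app needs it. -->
        <provider android:name=".NotesProvider"
            android:authorities="com.example.notes.provider"
            android:exported="true"
            android:permission="com.example.notes.permission.ACCESS_NOTES" />
    </application>
</manifest>
```

Drozer's attack-surface listing is a quick check that the hardened manifest took effect: a non-exported activity disappears from the list, and a permission-protected component shows the permission name next to it.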

Final words

We have prepared a step-by-step Android penetration testing guide based on our own experience here. Check for new posts from time to time.

Feel free to add comments to help us improve our posts. By the way, security belongs to everyone.
