GitBook: [master] 449 pages modified

This commit is contained in:
CPol 2021-04-22 12:26:30 +00:00 committed by gitbook-bot
parent f935b7b937
commit a9bd824352
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 28 additions and 5 deletions

View File

@ -104,6 +104,11 @@ External storage can be **accessed** in `/storage/emulated/0` , `/sdcard` , `/mn
Starting with Android 4.4 \(**API 17**\), the SD card has a directory structure which **limits access from an app to the directory which is specifically for that app**. This prevents malicious application from gaining read or write access to another app's files.
{% endhint %}
#### Sensitive data stored in clear-text
* **Shared preferences**: Android allow to each application to easily save xml files in the path `/data/data/<packagename>/shared_prefs/` and sometimes it's possible to find sensitive information in clear-text in that folder.
* Databases: Android allow to each application to easily save sqlite databases in the path `/data/data/<packagename>/databases/` and sometimes it's possible to find sensitive information in clear-text in that folder.
### Broken TLS
#### Accept All Certificates
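Review bot: the two new bullets are formatted inconsistently and both carry the same grammar slip: "**Shared preferences**" is bold while "Databases" is not, and "Android allow to each application to easily save" should read "Android allows each application to save". The section also names the paths without saying how they are reached; `/data/data/<packagename>/` is private to the app's own UID, so inspecting `shared_prefs/` and `databases/` needs a rooted device, a debuggable build via `adb shell run-as <packagename>`, or an `adb backup` where the app allows backups, and one sentence to that effect would stop readers assuming the files are world-readable. Not part of this change, but the context line above states "Android 4.4 (API 17)"; Android 4.4 KitKat is API level 19 (API 17 is Android 4.2).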
@ -230,9 +235,13 @@ Enumerate the tables using `.tables` and enumerate the columns of the tables doi
**Drozer** allows you to **assume the role of an Android app** and interact with other apps. It can do **anything that an installed application can do**, such as make use of Androids Inter-Process Communication \(IPC\) mechanism and interact with the underlying operating system. From [Drozer Guide](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf).
Drozer is s useful tool to **exploit exported activities, exported services and Content Providers** as you will learn in the following sections.
### Exploiting exported Activities - Authorisation bypass
### Exploiting exported Activities
\*\*\*\*[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)
****Also remember that the code of an activity starts with the `onCreate` method.
#### Authorisation bypass
[Read this if you want to remind what is an Android Activity.](./#launcher-activity)
When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with **sensitive information** is **exported** you could **bypass** the **authentication** mechanisms **to access it.**
[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/#activities)\*\*\*\*
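Review bot: the restructured heading block leaves escaped bold markers that render as literal asterisks: "\*\*\*\*[**Read this if you want to remind what is an Android Activity.**](...)" and "****Also remember that the code of an activity starts with..." are empty bold spans left by the GitBook sync and should be dropped, keeping only the plain link and sentence (same for the trailing "\*\*\*\*" on the Drozer tutorial link). The reminder link now appears twice with different targets, the old "./#launcher-activity" and the new "android-applications-basics.md#launcher-activity-and-other-activities"; keep one. In the Drozer paragraph, "Drozer is s useful tool" should read "Drozer is a useful tool".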
@ -247,21 +256,33 @@ adb shell am start -n com.example.demo/com.example.test.MainActivity
**NOTE**: MobSF will detect as malicious the use of _**singleTask/singleInstance**_ as `android:launchMode` in an activity, but due to [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), apparently this is only dangerous on old versions \(API versions &lt; 21\).
{% hint style="info" %}
Note that an authorisation bypass is not always a vulnerability, it would depend on how the bypass works and which information is exposed.
{% endhint %}
**Sensitive information leakage**
**Activities can also return results**. If you manage to find an exported and unprotected activity calling the **`setResult`** method and **returning sensitive information**, there is a sensitive information leakage.
### Exploiting Content Providers - Accessing and manipulating sensitive information
[Read this if you want to remind what is a Content Provider.](./#services)
\*\*\*\*[**Read this if you want to remind what is a Content Provider.**](android-applications-basics.md#content-provider)
Content providers are basically used to **share data**. If an app has available content providers you may be able to **extract sensitive** data from them. It also interesting to test possible **SQL injections** and **Path Traversals** as they could be vulnerable.
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/#content-providers)\*\*\*\*
### **Exploiting Services**
[Read this if you want to remind what is a Service.](./#services-1)
[**Read this if you want to remind what is a Service.**](android-applications-basics.md#services)
****Remember that a the actions of a Service start in the method `onStartCommand`.
As service is basically something that **can receive data**, **process** it and **returns** \(or not\) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)\*\*\*\*
### **Exploiting Broadcast Receivers**
\*\*\*\*[Read this if you want to remind what is a Broadcast Receiver.](./#broadcast-receivers)
[**Read this if you want to remind what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)
****Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.
[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)
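Review bot: the last link "[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)" points back at this page's own heading rather than the Drozer tutorial, unlike the Activities, Content Providers and Services links that target "drozer-tutorial/#..."; it should point at the matching Drozer tutorial section. The "\*\*\*\*" and "****" escaped bold artifacts recur before each "Read this" link and each "Remember that" line, and the old "./#..." reminder links are still present beside the new "android-applications-basics.md#..." ones, so one copy of each pair should go. Typos in the added lines: "a the actions" (twice), "Depending on ho the receiver", "As service is basically something that ... returns" (should be "A service ... returns"), "It also interesting to test" (should be "It is also interesting"), and "what is it doing" (should be "what it is doing").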

View File

@ -275,6 +275,8 @@ Activities can be exported allowing other processes on the device to launch the
Note that the ability to **bypass activity protections isn't always a vulnerability**, you need to check to which data you have obtained access.
Also, **some activities returns data to a caller**. In these scenarios you need to search for the **`setResult`** method and check the data that is passed into the Intent parameter. **If it's sensitive data you may have an information leakage vulnerability** and it's exploitable with apps capable of communicating with the Activity.
**The code of an activity starts with the `onCreate` method.**
### Application Subclass
Android applications can define a **subclass** of [Application](https://developer.android.com/reference/android/app/Application). Applications can, but do not have to define a custom subclass of Application. If an Android app defines an Application subclass, t**his class is instantiated prior to any other class in the application**.
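Review bot: the added line "**The code of an activity starts with the `onCreate` method.**" lands after the setResult discussion, where it reads as a stray statement; it belongs at the top of the Activities section where the component is introduced, since that is where an activity's entry logic (and any access check) runs and where a reader looking for a bypass should start. While here, two context lines are worth fixing: "some activities returns data" should be "return", and the bold marker in "t**his class is instantiated prior to any other class in the application**" is misplaced and should open before "this".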