For a college class: Hacking Mobile Devices at CCSF Instructor: Sam Bowne More info: https://samsclass.info/128/128_S19.shtml

1. CNIT 128
Hacking Mobile Devices
5. Attacking Android Applications
Part 1

2. Topics
• Part 1
• Exposing Security Model Quirks
• Attacking Application Components
(to p. 271)
• Part 2
• Attacking Application Components (finishes)

3. Topics
• Part 3
• Accessing Storage and Logging
• Misusing Insecure Communications
• Exploiting Other Vectors
• Additional Testing Techniques

4. Three Main Components

5. Application Container
• Ways to defeat application sandbox
• Gain access to app data
• Malicious app on a device
• Physical access to device
• Other vulnerabilities in the app

6. Communications
• ARP poisoning
• Hosting a malicious wireless network
• Compromising upstream providers
• Intercept and modify traffic

7. Internet Server
• Server may have vulnerabilities
• Compromised server exposes all information
flowing to and from mobile apps

8. Exposing Security Model
Quirks

9. Interacting with App
Components

10. targetSdkVersion
• Determines default publishing of components
• Other values: compileSdkVersion and
minSdkVersion (link Ch 7a)

11. Android Distribution
Dashboard
• Link Ch 7b

13. Explicitly Exported
Components
• Explicitly
exported
• Unspecified; will be exported implicitly
if targetSdkVersion < 17

14. Implicitly Exported
• Any component using an <intent-filter> is
exported by default
• Like this activity

15. Finding Exported
Components
• Examine Manifest
• Drozer's attacksurface module shows
exported components

16. app.<component>.info
• Broadcast receivers exposed by the Android
browser

17. Intent Filters
• -i switch

18. Supreme User Contexts
• root and system users can interact with
application components
• Even when they are not exported
• Components that are not exported in the
manifest are private
• Limited to internal use by the app
• Only attackers with root privileges can attack
them

19. Permission Protection
Levels
• Best protection is a custom permission with
protection level signature
• Only apps with the same signature can have
that permission

20. Protection Level
Downgrade Attack
• The first app that sets a permission's
protection level wins
• Later apps can't change it
• A malicious app that defines a permission first
can downgrade its permission level, for
example to normal
• Fixed in Android 5.0
• Links Ch 7e, 7f

21. Attacking Application
Components (to p. 271)

22. Intents
• Intent is a data object that defines a task to
be performed
• To start an activity, call startActivity(Intent)
• sendBroadcast(Intent) sends to a broadcast
receiver
• startService(Intent) sends to a service
• Intent is generic, does not specify tye type of
component receiving it

23. Example
• Link Ch 7g

25. Explicit Intents
• State the component that must receive it
• Using setComponent() or setClass()
• Bypasses the intent resolution process in the
OS
• Directly delivers the intent to the specified
component

26. Implicit Intent
• Does not specify the component to be used
• Relies on the OS to determine the best
candidate to deliver it to
• Ex: "Play this MP3"
• Using whatever player is available
• A box may pop up asking the user which app
to use

27. Example
• This intent tells the Android system to display
a webpage
• All installed Web browsers should be
registered to via an intent filter

28. Intent Filters
• Defined by installed apps
• Filters can match
• Action
• Data
• Category
• Action is mandatory

29. Example Intent Filters

30. Example Intent Filters

31. am: Activity Manager
• Part of Android
• Lets you send intents to app components
• Link Ch 7h

32. • Sieve: vulnerable
password manager

33. Attack Surface

34. Activity Info
• No Permissions on them: they are unprotected
• Any app or user can launch them

35. PIN Bypass
• Reveals
usernames

36. Auditing Content Providers
• Only /Keys requires permissions

37. Finding URIs
• /Passwords requires no permissions

38. Password Exposure
• It's not in plaintext yet

39. SQL Injection
• SQL error indicates vulnerability
• Enumerate table names

40. Reveal Plaintext Password

41. Real-World Examples

43. Lock Screen Bypass
• adb shell am start -n com.android.settings/
com.android.settings.ChooseLockGeneric --ez
confirm_credentials false --ei
lockscreen.password_type 0 --activity-clear-task
•

44. Tapjacking
• Malicious app overlays a false UI on top of
buttons
• So taps activate something unexpected
• Using toasts --small graphic elements

46. Recently-Used App
Screenshots
• May contain sensitive info
• Stored in RAM
• Only available to privileged
users

47. Fragment Injection
• On Android 4.3 and earlier
• Using a "fragment", could change PIN without
knowing old PIN

48. Opens
this
screen
directly