GitBook: [master] 449 pages modified
parent f935b7b937
commit a9bd824352
@ -104,6 +104,11 @@ External storage can be **accessed** in `/storage/emulated/0` , `/sdcard` , `/mn
Starting with Android 4.4 \(**API 17**\), the SD card has a directory structure which **limits access from an app to the directory which is specifically for that app**. This prevents malicious application from gaining read or write access to another app's files.
{% endhint %}

#### Sensitive data stored in clear-text

* **Shared preferences**: Android allow to each application to easily save xml files in the path `/data/data/<packagename>/shared_prefs/` and sometimes it's possible to find sensitive information in clear-text in that folder.
* Databases: Android allow to each application to easily save sqlite databases in the path `/data/data/<packagename>/databases/` and sometimes it's possible to find sensitive information in clear-text in that folder.

### Broken TLS

#### Accept All Certificates
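Review bot: the two new bullets under "Sensitive data stored in clear-text" repeat the same sentence with only the artifact and path changed, and the shared wording "Android allow to each application to easily save" should read "Android lets each application save"; consider one sentence introducing `/data/data/<packagename>/` followed by the two sub-paths (`shared_prefs/` for XML, `databases/` for SQLite). In the unchanged context just above, "Android 4.4 \(**API 17**\)" is inconsistent: Android 4.4 is API level 19 (API 17 is Android 4.2), so the number should be checked before this hint ships, and "This prevents malicious application" should be "malicious applications".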
@ -230,9 +235,13 @@ Enumerate the tables using `.tables` and enumerate the columns of the tables doi
**Drozer** allows you to **assume the role of an Android app** and interact with other apps. It can do **anything that an installed application can do**, such as make use of Android’s Inter-Process Communication \(IPC\) mechanism and interact with the underlying operating system. From [Drozer Guide](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf).
Drozer is s useful tool to **exploit exported activities, exported services and Content Providers** as you will learn in the following sections.

### Exploiting exported Activities - Authorisation bypass
### Exploiting exported Activities

\*\*\*\*[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)
****Also remember that the code of an activity starts with the `onCreate` method.

#### Authorisation bypass

[Read this if you want to remind what is an Android Activity.](./#launcher-activity)
When an Activity is exported you can invoke its screen from an external app. Therefore, if an activity with **sensitive information** is **exported** you could **bypass** the **authentication** mechanisms **to access it.**
[**Learn how to exploit exported activities with Drozer.**](drozer-tutorial/#activities)\*\*\*\*

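Review bot: the `\*\*\*\*` and bare `****` runs at the start of the "Read this if you want to remind what is an Android Activity" link line and the "Also remember that the code of an activity" line, and at the end of the "Learn how to exploit exported activities with Drozer" line, are stray GitBook markup that renders as literal asterisks; strip them so each line begins with the link or the text. Typo in the Drozer intro: "Drozer is s useful tool" should be "Drozer is a useful tool". The hunk also shows both the old heading "Exploiting exported Activities - Authorisation bypass" and the new "Exploiting exported Activities", and both the old `./#launcher-activity` reminder link and the new `android-applications-basics.md#launcher-activity-and-other-activities` one; confirm that only the new heading and the new link survive so the Activity reminder is not duplicated under "Authorisation bypass".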
@ -247,21 +256,33 @@ adb shell am start -n com.example.demo/com.example.test.MainActivity

**NOTE**: MobSF will detect as malicious the use of _**singleTask/singleInstance**_ as `android:launchMode` in an activity, but due to [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750), apparently this is only dangerous on old versions \(API versions < 21\).

{% hint style="info" %}
Note that an authorisation bypass is not always a vulnerability, it would depend on how the bypass works and which information is exposed.
{% endhint %}

**Sensitive information leakage**

**Activities can also return results**. If you manage to find an exported and unprotected activity calling the **`setResult`** method and **returning sensitive information**, there is a sensitive information leakage.

### Exploiting Content Providers - Accessing and manipulating sensitive information

[Read this if you want to remind what is a Content Provider.](./#services)
\*\*\*\*[**Read this if you want to remind what is a Content Provider.**](android-applications-basics.md#content-provider)
Content providers are basically used to **share data**. If an app has available content providers you may be able to **extract sensitive** data from them. It also interesting to test possible **SQL injections** and **Path Traversals** as they could be vulnerable.
[**Learn how to exploit Content Providers with Drozer.**](drozer-tutorial/#content-providers)\*\*\*\*

### **Exploiting Services**

[Read this if you want to remind what is a Service.](./#services-1)
[**Read this if you want to remind what is a Service.**](android-applications-basics.md#services)
****Remember that a the actions of a Service start in the method `onStartCommand`.

As service is basically something that **can receive data**, **process** it and **returns** \(or not\) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)\*\*\*\*

### **Exploiting Broadcast Receivers**

\*\*\*\*[Read this if you want to remind what is a Broadcast Receiver.](./#broadcast-receivers)
[**Read this if you want to remind what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)
****Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.

A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.
[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)

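Review bot: the Broadcast Receivers "Learn how to exploit ... with Drozer" link targets `./#exploiting-broadcast-receivers`, which is the very heading it sits under, while the Activities, Content Providers and Services links all point at `drozer-tutorial/#...`; it should point at the Drozer tutorial's broadcast receiver section instead of looping back to this page. The hunk also shows the old reminder links (`./#services`, `./#services-1`, `./#broadcast-receivers`; note the Content Provider one pointed at `#services`) next to their `android-applications-basics.md#...` replacements, so check that only the new links remain, and strip the stray `\*\*\*\*` / `****` markup on the reminder, "Remember that" and "Learn how to exploit" lines. Wording fixes: "Remember that a the actions" (Services and Broadcast Receivers) should be "Remember that the actions"; "As service is basically" should be "A service is basically"; "It also interesting to test" should be "It is also interesting to test"; "Depending on ho the receiver" should be "how".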
@ -275,6 +275,8 @@ Activities can be exported allowing other processes on the device to launch the
Note that the ability to **bypass activity protections isn't always a vulnerability**, you need to check to which data you have obtained access.
Also, **some activities returns data to a caller**. In these scenarios you need to search for the **`setResult`** method and check the data that is passed into the Intent parameter. **If it's sensitive data you may have an information leakage vulnerability** and it's exploitable with apps capable of communicating with the Activity.

**The code of an activity starts with the `onCreate` method.**

### Application Subclass

Android applications can define a **subclass** of [Application](https://developer.android.com/reference/android/app/Application). Applications can, but do not have to define a custom subclass of Application. If an Android app defines an Application subclass, t**his class is instantiated prior to any other class in the application**.
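Review bot: the bold span in the Application Subclass paragraph opens one character too late, `t**his class is instantiated prior to any other class in the application**`, so it renders as a literal `**` inside the word; move the opening marker before "this". Also "some activities returns data to a caller" should be "return", and "Applications can, but do not have to define" needs a comma after "have to". The added line "The code of an activity starts with the `onCreate` method." duplicates the "Also remember that the code of an activity starts with the `onCreate` method." line added earlier in this commit; keep one.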