Sunday, December 18, 2016

ANDROID PT / Content Providers Vulnerabilities


- Layout for this exercise:

- Connecting from Linux Santoku to the mobile device Nexus 5:


- The purpose of a Content Provider is to manage access to a central repository of data. An application may have implemented many providers.

- For instance, Content Providers may be used to store data in the databases of the application, and also to query, retrieve or share that information afterwards. 

- Content Providers may allow attackers potential leakage of information if proper security controls are not enforced in the application.


- For the purpose of illustrating some vulnerabilities associated with Content Providers, in this exercise it will be used the application Catch Notes. It was a very popular application used to take and save notes. Catch Notes was available for Android devices up to recently , until the service was discontinued:

- Installing the application into the mobile device:

- Now, Catch is available at Nexus 5:

- Clicking the application icon:

- Adding a note:

- A private text is written and saved:

- The goal of this exercise will be to reveal the content of the previous note from outside the Nexus 5 mobile device, using Santoku Linux as the attacking platform, and exploiting the application in three different ways.


- Drozer is a security and attack framework for Android, by MWR InfoSecurity:

- In this exercise Drozer will be used to reveal the content of the note, previously entered by the user.

- The main feature of this framework is that using Drozer there is no need of rooting to perform a successful attack.

Drozer works into a client-server mode, so it must be installed both at the Android device (server) and Santoku (client).

- Downloading the application to Santoku:

- Downloading the Agent.apk to Nexus 5:

- Installing Drozer at Nexus 5:

- Drozer is now running at Nexus 5, working as a service at port 31415:

- From Santoku, port 31415 must be forwarded so that communication with Nexus 5 is enabled over TCP:

- Launching Drozer, a list of available commands is displayed:

- Starting the Drozer console:

- Running the list of all applications installed at the mobile device, the package corresponding to the Catch application is found, with name com.threebanana.notes:

- The app.package.attacksurface option shows some of the possible vector attacks present at the application, two of them related with Content Providers:

- Running the app.provider.finduri the /notes folder is found under .provider.Notepad:

- Querying what is inside the /notes folder, the text entered by the user is found:

- Let's notice that no special permission or privilege has been used to reach the text, meaning that it is actually a vulnerability because there is some leaking data as a result of using Drozer over a Content Provider.


- Also, the application can be exploited using directly the ADB debugger for looking up into the internal databases.

- However, in this case the key difference to perform this attack, in comparison with the Drozer's one, is the need of being root. It means that only with root privileges (or the user himself) will be possible to access the inner of the package:

- Searching with ADB into the data directory, inside the package of the applications there is a folder called databases:

- Listing the contents, a note_pad.db is found:

- Opening the note_pad.db Sqlite3 database:

- There  are four tables, one of them named notes:

- Selecting all the content from notes, the text is revealed again:


- Another way of exploiting the application stems of the analysis of the .apk binary.

- In the same way than happened at previous exercise, the attacker needs to hold root privileges to access the information stored in the file system using ADB.

- First, let's find the path where the package is stored:

- Pulling the .apk binary to Santoku:

- Let's decompile the application with Apktool and see its internal structure:

- As a result of the decompilation, a new folder is created:

- Listing the content of the new folder:

- Grepping with -iRn options (-i=ignoring case sensitive, -R=recursive, -n=numbering the lines) all starting with 'content://' a long list of all Contents Providers used by the application is displayed. However, the Content Provider of interest for us is that including the folder /notes:

- Again, querying what is inside /notes:

- The output shows the text entered by the user: