Skip to main content

Journey to eMAPT Part 2: Android Application Fundamentals

  1. Activity Lifecycle:

    • onCreate(): Called when the activity is created.
    • onStart(): Called when the activity becomes visible to the user.
    • onResume(): Called when the activity starts interacting with the user.
    • onPause(): Called when the activity is partially visible (but not in focus).
    • onStop(): Called when the activity is no longer visible.
    • onDestroy(): Called before the activity is destroyed.

  2. Layouts and Views:

    • Layouts define the structure of the user interface.
    • Views are widgets (buttons, text fields, etc.) that are placed inside layouts.

  3. Intents:

    • Intents are messages used to communicate between different components of an application or between different applications.
    • Explicit Intents: Specifies the target component directly.
    • Implicit Intents: Declares an action without a recipient, and the android system resolves the appropriate component to handle it. Data sent by the application could be stolen by a malicious app as it doesn’t specify a recipient.
    • An intent’s action is specified either by the setAction() method or within the intent constructor itself.
    • In the receiving app's AndroidManifest.xml file, a component with an intent-filter element must be present.
    • Broadcast Intents: These can be received by multiple apps. There are two types: Normal (processed by multiple apps simultaneously or in any order) and Ordered (executed one at a time, with priority defining the order). Another type is Sticky broadcast which provide zero security (Deprecated since API Level 21 (Lollipop))

    • Pending Intent: These allow other apps to take action on behalf of our application i.e. any action taken will be taken using our app's identity and permissions. Developers should use explicit intent with PendingIntent as implicit intent could be accessed by other apps and they can perform any function with the original's apps identity and permissions.

      Note: Pending Intents caused a privilege escalation vulnerability in Android versions before 5.0.0. The Settings app on Android, which runs with SYSTEM privileges, used a pending intent without a specific recipient or action. This allowed a malicious app to perform any action with SYSTEM privileges. CVE-2014-8609.

      CreatingImplicitIntent
      Intent email = new Intent(Intent.ACTION_SEND, Uri.parse("mailto:"));

      CreatingExplicitIntent
      Intent upload = new Intent(this, uploadFunction.class);

      ReceivingImplicitIntent(AppManifest)
      <activity android:name="ShareActivity"> <intent-filter> <action android:name="android.intent.action.SEND"/> <category android:name="android.intent.category.DEFAULT"/> #In order to receive any implicit intent (DEFAULT) </intent-filter> </activity>

  4. AndroidManifest.xml:

    • It's an essential configuration file for an Android application. Can't run the app without it.
    • Contains information about the application's components, permissions, and other crucial details.
    • Must include all activities, services, and broadcast receivers.

  5. Resources:

    • Android supports resources (strings, images, layouts) to be stored separately from the code.
    • This allows for localization and easier maintenance.

  6. Permissions:

    • Android applications must declare the permissions they require to access certain device features or data.
    • Users must grant these permissions during installation or runtime.
    • permissions element has 3 attributes which are directly related to security.
      • name attribute
      • protection-level attribute (Normal, Dangerous, Signature and SignatureOrSystem)
      • permission-group attribute

  7. Android Debug Bridge (ADB):

    • A command-line tool that allows communication with an Android device or emulator.
    • Used for debugging, installing apps, and other development tasks.

  8. Android Emulator:

    • Android provides emulators to test applications on virtual devices.
    • Allows developers to simulate various screen sizes, device configurations, and Android versions.

  9. Deep Links:

    • These allow us to trigger an Intent via URL, embedded in a website. They are used to start an app and pass data. Example: If you search for a LinkedIn profile on Google and the app is installed, clicking the link directly opens the profile in the app.
    • Configured in AndroidManifest.xml
    • The Intent filter must also include a category with android.intent.category.BROWSABLE
    • Any data carried by the URL should be validated or it can cause other vulnerabilities.
    • Caution: If multiple activities contain intent filters that resolve to the same verified Android App Link, then there's no guarantee as to which activity handles the link.

  10. AIDL (Android Interface Definition Language):

    • It is an Android specific IDL which essentially describes an API offered by a Service to external applications.
    • Services which use AIDL are referred as Bound Services.
    • onBind() method has been defined in the service's class which returns the service object to the client app, in the form of IBinder.
    • For security testing, we start with onBind() method and follow the app logic and subsequent steps taken by app.

  11. Messenger:

    • Another type of IPC mechanism in Android to share a service with other apps.
    • Client invoking a Messenger receives an IBinder that can be used to send data to service.
    • Messenger is also a Bound Service.
    • It also uses onBind() method, and security testing starts from this method.

  12. Binder:

    • It is a kernel level driver, which moves data from one process's memory to another's

  13. Components:

    • Includes activities, services, broadcast receivers and providers.

    • Activities:

      • Represent the UI and handle user interactions.
      • It is mostly exploited in situations where it returns data to a caller. Locate all setReult() method to this occurrence.
      • Check if data is passed into setResult() method Intent parameter.

    • Services:

      • Run in the background to perform long-running tasks independently.
      • They are defined in a service element in the AndroidManifest.xml file.
      • onStartCommand() method should be checked for Intents.

    • Broadcast Receivers:

      • They listen for Broadcast Intents.
      • They can be statically defined in AndroidManifest.xml using a receiver element or dynamically registered with the registerReceiver() method.
      • Content Providers:
        • Allow data sharing between applications.
        • Share structured data, like SQLite
        • Exported attribute is set within the provider element in the AndroidManifest.xml
        • readPermission and writePermission attributes specify which permission an app must have to query the DB.

  14. WebViews:

    • Effectively web browsers which are embedded into the Android app.
    • Two types of WebViews:
      • WebViewClient– Best for simple HTML rendering (does not execute JavaScript)
      • WebChromeClient– A full-featured browser with JavaScript support.

  15. Shared UID:

    • Apps signed with the same key can share the same UID and application sandbox.

    • Sharing a UID is dangerous; a vulnerability in one application can impact the other application sharing the same UID.

      android:sharedUserId="com.abc"
    • Shared UID is dangerous and has been deprecated since Android 10 (API Level 29). New apps targeting API 30+ cannot request a shared UID

Conclusion

This was an overview of Android fundamentals. Next, we'll explore security risks in Android applications using drozer. Stay tuned!

Have questions? Drop them in the comments below!

Labels:

Comments

Post a Comment

Popular posts from this blog

Journey to eMAPT Part 1: Android Basics

Note: Welcome to my journey of mastering Android security! As I prepare for the eMAPT certification, I'll be sharing insights, notes, and tested applications to help fellow learners navigate this exciting field. What is Android? Android is an open-source operating system developed by Google and the Open Handset Alliance. It is designed for mobile devices and offers a customizable platform for developers to create applications. It is based on the Linux kernel and supports features like a user-friendly interface, access to the Google Play Store, and integration with Google services. It is used in smartphones, tablets, smart TVs, smartwatches, and other devices, and has a large developer community contributing to its growth and availability of apps. Since it is used by almost all devices, that means that bug hunters have a huge scope. Android Architecture The Android architecture is composed of several layers that work together to provide a complete operating system for mob...
Post a Comment
Read more

Journey to eMAPT Part 3: Exploiting Static Vulnerabilities in Android Using Drozer

Introduction Drozer is a powerful Android security assessment tool used to identify and exploit vulnerabilities in Android applications. In this blog, we will focus on exploiting static vulnerabilities in Android apps using Drozer, covering misconfigured exported components, insecure content providers, broadcast receivers, services, and debuggable applications. Prerequisites A rooted Android device or an emulator (e.g., Genymotion or Android Studio AVD with root access) Drozer installed on both the host machine and Android device/emulator A vulnerable Android app (such as InsecureBank or a custom test app) ` Step 1: Setting Up Drozer Install Drozer on your machine: pip install drozer Install the Drozer agent APK on your Android device/emulator and start it: adb install drozer-agent.apk Forward the Drozer agent connection: adb forward tcp:31415 tcp:31415 Launch Drozer: drozer console connect Step 2: Identifying the App’s Attack Surface The first step in any as...
Post a Comment
Read more