This document discusses attacking Android applications through their components. It covers exploiting vulnerabilities in an app's security model, intercepting communications, and compromising application containers or internet servers that apps rely on. Specific attacks examined include bypassing the lock screen, tapjacking, accessing private app data through recently used screenshots, and changing a PIN without knowing the old one using fragment injection. The document provides examples of how to interact with an app's activities, services, content providers and permissions through intents and other techniques.

1. CNIT 128
Hacking Mobile Devices
7. Attacking Android Applications
Part 1
Updated 9-26-22

2. Topics
• Part 1
• Exposing Security Model Quirks
• Attacking Application Components
(to p. 271)
• Part 2
• Attacking Application Components (finishes)

3. Topics
• Part 3
• Accessing Storage and Logging
• Misusing Insecure Communications
• Exploiting Other Vectors
• Additional Testing Techniques

4. Three Main Components

5. Application Container
• Ways to defeat application sandbox
• Gain access to app data
• Malicious app on a device
• Physical access to device
• Other vulnerabilities in the app

6. Communications
• Ways to intercept communications
• ARP poisoning
• Hosting a malicious wireless network
• Compromising upstream providers

7. Internet Server
• Server may have vulnerabilities
• Compromised server exposes all information
flowing to and from mobile apps

8. Exposing Security Model
Quirks

9. Interacting with App
Components

10. targetSdkVersion
• Determines default publishing of components
• Other values: compileSdkVersion and
minSdkVersion (link Ch 7a)

11. Android Versions in Use
• Link Ch 6c, from Sept 2022

12. Explicitly Exported
Components
• Explicitly
exported
• Unspecified; will be exported implicitly
if targetSdkVersion < 17

13. Implicitly Exported
• Any component using an <intent-filter> is
exported by default
• Like this activity

14. Finding Exported
Components
• Examine Manifest
• https://github.com/mwrlabs/drozer/releases/download/
2.3.4/sieve.apk
• Drag APK into center pane of Android Studio

15. An Activity in Sieve

16. Services in Sieve

17. Content Providers in Sieve

18. Supreme User Contexts
• root and system users can interact with
application components
• Even when they are not exported
• Components that are not exported in the
manifest are private
• Limited to internal use by the app
• Only attackers with root privileges can attack
them

19. Permission Protection
Levels
• Best protection is a custom permission with
protection level signature
• Only apps with the same signature can have
that permission

20. Protection Level
Downgrade Attack
• The first app that sets a permission's
protection level wins
• Later apps can't change it
• A malicious app that defines a permission first
can downgrade its permission level, for
example to normal
• Fixed in Android 5.0
• Links Ch 7e, 7f

21. Attacking Application
Components (to p. 271)

22. Intents
• Intent is a data object that defines a task to
be performed
• To start an activity, call startActivity(Intent)
• sendBroadcast(Intent) sends to a broadcast
receiver
• startService(Intent) sends to a service
• Intent is generic, does not specify tye type of
component receiving it

23. Example
• Link Ch 7g

25. Explicit Intents
• State the component that must receive it
• Using setComponent() or setClass()
• Bypasses the intent resolution process in the
OS
• Directly delivers the intent to the specified
component

26. Implicit Intent
• Does not specify the component to be used
• Relies on the OS to determine the best
candidate to deliver it to
• Ex: "Play this MP3"
• Using whatever player is available
• A box may pop up asking the user which app
to use

27. Example
• This intent tells the Android system to display
a webpage
• All installed Web browsers should be
registered to via an intent filter

28. Intent Filters
• Defined by installed apps
• Filters can match
• Action
• Data
• Category
• Action is mandatory

29. Example Intent Filters

30. Example Intent Filters

31. am: Activity Manager
• Part of Android
• Lets you send intents to app components
• Link Ch 7a

32. • Skip for now, being
updated to eliminate
drozer
M 501: Drozer

33. Real-World Examples

35. Lock Screen Bypass
• On Android < version 4.4
• Sending this intent would disable the lock screen
mechanism
• adb shell am start -n com.android.settings/
com.android.settings.ChooseLockGeneric --ez
confirm_credentials false --ei
lockscreen.password_type 0 --activity-clear-task

36. Tapjacking
• Malicious app overlays a false UI on top of
buttons
• So taps activate something unexpected
• Using toasts --small graphic elements

38. Recently-Used App
Screenshots
• May contain sensitive info
• Stored in RAM
• Only available to privileged
users

39. Fragment Injection
• On Android 4.3 and earlier
• Using a "fragment", could change PIN without
knowing old PIN

40. Opens
this
screen
directly