Android Hacking Part 1: Attack and Defense of Application Components
With the rapid growth of mobile apps, mobile app security has become one of the hottest topics in the security field. In this article, let's take a look at how Android application components can be attacked, and how to protect them.
What is an Android application component?
Application components are the essential building blocks of an Android application. Each application is composed of one or more components, and each component can be invoked independently. There are four main types of component:
Activity: An application component that provides a screen with which the user interacts to complete a task (such as making a call or sending a text message).
Service: Provides long-running operations in the background and has no user interface.
Content Providers (Content provider): Expose data to external applications in the form of tables. In other words, a Content Provider can be thought of as an interface connecting two processes.
Broadcast Receivers (Broadcast receiver): A Broadcast Receiver is a component that responds to system-wide broadcast announcements (for example, low battery, reboot, or headphones plugged in). Although most broadcasts are sent by the system, an application can also initiate its own broadcasts.
Background:
Download related code (http://yunpan.cn/cfs8zHiW8rf5g extract code: 20c3)
As shown in the figure, this application has two Activities. The first Activity asks for a password. If the user enters the correct password, they can enter the "private area"; otherwise, they receive a warning that the password is incorrect. The password used in this article is "password". Here we use black-box testing to try to bypass the password protection.
Preparations:
Install Android SDK
An Android phone (root is not required)
Information collection:
1. Decompile the application using apktool
2. Analyze the Activity components in the AndroidManifest.xml file
Each Android app has a package name, and each Activity has a corresponding class name. The first step is to find the package name and the name of the sensitive Activity class. Although there are other ways to obtain this information, AndroidManifest.xml is one of the easiest sources, and we can obtain this file by decompiling the application.
1. Download APKTOOL (https://code.google.com/p/android-apktool/downloads/list)
2. Place the program in the same directory as APKTOOL.
3. Run the following command to decompile the apk file:
apktool d testapp.apk
Now we need to search for the package name and the Activity components.
All Activities are declared inside <activity></activity> tags, so each such element corresponds to one Activity. Looking at the AndroidManifest.xml file, we find two Activity components:
By analyzing AndroidManifest.xml, we obtain the following information:
com.isi.testapp is the package name
com.isi.testapp.Welcome is the Activity displayed after a successful login.
Attack vulnerable Activity components:
Our goal is to reach the Welcome screen without supplying the password.
There are several ways to achieve this:
1. Use Activity Manager to start sensitive activities
2. Use a malicious application to call the Activity of other applications
3. Use the Mercury framework to launch such attacks. This framework will be used in subsequent articles.
Use Activity Manager to start sensitive activities
Activity Manager (am) is a command-line tool included with the Android SDK. It can be used to start the Activities or Services of an application. We can also use it to bypass the password check.
1. Connect the device to your computer and use "adb shell" to obtain a shell.
2. Use "am start -n com.isi.testapp/.Welcome" to start the Welcome Activity.
Now we can see that the Welcome Activity opens without asking for a password.
Use a malicious application to call the Activity of other applications
Another way to call an Activity of another application is to write a malicious application that invokes it by package name and Activity name. The figure shows part of that program's code. In this case, the malicious application does not need to request any additional permissions to call the Welcome Activity.
Use the Mercury framework
This attack can also be implemented using the Mercury framework, which will be introduced in subsequent courses.
Protect application components
1. Set the android:exported attribute to false.
In the AndroidManifest.xml file, we should set android:exported="false" on the Activity we want to protect. In our case, that Activity is com.isi.testapp.Welcome.
This setting prevents other applications and system components from starting the Activity; only components of the same application (running under the application's own user ID) can access it.
2. Restrict access through permission control
The android:exported attribute is not the only option. We can also protect an Activity with a custom permission (the android:permission attribute), which restricts access to those applications that have been granted that permission.
Note: The security measures discussed above apply equally to the other Android application components.
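To tie the manifest analysis step (finding the package name and the Activities) to the two defenses described above, here is an added example, not part of the original article: a small Python audit that reads an AndroidManifest.xml, resolves each component's fully qualified name, and reports which components other apps can start without holding a permission. It applies Android's rule that an explicit android:exported wins and that, without it, an activity/service/receiver is exported only if it declares an <intent-filter>; it also covers services, receivers and providers, as the closing note suggests. The three manifests are constructed samples that mirror the article's test app before and after each fix; the custom permission name com.isi.testapp.permission.ACCESS_WELCOME is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest (not the real testapp file): the layout the
# article describes, with the Welcome activity reachable by any other app.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.isi.testapp">
  <application android:label="TestApp">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".Welcome" android:exported="true" />
  </application>
</manifest>
"""

# Constructed sample: fix 1 from the article, android:exported="false".
HARDENED_MANIFEST = WEAK_MANIFEST.replace(
    '<activity android:name=".Welcome" android:exported="true" />',
    '<activity android:name=".Welcome" android:exported="false" />')

# Constructed sample: fix 2 from the article, a signature-level custom
# permission guarding the still-exported activity (permission name is hypothetical).
PERMISSION_MANIFEST = WEAK_MANIFEST.replace(
    '<activity android:name=".Welcome" android:exported="true" />',
    '<activity android:name=".Welcome" android:exported="true"\n'
    '        android:permission="com.isi.testapp.permission.ACCESS_WELCOME" />'
).replace(
    '  <application',
    '  <permission android:name="com.isi.testapp.permission.ACCESS_WELCOME"\n'
    '      android:protectionLevel="signature" />\n'
    '  <application')


def _a(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(comp):
    """Android's rule: an explicit android:exported wins. Without it, an
    activity/service/receiver is exported iff it declares an <intent-filter>.
    A <provider> without the attribute defaults by targetSdkVersion (true
    below API 17), so its state is returned as None (unknown) here."""
    explicit = _a(comp, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if comp.tag == "provider":
        return None
    return comp.find("intent-filter") is not None


def _is_launcher(comp):
    """True for the activity the home screen starts; it has to stay exported."""
    for f in comp.findall("intent-filter"):
        if any(_a(c, "name") == LAUNCHER for c in f.findall("category")):
            return True
    return False


def audit_manifest(xml_text):
    """Return (package, {fully.qualified.Name: verdict}) for every component.
    Verdicts: 'private', 'exported-unprotected', 'exported-launcher',
    'exported-permission:<perm>' or 'exported-unknown'."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    verdicts = {}
    for comp in root.find("application"):
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = _a(comp, "name")
        if name.startswith("."):  # shorthand relative to the package name
            name = package + name
        exported = is_exported(comp)
        perm = _a(comp, "permission")
        if exported is None:
            verdict = "exported-unknown"
        elif not exported:
            verdict = "private"
        elif perm:
            verdict = "exported-permission:" + perm
        elif _is_launcher(comp):
            verdict = "exported-launcher"
        else:
            verdict = "exported-unprotected"
        verdicts[name] = verdict
    return package, verdicts


def unprotected_components(xml_text):
    """Components any third-party app can start without holding a permission,
    which is exactly what the am-start bypass in the article relies on."""
    _, verdicts = audit_manifest(xml_text)
    return sorted(n for n, v in verdicts.items() if v == "exported-unprotected")


if __name__ == "__main__":
    samples = (("weak", WEAK_MANIFEST), ("exported=false", HARDENED_MANIFEST),
               ("custom permission", PERMISSION_MANIFEST))
    for label, text in samples:
        package, verdicts = audit_manifest(text)
        print("%s (%s):" % (label, package))
        for name, verdict in verdicts.items():
            print("  %-30s %s" % (name, verdict))
        print("  reachable by any app:", unprotected_components(text) or "none")
```

Running the script against the decompiled manifest from step 2 gives the same list a manual read of the <activity> tags would, but also catches components that are exported implicitly through an intent filter, which is the case that is easy to miss when only looking for android:exported="true".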