Learning Android Application Security Testing from scratch (Part 3)
In this section we will look at how to test attacks against the components of Android applications. Read the first two parts ( http://www.bkjia.com/Article/201504/388673.html , http://www.bkjia.com/Article/201504/388674.html ) first, so that you understand what the components of an Android app actually are. Components are the building blocks of an Android application, and they are declared in the AndroidManifest.xml file. Here we briefly introduce the four most important ones.

Component: Description
Activities: control the user interface and handle user interaction on the phone screen.
Services: provide long-running background functionality that needs no visual interface.
Broadcast Receivers: handle communication between Android applications and the Android system.
Content Providers: manage data and database access.

Activities. An Activity component represents a single user interface. For example, an email application may have one Activity to display the list of new mail, one Activity to compose an email, and one Activity to read an email. An Activity is one screen, and multiple activities are multiple screens. An Activity is implemented as a subclass of the Activity class:

    public class MainActivity extends Activity {}

Services. A Service is a component that provides long-running background work. For example, while you listen to music you can still use other applications normally, or the app can keep a network connection open without interrupting the user. A Service is implemented as a subclass of the Service class:

    public class MyService extends Service {}

Broadcast Receivers. A Broadcast Receiver responds only to broadcast messages from the system or from other applications. For example, an application can send a broadcast to tell other applications on the device that data has been downloaded and is available. A Broadcast Receiver is implemented as a subclass of the BroadcastReceiver class:

    public class MyReceiver extends BroadcastReceiver {}

Content Providers. A Content Provider stores and retrieves data and makes it available to other applications. Android ships with many content providers for common data types (audio, video, images, contacts, and so on). A Content Provider is implemented as a subclass of the ContentProvider class, and it must expose a standard API so that other applications can perform transactions against it:

    public class MyContentProvider extends ContentProvider {}

We may also meet the following components, introduced only briefly here.
Fragments: a Fragment describes a behaviour or a part of the user interface within an Activity.
Views: the most basic UI class; essentially all higher-level UI widgets are implemented by subclassing View.
Layouts: containers that arrange views horizontally or vertically.
Intents: an Intent is a data carrier; it describes the operation to be performed and the data that operation uses.
Resources: external elements such as strings, constants, and images.

The manifest attribute android:exported. The most important attribute in the AndroidManifest.xml configuration file is android:exported. It indicates whether a component can be started by, or interact with, components of other applications. If it is set to true, it can; if it is set to false, only components of the same application, or of applications running under the same user ID, can start or bind it. Its default value depends on whether the component declares an intent filter. Without an intent filter, the component can only be started by specifying its exact class name, which means it can only be used within the application (other applications do not know the class name), so the default is false. If at least one intent filter is declared, the component is meant to serve other applications, so the default is true.

This attribute is not the only way to limit the exposure of a component to other applications: you can also use permissions to restrict which external entities may interact with it.

So, if an Activity is exported, an external application can start it. To test the activities in the InsecureBank application, we first open InsecureBank in the Genymotion emulator and start the backend service. Once the application starts we see the login screen. If the activity that is shown after a successful login is exported, we can start it directly, so let's look at the manifest file and see whether we can find that activity. As shown in the screenshot, we first use apktool to extract the manifest file. We can see that the activity named .PostLogin has its exported attribute set to true. We can use the activity manager tool (am) in the emulator to start this activity directly. The command is:

    adb shell am start -n com.package.name/com.package.name.activityName

In this example the manifest tells us the package name is com.android.insecurebankv2, so we substitute the package name and the PostLogin activity name into this command. In the application you can see that the login page has been bypassed. You can also use drozer to call activities or other components; drozer is introduced in the next part.

There are several ways to prevent this kind of vulnerability. First, unless it is necessary, set the android:exported attribute to false. Second, if the component does need to be called by a specific external application, add a custom permission to the activity component so that only applications that request that permission can start it. Before starting the next section, you may want to review the AndroidManifest.xml file and the different components of an Android application.
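The android:exported default rule described above, as an added example that is not from the original article: a small Python audit script that walks a manifest and lists every activity, service and receiver that other applications can reach, applying the rule (explicit attribute wins, otherwise exported only when an intent filter is declared) and flagging those with no android:permission. The manifest, package name and component names are constructed for illustration and are not the InsecureBank manifest.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest; package and component names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankdemo">
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PostLogin" android:exported="true"/>
    <activity android:name=".ChangePassword" android:exported="false"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".SmsReceiver" android:exported="true"
              android:permission="com.example.permission.SMS_EVENT"/>
  </application>
</manifest>
"""

def is_exported(component):
    """Explicit android:exported wins; otherwise exported iff an <intent-filter>
    is declared. (Content providers use a targetSdk-dependent default instead.)"""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    """(tag, qualified name, permission or None) for every reachable component."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    findings = []
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            if not is_exported(comp):
                continue
            name = comp.get(ANDROID + "name")
            name = package + name if name.startswith(".") else name  # expand ".Foo"
            findings.append((tag, name, comp.get(ANDROID + "permission")))
    return findings

def unprotected_exports(xml_text):
    """Exported components with no android:permission: any installed app can start them."""
    return [f for f in audit_manifest(xml_text) if f[2] is None]
```

Run against a manifest decoded with apktool, the unprotected list is the set of components to review first; the launcher activity is expected there, a post-login activity is not.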