Researcher Demonstrates Android App Hacking via Intents

A security researcher was able to compromise an Android application by invoking each of its exposed Activity components.

The issue, Trustwave’s Therese Mendoza explains, isn’t widespread, but it does exist and attackers could abuse it to cause Android apps to leak critical information that could then be abused for further compromise.

Activities, one of the three primary components of Android apps, are called using Intents, which are messaging objects that applications use to communicate with their different components (such as Activities, Services, or Broadcast Receivers).

Usually, an application’s AndroidManifest.xml also defines Intent Filters. These, Mendoza notes, can be Explicit (generally used to start a component within the application itself) or Implicit (declaring a general action to perform, which a component from another app could handle).

With every Android application having an AndroidManifest.xml, one can learn detailed information about the app from this file, including declared Intents.

While auditing an internal messaging application designed specifically for communication within a company, the security researcher noticed a series of exported Activities being used. Such exported Activities, Mendoza notes, are often abused for malicious activity, remote code execution, and fake notifications, among others.

By using a root ADB shell connected to a device where the application was running, the researcher was able to achieve authentication bypass by sending an Intent to each exposed Activity component.

In this specific case, the researcher was able to send an Intent to an Activity that acts as the user interface for authenticated users. This resulted in access to the “My groups” chat panel without having to provide credentials.

“By using information contained in the AndroidManifest.xml via an adb shell anyone can explore an Android app for unintended behavior. While the Authentication Bypass here is an extreme example of the type of insecurities that can be found, this technique has been used to find and exploit Android app vulnerabilities for years,” Mendoza points out.

To limit attack surface, application developers should only export components that need to be exposed to other applications, thus minimizing the number of Activities exposed in the AndroidManifest.xml. Validating all data received in Intents should also improve security, just as applying permissions when passing data from other applications would.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
