A security researcher was able to compromise an Android application by invoking each of its exposed Activity components.
The issue, Trustwave’s Therese Mendoza explains, isn’t widespread, but it does exist and attackers could abuse it to cause Android apps to leak critical information that could then be abused for further compromise.
Activities, one of the three primary components of Android apps, are called using Intents, which are messaging objects that applications use to communicate with their different components (such as Activities, Services, or Broadcast Receivers).
Usually, an application’s AndroidManifest.xml also defines Intent Filters. These, Mendoza notes, are both Explicit (generally used to start a component within the application itself) and Implicit (declare a general action to perform, and a component from another app could handle it).
With every Android application having an AndroidManifest.xml, one can learn detailed information about the app from this file, including declared Intents.
While auditing an internal messaging application designed specifically for communication within a company, the security researcher noticed a series of exported Activities being used. Such exported Activities, Mendoza notes, are often abused for malicious activity, remote code execution, and fake notifications, among others.
By using a root ADB shell connected to a device where the application was running, the researcher was able to achieve authentication bypass by sending an Intent to each exposed Activity component.
In this specific case, the researcher was able to send an Intent to an Activity that acts as the user interface for authenticated users. This resulted in access to the “My groups” chat panel without having to provide credentials.
“By using information contained in the AndroidManifest.xml via an adb shell anyone can explore an Android app for unintended behavior. While the Authentication Bypass here is an extreme example of the type of insecurities that can be found, this technique has been used to find and exploit Android app vulnerabilities for years,” Mendoza points out.
To limit attack surface, application developers should only export components that need to be exposed to other applications, thus minimizing the number of Activities exposed in the AndroidManifest.xml. Validating all data received in Intents should also improve security, just as applying permissions when passing data from other applications would.