CTF-Writeups/Android/InsecureBankV2-Intents.md
2022-01-22 17:37:46 +05:00

3.4 KiB

Android Pentesting-Intents

When doing a black box pentesting for android , apart for looking at root detection bypass and ssl pinning looking for intents are also important , intents are the screens or activity of android application for example this InsecureBankv2 application has an activity for a login page which after logging in will show us avaiable options that we can do and the activity that is spawned after the login activity is called intent. Intent not only lies with in the same application it can take you to another activity from different appllications , let's say there's a youtube video link in your applicaiton when you click that it will either open up your browser application or youtube application , this is also an intent.

Now to abuse intent , specifically for this InsecureBankv2 applicaiton we need to first look at how many activities are there

Using MobSF we can analyze the applicaiton and can see that there are 10 activities , to check which activities we can spawn withouit logging into application , there's a tool called Drozer which is similar to frida by working with the application during time but this has a feature to look which activites we can call explicitly

To do this we just need to setup drozer client on our host machine which I have previously showed in setting up the lab and install drozer agent on the android device

Using the list command we can see the modules that we can use

We can also see the activities manually or by using drozer by reading the manifest file

Notice that some of the activites have exported=True which means that we can spawn these activities explicitly and rest of the activites do not have this property so we can't launch them on our own , this is a security issue because we can sometime bypass an activity which requires some kind of authentication or it's not authorized unless we can login

Running app.package.attacksurface this can show number of activities that have exported set to true

run app.package.attacksurface com.android.insecurebankv2

We can check the activities that can be exported with this command

run app.activity.info -a com.android.insecurebankv2

But this didn't worked for me when I tried doing it with drozer as no activity was launched

An alternate to this is launching the activity through adb

adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.ChangePassword

We can lauch other activtiy which was for transfer amount

And with this we can launch activities which have exported property to true without being authorized and can abuse the flaw in the application however this can easily be mitigated by changing the exported=true to exported=false

References