Introduction

In this blog, we will focus on two key components in the AndroidManifest.xml file: exported activities and intent filters. Understanding these elements is essential for identifying potential security vulnerabilities and exploitation techniques.

Understanding Exported Activities

What are Activities in Android?
An Activity is a core component of an Android application that represents a single screen with a user interface. Activities interact with users and can be invoked by other components within or outside the application.
What Does “Exported” Mean?
An exported activity is an activity that is accessible by other applications on the device. This is controlled by the android:exported attribute in the AndroidManifest.xml file. If set to true, the activity can be launched by external applications.
Example:

    <activity android:name=".ExportedActivity"
        android:exported="true">
    </activity>

Security Risks of Exported Activities

If an activity is marked as android:exported="true" and does not have an intent filter, it becomes directly exploitable because any other application can launch it without restrictions. This can lead to:
  • Unauthorized access: Other applications can launch the activity without user consent.
  • Data leakage: Sensitive information might be exposed.
  • Privilege escalation: Attackers might exploit the activity to perform unauthorized actions.
Key Rule: If an activity is exported but lacks an intent filter, it is always exploitable because it can be explicitly launched by any application.

Understanding Intent Filters

What is an Intent Filter?
An Intent Filter allows an application to specify the types of intents it can receive. Intent filters are defined in the AndroidManifest.xml file and help Android determine which applications can handle specific actions.
Example:

    <activity android:name=".ExampleActivity"
        android:exported="true">
        <intent-filter>
            <action android:name="android.intent.action.VIEW"/>
            <category android:name="android.intent.category.DEFAULT"/>
            <data android:scheme="http" android:host="example.com"/>
        </intent-filter>
    </activity>

In this case, ExampleActivity can be triggered when a user clicks on an http://example.com link.
Security Risks of Misconfigured Intent Filters
  • Unintended execution: Malicious applications can send crafted intents to exploit activities.
  • Deep-link hijacking: Attackers can intercept deep-link URLs to redirect users to malicious activities.
  • Data theft: Sensitive data can be accessed or manipulated by external applications.
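
A defender-side check for the two conditions described above, as an added example that is not part of the original post: it parses a decoded AndroidManifest.xml and lists every activity other apps can reach, with or without an intent filter. It goes slightly beyond the text by also flagging activities that have an intent filter but no android:exported attribute (exported by default when the app targets API 30 or lower) and by reporting any android:permission; the sample manifest, the activity names other than the two from this post, and the com.example.app.* values are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded XML, e.g. as produced by apktool).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".ExportedActivity" android:exported="true"/>
    <activity android:name=".ExampleActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="http" android:host="example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".LegacyActivity">
      <intent-filter>
        <action android:name="com.example.app.action.OPEN"/>
      </intent-filter>
    </activity>
    <activity android:name=".GatedActivity" android:exported="true"
        android:permission="com.example.app.permission.INTERNAL"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>
"""

def audit_activities(manifest_xml):
    """Return a finding for every activity reachable from other apps."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for act in (app.findall("activity") if app is not None else []):
        exported = act.get(ANDROID + "exported")
        has_filter = act.find("intent-filter") is not None
        if exported == "true":
            how = "explicit"
        elif exported is None and has_filter:
            # Apps targeting API 30 or lower export these by default.
            how = "implicit"
        else:
            continue
        # A component-level permission overrides the <application> one.
        perm = act.get(ANDROID + "permission") or app.get(ANDROID + "permission")
        findings.append({"name": act.get(ANDROID + "name"), "exported": how,
                         "intent_filter": has_filter, "permission": perm})
    return findings

if __name__ == "__main__":
    print(*audit_activities(SAMPLE_MANIFEST), sep="\n")
```

Findings whose permission is None are the ones to review first, since nothing in the manifest restricts which app may start them.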

Exploiting Exported Activities and Intent Filters

How Attackers Identify Vulnerable Activities
If the Android manifest file contains an exported activity, we can exploit it using the adb tool.
Using ADB to Launch Exported Activities
  • List all activities in the app:
      adb shell dumpsys package target.app | grep -i activity
  • Launch an exported activity (if it has no intent filter, it can be explicitly launched):
      adb shell am start -n target.app/.ExportedActivity
Exploiting Intent Filters with Custom Intents
Attackers can send custom intents to misconfigured activities.
  • Example of launching an activity with an intent:
      adb shell am start -a android.intent.action.VIEW -d "http://example.com" target.app
  • Sending a broadcast intent (if the app has an exported broadcast receiver):
      adb shell am broadcast -a target.intent.action.EXPLOIT

Conclusion

Understanding exported activities and intent filters is crucial in Android penetration testing. The most critical takeaway is:

  • If an activity is exported and has no intent filter, it is always exploitable.
  • Properly configured intent filters and permissions can mitigate security risks.

Stay tuned for more articles on Android security testing!

Raghav Rajput

With a strong academic background, including an MCA and CEH certification, I bring over two years of hands-on experience in cybersecurity. In my role, I focus on Android, iOS, and web penetration testing, consistently applying advanced skills to safeguard digital landscapes. Outside of work, I enjoy the intellectual challenge of chess and find relaxation in listening to music, which balances my passion for cybersecurity with personal growth and creativity.

Last Update: February 6, 2025