AttackFlow Findings Dictionary


Granting URI Permissions With Intent Broadcasting

Malicious applications can obtain sensitive data by intercepting broadcasts, without requiring any permissions.

Severity

High

Fix Cost

Low

Trust Level

Medium

Components can be exported through the Android configuration file. Exported components in an application can be activated or triggered by outside applications through implicit or explicit Intents with broadcasting.

If an exported component doesn’t validate the Intent that triggers it, it may take inappropriate actions.

A component is exported if any of the following is true:

  • The value of the exported attribute (android:exported) of the component definition in the configuration file (AndroidManifest.xml) is true
  • The component definition in the configuration file (AndroidManifest.xml) has Intent filters defined

A possible vulnerable configuration for a content provider follows:

<manifest …>
  <provider android:name=".mydb" android:exported="true">
    <intent-filter>
    </intent-filter>
  </provider>
</manifest>

In the above configuration, the .mydb provider is exported.

As another example, here’s a broadcast receiver configuration that is exported implicitly:

<manifest …>
  <receiver android:name=".mysmssender">
    <intent-filter>
      <action android:name="android.intent.sendSMS"/>
    </intent-filter>
  </receiver>
</manifest>

In the above configuration, the .mysmssender broadcast receiver is exported because it registers an Intent filter through which it can be triggered. Lastly, here’s an example of an Activity that is exported by declaring an Intent filter:

<activity android:name=".media.uploadDialog">
  <intent-filter>
    <action android:name="jp.ACTION_UPLOAD" />
    <category android:name="android.intent.category.DEFAULT" />
    <data android:mimeType="image/*" />
    <data android:mimeType="video/*" />
  </intent-filter>
</activity>

In this type of attack, as long as the vulnerable components are exported, malicious applications can use either implicit or explicit Intents to trigger the vulnerable components in the target application.
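The two export rules above can be checked mechanically during review. The following is an added example, not AttackFlow's own code: a manifest audit that lists every exported component, whether the export is explicit or implicit, and whether an android:permission guards it. The sample manifest, its package name, the .sync and .settings components and the function name audit_manifest are constructed for illustration, and the script additionally assumes that an explicit android:exported="false" overrides a declared Intent filter.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = {"activity", "activity-alias", "service", "receiver", "provider"}

# Constructed sample manifest modelled on the snippets above; not from a real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application>
    <provider android:name=".mydb" android:authorities="com.example.demo.db"
              android:exported="true"/>
    <receiver android:name=".mysmssender">
      <intent-filter><action android:name="android.intent.sendSMS"/></intent-filter>
    </receiver>
    <activity android:name=".media.uploadDialog" android:exported="false">
      <intent-filter><action android:name="jp.ACTION_UPLOAD"/></intent-filter>
    </activity>
    <service android:name=".sync" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <activity android:name=".settings"/>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return a finding for every exported component, in document order."""
    findings = []
    for comp in ET.fromstring(xml_text.strip()).iter():
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(ANDROID + "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = "explicit"   # android:exported="true"
        elif exported is None and has_filter:
            reason = "implicit"   # exported only because an Intent filter is declared
        else:
            continue              # "false" or non-literal value, or no attribute and no filter
        findings.append({
            "component": comp.tag,
            "name": comp.get(ANDROID + "name"),
            "reason": reason,
            # Only android:permission is checked; None means no component-level guard.
            "permission": comp.get(ANDROID + "permission"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        guard = f["permission"] or "NO PERMISSION REQUIRED"
        print(f"{f['component']:9} {f['name']:14} {f['reason']:9} {guard}")
```

Components reported with no permission are the ones to review first: either set android:exported="false" or validate the triggering Intent inside the component.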
