A security researcher was able to bypass authentication in an Android application by invoking each of its exported Activity components directly.
The problem, explains Therese Mendoza of Trustwave, is not widespread, but it does exist, and attackers could exploit it to make Android apps leak sensitive information that could then be used for further compromise.
Activities are started using Intents, messaging objects that apps use to request an action from one of their own components or from another app's components (such as Activities, Services, or Broadcast Receivers). Activities are among the primary component types of an Android app.
An app's AndroidManifest.xml file also declares Intent Filters, which state what kinds of Intents a component is willing to receive. Intents themselves, Mendoza says, come in two forms: Explicit (usually used to start a specific component within the application itself) and Implicit (which declare a general action to be performed, and can be satisfied by a component from another app).
Every Android application ships an AndroidManifest.xml, and from this file one can learn detailed information about the app, including which components it declares, which of them are exported, and what Intents they accept.
While auditing an internal messaging app explicitly designed for communication within a business, the researcher found a series of exported Activities. Such exported Activities, Mendoza notes, are often abused, among other things, for malicious activity, remote code execution and fake notifications.
The researcher achieved an authentication bypass by sending an Intent to each exported Activity from a root adb shell, with the device running the application connected to a computer over adb.
In this particular case, the researcher was able to send an Intent to an Activity that serves as the authenticated user interface. This gave access to the “My Groups” chat panel without the need to provide credentials.
“Anyone can explore an Android app for unintended behavior by using the information contained in the AndroidManifest.xml over an adb shell. While the Authentication Bypass here is an extreme example of what kind of insecurities can be found, this technique has been used for years to identify and exploit vulnerabilities in the Android app,” Mendoza points out.
To reduce the attack surface, application developers should export only the components that genuinely need to be reachable from other applications, which in turn reduces the number of Activities exposed in the AndroidManifest.xml. Validating all data received in Intents would also improve protection, as would requiring a permission before accepting data from other applications.
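The manifest review described above, and the mitigation just mentioned, can be illustrated with a small triage script. It is an added example, not code from the article or from Trustwave: it parses a constructed AndroidManifest.xml (the package name com.example.chat, the Activity names and the permission name are all made up), lists every Activity that another app can start, flags the ones that are exported without a permission, and prints the "am start" command a tester would run from an adb shell to launch each one. The export rule it applies is the one Android has used historically: an explicit android:exported attribute wins, otherwise a component with an intent-filter is exported by default (since Android 12 the attribute must be set explicitly when an intent-filter is present, so the implicit case only matters for older targets).

```python
"""Triage an AndroidManifest.xml for Activities reachable from other apps.

Added example, not from the article. Package, Activity and permission names
below are invented; the manifest is constructed for this demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest covering the cases a reviewer cares about:
#  - LoginActivity:    explicitly exported (the launcher; expected)
#  - MyGroupsActivity: explicitly exported, no permission (the bug class in the article)
#  - ShareActivity:    no exported attribute but has an intent-filter (implicitly exported)
#  - AdminActivity:    exported but gated by a custom permission (hardened form)
#  - SettingsActivity: android:exported="false" (hardened form)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <application>
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".MyGroupsActivity" android:exported="true"/>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:mimeType="text/plain"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.chat.permission.ADMIN"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(activity):
    """True if other apps can start this Activity.

    Explicit android:exported wins. Without it, a component that declares an
    <intent-filter> is exported by default (pre-Android 12 behaviour).
    """
    explicit = attr(activity, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return activity.find("intent-filter") is not None


def exported_activities(manifest_xml):
    """Return one dict per exported Activity: component, permission, actions."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    results = []
    for act in root.iter("activity"):
        if not is_exported(act):
            continue
        results.append({
            # "pkg/.Class" is the shorthand `am start -n` accepts
            "component": package + "/" + attr(act, "name"),
            "permission": attr(act, "permission"),
            "actions": [attr(a, "name") for a in act.iter("action")],
        })
    return results


def unprotected(entries):
    """Exported Activities with no permission gate: the ones worth probing first."""
    return [e["component"] for e in entries if e["permission"] is None]


def am_start_command(entry):
    """The command a tester runs over adb to start the component directly."""
    return "adb shell am start -n %s" % entry["component"]


if __name__ == "__main__":
    found = exported_activities(SAMPLE_MANIFEST)
    for entry in found:
        gate = entry["permission"] or "NO PERMISSION"
        print("%-45s %s" % (entry["component"], gate))
        print("    " + am_start_command(entry))
    print("probe first:", unprotected(found))
```

Run against a real app, the manifest would come from the APK (for example via apktool or aapt), and each "am start" line is then typed into the adb shell; an Activity that renders post-login content when started this way, without ever passing through LoginActivity, is the authentication bypass the article describes. In the sample, AdminActivity and SettingsActivity show the two hardened forms: a permission gate on something that must stay exported, and android:exported="false" on everything that need not be.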