At the time of writing there are approximately 2.6 million applications available on the Google play store and it should be no surprise that these apps enhance the overall user experience. From disabling your alarm to controlling your smart home devices, or checking the weather, apps have become part of our daily routine. However, because of their often-trivial nature, it can be easy to overlook potential security issues.
Both organisations, and recreational developers, aim to provide users with accessible and convenient functionality through apps. However, many developers do not fully understand their applications attack surface and may, therefore, pose a security risk to end-users.
To understand the attack surface of an application, we first need to understand the structure of an Android application:
- Activities – activities allow users to interact with the application by providing a user interface. An application can consist of many activities tied together to perform the desired functionality.
- Services – services can be described as the worker of the application; they ensure processes continue to function when the user navigates to other activities or applications. Additionally, if an action were to take a prolonged duration of time, a service would be used.
- Broadcast Receivers – broadcast receivers enable the system to send events to the application out with the regular user flow resulting in a system wide announcement. These can be delivered to the application even if it is not running.
- Content Providers – content providers help manage data that can be stored on the devices file system, within an SQLite database, or on the web.
- Manifest File – the manifest file is where all application components are listed, permissions are stated, aliases set, secret codes created, and determine what actions can be performed.
(Further information regarding these can be found from the official Android documentation)
We now need to understand what risk each component, if misconfigured, could introduce.
Example Misconfigurations
A threat actor would start by carrying out an analysis of the applications Manifest file. By performing this simple action, an understanding of the attack surface would be obtained. Whilst carrying out this, threat actors would be looking for misconfigurations such as, but not limited to:
- Secret Codes – string values that can be entered via the dial pad to launch activities.
- Exported Components – components can either be implicitly or explicitly exported. Exported components enable interaction from other applications and can be launched to bypass restrictions.
- Aliases – aliases, as they sound, give another name to activities. These can be used opposed to the official activity name and are defined within the <activity> tag.
- Debug Prevention – a specific element placed in the <application> tag to prevent debugging.
- Backup – another element within the <application> tag that can be used to allow, or prevent, users from backing up the application and the data associated.
Exported Components will be the focal point here and to demonstrate the risk, a vulnerable application, Sieve, will be used alongside Drozer to exploit misconfigurations.
Sieve behaves as a password manager and is deliberately misconfigured. These deliberate misconfigurations help demonstrate attack vectors a threat actor would use to exploit your application.
Drozer allows threat actors to impersonate an android application allowing interactions with the target application. This would replicate a malicious application on the user’s device, targeting your legitimate app. Further functionality is provided by Drozer such as executing custom payloads, or utilising pre-written exploit scripts, however, this will be outside the scope of this post.
Identification of Components
The first step in a threat actors’ methodology would be to start the enumeration process. Enumeration of the application would include identifying directories where data is written, application permissions and components exported.
Drozer can be leveraged to achieve this information with relative ease. The attack surface can be obtained by issuing the following command: