A security researcher compromised an Android application by exploiting its Intents. Read on to know more…
Android users often face cybersecurity risks due to vulnerabilities in the internal components of popular apps. Recently, one such vulnerability was identified in the internal component called ‘Intents’. Technically speaking, Android apps can be hacked by exploiting their internal messaging components.
Activities, one of the three primary components of Android apps, are called using Intents, which are messaging objects that applications use to communicate with their different components such as Activities, Services, or Broadcast Receivers.
Usually, an application’s AndroidManifest.xml also defines Intent Filters. Mendoza, the security researcher, notes that Intents can be both Explicit (generally used to start a component within the application itself) and Implicit (declaring a general action to perform, which a component from another app could handle).
With every Android application having an AndroidManifest.xml, one can learn detailed information about the app from this file, including declared Intents.
While auditing an internal messaging application designed specifically for communication within a company, the security researcher noticed a series of exported Activities being used. Such exported Activities, the security researcher notes, are often abused for malicious activity, remote code execution, and fake notifications, among others.
By using a root ADB shell connected to a device where the application was running, the researcher was able to achieve authentication bypass by sending an Intent to each exposed Activity component.
Researchers were able to demonstrate that an Android application can be hacked by invoking its exposed Activity components by using ‘Intent’.
In June 2020, researchers were able to hack sensitive data from Android apps via Android’s inter-process communication objects called ‘Intent’.
Detailed information about any Android application (including the declared Intents) can be obtained from the file AndroidManifest.xml (the application manifest file). With this, an attacker can learn which Activities the application exports.
Once the exported Activities are known, it is possible to send an ‘Intent’ to the exposed ‘Activity’ components (by using a root ADB shell), which bypasses the authentication requirements.
Previous ‘Intent’ flaws
Previously, there have been several occasions when bugs were found in Android app ‘Intent’. In November 2018, a flaw, tracked as CVE-2018-9581, was identified in Android app ‘Intents’, which could allow an attacker with physical proximity to a WiFi router to track the location of users within the router’s range.
In August 2018, an API-breaking bug, CVE-2018-9489, was discovered in the Android app ‘Intents’ that could allow hackers to covertly capture Wi-Fi broadcast data in order to track users.
To limit attack surface, application developers should only export components that need to be exposed to other applications, thus minimizing the number of Activities exposed in the AndroidManifest.xml. Validating all data received in Intents should also improve security, just as applying permissions when passing data from other applications would.
According to security experts, applications should be developed to export only those components that are required to be exposed to other applications. This will help reduce the number of ‘Activities’ exposed in the application’s manifest file. Also, all data received through ‘Intents’ must be validated when communicating with other applications.