v1.

MODULE 7

eLearnSecurity © 2014
2
7. Android Dynamic/Runtime Analysis

HOME PARENT REFERENCES VIDEO

 3
7. Android Dynamic/Runtime Analysis

If, on the one side, we have Static Analysis (Reverse

Engineering, App Decompiling, etc.), then on the
other side we have Dynamic (Runtime) Analysis.
Both techniques should be used in conjunction to
obtain better results and cover all necessary tests.

HOME PARENT REFERENCES VIDEO

 4
7. Android Dynamic/Runtime Analysis

What is Dynamic Analysis?

Dynamic Analysis is a technique that aims to

understand software behavior as it executes. This
does not just include analysis but also the device
itself (memory, CPU, performance, threads).
For security testing, some of these behaviors do
not really need a thorough analysis.

HOME PARENT REFERENCES VIDEO

 5
7. Android Dynamic/Runtime Analysis

Dynamic Analysis finds possible vulnerabilities by:

• Debugging application behavior
• Accessing runtime information
• Processes
• Memory
• Reading logs and crash reports
• Changing application behavior and observing the
results

HOME PARENT REFERENCES VIDEO

 6
7. Android Dynamic/Runtime Analysis

The first technique we are going to look at is

debugging. Debugging helps us to understand the
app’s behavior when it runs on the device and how
it interacts as different actions are performed.
Whether we have the source code to inspect or not
will determine our approach.

HOME PARENT REFERENCES VIDEO

 7
7. Android Dynamic/Runtime Analysis

If we have the project or app source, we can run it

on an emulated device or a physical device. As we
do, we can use breakpoints to analyze, step by
step, the application and device behavior. If we do
not have the source, we need to focus on what the
app does and what operations the device performs:
checking other called applications, intents,
functions, etc.

HOME PARENT REFERENCES VIDEO

8
7.1. Debugging

HOME PARENT REFERENCES VIDEO

 9
7.1. Debugging

If we have the opportunity to load and run the app

in ADT we can open the perspective: Window->
Open Perspective -> Debug.

HOME PARENT REFERENCES VIDEO

 10
7.1. Debugging
This will open a new view that allows us to inspect
the code step by step as it runs on the device. Once
we are in the Debug view, we can click on the
debug button and choose the app to run.

HOME PARENT REFERENCES VIDEO

 11
7.1. Debugging

While debugging, we can set breakpoints, inspect

variables, functions and so on.

HOME PARENT REFERENCES VIDEO

 12
7.1. Debugging

In the top bar, we can run typical operations that

can be performed while debugging an application:
things like resuming after a breakpoint, skipping
breakpoints, and stepping into/over/returning.

HOME PARENT REFERENCES VIDEO

13
7.2. LogCat

HOME PARENT REFERENCES VIDEO

 14
7.2. LogCat
A very useful feature that can be used while
performing dynamic analysis (either with or
without the source code) is LogCat. You can see the
LogCat pane in both the Debug view and DDMS
view (or you can run the monitor command).

HOME PARENT REFERENCES VIDEO

 15
7.2. LogCat
If you do not want to start ADT, you can run the
monitor command. This will open the Android
Debug Monitor window:

HOME PARENT REFERENCES VIDEO

 16
7.2. LogCat

As stated on the Android web site, logcat is the

Android logging system and it provides a
mechanism for collecting and viewing system
debug data. By default, Android logs activities and
tasks. In addition, some poorly-coded applications
might leave critical information in these logs.
These debug and log messages can be filtered and
organized for easier reading.

HOME PARENT REFERENCES VIDEO

 17
7.2. LogCat

Here, for example, we can see the logs generated

when a call is performed:

HOME PARENT REFERENCES VIDEO

 18
7.2. LogCat
Note that you can also read logs without starting
ADT, by running the adb logcat command from a
command shell (with or without root privileges).

HOME PARENT REFERENCES VIDEO

 19
7.2. LogCat

The logs are a very important source of

information. We can see how applications behave
when specific actions are performed and we can
find useful information that developers may have
logged. This type of information leakage can lead a
malicious user or app with
android.permission.READ_LOGS to gather sensitive
information and then build more powerful attacks.

HOME PARENT REFERENCES VIDEO

 20
7.2. LogCat
Here we can see that while surfing the web with
the default browser application, we are able to see
the list of websites that the user visited.

HOME PARENT REFERENCES VIDEO

 21
7.2. LogCat

Many applications log information such as account

names, URLs, filenames, etc. For example, Evernote
logs users accounts and messages.

HOME PARENT REFERENCES VIDEO

 22
7.2. LogCat

Let us suppose that the target application (or any

app, for that matter) executes a specific operation
when a text message is received. We could be able
to detect it by inspecting logcat entries. So, if we
are able to install our app on a device that can read
the logs, we can easily access this information.

HOME PARENT REFERENCES VIDEO

23
7.3. DDMS

HOME PARENT REFERENCES VIDEO

 24
7.3. DDMS

DDMS is a very powerful tool for us to use while

performing our tests on Android devices (or
emulators). It offers many features that we can use
for testing such as thread and heap inspection, file
system access, sending SMS messages, starting calls
and more.

HOME PARENT REFERENCES VIDEO

 25
7.3. DDMS

With our device attached, let us open the DDMS

view and then open the tab, ‘Emulator Controller’.
From here we can perform operations like changing
the phone status, sending SMS messages, starting a
call or changing location information.

HOME PARENT REFERENCES VIDEO

 26
7.3. DDMS

These operations are useful when testing the

device’s behavior. We could, for instance, see what
happens as an SMS is sent to or from the device.
Many applications (and malware) use SMS to
interact with the device, so it might be useful to
see how the device itself acts when an SMS is sent
or received.

HOME PARENT REFERENCES VIDEO

 27
7.3. DDMS

To send an SMS just enter the incoming number,

type the message and click ‘Send’.

HOME PARENT REFERENCES VIDEO

 28
7.3. DDMS

In the same way, we can start a call or send a GPS

location.

HOME PARENT REFERENCES VIDEO

 29
7.3. DDMS

Depending on which tab we select in the DDMS

view, we can also explore the device or analyze
memory and threads.

HOME PARENT REFERENCES VIDEO

30
7.4. Memory Analysis

HOME PARENT REFERENCES VIDEO

 31
7.4. Memory Analysis

From a developer’s point of view, the ability to

dump and analyze memory is very handy. It helps
to understand strange behavior like application
crashes.
From a security point of view, dumping and
analyzing memory is very useful because it can
quickly reveal critical information.

HOME PARENT REFERENCES VIDEO

 32
7.4.1. DDMS
We know that DDMS can be used to dump memory
information from the device. To do this, we can
simply select a process from the device list and
then click the button 'Dump HPROF file’.

HOME PARENT REFERENCES VIDEO

 33
7.4.2. HPROF
In Java, HPROF is a tool for heap and CPU profiling.
Android profiling is similar to the Java tool, but we
need to convert the .hprof file before we are able
to inspect it with an Android tool like MAT.
After saving the dump from DDMS, we have to use
a tool called hprof-conv (available in the Android
SDK/tools folder) to convert the file:
>> hprof-conv <original.hprof> <converted.hprof>

HOME PARENT REFERENCES VIDEO

 34
7.4.3. Strings

We can now inspect this file. The easiest tool to use

is strings. It allows us to extract all the strings from
the file. Note that this tool is also available for
Windows and can be download here.

Tip: you can copy the executable file to your C:\Windows\System32

folder in order to execute it from any location.

HOME PARENT REFERENCES VIDEO

 35
7.4.4. Inspect the HPROF dump

Let us see the entire process from beginning to

end: dumping and inspecting an HPROF file.
The target application for our tests will be the
Android native email client application: Email.
The first step is to select the process from the
DDMS view and then click on dump HPROF file.

HOME PARENT REFERENCES VIDEO

 36
7.4.4. Inspect the HPROF dump

Our target process will be com.android.email:

Once we click on Dump HPROF file, let us wait a

few seconds until the HPROF dump completes.

HOME PARENT REFERENCES VIDEO

 37
7.4.4. Inspect the HPROF dump
When the dump is complete, we will have a file
with the extension .hprof. Since we are going to
use strings, we do not need to convert the file. We
only need to convert it if we want to inspect the file
with a tool like MAT (Eclipse Memory Analyzer).

HOME PARENT REFERENCES VIDEO

 38
7.4.4. Inspect the HPROF dump

Now, run strings against this file and save the

results into a new .txt file. To do that, run the
following command:

HOME PARENT REFERENCES VIDEO

 39
7.4.4. Inspect the HPROF dump

Now you can inspect the file with any text editor.

HOME PARENT REFERENCES VIDEO

 40
7.4.4. Inspect the HPROF dump

What can we do with this file?

The information in it is just a part of the whole but
it may be enough for now. Since we are inspecting
the email client process, one of the tasks we could
perform is to search for email addresses. To do
that, use an email regex like the following (yes, it is
complicated!):

[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}

HOME PARENT REFERENCES VIDEO

 41
7.4.4. Inspect the HPROF dump

The result of this search is below:

HOME PARENT REFERENCES VIDEO

 42
7.4.4. Inspect the HPROF dump
If we continue to investigate the file we may find
more email addresses or other more useful
information like account passwords.

HOME PARENT REFERENCES VIDEO

 43
7.4.4. Inspect the HPROF dump
Sometimes, we find information about inbox
emails or queries performed by the tool:

HOME PARENT REFERENCES VIDEO

 44
7.4.4. Inspect the HPROF dump

So, this is all valuable information for us.

Just think what a penetration tester could do with

full access to his target organization’s email
accounts!

HOME PARENT REFERENCES VIDEO

 45
7.4.4. Inspect the HPROF dump

The Email app is obviously not the only app from

which we can extract information. Many apps need
to store credentials, keys, or cookies.
Let us investigate the Evernote app and see what
we can find in its dump.

HOME PARENT REFERENCES VIDEO

 46
7.4.4. Inspect the HPROF dump

Inspecting the file produced with strings, we can

see a few HTTP requests with relative session
cookies, usernames and email addresses.
What we can do, then, is to copy these cookies into
our browser and see if we are able to authenticate
with them. Would not that be an interesting hole?!

HOME PARENT REFERENCES VIDEO

 47
7.4.4. Inspect the HPROF dump

The following is the file contents including the

relative cookies:

HOME PARENT REFERENCES VIDEO

 48
7.4.4. Inspect the HPROF dump
First of all, let us log in via a browser from our PC
with our attacker’s account (atkuser), as shown
below:

HOME PARENT REFERENCES VIDEO

 49
7.4.4. Inspect the HPROF dump
Now, edit your cookies and use the values from the
cookies found in the HPROF dump:

Cookies dumped

atkuser cookies

HOME PARENT REFERENCES VIDEO

 50
7.4.4. Inspect the HPROF dump
Once edited, reload the page. No way! As we can
see, we are now logged in as elsandrouser:

HOME PARENT REFERENCES VIDEO

 51
7.4.5. MAT

We can also use MAT to perform similar analyses.

The first step is to convert the dump so that we can
open it with MAT. In this case, we will use the email
app dump again, so the command would be:

HOME PARENT REFERENCES VIDEO

 52
7.4.5. MAT

We can now open this converted file with MAT.

HOME PARENT REFERENCES VIDEO

 53
7.4.5. MAT
MAT will automatically produce an overview of the
dump, but we are most interested in the
Dominator Tree feature.

HOME PARENT REFERENCES VIDEO

 54
7.4.5. MAT
The Dominator Tree view is useful for us to see
where the bulk of our memory is leaking, but it is
also really useful to simply inspect the dump.

Classes

Regex

Value

HOME PARENT REFERENCES VIDEO

 55
7.4.5. MAT

Another useful tool that we can use from within

MAT is the OQL (Object Query Language) tab. This
feature allows us to query the heap dump with
custom SQL queries.

HOME PARENT REFERENCES VIDEO

 56
7.4.5. MAT
From this view we can execute queries to search
and get information from the dump. For example,
we could select all the elements from the class
java.lang.String:
Execute the query

HOME PARENT REFERENCES VIDEO

 57
7.4.5. MAT

We can perform more advanced queries using SQL

statements and operations like:

HOME PARENT REFERENCES VIDEO

58
7.5. IPC Mechanisms and App Components

HOME PARENT REFERENCES VIDEO

 59
7.5. IPC Mechanisms and App Components

Android applications can communicate with

Android IPC mechanisms such as Intents. These
mechanisms allow applications to call Activities or
communicate through services or broadcasts. If
they are not well-implemented, they can lead to
information leakage or worse.
Let us first see how they work and then how we
can use them to access protected information.

HOME PARENT REFERENCES VIDEO

 60
7.5.1. Intents
An intent is a facility for binding components within
the same app or between different ones. The intent
object contains a description of the operation to
perform or that is being announced (in the case of
broadcasts) and can be used for:
• Launch, get or return information from an
Activity
• Initiate a Service or deliver new instructions
• Deliver messages to all Broadcast receivers

HOME PARENT REFERENCES VIDEO

 61
7.5.1. Intents
An Intent typically contains:
Component name
• The name of the component that should handle the intent (class name of the target component +
package name in the manifest)
Action
• The action that should be performed

Data
• The URI of the data and the MIME type

Category
• Additional information about the component that should handle the intent

Extras
• Key-value pairs for additional information that should be delivered to the component

HOME PARENT REFERENCES VIDEO

 62
7.5.1. Intents

Let us see a typical example of how an intent might

be used to start new activities and send messages
to them. We want to create a simple application
with two activities, where the first activity calls the
second and passes it a message.
Intents are the only objects that provide a binding
between separate components. So, to start a new
activity we have to create an intent.

HOME PARENT REFERENCES VIDEO

63
7.5.1. Intents

This is what our first activity

looks like. We just have a
button that will be used to call
the intent, which will start the
second activity and pass a
message to it.

HOME PARENT REFERENCES VIDEO

 64
7.5.1. Intents

The code associated with the button is below. (This

is the code that will be executed when we click on
the button.) You already know how to set this up.

HOME PARENT REFERENCES VIDEO

 65
7.5.1. Intents

On the first line (1 ) we create a new intent that will

be used to start the activity named SecondActivity.
On the second line (2 ) we create a new string with
the message that we are going to send to the new
activity.

HOME PARENT REFERENCES VIDEO

 66
7.5.1. Intents

On the third line (3 ) we use the putExtra method

to add extended data to the intent. In this case, we
add the message defined in line 2 to the intent
object created on line 1.

HOME PARENT REFERENCES VIDEO

 67
7.5.1. Intents

On the fourth line ( 4 ) we call the method

startActivity (which launches new activities) and
pass it the intent created earlier.

HOME PARENT REFERENCES VIDEO

 68
7.5.1. Intents

This is the most important piece of code contained

in our first activity.
Let us have a look at how the second activity can
get the message from the intent received and print
the message into a TextView object.

HOME PARENT REFERENCES VIDEO

 69
7.5.1. Intents

The following is the code for the second Activity.

In the first two lines, we get the intent received and

then we extract the message from it. Then, in the
third and fourth lines, we assign the message to a
TextView object.

HOME PARENT REFERENCES VIDEO

 70
7.5.1. Intents
If we run the application, this is what we will get
when we click the button in the first activity:

If you want to test this app, you can download the

DOWNLOAD TestIntents.rar file from the members area (Labs tab).

HOME PARENT REFERENCES VIDEO

 71
7.5.1. Intents

In a different way, an intent might be sent to any of

the broadcast methods (such as sendBroadcast)
and delivered to all of the interested broadcast
receivers.

HOME PARENT REFERENCES VIDEO

 72
7.5.1. Intents

A typical example of an intent that is passed

through a broadcast method is battery status:
(ACTION_BATTERY_LOW).
Every application that defines this receiver in its
AndroidManifest will be informed of battery status
when it reaches the low level threshold.

HOME PARENT REFERENCES VIDEO

 73
7.5.1. Intents

Now that we know how intents work, let us dig a

little more deeply into Intents and Intent Filters.
The application that we will use in the next few
slides is contained in the Android SDK. You can find
it in the following folder:

<path_to_sdk>\sdk\samples\android-<version>\NotePad

HOME PARENT REFERENCES VIDEO

 74
7.5.1. Intents

To inform the system about intents they are

interested in, activities, services and broadcast
receivers can specify one or more intent filters.

These describe the component’s capability and a

set of intents that the component may want to
receive.

HOME PARENT REFERENCES VIDEO

 75
7.5.1. Intents

Since the Android Operating System must know in

advance which capabilities a component might
provide, intent filters are specified in the
AndroidManifest.

HOME PARENT REFERENCES VIDEO

 76
7.5.1. Intents

The activity named NotesList describes several

intent filters. The first is standard for all
applications and sets the main entry point for the
app, while the LAUNCHER category says that the
app should be displayed in the device application
launcher.

HOME PARENT REFERENCES VIDEO

 77
7.5.1. Intents

This filter sets the actions that the activity can

perform (VIEW, EDIT, PICK) on the notes. The
mimeType indicates the type of data required for
these actions.

HOME PARENT REFERENCES VIDEO

 78
7.5.1. Intents

Let us see an example that will help us to

understand what an intent filter does.
In the previous slide, we learned that an
application defines an intent filter with the action
element set to android.intent.action.MAIN in one
of their activity components.

HOME PARENT REFERENCES VIDEO

 79
7.5.1. Intents

This intent filter tells the Android Operating System

to register that specific activity as the activity that
initiates the application. So, every time we call the
android.intent.action.MAIN (without specifying any
other properties), this activity will be triggered.

HOME PARENT REFERENCES VIDEO

 80
7.5.1. Intents

Since almost all applications have this intent filter

set in their manifest, whenever we call this intent,
the Operating System may not know which app
should handle the request.
In that case, it will ask us to choose the application
that we want to use to complete the action.

HOME PARENT REFERENCES VIDEO

 81
7.5.1. Intents

So, when the following code is

executed, Android will display all
the applications that define in their
manifest an activity with the action
android.intent.action.MAIN set in
the intent filter.

HOME PARENT REFERENCES VIDEO

 82
7.5.1. Intents

Another example of intent filters is defined in Web

Browsers. Every web browser wants to handle the
action when a user clicks on a link.
To do this, they need to define an intent filter to
tell the Operating System that they can handle the
action.

HOME PARENT REFERENCES VIDEO

 83
7.5.1. Intents

In summary, this is what will happen:

HOME PARENT REFERENCES VIDEO

 84
7.5.1. Intents

Note that everything specified within an intent

filter can be used by any other application. This
means that, using the previous configuration of
intent filters, any application can view, edit or pick
a note, as well as start the NotePad application.

HOME PARENT REFERENCES VIDEO

 85
7.5.1. Intents

Also, while an intent filter declares a component to

be able to receive only certain kinds of implicit
intents, it does not prevent the app from sending
explicit intents to the component. This means that
someone could always put together an explicit
intent with a different action and data source, and
name their own component as the target.

HOME PARENT REFERENCES VIDEO

 86
7.5.1. Intents

Another way to open activities, services, content

providers or broadcast receivers to other apps is by
using the attribute android:exported=true|false.
Activity Service Provider Receiver

True Can be launched by Can be invoked by Available to Can receive

other app other apps other apps messages from
other apps
False Only components of Only components Limit access to Can receive
the same app or of the same app or applications with messages only
with the same UID with the same UID the same UID from apps with the
same UID

HOME PARENT REFERENCES VIDEO

 87
7.5.1. Intents

As you can imagine, if this attribute is not well-

implemented, a malicious app could get private
information or even bypass security checks.
Before seeing how, let us have a look at some other
useful tools provided with the Android SDK.

HOME PARENT REFERENCES VIDEO

 88
7.5.2. Android tools

You already know that the Android SDK offers many

tools that can be used for testing.
Many of these allow us to automatically run events,
start applications, call or send broadcast intents. All
of these operations can be useful in testing our
device or application. Before seeing them, let us
clarify some concepts on IPC Mechanisms and
Intents.

HOME PARENT REFERENCES VIDEO

 89
7.5.2.1. Monkey

A very useful tool that allow us to inspect device or

app behavior is monkey. Monkey is a command-line
tool that can run on emulators and physical devices
and is mainly used for stress tests.
It basically act like a monkey pounding on your
device: sending a pseudo-random stream of user
events. It could be very useful for us during our
dynamic analysis.

HOME PARENT REFERENCES VIDEO

 90
7.5.2.1. Monkey

Monkey can be configured using:

• Basic options such as the number of events,
• Operational constraints (restrict the test to a
single packet),
• Event types and frequencies, and
• Debugging options.

HOME PARENT REFERENCES VIDEO

 91
7.5.2.1. Monkey

Let us see how to run it. Suppose we want to

execute our tests against the application Dropbox.
We run the following command:

adb -s emulator-5554 shell monkey -p com.dropbox.android -v 500

where -p indicates the packages that will be tested,

-v is the verbosity option and 500 is the number of
events to send.

HOME PARENT REFERENCES VIDEO

 92
7.5.2.1. Monkey
The following snapshot shows the results of the
previous command. Here, we can see some of the
operations performed by the tool:

HOME PARENT REFERENCES VIDEO

 93
7.5.2.1. Monkey

Monkey is especially useful if we attach a debugger.

For example, we could run monkey while the device
is attached to the DDMS, so that we had the ability
to inspect logcat events or dump an HPROF file.

HOME PARENT REFERENCES VIDEO

 94
7.5.2.2. Activity Manager

If we want to manually execute similar operations,

we can use a tool called Activity Manager (am).
Like monkey, am is a command-line tool and it is
available in the Android SDK.
This tool allows us to perform various operations:
start an activity, stop a process, broadcast intents,
etc.

HOME PARENT REFERENCES VIDEO

 95
7.5.2.2. Activity Manager

To see the Activity Manager options let us start an

adb shell and run the am command :

HOME PARENT REFERENCES VIDEO

 96
7.5.2.2. Activity Manager

As we can see from the help menu, we can run

with many different options: start an activity, send
broadcast intents or monitor the interaction the
system has with the application with the
Instrumentation option.
Let us look at some examples of how we can start a
specific activity. This could be useful later on in
order to bypass or access an app specific activity.

HOME PARENT REFERENCES VIDEO

 97
7.5.2.2. Activity Manager

Let us suppose that our target application is the

NotePad application we saw earlier. From the app
AndroidManifest, we can see several activities and
intent filters.
Let us try to run an intent to start the application in
the same way Android does when we tap on the
app icon in the launcher.

HOME PARENT REFERENCES VIDEO

 98
7.5.2.2. Activity Manager
From the AndroidManifest we know that the
activity named NotesList has the action MAIN (the
default intent that will be called if we tap the icon
in the launcher). This is what we want to run.

HOME PARENT REFERENCES VIDEO

 99
7.5.2.2. Activity Manager

Let us execute the command that runs the app. We

need the activity name, the action name and the
package name:
• Activity name: NotesList
• Action name: android.intent.action.MAIN
• Package: com.example.android.notepad

HOME PARENT REFERENCES VIDEO

 100
7.5.2.2. Activity Manager

We can then run the following command:

ACTION
am start -a android.intent.action.MAIN
-n com.example.android.notepad/.NotesList

PACKAGE ACTIVITY

HOME PARENT REFERENCES VIDEO

 101
7.5.2.2. Activity Manager
The previous
command will
open and display
the main activity
on the device
(NotesList).

HOME PARENT REFERENCES VIDEO

 102
7.5.2.2. Activity Manager

In a similar way, we could run any other activity

specified in the intent profile. Let us suppose we
wanted to run the activity that allows us to edit a
note.
If we inspect the manifest we can see that there is
an action named EDIT declared in the activity
“NoteEditor”.

HOME PARENT REFERENCES VIDEO

 103
7.5.2.2. Activity Manager

Note that the <data> element specifies the

mimeType and the URI to use with the intent filter.
Note also that the type is ‘vnd.android.cursor.item’
instead of dir.
HOME PARENT REFERENCES VIDEO
 104
7.5.2.2. Activity Manager

This indicates a particular item. The cursor will

contain one item.

This indicates multiple items (a directory). The

cursor will contain from 0 to x items.

HOME PARENT REFERENCES VIDEO

 105
7.5.2.2. Activity Manager

This information is useful in understanding what

data we need to send to the activity. In our case it
is useful so that we may specify whether we want
to view or edit the list of notes or a specific note.
Let us see how to create the command to start an
activity to edit a specific note.

HOME PARENT REFERENCES VIDEO

 106
7.5.2.2. Activity Manager

This time, we have to use the activity named

NoteEditor, and use the action EDIT. Since we want
to edit a note, we need to provide the data (URI) of
the note as follows:

am start -a android.intent.action.EDIT
-n com.example.android.notepad/.NoteEditor
-d content://com.google.provider.NotePad/notes/1

HOME PARENT REFERENCES VIDEO

 107
7.5.2.2. Activity Manager

With the –d option we specify the DATA_URI to

send:
content://com.google.provider.NotePad/notes/1

Scheme Authority Path ID

Scheme Authority Path ID

Scheme portion A string that Zero or more segments, A unique numeric
of the URI. identifies the separated by a forward identifier for a single
entire content slash (/), that identify a row in the subset of
provider. subset of the provider data identified by the
data. preceding path part.

HOME PARENT REFERENCES VIDEO

 108
7.5.2.2. Activity Manager

The previous
command will
open the
following activity.

HOME PARENT REFERENCES VIDEO

 109
7.5.2.3. LAB: Bypass Security Checks

Now that you know how to start a specific activity,

try to bypass the first screen of the following
Android application. Note that you do not need to
debug or inspect the source code. All the
information that you need is stored in the
AndroidManifest.
The archive (securenotes.rar) contains the source code of
DOWNLOAD the app and its installer (securenotes.apk). You can
download it from the members area (Labs tab).

HOME PARENT REFERENCES VIDEO

110
7.5.2.3.1. LAB: Solution

SOLUTION
Please continue only if you have completed your lab.

HOME PARENT REFERENCES VIDEO

 111
7.5.2.3.1. LAB: Solution

The first thing to do is to

download the application
and then install it to your
device. This is what we will
see when we start the app.

HOME PARENT REFERENCES VIDEO

 112
7.5.2.3.1. LAB: Solution

There are many ways that we can try to bypass this

screen. We could try to bruteforce the access code,
we could decompile the app and try to find any
useful information that could allow us to get the
passcode, or we can try to call the next activity
with the ActivityManger tool and see if there are,
perhaps, missing security checks.

HOME PARENT REFERENCES VIDEO

 113
7.5.2.3.1. LAB: Solution

In our case we want to test whether the next

activity can be accessed without entering the
passcode. What we have to do is inspect the
application AndroidManifest and see if we can find
the name of the activity to run. We can use the
AndroidManifest provided in the archive, or we can
decompile the application and extract the manifest
from there.

HOME PARENT REFERENCES VIDEO

 114
7.5.2.3.1. LAB: Solution

Once we have
the manifest
open, we
should see
something like
this.

HOME PARENT REFERENCES VIDEO

 115
7.5.2.3.1. LAB: Solution

If we inspect the AndroidManifest.xml we see that

the application has at least 3 activities and 2 of
them have the node ‘intent-filter’. With this
information we can try to use the Activity Manager
tool to bypass the Login activity and the secure
code itself.

HOME PARENT REFERENCES VIDEO

 116
7.5.2.3.1. LAB: Solution

The activity we want to start is

‘com.els.securenotes.Notes’, so you would run the
following command:

am start -n com.els.securenotes/.Notes

HOME PARENT REFERENCES VIDEO

 117
7.5.2.3.1. LAB: Solution

As expected, the application

does not verify whether we
have entered the correct code
in the previous activity,
because it trusts that this
activity has been started by
the main activity (something
that can be done only if we
enter the correct code).

HOME PARENT REFERENCES VIDEO

 118
7.5.2.3.1. LAB: Solution

Using the same technique,

we can also start the activity
named AddNote:

am start -n com.els.securenotes/.AddNote

HOME PARENT REFERENCES VIDEO

119
VIDEO: Android Runtime Analysis

Click on the image to open the video.

HOME PARENT REFERENCES VIDEO

 120
7.5.3. Content Providers

Now that we know more about activities and

intents, let us look at another very important
android component: the content provider.
As stated in the official Android documentation:

Content providers manage access to a structured set of

data. They encapsulate the data, and provide mechanisms
for defining data security. Content providers are the
standard interface that connects data in one process with
code running in another process.

HOME PARENT REFERENCES VIDEO

 121
7.5.3. Content Providers

If, on one hand, the application that exports a

content provider uses its own user interface to
access and work with data, on the other hand the
content provider has its own job: to export that
data to other applications.
A couple of examples of content providers
implemented in Android are calendar and contacts.

HOME PARENT REFERENCES VIDEO

 122
7.5.3. Content Providers

Data contained in the content providers are

organized like tables in relational databases. The
following is an example of how the data might be
stored in the table:

_ID Title Comment

1 My first note Note comment
2 Meeting 09:00 @ Sarah H.
… … …
… … …

HOME PARENT REFERENCES VIDEO

 123
7.5.3. Content Providers

In order to access the data contained in content

providers, other applications must use a
ContentResolver object.
From our security point of view, it is important to
know that to access a content provider, another
application usually has to request specific
permissions in its AndroidManifest.xml.

HOME PARENT REFERENCES VIDEO

 124
7.5.3. Content Providers

For example, if an application needs to access the

Contacts Provider, it must specify this in its
manifest. Here, there are two permission requests,
one for read permissions and one for write
permissions:

HOME PARENT REFERENCES VIDEO

 125
7.5.3. Content Providers
This is required only if the application that offers
the content provider specifies the permission in its
AndroidManifest. With the following code, the app
protects its own components (activities, services,
broadcast receivers, or content providers) with the
permission READ_NOTE.

HOME PARENT REFERENCES VIDEO

 126
7.5.3. Content Providers

Note that there are other options that the

application could use to export its content provider.
For example, the app can use options such as
android:exported or android:protectionLevel to
improve its security or manage which apps can
access the provider.

HOME PARENT REFERENCES VIDEO

 127
7.5.3. Content Providers

The android:exported option indicates whether a

content provider (activity, service or receiver) is
available for other applications.

It is important to know that for applications that

set android:minSdkVersion or
android:targetSdkVersion to "16" or lower, the
default value is true!

HOME PARENT REFERENCES VIDEO

 128
7.5.3. Content Providers

When we talk about security, this behavior is very

important to note, because if content providers
and permissions are not well-implemented, we
might be able to access application information
without any permission checking at all.

HOME PARENT REFERENCES VIDEO

 129
7.5.3. Content Providers

This has happened many times in the last few

years, such as for the application Message
GOWidget (version 2.3/17) which is a desktop
widget that displays SMSs.
In this version, the application database cached all
incoming SMS information but it was not properly
configured and the cache could be accessed by any
app using its content provider: .DataProvider.

HOME PARENT REFERENCES VIDEO

 130
7.5.3. Content Providers

This misconfiguration allowed malicious users to

get all SMS information from the device without
needing permission.

HOME PARENT REFERENCES VIDEO

 131
7.5.3. Content Providers

In order to better understand how content

providers work and how permissions are managed,
let us pull out a few examples that show how to
access this information, both with and without
permissions.

HOME PARENT REFERENCES VIDEO

 132
7.5.3.1. Example 1
In this first example, we want our application to
export data, but we also want other apps to be
sure to ask for a specific permission. This is what
we need in our application AndroidManifest.
OUR APPLICATION MANIFEST (VICTIM APP)

HOME PARENT REFERENCES VIDEO

 133
7.5.3.1. Example 1

With the previous configuration, any application

that wants to access our content provider must
define the uses-permission element in its own
manifest. So, other apps must have something like
this in their manifest:
MALICIOUS APP

HOME PARENT REFERENCES VIDEO

 134
7.5.3.1. Example 1
Here we see that a malicious app is able to query
our database and print the results on the screen.

TARGET APP
MALICIOUS APP

HOME PARENT REFERENCES VIDEO

 135
7.5.3.2. Example 2

Let us see what happens if we delete the element

uses-permission from the malicious app.

If the permission works as intended, we now

should not be able to access the target app
information.

HOME PARENT REFERENCES VIDEO

 136
7.5.3.2. Example 2

We see that if we run the malicious app again

(without permissions), our app crashes and we can
see a permissions error by using LogCat:

HOME PARENT REFERENCES VIDEO

 137
7.5.3.3. Example 3

Let us see what happens when content providers

and permissions are not properly implemented.
The only thing that we will define in our app
manifest is the content provider:

As you can see, there is no permission element.

HOME PARENT REFERENCES VIDEO

 138
7.5.3.3. Example 3
With this configuration, the malicious app does not
require permission to access our data; we are able
to access all information stored in the target app:

TARGET APP
MALICIOUS APP

No permission defined
in the manifest

HOME PARENT REFERENCES VIDEO

 139
7.5.3.4. Query a content provider

You may remember that we need to use a

ContentResolver object in order to access and
retrieve data from content providers. This object
has methods that call identically-named methods
in the provider object and provide basic "CRUD"
(create, read, update, and delete) functionality.

HOME PARENT REFERENCES VIDEO

 140
7.5.3.4. Query a content provider

For example, if we want to get data we can use the

method query() to perform our select query against
the content provider, while if we want to insert
data we can use the insert() method.
In order to understand how this works, let us look
at some simple code that allows us to get
information from the contacts stored on the
device.

HOME PARENT REFERENCES VIDEO

 141
7.5.3.4. Query a content provider
All of the methods of the provider object (query,
insert, update, delete) have the same arguments as
(and are similar to) a SQL query. The arguments
are:
Argument Android SQL query
URI Table in the provider named table_name FROM table
projection An array of columns to retrieve column, column, …
selection The criteria for selecting rows WHERE
selectionArgs Selection arguments replace ? placeholders in the
selection clause
sortOrder The order in which rows appear in the return ORDER BY

HOME PARENT REFERENCES VIDEO

 142
7.5.3.4. Query a content provider

Remember that the URI identifies data in the

provider and is composed as follows:
content://com.google.provider.NotePad/notes/1

Scheme Authority Path ID

where path is generally the table we want to access

and ID is the id in the table (note that ID is not
required).

HOME PARENT REFERENCES VIDEO

 143
7.5.3.4. Query a content provider

Now that we know how the URI is composed, let us

write a simple app that tries to get all the contacts
stored on the device. The only information we
need is the URI. In this case, it will be:
content://com.android.contacts/contacts/
or we can use the constant for the contact table
provided by Android:
ContactsContract.Contacts.CONTENT_URI

HOME PARENT REFERENCES VIDEO

 144
7.5.3.4. Query a content provider

So, let us create a new app

named GetContacts and add
a text field to the main
activity.
We will drop the results of
the query into this field.

HOME PARENT REFERENCES VIDEO

 145
7.5.3.4. Query a content provider
Now we can enter our code in the main activity and add
the permission android.permission.READ_CONTACTS to the
android manifest.

URI

Run the query

Dump the results of the query and write it to the TextView created earlier

HOME PARENT REFERENCES VIDEO

 146
7.5.3.4. Query a content provider

In this example we
have specified just
the URI without any
arguments in the
query() method. This
allows us to get all of
the information from
the contacts table.

HOME PARENT REFERENCES VIDEO

 147
7.5.3.4. Query a content provider
Let us change the query up now to get only the
name (display_name) of the contact with _ID = 1:

This code will run something like the following query:

SELECT display_name FROM contacts WHERE _ID = 1;

HOME PARENT REFERENCES VIDEO

 148
7.5.3.4. Query a content provider

With the previous code, we

will see something like this:

HOME PARENT REFERENCES VIDEO

 149
7.5.3.4. Query a content provider

DOWNLOAD

You can download the application GetContacts

from the members area (Labs tab).
Also, if you want to know more about content
providers, the Android documentation is a great
resource to use.

HOME PARENT REFERENCES VIDEO

 150
7.5.3.5. Find the correct URI

To exploit this kind of vulnerability, we must know

the correct URI of the content provider we want to
query. For public content providers, the URIs are
usually provided by the apps themselves; if we
want to discover the content providers and the
URIs for a specific app, we have to decompile the
app and inspect the AndroidManifest.xml and the
classes.dex file.

HOME PARENT REFERENCES VIDEO

 151
7.5.3.5. Find the correct URI
We have already seen how to decompile an .apk
file to extract the AndroidManifest.xml. So, once
we have the manifest, we need to search for
provider elements:

HOME PARENT REFERENCES VIDEO

 152
7.5.3.5. Find the correct URI
If we want to find possible URIs, we have to extract
the file classes.dex from the .apk and then search
for strings like ‘content://’. The first step is to
change the extension of the app from .apk to .zip
and then extract the file classes.dex.

HOME PARENT REFERENCES VIDEO

 153
7.5.3.5. Find the correct URI

Now that we have the classes.dex file we can use

the strings tool to extract all the strings.

strings classes.dex > classes.txt

Now, we can open the file we just created

(classes.txt) and search for the string ‘content://’.

HOME PARENT REFERENCES VIDEO

 154
7.5.3.5. Find the correct URI
The following screenshot shows us all possible URIs
that we can use:

HOME PARENT REFERENCES VIDEO

 155
7.5.3.6. Lab: Content providers leakage

Now that you know how to find content providers,

correct URIs and how they can be exploited,
download and install to your device the SimpleNote
application and write your own app to leak
information from the app database.

You can download the SimpleNote.rar file from the

DOWNLOAD members area (Labs tab).

HOME PARENT REFERENCES VIDEO

156
7.5.3.6.1. Lab Solution: Content providers leakage

SOLUTION
Please continue only if you have completed your lab.

HOME PARENT REFERENCES VIDEO

 157
7.5.3.6.1. Lab Solution: Content providers leakage

The first thing to do is to

install the application on the
device and see how it works.
The application name is
SimpleNote and it allows us
to write and edit notes.

HOME PARENT REFERENCES VIDEO

 158
7.5.3.6.1. Lab Solution: Content providers leakage
We want to verify whether we are able to get notes
from external applications, so the first thing we
have to check is whether there are content
providers available for this application. So, let us
decompile the application and extract the
AndroidManifest.xml.
We have learned a few different methods for that.
Let us use apktool:
>>apktool.bat d C:\SimpleNote.ap C:\simplenote

HOME PARENT REFERENCES VIDEO

 159
7.5.3.6.1. Lab Solution: Content providers leakage

Now that we have the AndroidManifest, let us

inspect its content and check for a provider
element:

HOME PARENT REFERENCES VIDEO

 160
7.5.3.6.1. Lab Solution: Content providers leakage

We now know that the application implements a

content provider and that there are no restrictions
or permissions.
With this information, our next step is to extract
information from the app to get the correct URI. If
this works, we should be able to retrieve
information from the application database.

HOME PARENT REFERENCES VIDEO

 161
7.5.3.6.1. Lab Solution: Content providers leakage
In order to find the URI, we change the .apk
extension of the app to .zip and then extract the
file classes.dex. Then we can use the strings tool to
find all the strings starting with ‘content://’.

HOME PARENT REFERENCES VIDEO

 162
7.5.3.6.1. Lab Solution: Content providers leakage

As we can see from the screenshot above, we are

able to find the following URI:

content://com.els.simplenote.contentprovider/notes

HOME PARENT REFERENCES VIDEO

 163
7.5.3.6.1. Lab Solution: Content providers leakage

With this information, we should now be able to

easily write a simple attack application that tries to
leak data from the SimpleNote content provider.

HOME PARENT REFERENCES VIDEO

 164
7.5.3.6.1. Lab Solution: Content providers leakage

Our code will look like this:

URI discovered earlier

Get the result of the query

Iterate the cursor and print

each row to the TextView

HOME PARENT REFERENCES VIDEO

 165
7.5.3.6.1. Lab Solution: Content providers leakage
And, as we can see from the following screenshot,
we are able to steal data from the SimpleNote DB.

HOME PARENT REFERENCES VIDEO

 166
7.5.3.6.1. Lab Solution: Content providers leakage

You can download the malicious app

SimpleNoteLeak from the members area (Labs
tab).

The package SimpleNoteLeak.rar contains the source code

DOWNLOAD for the malicious application.

HOME PARENT REFERENCES VIDEO

167
Video: Android Content Provider

Click on the image to open the video.

HOME PARENT REFERENCES VIDEO

 168
7.5.3.7. SQL Injection

As you can imagine, since content providers allow

data retrieval via SQL queries, if they are not well
implemented, they can lead to SQL Injection
vulnerabilities.
Before we look at how to exploit a possible SQL
injection vulnerability, let us see a few examples
that will help us understand how to create queries.

HOME PARENT REFERENCES VIDEO

 169
7.5.3.7. SQL Injection

With the code above, the SQL query that will be

executed is the following:

“ SELECT _id, summary FROM notes WHERE _id = 1

projection selection
”
HOME PARENT REFERENCES VIDEO
 170
7.5.3.7. SQL Injection

As you can see there are a few possible injection

points that we can use. Both projection and
selection can be edited in order to inject our
custom query (sortOrder, too is affected).
Note that the code shown in the previous slide is
not the app implementation of the query, it is our
attacker app code that will query the target content
provider.

HOME PARENT REFERENCES VIDEO

 171
7.5.3.7. SQL Injection

Usually, a much safer and more correct

implementation of the query looks like this:

User input is not used to

select columns from the table

? is a replaceable parameter
and a separate array of
selection arguments. Since it is
not treated as SQL, the input
cannot inject malicious SQL

HOME PARENT REFERENCES VIDEO

 172
7.5.3.7. SQL Injection

Let us see how we can test for and eventually

exploit a possible SQL injection. To do this we will
use the app we used for the previous Lab:
SimpleNote.
We already know the URI of the content provider
app and we also know that the app does not
require permissions to query. So, we can reuse our
attacker application.

HOME PARENT REFERENCES VIDEO

 173
7.5.3.7. SQL Injection

Our first attempt to test the content provider for

SQL injection weakness is to edit the selection
clause. Let us try to get all the values of the
element with _ID = 1. We will insert something like
this into our query:

“
String selection = "_id = 1";
Cursor curs = getContentResolver().query(targURI,null,selection,null,null);

”
HOME PARENT REFERENCES VIDEO
 174
7.5.3.7. SQL Injection

When we issue this query,

we will get the following
result:

HOME PARENT REFERENCES VIDEO

 175
7.5.3.7. SQL Injection

This means that we can customize the query that

the app will execute. We can then try to run a
simple SQL injection to see whether it is
vulnerable. Let us try to get all elements by using
the following selection:

“ String selection = "_id = 1 or 1 = 1";

”
HOME PARENT REFERENCES VIDEO
 176
7.5.3.7. SQL Injection

As we can see from the

results, we were able to get
all elements from the table.
The content provider does
seem to be vulnerable to SQL
injections.

HOME PARENT REFERENCES VIDEO

 177
7.5.3.7. SQL Injection

Let us now test whether the projection field is also

vulnerable to SQL injection. Instead of injecting to
the WHERE clause, let us try to inject to the table
that the query returns (projection). Once again, let
us first try a correct query that will display only the
‘_ID’ column:
String[] Projection = {"_ID"};
Cursor curs = getContentResolver().query(
targURI,Projection,null,null,null);

HOME PARENT REFERENCES VIDEO

 178
7.5.3.7. SQL Injection

Here we can see that the

content provider created the
query using our parameters.
So, we are able to get only the
_ID columns:

HOME PARENT REFERENCES VIDEO

 179
7.5.3.7. SQL Injection
Now we have to test if the projection string is
vulnerable, too. Since our code will be used in the
first part of the query (columns), we can try to
inject the following code:
* FROM sqlite_master;

With this code, we will execute something like the

following query:
SELECT * FROM sqlite_master;

HOME PARENT REFERENCES VIDEO

 180
7.5.3.7. SQL Injection
Note that the ‘;’ (semicolon) at the end of our
injection string tells the DBMS that the query is
finished and can be executed (it is the statement
terminator). Let us see what happens when we run
the code.

SELECT projection FROM ….

SELECT * FROM sqlite_master;
* FROM sqlite_master;

HOME PARENT REFERENCES VIDEO

 181
7.5.3.7. SQL Injection

As we can see, we are able to

execute the query and get
the contents of the table
sqlite_master. Note that
sqlite_master defines the
schema of the database.

HOME PARENT REFERENCES VIDEO

 182
7.5.3.8. SQL Injection

Now that you know how to find and exploit SQL

injection vulnerabilities, download and install the
application eLSNotePro. Your goal is to create an
app that is able to steal information from the
eLSNotePro database.

You can download the eLSNotePro.rar file from the

DOWNLOAD members area (Labs tab).

HOME PARENT REFERENCES VIDEO

183
7.5.3.8.1. LAB Solution: SQL Injection

SOLUTION
Please continue only if you have completed your lab.

HOME PARENT REFERENCES VIDEO

 184
7.5.3.8.1. LAB Solution: SQL Injection

Once we install the app, we can see that if we click

the top menu and then select the secure option, a
new activity is started. This activity is protected by
a code and, unless we enter the correct code, we
are not able to see any data.
What we want to do is to create an app that is able
to read this data.

HOME PARENT REFERENCES VIDEO

 185
7.5.3.8.1. LAB Solution: SQL Injection

In the same manner as for the previous lab, we

have to find the app content providers and the
URIs. Once we have them, we can continue our
investigation to find possible injection points. For
this app, the URI of the content provider is:

content://com.els.notepro.contentprovider/notes

HOME PARENT REFERENCES VIDEO

 186
7.5.3.8.1. LAB Solution: SQL Injection

We can then start writing our attacker app to

interact with the target content provider.
If we try to query the content provider without any
parameters, we will be able to get all the notes
stored in the database, but these are the same
notes that we can read from the main activity of
the app.

HOME PARENT REFERENCES VIDEO

 187
7.5.3.8.1. LAB Solution: SQL Injection

The following code allows us

to get data from the
database:

HOME PARENT REFERENCES VIDEO

 188
7.5.3.8.1. LAB Solution: SQL Injection
But, we want to get private data that is accessible
only if we provide the correct code in the
application activity. We can test the content
provider against SQL injections, and if it is
vulnerable, we will try to get all the data. The first
step is to get all the data contained in the current
database. We can do that by injecting the following
string in the WHERE clause:
_ID = 1 or 1 = 1

HOME PARENT REFERENCES VIDEO

 189
7.5.3.8.1. LAB Solution: SQL Injection

But, as we can see from the

results, the data is the same
as before. This could mean
that the data might be stored
in another table. So, let us edit
our query to get the database
schema.

HOME PARENT REFERENCES VIDEO

 190
7.5.3.8.1. LAB Solution: SQL Injection

In order to get the schema, we can test if

projection is also vulnerable to SQL injection and
then retrieve all the tables defined in the database.
We can do this by injecting the following code:

* FROM sqlite_master WHERE type = 'table';

HOME PARENT REFERENCES VIDEO

 191
7.5.3.8.1. LAB Solution: SQL Injection

From the results, we can see that projection is

vulnerable to SQL injection and we are also able to
obtain the name of another table named
‘noteprosecure’.

HOME PARENT REFERENCES VIDEO

 192
7.5.3.8.1. LAB Solution: SQL Injection

Note that if projection is not

vulnerable, we are still able to
get this information by
injecting the selection clause
with a more complicated SQL
injection:

HOME PARENT REFERENCES VIDEO

 193
7.5.3.8.1. LAB Solution: SQL Injection
Now that we know the name of the other table, we
can edit our injection to retrieve this new table
content. We can get it by injecting either projection
or selection:

1 = 0 returns false. This is used to display only the results of the second
query (UNION SELECT * from noteprosecure)

HOME PARENT REFERENCES VIDEO

194
7.5.3.8.1. LAB Solution: SQL Injection

HOME PARENT REFERENCES VIDEO

 195
7.5.3.8.1. LAB Solution: SQL Injection

You can download the malicious app NoteProSQLi

from the members area (Labs tab).

The package NoteProSQLi.rar contains the source code of

DOWNLOAD the malicious application.

HOME PARENT REFERENCES VIDEO

 196
7.5.3.9. Directory Traversal

Another kind of vulnerability that affects content

providers (as well as services) is the directory
traversal vulnerability.
If the app allows file reads without specifying
permissions, other apps can exploit this
vulnerability to read data from the vulnerable app.

HOME PARENT REFERENCES VIDEO

 197
7.5.3.9. Directory Traversal

An app affected by this vulnerability was the Adobe

Reader app. The app exposed a content provider
(com.adobe.reader.fileprovider) that allowed other
apps to read files. Since the input is not properly
sanitized and the method has no permissions set, a
malicious user might be able to read files by
exploiting a directory traversal:

content://com.adobe.reader.fileprovider/../../../file_to_read

HOME PARENT REFERENCES VIDEO

 198
7.5.3.9. Directory Traversal

The following application (FileBrowser) is

vulnerable to directory traversal. Let us inspect its
source code to better understand how this
vulnerability can be implemented and exploited.

You can download the FileBrowser.rar file from the

DOWNLOAD members area (Labs tab).

HOME PARENT REFERENCES VIDEO

 199
7.5.3.9. Directory Traversal

In order to offer file operations, an app can

implement content providers that, given a URI,
allow file access to the app itself (or other apps). To
do this, the content provider needs to implement
the openFile method.
Methods like query, insert, update, etc. are not
suitable for these kinds of operations; they are best
for interacting with databases, obviously.

HOME PARENT REFERENCES VIDEO

 200
7.5.3.9. Directory Traversal

A very simple implementation of the openFile

method is the following:

Get the file starting from

path /sdcard + URI

If the file exists, return it

HOME PARENT REFERENCES VIDEO

 201
7.5.3.9. Directory Traversal

Given a URI, the previous method will return a

ParcelFileDescriptor file object.
The app can then operate on this object to handle
the file. Once again, if the content provider is not
well-implemented, any app can request a file using
this method by simply passing a URI.

HOME PARENT REFERENCES VIDEO

 202
7.5.3.9. Directory Traversal

Here is the code used by the app itself to open and

read a file:
Open a stream to the content
associated with a content URI
File URI

Open the file, read it line by line and

append it to the TextView component

HOME PARENT REFERENCES VIDEO

 203
7.5.3.9. Directory Traversal
With this code, the app is able to get the contents
of a file stored on the SD card:

HOME PARENT REFERENCES VIDEO

 204
7.5.3.9. Directory Traversal

Since the content provider is exported to external

applications, a malicious app could use it to read
files using the FileBrowser app context. Further,
there are no security checks or input sanitization
on the URI. This weakness can allow an external
app to use a directory traversal attack to read other
files, and it can be done by adding and repeating
the characters ‘../’ in the URI, followed by the
names of the files it wants to read.

HOME PARENT REFERENCES VIDEO

 205
7.5.3.9. Directory Traversal

Let us see how the attack app could use the target
content provider to read a file, and then see how to
exploit directory traversal. You can download the
attacker application from the members area (Labs
tab).

The package FileExplorerExploit.rar contains the source

DOWNLOAD code for the malicious application.

HOME PARENT REFERENCES VIDEO

 206
7.5.3.9. Directory Traversal

This is the app main function:

URI of the file we want to read

Open the file, read it line by line and

append it to the TextView component

HOME PARENT REFERENCES VIDEO

 207
7.5.3.9. Directory Traversal

The image shows the

application running.
As you can imagine, if we do
not know the name of the file
to read, this operation will
fail; in this case we are more
interested in the directory
traversal vulnerability.

HOME PARENT REFERENCES VIDEO

 208
7.5.3.9. Directory Traversal

To test whether the app is vulnerable, we must try

to read a well-known file outside the application
context. While for web applications, we use well-
know paths such as “../../../boot.ini” (Windows), in
Android, we use something like the following:

../../../../../etc/hosts

HOME PARENT REFERENCES VIDEO

 209
7.5.3.9. Directory Traversal
In the same way as with a Web Application, we
need to add several ‘../’ until we reach the root
folder. Let us try to change the URI of our attacker
application to test whether the target app is
vulnerable:

HOME PARENT REFERENCES VIDEO

 210
7.5.3.9. Directory Traversal

As we can see from the

results, it seems that we are
able to read the content of
the file hosts. Now that we
know that the application is
vulnerable to Directory
Traversal, we can use it to
retrieve information with the
application context.

HOME PARENT REFERENCES VIDEO

211
Video: Android Runtime Analysis part II

Click on the image to open the video.

HOME PARENT REFERENCES VIDEO

 212
7.5.4. Broadcast Receivers

Similar to Content Providers, Broadcast Receivers

may also be vulnerable. As we have already stated,
an application can define its own receivers in the
Android manifest. This allows the application to
receive intents that are broadcast by the system or
by other applications.

HOME PARENT REFERENCES VIDEO

 213
7.5.4. Broadcast Receivers

If not properly configured, applications can send an

intent to the target application receiver and force
the target application itself to perform some kind
of action. To explain how broadcast receivers work,
let us see the code of the application called
HandlePhoneCalls.

The package HandlePhoneCalls.rar contains the source

DOWNLOAD code of the vulnerable application.

HOME PARENT REFERENCES VIDEO

 214
7.5.4. Broadcast Receivers

The application is very trivial. In

the main activity we can type a
phone number and then start the
call by clicking the Call button.

HOME PARENT REFERENCES VIDEO

 215
7.5.4. Broadcast Receivers

The application defines its broadcast receiver in the

Android manifest. Note that no permission is set,
meaning that other apps may use it.
Name of the class that implements
the broadcast receiver

Name of the action

HOME PARENT REFERENCES VIDEO

 216
7.5.4. Broadcast Receivers

Also, note that to allow the application to start a

call, the application must define the permission
CALL_PHONE in the manifest.

HOME PARENT REFERENCES VIDEO

 217
7.5.4. Broadcast Receivers
The following snippet is the implementation of the
broadcast receiver. This code simply gets the phone
number from the intent passed and creates a new
intent to start a call.

HOME PARENT REFERENCES VIDEO

 218
7.5.4. Broadcast Receivers

Now that we know how the application is

implemented, let us see how a malicious app can
exploit this weakness. Since the receiver of the
target intent does not set any permissions, any
application can send a broadcast intent to it and
force the application to perform the operations
defined in the class HandleCallPhone (the code
from the previous slide).

HOME PARENT REFERENCES VIDEO

 219
7.5.4. Broadcast Receivers

The malicious application is called ExploitBroadcast

and can be downloaded from the Members Area
(Labs tab).

The package ExploitBroadcast.rar contains the source

DOWNLOAD code of the attacker application.

HOME PARENT REFERENCES VIDEO

220
7.5.4. Broadcast Receivers
As we can see in
the manifest of the
attacker
application, no
permissions are
set. Therefore, this
application cannot
make phone calls
or anything else
that requires
permissions
HOME PARENT REFERENCES VIDEO
 221
7.5.4. Broadcast Receivers

This means that we should not be able to create

and run an intent that starts a phone call, but we
can use the vulnerable receiver of the target app to
do just this.

HOME PARENT REFERENCES VIDEO

 222
7.5.4. Broadcast Receivers
The malicious app code is very simple. We create a
new intent, we set the action defined in the
vulnerable app and the phone_number to call and
then we call the function sendBroadcast.

HOME PARENT REFERENCES VIDEO

 223
7.5.4. Broadcast Receivers

When code runs on the device, the operating

system knows that the action must be handled by
the receiver that has defined the action
com.els.handlephonecalls.HANDLECALLPHONE

Target package name Action name

HOME PARENT REFERENCES VIDEO

 224
7.5.4. Broadcast Receivers

Indeed, as soon as the malicious

app runs, the phone call starts.

HOME PARENT REFERENCES VIDEO

 225
7.5.4. Broadcast Receivers

Exploiting these broadcast receiver weaknesses

may be very useful to execute operations without
setting permissions, as well as to access restricted
data or force application behaviors.

HOME PARENT REFERENCES VIDEO

 226
7.5.5. Shared UID

As you already know every application must be

signed to identify the application author and allow
the developer to update or edit his applications.
Also, applications signed with the same key can
share the same UID (User ID) and Application
Sandbox.

HOME PARENT REFERENCES VIDEO

 227
7.5.5. Shared UID

While using the same UID may be useful to share

data between applications of the same author, if
not properly configured, this configuration may be
dangerous. For example, if two applications (A and
B) share the same UID, and the app B exposes a
service, a receiver or it is vulnerable to code
execution, directory traversal, etc., B may be
exploited to access files of application A.

HOME PARENT REFERENCES VIDEO

 228
7.5.5. Shared UID

To share the same UID, applications must define

the same ‘android:sharedUserId’ value in their
manifests. Here for example, the application A
defines it as follow:
App A

HOME PARENT REFERENCES VIDEO

 229
7.5.5. Shared UID

In the same way, application B must declare the

same sharedUserID in its manifest. The following
screenshot shows the AndroidManifest.xml of the
application B.
App B

HOME PARENT REFERENCES VIDEO

 230
7.5.5. Shared UID

The following code creates a new file named

‘myfile’ in the application A sandbox.
APP A

HOME PARENT REFERENCES VIDEO

 231
7.5.5. Shared UID

Indeed if we navigate the application folder

/data/data/com.els.app.a/files, we can see that the
file is created with the following permissions.

HOME PARENT REFERENCES VIDEO

 232
7.5.5. Shared UID

The code (next slide) implemented in the

application B, simply opens the file at the path
‘/data/data/com.els.app.a/files/myfile’ and copies
its content in the TextView object defined in the
application.

HOME PARENT REFERENCES VIDEO

233
7.5.5. Shared UID

APP B

HOME PARENT REFERENCES VIDEO

 234
7.5.5. Shared UID

Since both applications share the UID, every file

stored in the application A folder, is accessible to
application B and vice versa. Indeed if we run app
B, we are able to access the file created by
application A and read its content.

HOME PARENT REFERENCES VIDEO

 235
7.5.5. Shared UID

Here we can see that B is able to read the content

of the file stored in the application A context.

HOME PARENT REFERENCES VIDEO

 236
7.5.5. Shared UID

As you can imagine, if we delete the sharedUserID

entry from one of the two applications manifests,
the application B is not able to read the file
anymore and we get a permission denied error:

HOME PARENT REFERENCES VIDEO

 237
7.5.5. Shared UID

If you want to test the two applications, you can

download them in the Members Area (Labs tab).

The package SharedUID.rar contains the App_A and

DOWNLOAD App_B source code and .apk files.

HOME PARENT REFERENCES VIDEO

 238
7.5.5. Shared UID

This concludes the Android Dynamic - Runtime

Analysis modules.
We advice you to go through all the labs and the
attacks explained in the module.

HOME PARENT REFERENCES VIDEO

239
References

Dalvik Debug
Logcat Monitor Server

Memory Analyzer Tool

Strings (MAT)

Monkey Content Providers

Content Resolver Permissions

Continue…

HOME PARENT REFERENCES VIDEO

240
References
Contacts ParcelFileDesciptor
COONTENT_URI

HOME PARENT REFERENCES VIDEO

241
Video

HOME PARENT REFERENCES VIDEO