When doing a black box pen testing for android , apart for looking at root detection bypass and ssl pinning looking for intents are also important , intents are the screens or activity of android application for example this InsecureBankv2 application has an activity for a login page which after logging in will show us available options that we can do and the activity that is spawned after the login activity is called intent. Intent not only lies with in the same application it can take you to another activity from different applications , let’s say there’s a youtube video link in your application when you click that it will either open up your browser application or youtube application , this is also an intent.
Now to abuse intent , specifically for this InsecureBankv2 application we need to first look at how many activities are there
Using MobSF we can analyze the application and can see that there are 10 activities , to check which activities we can spawn withouit logging into application , there's a tool called Drozer which is similar to frida by working with the application during time but this has a feature to look which activities we can call explicitly
To do this we just need to setup drozer client on our host machine which I have previously showed in setting up the lab and install drozer agent on the android device
Using the list command we can see the modules that we can use
We can also see the activities manually or by using drozer by reading the manifest file
Notice that some of the activities have exported=True which means that we can spawn these activities explicitly and rest of the activities do not have this property so we can't launch them on our own , this is a security issue because we can sometime bypass an activity which requires some kind of authentication or it's not authorized unless we can login
Running app.package.attacksurface this can show number of activities that have exported set to true
run app.package.attacksurface com.android.insecurebankv2We can check the activities that can be exported with this command
run app.activity.info -a com.android.insecurebankv2But this didn’t worked for me when I tried doing it with drozer as no activity was launched
An alternate to this is launching the activity through adb
adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.ChangePasswordWe can launch other activity which was for transfer amount
And with this we can launch activities which have exported property to true without being authorized and can abuse the flaw in the application however this can easily be mitigated by changing the exported=true to exported=false
