Access Control Issues in Android Applications

  • Writer: Abhilasha
  • Jul 12, 2024


Overview: Access control issues occur when an application does not properly authenticate or authorize users, allowing attackers with insufficient privileges to access protected resources.

Key Points:

  1. Authentication and Authorization:

  • Authentication: Verifies the identity of a user.

  • Authorization: Determines what an authenticated user is allowed to do.

  • Vulnerabilities arise when these processes are not implemented correctly, leading to potential exposure of sensitive information.

  2. Example Scenario in DIVA App:

  • The DIVA app has a challenge where clicking a button reveals API credentials (API key, username, and password).

  3. Challenge:

  • Access the sensitive API credentials without interacting with the button in the app.

Steps to Exploit:

  1. Analyze Source Code:

  • Decompile the APK file using jadx to inspect the source code.

  • Navigate to the AndroidManifest.xml file to find activity entries and permissions.

  • Identify the activity AccessControl1Activity, which contains the button to view API credentials.

  • Note the activity APICredsActivity, which holds the sensitive information.

  2. Invoke Activity Directly:

  • Use the Android activity manager (am) to start the APICredsActivity directly without using the app interface.

  • Example command: adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS

  • This command bypasses the button click and directly opens the activity showing the sensitive information, because the activity responds to this intent action no matter which caller sends it.
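The same manifest review can be automated from the defender's side. The following is an added example, not code from the original post or from the DIVA project: it scans a decoded AndroidManifest.xml (for example the text jadx produces) for activities that can be started from outside the app without any permission. The manifest fragment, the package name and the function name `unprotected_activities` are assumptions constructed for illustration; only the activity names and the intent action come from the post.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Constructed manifest fragment modelled on the activities named in the post;
# it is not the real DIVA manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AccessControl1Activity"/>
    <activity android:name=".APICredsActivity">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def unprotected_activities(manifest_xml):
    """Return [(activity, [actions])] for non-launcher activities that other
    apps or adb can start without holding any permission."""
    app = ET.fromstring(manifest_xml).find("application")
    app_perm = app.get(ANDROID + "permission")  # default for all components
    findings = []
    for act in app.iter("activity"):
        filters = act.findall("intent-filter")
        actions = [a.get(ANDROID + "name") for f in filters for a in f.findall("action")]
        cats = {c.get(ANDROID + "name") for f in filters for c in f.findall("category")}
        exported = act.get(ANDROID + "exported")
        # Legacy default: an intent filter without android:exported means exported.
        reachable = exported == "true" or (exported is None and bool(filters))
        protected = act.get(ANDROID + "permission") or app_perm
        launcher = "android.intent.category.LAUNCHER" in cats
        if reachable and not protected and not launcher:
            findings.append((act.get(ANDROID + "name"), actions))
    return findings

if __name__ == "__main__":
    for name, actions in unprotected_activities(SAMPLE_MANIFEST):
        print(f"[!] {name} is startable externally, actions={actions}")
```

Setting android:exported="false" on the flagged activity, or guarding it with a signature-level android:permission, clears the finding.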

Summary:

  • Access control issues can lead to unauthorized access to sensitive information.

  • Proper implementation of authentication and authorization is crucial to prevent such vulnerabilities.

  • In the DIVA app, using the activity manager to directly invoke an activity demonstrates how attackers can exploit weak access controls to access protected resources without proper authentication.
