
Access Control Issues in Android Applications

  • Writer: Abhilasha
  • Jul 12, 2024

Overview: Access control issues arise when an application does not properly authenticate or authorize users, leading to unauthorized access to sensitive information.

Key Components of Android Applications:

  1. Activities: Single, focused things that users can interact with.

  2. Content Providers: Manage access to a central repository of data.

  3. Broadcast Receivers: Allow apps to broadcast messages to each other.

  4. Services: Handle long-term background processes.

Important Points on Access Control:

  1. Authentication and Authorization:

  • Authentication verifies the identity of a user.

  • Authorization determines what an authenticated user is allowed to access.

  • Improper implementation can lead to unauthorized access and disclosure of sensitive information.

  2. Example Scenario in DIVA App:

  • The DIVA app has a challenge where accessing API credentials requires authentication.

Exploitation Steps:

  1. Analyze Source Code:

  • Decompile the APK using jadx to inspect the source code.

  • Find activity entries and permissions in AndroidManifest.xml.

  • Identify activities related to accessing sensitive information.

  2. Invoke Activity Directly:

  • Use the Android activity manager (am) to start the target activity without using the app interface.

  • Example command: adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS

  • This command bypasses the usual app interface to directly open the activity that shows sensitive information.

Practical Example:

  1. Open the DIVA App:

  • Check what happens when clicking on "Access Control Issues – Part 1."

  • This opens an activity showing API credentials (API key, Username, Password).

  2. Bypass the Interface:

  • Open the source code of the DIVA app.

  • Decompile the APK file using jadx.

  • Locate the AndroidManifest.xml file to find relevant activities.

  • Identify the activity AccessControl1Activity which opens APICredsActivity using the intent jakhar.aseem.diva.action.VIEW_CREDS.

  3. Execute the Bypass:

  • Use the following command to open the activity directly: adb shell am start -a jakhar.aseem.diva.action.VIEW_CREDS

  • This opens the activity showing sensitive API credentials without interacting with the app's UI.

By understanding these steps, developers can better secure their applications by ensuring proper authentication and authorization mechanisms are in place to protect sensitive information.
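A manifest audit that catches this class of issue before release, as an added example that is not part of the original post or of the DIVA project: it lists activities that other apps or adb can start through an intent filter without any permission. The embedded manifest is constructed for illustration from the activity and action names mentioned above; MainActivity and the function name unprotected_activities are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the entries named in the post (not copied from the APK).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="jakhar.aseem.diva">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AccessControl1Activity"/>
    <activity android:name=".APICredsActivity">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def unprotected_activities(manifest_xml):
    """Return (activity, actions) pairs startable from outside the app without a permission."""
    app = ET.fromstring(manifest_xml).find("application")
    app_permission = app.get(ANDROID + "permission")
    findings = []
    for act in app.iter("activity"):
        filters = act.findall("intent-filter")
        actions = [a.get(ANDROID + "name") for f in filters for a in f.findall("action")]
        categories = [c.get(ANDROID + "name") for f in filters for c in f.findall("category")]
        exported = act.get(ANDROID + "exported")
        # With no explicit android:exported, an intent-filter makes the
        # activity exported on apps targeting API 30 and below.
        is_exported = (exported == "true") if exported is not None else bool(filters)
        if "android.intent.category.LAUNCHER" in categories:
            continue  # the launcher entry point has to be exported
        if is_exported and not (act.get(ANDROID + "permission") or app_permission):
            findings.append((act.get(ANDROID + "name"), actions))
    return findings

if __name__ == "__main__":
    for name, actions in unprotected_activities(SAMPLE_MANIFEST):
        print(f"{name}: exported without permission, actions={actions}")
```

Declaring android:exported="false" on the credentials activity, or guarding it with an android:permission, clears the finding. The activity should still verify the user's authentication state itself rather than rely on how it was launched.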

 
 
 
