1
00:00:08,340 --> 00:00:14,620
Now let's say we want to use an HTTP post to send the SMS received to a malicious server.

2
00:00:15,630 --> 00:00:19,450
Now let's comment out the toast message.

3
00:00:19,570 --> 00:00:26,370
We do not want to show the user that we are accessing the SMS, but we want to copy the contents

4
00:00:26,370 --> 00:00:34,640
of the SMS, so just copy this and create a string with the content. Now,

5
00:00:34,690 --> 00:00:39,580
there are many ways of doing an HTTP post. Here

6
00:00:39,580 --> 00:00:44,410
we just prepared some code, so just copy and paste from the resources.

7
00:00:45,540 --> 00:00:50,880
We have a method called HTTP post that receives a string.

8
00:00:50,880 --> 00:01:00,500
It prepares an HTTP post to send to this particular site called postman-echo.com and as a

9
00:01:00,500 --> 00:01:09,200
parameter string it adds SMS text and appends the string we passed to HTTP post. That's pretty much

10
00:01:09,200 --> 00:01:09,380
it.

11
00:01:11,010 --> 00:01:15,280
Now to run this we need to run an asynchronous task.

12
00:01:15,330 --> 00:01:21,030
This means that when it's invoked a separate thread is launched and the rest of the process can keep

13
00:01:21,030 --> 00:01:21,510
going.

14
00:01:23,230 --> 00:01:25,000
This is not too important.

15
00:01:25,000 --> 00:01:31,000
Again, this is something specific to programming, but with the way we implemented the HTTP post we need

16
00:01:31,000 --> 00:01:38,510
to run an asynchronous task. What is important to us is that we have an SMS being received and this

17
00:01:38,510 --> 00:01:44,370
SMS is being sent over HTTP post. OK.

18
00:01:44,400 --> 00:01:50,490
Now to launch the asynchronous task we need to surround it with a try and catch.

19
00:01:50,620 --> 00:01:57,970
This here is a common convention that tries to run code and if there is an error, rather than crashing,

20
00:01:58,060 --> 00:02:00,970
it runs the code in the catch part.

21
00:02:00,970 --> 00:02:05,890
This is referred to as error handling. OK.

22
00:02:05,910 --> 00:02:13,190
So now I will execute the asynchronous task like so. All of this code will be provided for you.

23
00:02:13,220 --> 00:02:14,630
Don't worry too much about it.

24
00:02:16,360 --> 00:02:20,820
But just by looking at a number of strings here we can get an idea of what's going on.

25
00:02:21,810 --> 00:02:32,320
We have an SMS, we have an HTTP post straight after. That on its own can't be very good for the user.

26
00:02:32,340 --> 00:02:35,500
Now this will not work as is.

27
00:02:35,720 --> 00:02:41,380
The reason is that here we're using the Internet and the use of Internet requires the Internet permission.

28
00:02:42,780 --> 00:02:45,430
So here we need to go to the manifest.

29
00:02:45,750 --> 00:02:48,240
And here we need to add the Internet permission.

30
00:02:49,770 --> 00:02:53,400
This permission does not need to be explicitly requested from the user.

31
00:02:54,660 --> 00:03:00,690
Google decided that it's not dangerous enough to need to ask the user for consent or it is so common

32
00:03:00,690 --> 00:03:09,470
that users kind of expect the apps to use Internet permission. So let's run the app, send a test SMS.

33
00:03:11,130 --> 00:03:16,860
We'll not see anything in the app, but what happened is that the shopping list app just stole the SMS

34
00:03:16,860 --> 00:03:19,320
and sent it to their server.

35
00:03:19,320 --> 00:03:23,880
This is actually something we will analyze during the dynamic analysis part of the course.