1
00:00:01,260 --> 00:00:08,340
So a common type of vulnerability that we can look at is improper activity exporting, and with exported activities,

2
00:00:08,370 --> 00:00:11,910
essentially let's just start from what exactly is an activity.

3
00:00:11,920 --> 00:00:13,840
That's probably the best place to start here.

4
00:00:14,270 --> 00:00:19,570
An activity is going to be any of the user interfaces that you see inside of the application.

5
00:00:19,590 --> 00:00:26,280
So for instance when I launch up the DIVA app, this main page that we see here is an activity. We're looking

6
00:00:26,280 --> 00:00:31,620
at access control; it means that certain activities shouldn't be accessible from specific locations.

7
00:00:31,620 --> 00:00:37,500
So for instance if I go to the access control issues you'll see that there's a page here that allows

8
00:00:37,500 --> 00:00:45,360
us to view API credentials, and essentially something like this should only be viewable from, like, a privileged

9
00:00:45,360 --> 00:00:45,820
page.

10
00:00:45,820 --> 00:00:46,110
Right.

11
00:00:46,110 --> 00:00:51,890
So for example if we were to log onto this and be able to access this page, that would be OK.

12
00:00:51,900 --> 00:00:57,510
However in some cases these pages are exposed without proper permissions, which could potentially allow

13
00:00:57,510 --> 00:01:00,650
someone to be able to launch them if they're exported.

14
00:01:00,750 --> 00:01:07,280
So I'll go ahead and I'll walk through what this looks like through drozer and then discuss a little

15
00:01:07,290 --> 00:01:10,520
bit about how you can find these vulnerabilities with drozer.

16
00:01:10,530 --> 00:01:14,640
Just to give you a bit more of an idea behind what they look like, because drozer won't always pick

17
00:01:14,640 --> 00:01:19,620
up everything and you may be able to access some of these activities with some different permissions

18
00:01:19,650 --> 00:01:21,390
that maybe drozer can't access.

19
00:01:21,420 --> 00:01:24,000
So we'll take a look at both of those.

20
00:01:24,120 --> 00:01:28,710
If I wanted to determine which activities are exported I can run the following command here.

21
00:01:28,770 --> 00:01:36,490
We could do run app.activity.info -a and then jakhar.

22
00:01:36,610 --> 00:01:42,980
aseem.diva, and what you'll see is it will show each of the activities that exist.

23
00:01:43,000 --> 00:01:48,750
There's the MainActivity, the APICredsActivity and the APICreds2Activity, and you'll see that

24
00:01:48,750 --> 00:01:51,440
both of these have no permissions.

25
00:01:51,510 --> 00:01:54,510
That means that there are no permissions that are required to access them.

26
00:01:54,510 --> 00:01:59,370
So what this means is that I can go ahead and close off this application just to demonstrate this to

27
00:01:59,370 --> 00:02:00,780
you.

28
00:02:01,530 --> 00:02:09,300
And when I do this, what I can do is I can run the following command. I can say run app.activity.

29
00:02:09,380 --> 00:02:16,320
start. I'm going to target a specific component, so the component is the application that we want to target.

30
00:02:17,310 --> 00:02:22,650
So that's the application name, and then we say which of the actual activities we want to target.

31
00:02:22,650 --> 00:02:32,000
So for instance I could target the main activity just by typing in MainActivity and... oh, I lost connection

32
00:02:32,000 --> 00:02:32,260
here.

33
00:02:32,270 --> 00:02:35,450
I think that's because I closed off the drozer app.

34
00:02:35,460 --> 00:02:49,690
So let me, let me just relaunch that here, so we're just gonna go ahead and re-set up our, uh, our adb forward

35
00:02:49,850 --> 00:02:51,820
and drozer

36
00:02:54,740 --> 00:03:01,930
console connect. OK, so back where we were before, we can, we can run the activity start, so we could see

37
00:03:01,930 --> 00:03:05,910
run app.activity.start.

38
00:03:07,000 --> 00:03:08,940
And again we could target a specific component.

39
00:03:09,460 --> 00:03:11,530
So you do something like this.

40
00:03:11,530 --> 00:03:12,820
You could say jakhar.

41
00:03:12,840 --> 00:03:14,320
aseem.diva.

42
00:03:14,650 --> 00:03:18,840
That's the application that we want to target, and then we want to target a specific activity.

43
00:03:18,910 --> 00:03:22,890
So you could do this here.

44
00:03:22,900 --> 00:03:27,390
So that's jakhar.aseem.diva.MainActivity.

45
00:03:27,530 --> 00:03:31,270
You see when we do this it launches the main activity on my screen here.

46
00:03:31,450 --> 00:03:35,890
So you could see how even without having the application active we'll be able to launch that activity

47
00:03:35,920 --> 00:03:38,980
because there are no permissions associated with it.

48
00:03:39,040 --> 00:03:49,710
And now what we can do is we can launch that APICredsActivity too. It's APICredsActivity.

49
00:03:50,620 --> 00:03:53,580
And it looks like... oh, API is all capitals.

50
00:03:54,220 --> 00:03:55,360
So it's case sensitive.

51
00:03:55,360 --> 00:03:56,590
Just keep that in mind.

52
00:03:56,680 --> 00:04:01,570
And as you can see I can launch the API activity with all the credentials inside of it.

53
00:04:01,570 --> 00:04:08,980
So this is a great example of improper access control, because this general activity here should have

54
00:04:08,980 --> 00:04:12,190
some sort of access control; it should have some form of permissions associated with it.

55
00:04:12,220 --> 00:04:18,070
However, since it doesn't have any permissions associated with it, we're able to launch it through drozer

56
00:04:18,130 --> 00:04:19,660
just by using this command.

57
00:04:19,660 --> 00:04:23,800
You can also launch it through adb using similar commands, but drozer is just like a nice little all-in-one

58
00:04:23,800 --> 00:04:24,760
place to do it.

59
00:04:25,810 --> 00:04:31,450
So to give you an idea of where you can potentially find these vulnerabilities in general, when you're

60
00:04:31,450 --> 00:04:38,170
looking at the Android manifest, what you're looking at are these activity blocks here. You can

61
00:04:38,170 --> 00:04:42,310
see these ones are mostly relating to strings that are used inside of them.

62
00:04:42,310 --> 00:04:48,190
So a lot of the time strings are something that's coded into the manifest files, but a lot of the times

63
00:04:48,190 --> 00:04:52,030
we actually find the actual activity definitions as well,

64
00:04:52,030 --> 00:04:54,830
if we just look for them inside of here.

65
00:04:56,050 --> 00:04:59,070
So these are all of the labels. See, these are all the labels.

66
00:04:59,360 --> 00:05:03,270
Yes, you see here for instance, like, we have the action main.

67
00:05:03,340 --> 00:05:08,040
This one is actually an intent filter; it's for all the activities here.

68
00:05:08,170 --> 00:05:13,190
So you can see the activities here, and you can see the activities inside of here as well.

69
00:05:13,290 --> 00:05:18,790
So you can see with API credentials, for instance, with the API credentials activity, with an intent to

70
00:05:18,790 --> 00:05:23,950
be able to view those credentials but without any permissions actually associated with it.

71
00:05:24,280 --> 00:05:27,850
So whenever you see these activities, these could be potential things that we might be able to try to

72
00:05:27,850 --> 00:05:31,900
launch inside of the application.

73
00:05:31,900 --> 00:05:32,310
Right.

74
00:05:32,320 --> 00:05:38,380
So this is the general way that drozer would be able to find this information: it's through the manifest.

75
00:05:38,380 --> 00:05:43,180
So you can see, like, you can find the activities inside of here, and they have names inside of that will

76
00:05:43,180 --> 00:05:45,940
be able to tell you, like, the general information about them.

77
00:05:45,940 --> 00:05:46,270
Right.

78
00:05:46,270 --> 00:05:50,260
So this is the general way that drozer is able to pick up on those.

79
00:05:50,410 --> 00:05:54,790
So running drozer will allow you to be able to find these activities, and you really should try launching

80
00:05:54,820 --> 00:06:00,490
every activity that exists that's exported, just to see if one of them might have something that it shouldn't

81
00:06:00,490 --> 00:06:06,460
be exposing to users, because if it does, that means that it violates access control, which in turn means

82
00:06:06,460 --> 00:06:11,050
that, you know, you shouldn't be able to actually access that without permissions.

83
00:06:11,050 --> 00:06:15,340
So that would be a typical type of vulnerability, and it would be a fairly critical one to find.

84
00:06:15,340 --> 00:06:19,120
So this is one common type of vulnerability that exists inside of Android.