Skip to main content

Attacking Services

Review your notes of the Service names, and if they are explicitly or implicitly exported. For this, I am using the intentionally vulnerable app Sieve, from WithSecureLabs.

Here are the Services notes from the app:

[SERVICE] com.withsecure.example.sieve.service.AuthService
Exported: true
Process: remote

[SERVICE] com.withsecure.example.sieve.service.CryptoService
Exported: true
Process: remote

There are 2 Services that are explicitly exported.

Access Exported Services

Attempt to start the exported services manually, to see how this functions and how we can further attack the app. Manually starting the Service can be performed using the Activity Manager command (am), with the startservice sub-command.

note

These commands assume you are already in a shell of the Android device. Most likely through adb.

Start Services

The basic command syntax is below. There are two ways to run this command, the full command & the shorthand method. I tend to use the shorthand version, but if that doesn't work then you will need to know the full command syntax.

# Full command
am startservice <package-id> <package-id>.service.<service-name>

# Shorthand command
am startservice <package-id>/.service.<service-name>

com.withsecure.example.sieve.service.AuthService

# Activity Manager command:
oriole:/ $ am startservice com.withsecure.example.sieve/.service.AuthService
Starting service: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.withsecure.example.sieve/.service.AuthService }

# Drozer command:
dz> run app.service.start --component com.withsecure.example.sieve com.withsecure.example.sieve.service.AuthService

You will not see any feedback of these commands since a Service does not have a GUI component to it.

com.withsecure.example.sieve.service.CryptoService

# Activity Manager command:
oriole:/ $ am startservice com.withsecure.example.sieve/.service.CryptoService
Starting service: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.withsecure.example.sieve/.service.CryptoService }

# Drozer command:
dz> run app.service.start --component com.withsecure.example.sieve com.withsecure.example.sieve.service.CryptoService