Challenges
Search…
Introduction
InsecureShop Challenges
Hardcoded Credentials
Insufficient URL Validation
Weak Host Validation
Arbitrary Code Execution
Intent Redirection (Access to Protected Components)
Unprotected Data URIs
Theft of Arbitrary files from LocalStorage
Using Components with Known Vulnerabilities
Insecure Broadcast Receiver
AWS Cognito Misconfiguration
Insecure use of FilePaths in FileProvider
Use of Implicit intent to send a broadcast with sensitive data
Intercepting Implicit intent to load arbitrary URL
Insecure Implementation of SetResult in exported Activity
Insecure Content Provider
Lack of SSL Certificate Validation
Insecure Webview Properties Enabled
Insecure Data Storage
Insecure Logging
Powered By GitBook
Use of Implicit intent to send a broadcast with sensitive data
The com.insecureshop.AboutUsActivity contains the following code:
public final void onSendData(android.view.View view) {
kotlin.jvm.internal.Intrinsics.checkParameterIsNotNull(view, "view");
java.lang.String userName = com.insecureshop.util.Prefs.INSTANCE.getUsername();
if (userName == null) {
kotlin.jvm.internal.Intrinsics.throwNpe();
}
java.lang.String password = com.insecureshop.util.Prefs.INSTANCE.getPassword();
if (password == null) {
kotlin.jvm.internal.Intrinsics.throwNpe();
}
android.content.Intent intent = new android.content.Intent("com.insecureshop.action.BROADCAST");
intent.putExtra("username", userName);
intent.putExtra("password", password);
sendBroadcast(intent);
android.widget.TextView textView = (android.widget.TextView) _$_findCachedViewById(com.insecureshop.C0818R.id.textView);
kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(textView, "textView");
textView.setText("InsecureShop is an intentionally designed vulnerable android app built in Kotlin.");
}
}
The above code defines an action com.insecureshop.action.BROADCAST and use implicit intent to send a broadcast containing username and password of the logged-in user.

Note (If you are exploiting this on Android version 7 and above):

On Android O, code like this no longer works the way that you expect:
sendBroadcast(new Intent("this.is.an.implicit.broadcast"));
Normally, this broadcast would be received by all receivers that are registered for that custom action string. Even on O, two sets of receivers will still receive the broadcast:
  • Those whose apps have targetSdkVersion of 25 or lower
  • Those that were registered via registerReceiver() of some already-running process
To use Implicit Receivers in your application, you need to define them programmatically in your code, using registerReceiver().

Reference:

Interception of Android implicit intents
News, Techniques & Guides
Android Oreo Implicit and Explicit Broadcast Receiver - JournalDev
JournalDev
InsecureShop Challenges - Previous
Insecure use of FilePaths in FileProvider
Next - InsecureShop Challenges
Intercepting Implicit intent to load arbitrary URL
Last modified 1yr ago
Copy link
On this page
Reference: