Use of Implicit intent to send a broadcast with sensitive data

The com.insecureshop.AboutUsActivity contains the following code:

public final void onSendData(android.view.View view) {
    kotlin.jvm.internal.Intrinsics.checkParameterIsNotNull(view, "view");
    // Credentials of the logged-in user, read from shared preferences
    java.lang.String userName = com.insecureshop.util.Prefs.INSTANCE.getUsername();
    if (userName == null) {
        kotlin.jvm.internal.Intrinsics.throwNpe();
    }
    java.lang.String password = com.insecureshop.util.Prefs.INSTANCE.getPassword();
    if (password == null) {
        kotlin.jvm.internal.Intrinsics.throwNpe();
    }
    // Implicit intent: only an action string, no target package or component
    android.content.Intent intent = new android.content.Intent("com.insecureshop.action.BROADCAST");
    intent.putExtra("username", userName);
    intent.putExtra("password", password);
    // Sent without a receiver permission
    sendBroadcast(intent);
    android.widget.TextView textView = (android.widget.TextView) _$_findCachedViewById(com.insecureshop.C0818R.id.textView);
    kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(textView, "textView");
    textView.setText("InsecureShop is an intentionally designed vulnerable android app built in Kotlin.");
}

The above code defines the action com.insecureshop.action.BROADCAST and uses an implicit intent to send a broadcast containing the username and password of the logged-in user.

Note (If you are exploiting this on Android version 7 and above):

On Android O, code like this no longer works the way that you expect:

sendBroadcast(new Intent("this.is.an.implicit.broadcast"));

Normally, this broadcast would be received by all receivers that are registered for that custom action string. Even on O, two sets of receivers will still receive the broadcast:

  • Those whose apps have targetSdkVersion of 25 or lower

  • Those that were registered via registerReceiver() of some already-running process

To use Implicit Receivers in your application, you need to define them programmatically in your code, using registerReceiver().
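
A defender-side check for the pattern in onSendData above, as an added example that is not part of the original page or the InsecureShop project: a heuristic scan of decompiled Java for implicit intents that carry sensitive extras into a one-argument sendBroadcast(). The sensitive-key list and the HARDENED variant are assumptions made for illustration; pinning the intent with setPackage() or passing a receiver permission is what clears the finding.

```python
import re

# Constructed sample: the page's decompiled method, trimmed to the intent-handling lines.
SAMPLE = '''
public final void onSendData(android.view.View view) {
    java.lang.String userName = com.insecureshop.util.Prefs.INSTANCE.getUsername();
    java.lang.String password = com.insecureshop.util.Prefs.INSTANCE.getPassword();
    android.content.Intent intent = new android.content.Intent("com.insecureshop.action.BROADCAST");
    intent.putExtra("username", userName);
    intent.putExtra("password", password);
    sendBroadcast(intent);
}
'''

# Hypothetical hardened variant: the broadcast is pinned to the app's own package.
HARDENED = SAMPLE.replace(
    "sendBroadcast(intent);",
    "intent.setPackage(getPackageName());\n    sendBroadcast(intent);")

SENSITIVE = re.compile(r"pass|user|token|secret|session", re.I)  # assumed key list
# An Intent built from only an action string names no target component.
NEW_INTENT = re.compile(r'(\w+)\s*=\s*new\s+(?:android\.content\.)?Intent\(\s*"([^"]+)"\s*\)')
TARGETING = ("setPackage", "setComponent", "setClass", "setClassName")


def find_implicit_sensitive_broadcasts(source):
    """Return findings for implicit intents that carry sensitive extras and are
    sent with the one-argument sendBroadcast(). Heuristic: variable names are
    matched across the whole source text, so feed it one method at a time."""
    findings = []
    for var, action in NEW_INTENT.findall(source):
        v = re.escape(var)
        if any(re.search(rf"\b{v}\.{m}\(", source) for m in TARGETING):
            continue  # made explicit: delivery is limited to the named target
        if not re.search(rf"\bsendBroadcast\(\s*{v}\s*\)", source):
            continue  # not broadcast, or sent with a receiverPermission argument
        keys = re.findall(rf'\b{v}\.putExtra\(\s*"([^"]+)"', source)
        leaked = [k for k in keys if SENSITIVE.search(k)]
        if leaked:
            findings.append({"action": action, "extras": leaked})
    return findings


if __name__ == "__main__":
    print(find_implicit_sensitive_broadcasts(SAMPLE))
    print(find_implicit_sensitive_broadcasts(HARDENED))
```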

Reference:

Last updated 3 years ago

  • Interception of Android implicit intents (News, Techniques & Guides)

  • Android Oreo Implicit and Explicit Broadcast Receiver (JournalDev)