Android hacking and security, part 3: Exploiting broadcast receivers
In the first two articles, we discussed attacks associated with Activity Components, content provider leakage and ways to secure them. In this article, we will discuss attacks on broadcast receivers.
What should you learn next?
What are broadcast receivers?
A broadcast receiver is another important component of the Android system. Broadcast receivers are registered for specific events to occur. When the event occurs, the receiver gets invoked and performs tasks, such as showing a message to the user. What we can do with broadcast receivers is up to the creativity of the developer, as a lot of stuff can be carried out with them.
Security risks
To understand the security risks associated with the broadcast receivers, we should know how the events are broadcasted. There are two types of events.
- System Events
An application can be registered to receive broadcasts occurred by system events such as BOOT COMPLETE, SMS RECEIVED, BATTERY LOW, etc. When an application is registered for an SMS RECEIVED event, its receiver will be invoked every time a new SMS is received.
- Custom Broadcasts
Apart from the system-generated events, an application also can generate custom broadcast intents for which we can register a receiver.
Now, let's ask ourselves a few questions.
- When our app is sending a broadcast intent, is it received only by the intended application, or can all the applications receive it?
- When we register a receiver, are we receiving the broadcasts only from legitimate sources, or can any other malicious app spoof those broadcasts?
If the developer doesn't enforce controls on who can broadcast and who cannot broadcast, obviously the answer is YES. If the receiver accepts broadcasts from untrusted sources, it may put our application at serious risk.
To demonstrate how one can exploit such scenarios, I have developed a simple application.
Please fill out the form below to download the APK file and Source Code.
Prerequisites to follow the steps
- Computer with Android SDK Installed
- Two Emulators (In my case, emulator-5554 is where the vulnerable app is installed; emulator-5556 is to receive an SMS from the vulnerable app).
Test application's functionality
Once after downloading the test application, install it in an emulator in order to test and exploit it.
It can be installed with adb using the following command:
[c]adb install <name of the apk>.apk[/c]
When we launch the application, it appears as shown in the figure below. We need to register a specific mobile number using the registration activity as shown in the figure. Once, after clicking the submit button, a custom broadcast will be sent and we will receive a confirmation SMS to the registered number (emulator-5556 in my case).
App running on Emulator-5554
The Goal is to send spoofed broadcast intents and see if the application is accepting them. If yes, we will exploit the application to send an SMS to some random mobile numbers using the fake broadcasts.
Topics involved
- Understanding the application functionality
- Attacking vulnerable broadcast receivers
- Securing the applications
Understanding the application functionality
A broadcast receiver "MyBroadCastReceiver" is registered in the AndroidManifest.xml file.
Broadcast receivers are generally registered in the following format. The code seems insecure since the receiver is exported.
The application is sending intent using the following piece of code, in which "input" is the mobile number we are receiving as the user input.
The following piece of code takes the mobile number from the broadcast and sends a confirmation SMS to the registered number.
In the next section, we will try to exploit the above functionality by sending broadcasts from untrusted sources.
Attacking vulnerable broadcast receivers
Let's now try to send some spoofed broadcasts to the above receiver. This can be done in multiple ways.
- Using am tool available in adb
- Using a Malicious app to query
- Using Mercury Framework
Using adb
. Get an adb shell on the device and type the following command to send a spoofed broadcast.
am broadcast -a MyBroadcast -n com.isi.vul_broadcastreceiver/.MyBroadCastReceiver
The above command sends a broadcast, but it has no mobile number included. We can pass the mobile number as a string using the –es option available with the am tool. Now, the above command becomes:
am broadcast -a MyBroadcast -n com.isi.vul_broadcastreceiver/.MyBroadCastReceiver --es number 5556.
The same is shown in the figure below.
Now, a broadcast event is sent in the background, and since the application is not validating the input source, an SMS will be send to emulator-5556 without user intervention.
Using a malicious app to query
We can also write a malicious app to send broadcasts and exploit the functionality of the vulnerable app. The best part is, malicious app doesn't need SEND_SMS permission since it uses the permission registered by the vulnerable app.
Using Mercury framework
The entire process can be carried out using Mercury framework in even more efficient and simple way.
Securing the applications
- Setting android:exported attribute's value to false
In the AndroidManifest.xml file of our application, we should add the following attribute to the receiver to be secured.
- Limiting access with custom permissions
We can also impose permission-based restrictions by defining custom permissions for each receiver. This is helpful if the developer wants to limit the access to his app's components to those apps which have permissions.
This is the reason why we need to specify "android.permission.RECEIVE_SMS" permission in the AndroidManifest.xml file if any app wants to listen for the Receive SMS event using the action "android.provider.Telephony.SMS_RECEIVED"
Final words
FREE role-guided training plans
In Android, broadcast receivers provide great functionality to develop creative applications. But when proper security controls are not enforced, that may lead to serious attacks. So, it is always a good idea to test all the application components during a pentest.
In this Series
- Android hacking and security, part 3: Exploiting broadcast receivers
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
