In the field of technology,new inventions are there every day.Someone kept busy in coding ,someone in networking ,someone in blogging and some of them in developing softwares.

Test

Powered by Blogger.

Friday 21 November 2014

Getting into Windowd- Tricks

 Below method can updates your Windows XP up-to April 2019.

STEPS TO FOLLOW:

1. Open Notepad 

2. Copy and paste the follow code

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]

"Installed"=dword:00000001

3.Save file as .reg extension 

4. Double click on it 

When it runs then it you automatically get notification for Windows Update.

Enjoy..!!

>>Open COMMAND PROMPT while Locked by User.
 
>open notepad
>type www.command.com
> then save as cmd.bat at desktop
>then enter now its open.....enjoy
 
>>If your computer is slow?
then clean up the ram..

>Open notepad
>type FREEMEM=SPACE(64000000)
>Save it as ram.vbs
now run the script.
Check out !!

>>CracK BIOS Password

>Open the CPU
>Observe the Motherbord
>Remove the Silver Battery(3v)
>Wait 2 minutes and place the Battery
>>Restoring a Lost Desktop-
>Start
>Run 
Type a period " . " 
Then press Enter
 
 
>>If ur PC is hanged then do this.
Press shift+ctrl+esc or ctrl+alt+del
n den click on 'END TASK'
ur PC is runing now

>>create folder without name

>select any folder
>rename it
>press alt & type 0160 or 255
>enter

>>Amazing trick for use
Windows Backup Utility if installed
go to run
type ntbackup
ok
Now use backup
 
>>Increase the speed of your file sharing

Simple Way to Share Multiple Folders :
Goto Run and Type SHRPUBW.EXE then press Enter
Select the folder you want to share and Set permissions, 
your share folder is ready now.....  
 

>>Turning off the Help on Min, Max, Close Icons

When the mouse goes over the minimize, maximize and close icons on the upper 
right hand side of a window.

To disable that display:
1. Start Regedit
2. Go to HKEY_CURRENT_USER \ Control Panel \ Desktop
3. Create a String Value called MinMaxClose
4. Give it a value of 1
5. Reboot

>>FIX CORRUPTED FILE IN WINDOW XP
1.Load XP cd into cd drive

2. go to Run

3. type sfc/scannowok

4. Then copy its lost file frm cd. 
 
  >>AUTO DELETE TEMPORARY FOLDER.!!

what i prefer is %temp% " without quotes.. at Start -> Run.. this opens ur temp folder n den u cal erase it nearly
First go into gpedit.msc
Next select -> Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Temporary Folder
Then right click "Do Not Delete Temp Folder Upon Exit"
Go to properties and hit disable. Now next time Windows puts a temp file in
that folder it will automatically delete it when its done! Note from Forum Admin: Remember, GPEDIT (Group Policy Editor) is only available in XP Pro.

>>Locking Folders:

Consider you want to lock a folder named XXXX in your E:\, whose path is E:\XXXX.Now open the Notepad and type the following

[code]ren xxxx xxxx.{21EC2020-3AEA-1069-A2DD-08002B30309D}[/code]

Where xxxx is your folder name. Save the text file asloc.bat in the same drive.Open another new notepad text file and type the following

[code]ren xxxx.{21EC2020-3AEA-1069-A2DD-08002B30309D} xxxx[/code]

Save the text file as key.bat in the same drive.

Steps to lock the folder:

To lock the xxxx folder, simply click the loc.bat and it will transform into control panel icon which is inaccessible.To unlock the folder click thekey.bat file. Thus the folder will be unlocked and the contents are accessible.

>>Locking Drives:

We don't usually prefer to lock our drives, but sometimes it becomes nesscary. Say for instance you might have stored your office documents in D:\ and you don't want your kids to access it, in such case this technique can be useful for you. Please don't try this tweak with your root drive (usually C:\ is the root drive) since root drives are not intended to be locked because they are mandatory for the system and application programs.

Start & Run and type Regedit to open Registry editorBrowseHKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\ExplorerCreate a new DWORD valueNoViewOnDrive and set its value as

2^ (Alpha Number of Drive Letter-1) where Alpha number are simple counting of alphabets from A to Z as 1 - 26
For example: to lock C:\, Alpha number of C is 3 so 2^ (3-1) = 4(decimal value)

To lock more drives, calculate the value of each drive and then set sum of those numbers as valueTo unlock your drive justdelete the key from the registry.>>To Remove Recyle Bin From Your Desktop

Open Regedit by going to START - RUN and type Regedit and hit enter. Then you should navigate to following entry in registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E} and delete it. This action should remove recycle bin from your desktop.

>>Disable the Security Center warnings

Follow the given steps to edit the computer registry for disable message:
First click on Start button then type Regedit in Run option.
Here locate the location to:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Here in right side panel, double click on Anti Virus Disable Notify and set its value 1.
Now close the registry editor and restart your computer after any changes to go into effect.

>>HIDE DRIVES
How to Hide the drives(c:,d:,e:,a:...etc)

To disable the display of local or networked drives when you click My Computer.
1.Go to start->run.Type regedit.Now go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

 \Explorer

2.In the right pane create a new DWORD item and name it NoDrives(it is case sensitive). 

3.Modify it's value and set it to 3FFFFFF (Hexadecimal) .

4.Restart the computer. 

5.Now when you click on My Computer, no drives will be shown(all gone...). 

To enable display of drives in My Computer, simply delete this DWORD item that you created. Restart your computer. All the drives are back again.

>>Show your name in taskbar

Trick to Show Your name after time in taskbar...
Try this trick to add up ur name in place of AM and PM beside time Its simple

Step-1:- Navigate to -> Start -> Control Pannel -> Regional and Language Option -> Click on Customize -> Go to TIME Tab -> Change AM symbol and PM symbol from AM and PM to ur name -> Apply -> Ok ...
Did It change? If not, follow step-2 below.

Step2:- Now go to time in taskbar and Double Click it to open "Date and time property" ...Look place where time changes in digital form i.e. 02:47:52 AM , click to arrow to change the AM or PM by selecting and press arrow. It will Show ur name or name that was entered by u, Apply -> OK 
 Done

Posted by at No comments:

Pentesting Android apps for insecure data storage


Introduction

In this series of articles, we will look into some common approaches for Android App penetration testing. Our focus is to cover OWASP Mobile top 10 with various tools and techniques as it is the most common standard that many organizations and security professionals follow.

Below is the TOP 10 list from www.owasp.org

M1: Insecure Data StorageM2: Weak Server Side ControlsM3: Insufficient Transport Layer ProtectionM4: Client Side InjectionM5: Poor Authorization and AuthenticationM6: Improper Session HandlingM7: Security Decisions Via Untrusted InputsM8: Side Channel Data LeakageM9: Broken CryptographyM10: Sensitive Information Disclosure 

Insecure Data Storage

Android provides a variety of ways to save persistent application data. Following are the most common ways of storing data by an Android Application. 

Shared PreferencesInternal StorageExternal StorageSQLite DatabasesNetwork Connection

Device loss is a very common problem with mobile devices. An attacker who has physical access to the device may perform various types of attacks ranging from stealing personal data to theft of corporate sensitive information. Situation could be worse if the device is rooted. 

So, keeping the this fact in mind, if the above mentioned ways for storing data by an application not implemented properly, may lead to serious attacks. In this article, we will look into how one can look into SharedPreferences for sensitive information.

Shared Preferences:

"Shared Preferences" allows a developer to save and retrieve persistent key-value pairs of primitive data types such as booleans, floats, ints, longs, and strings. 

Let us see, how we can test an app to see if it is storing any sensitive information on this device with out proper security enforcement. 

I have developed a very simple app for demo purpose. the functionality of the app is described in later sections. 

You can download it from here.

Once after downloading it, install it onto the emulator as shown below.

I am using adb to do it.

C:\<adb path>adb devices

C:<adb path>adb install M1-SharedPrefs.apk 







As you can see, it has been installed. Now, you should see a new icon on your emulator.

Functionality of test app

Once if you launch the application, you can see three options as shown in Figure 1.3

Figure 1.3

Now, Click the first option and store some sample card details by filling in the details it asks. You can see the same details by clicking "View Card Details" and entering your name. You can clear the data by using "Clear Card Details" Option.

I have entered my details into the app as shown in Figure 1.4

.

Figure 1.4

So, this is the functionality of the app from an end user's point of view. Now, lets go ahead and check how it is storing the data we entered into it.

Get an adb shell on the emulator using the following command.

C:\<adb path>adb shell

Now, navigate to /data/data directory as shown below.

C:\<adb path>cd /data/data

This is where all the user installed applications will be. So, our app will be here in this directory. Let us check it's package name by using ls & grep as shown in Figure 1.5

Now, Navigate into this directory "com.example.m1_shared" and give an ls


We can clearly see, this app has "shared_prefs" directory. So lets get into this directory and open the bankdetails.xml file inside it as shown in Figure .

 As you can clearly see it has the bank details inside it as name value pairs. This is how many apps store their game scores and other interesting stuff. If it contains any sensitive data as shown in the above example, it is pretty easy for an attacker to steal it.

Note: Shared Preferences used to have features called "MODE_WORLD_READABLE" and "MODE_WORLD_WRITABLE" which enable other apps/users to read/modify the app's data. Those features are deprecated from API level 17.

Posted by at No comments:

Pentesting of Content providers in Android apps


What are content Providers?

As per Google's inbuilt security model, Application data is private to an application and hence it is not possible for an application to access other application's data by default. When applications want to share their data with other applications, Content Provider is a way which acts as an interface for sharing data between applications. Content providers use standard insert(), query(), update(), delete() methods to access application data. A special form of URI which starts with "content://" is assigned to each content provider. Any app which knows this URI can insert, update, delete and query data from database of the provider app. 

There may be some cases where content providers might not be implemented for sharing data with other apps, or developer may want to give access only to those apps which have proper permissions. In such cases, if proper security controls are not enforced in the app, that leads to leakage of information.

   

Inbuilt SMS application in Android devices is a classic example of content providers. Any app can query the inbox from the device using it's URI content://sms/inbox.   But, READ_SMS permission must be declared in the app's AndroidManifest.xml file in order to access SMS app's data.

Prerequisites to follow the steps:

Computer with Android SDK Installed

A Non Rooted mobile device to install the app.

Test Application's functionality:

Once after downloading the test application, install it in the non rooted android device in order to test and exploit it. 

It can be installed with adb using the following command

adb install <name of the apk>.apk

It has a feature to store data inside the application. When we launch it, it appears as shown in the figure. 

The Goal is to find out if there are any content providers implemented in this app and if YES, We need to check and exploit if they are vulnerable to data leakage.

Topics Involved:

Information gathering

Attacking Vulnerable Content Providers

Securing the applications

Information gathering

Like any other pentest, let's start with information gathering. We assume that we have the APK file with us. So, decompile the downloaded apk file as shown in the previous article and check AndroidManifest.xml file for any registered content providers. We should also check the smali files for all the URIs used in the app.

Content Providers are generally registered in AndroidManifest.xml file in the following format.

So let's go ahead and examine the manifest file.

We got one content provider registered in the AndroidManifest.xml file and good news is, it is exported to be accessed by all other apps. 

Attacking Vulnerable Content Providers

This is the most interesting part. Let's now try to query the content provider we found. If it returns any data, then it is vulnerable. This can be done in multiple ways.

1. Using adb shell

2. Using a Malicious app to query

3. Using Mercury Framework

Using adb:

To query the content provider from adb, the app should be installed on the device. 

Get an adb shell on the device and type the following command to query the content provider. In my case, I am going to query the URI I found in MyProvider.smali file which is extracted by APK tool.

Content –query –uri content://com.isi.contentprovider.MyProvider/udetails

We should now see all the details stored into the app's db as show in the figure below.





Using a Malicious app to query:

We can even write a malicious app to query the data from its content provider. Following is the code snippet to query the inbox from a mobile device. 


Using Mercury Framework:

The entire process can be carried out using Mercury framework in even more efficient and simple way.

Securing the Applications:

1. Setting android:exported attribute's value to false:

In the AndroidManifest.xml file of our application, we should add the following attribute to the content provider to be secured. In our case com.isi.contentprovider.MyProvider is the content provider.

If we try to query the content provider whose android:exported value is set to false, it will throw an exception as shown below.

Note: The Default value of android:exported is true for all the applications using API Level lower than 17.

2. Limiting access with custom permissions

We can also impose permission-based restrictions by defining custom permissions for an activity. This is helpful if the developer wants to limit the access to his app's components to those apps which have permissions.

Other issues with Content Providers:

SQL Injection: If security controls are not properly implemented, content providers can lead to Client Side attacks like SQL Injection. This works similar to traditional SQL Injection attacks.

Path Traversal: This is one more attack which can be carried out, if a content provider is not properly implemented. This is similar to the path traversal attacks on Web Applications. It allows an attacker to traverse and view the local file system. Sensitive files can be transferred from the device to the local machine using an app vulnerable to Path Traversal attack.

Posted by at No comments:
Subscribe to: Posts (Atom)

RSS

Categories

Followers

Blog Archive

rTechIndia

RtechIndia->technology ahead

rtech

rtechindia

RtechIndia

Go rtechindia

Go rtechindia

RtechIndia

Friday 21 November 2014

Getting into Windowd- Tricks

 Below method can updates your Windows XP up-to April 2019.

STEPS TO FOLLOW:

1. Open Notepad 

2. Copy and paste the follow code

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]

"Installed"=dword:00000001

3.Save file as .reg extension 

4. Double click on it 

When it runs then it you automatically get notification for Windows Update.

Enjoy..!!

>>Open COMMAND PROMPT while Locked by User.
 
>open notepad
>type www.command.com
> then save as cmd.bat at desktop
>then enter now its open.....enjoy
 
>>If your computer is slow?
then clean up the ram..

>Open notepad
>type FREEMEM=SPACE(64000000)
>Save it as ram.vbs
now run the script.
Check out !!

>>CracK BIOS Password

>Open the CPU
>Observe the Motherbord
>Remove the Silver Battery(3v)
>Wait 2 minutes and place the Battery
>>Restoring a Lost Desktop-
>Start
>Run 
Type a period " . " 
Then press Enter
 
 
>>If ur PC is hanged then do this.
Press shift+ctrl+esc or ctrl+alt+del
n den click on 'END TASK'
ur PC is runing now

>>create folder without name

>select any folder
>rename it
>press alt & type 0160 or 255
>enter

>>Amazing trick for use
Windows Backup Utility if installed
go to run
type ntbackup
ok
Now use backup
 
>>Increase the speed of your file sharing

Simple Way to Share Multiple Folders :
Goto Run and Type SHRPUBW.EXE then press Enter
Select the folder you want to share and Set permissions, 
your share folder is ready now.....  
 

>>Turning off the Help on Min, Max, Close Icons

When the mouse goes over the minimize, maximize and close icons on the upper 
right hand side of a window.

To disable that display:
1. Start Regedit
2. Go to HKEY_CURRENT_USER \ Control Panel \ Desktop
3. Create a String Value called MinMaxClose
4. Give it a value of 1
5. Reboot

>>FIX CORRUPTED FILE IN WINDOW XP
1.Load XP cd into cd drive

2. go to Run

3. type sfc/scannowok

4. Then copy its lost file frm cd. 
 
  >>AUTO DELETE TEMPORARY FOLDER.!!

what i prefer is %temp% " without quotes.. at Start -> Run.. this opens ur temp folder n den u cal erase it nearly
First go into gpedit.msc
Next select -> Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Temporary Folder
Then right click "Do Not Delete Temp Folder Upon Exit"
Go to properties and hit disable. Now next time Windows puts a temp file in
that folder it will automatically delete it when its done! Note from Forum Admin: Remember, GPEDIT (Group Policy Editor) is only available in XP Pro.

>>Locking Folders:

Consider you want to lock a folder named XXXX in your E:\, whose path is E:\XXXX.Now open the Notepad and type the following

[code]ren xxxx xxxx.{21EC2020-3AEA-1069-A2DD-08002B30309D}[/code]

Where xxxx is your folder name. Save the text file asloc.bat in the same drive.Open another new notepad text file and type the following

[code]ren xxxx.{21EC2020-3AEA-1069-A2DD-08002B30309D} xxxx[/code]

Save the text file as key.bat in the same drive.

Steps to lock the folder:

To lock the xxxx folder, simply click the loc.bat and it will transform into control panel icon which is inaccessible.To unlock the folder click thekey.bat file. Thus the folder will be unlocked and the contents are accessible.

>>Locking Drives:

We don't usually prefer to lock our drives, but sometimes it becomes nesscary. Say for instance you might have stored your office documents in D:\ and you don't want your kids to access it, in such case this technique can be useful for you. Please don't try this tweak with your root drive (usually C:\ is the root drive) since root drives are not intended to be locked because they are mandatory for the system and application programs.

Start & Run and type Regedit to open Registry editorBrowseHKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\ExplorerCreate a new DWORD valueNoViewOnDrive and set its value as

2^ (Alpha Number of Drive Letter-1) where Alpha number are simple counting of alphabets from A to Z as 1 - 26
For example: to lock C:\, Alpha number of C is 3 so 2^ (3-1) = 4(decimal value)

To lock more drives, calculate the value of each drive and then set sum of those numbers as valueTo unlock your drive justdelete the key from the registry.>>To Remove Recyle Bin From Your Desktop

Open Regedit by going to START - RUN and type Regedit and hit enter. Then you should navigate to following entry in registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E} and delete it. This action should remove recycle bin from your desktop.

>>Disable the Security Center warnings

Follow the given steps to edit the computer registry for disable message:
First click on Start button then type Regedit in Run option.
Here locate the location to:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Here in right side panel, double click on Anti Virus Disable Notify and set its value 1.
Now close the registry editor and restart your computer after any changes to go into effect.

>>HIDE DRIVES
How to Hide the drives(c:,d:,e:,a:...etc)

To disable the display of local or networked drives when you click My Computer.
1.Go to start->run.Type regedit.Now go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

 \Explorer

2.In the right pane create a new DWORD item and name it NoDrives(it is case sensitive). 

3.Modify it's value and set it to 3FFFFFF (Hexadecimal) .

4.Restart the computer. 

5.Now when you click on My Computer, no drives will be shown(all gone...). 

To enable display of drives in My Computer, simply delete this DWORD item that you created. Restart your computer. All the drives are back again.

>>Show your name in taskbar

Trick to Show Your name after time in taskbar...
Try this trick to add up ur name in place of AM and PM beside time Its simple

Step-1:- Navigate to -> Start -> Control Pannel -> Regional and Language Option -> Click on Customize -> Go to TIME Tab -> Change AM symbol and PM symbol from AM and PM to ur name -> Apply -> Ok ...
Did It change? If not, follow step-2 below.

Step2:- Now go to time in taskbar and Double Click it to open "Date and time property" ...Look place where time changes in digital form i.e. 02:47:52 AM , click to arrow to change the AM or PM by selecting and press arrow. It will Show ur name or name that was entered by u, Apply -> OK 
 Done

Posted by at 0 comments

Pentesting Android apps for insecure data storage


Introduction

In this series of articles, we will look into some common approaches for Android App penetration testing. Our focus is to cover OWASP Mobile top 10 with various tools and techniques as it is the most common standard that many organizations and security professionals follow.

Below is the TOP 10 list from www.owasp.org

M1: Insecure Data StorageM2: Weak Server Side ControlsM3: Insufficient Transport Layer ProtectionM4: Client Side InjectionM5: Poor Authorization and AuthenticationM6: Improper Session HandlingM7: Security Decisions Via Untrusted InputsM8: Side Channel Data LeakageM9: Broken CryptographyM10: Sensitive Information Disclosure 

Insecure Data Storage

Android provides a variety of ways to save persistent application data. Following are the most common ways of storing data by an Android Application. 

Shared PreferencesInternal StorageExternal StorageSQLite DatabasesNetwork Connection

Device loss is a very common problem with mobile devices. An attacker who has physical access to the device may perform various types of attacks ranging from stealing personal data to theft of corporate sensitive information. Situation could be worse if the device is rooted. 

So, keeping the this fact in mind, if the above mentioned ways for storing data by an application not implemented properly, may lead to serious attacks. In this article, we will look into how one can look into SharedPreferences for sensitive information.

Shared Preferences:

"Shared Preferences" allows a developer to save and retrieve persistent key-value pairs of primitive data types such as booleans, floats, ints, longs, and strings. 

Let us see, how we can test an app to see if it is storing any sensitive information on this device with out proper security enforcement. 

I have developed a very simple app for demo purpose. the functionality of the app is described in later sections. 

You can download it from here.

Once after downloading it, install it onto the emulator as shown below.

I am using adb to do it.

C:\<adb path>adb devices

C:<adb path>adb install M1-SharedPrefs.apk 







As you can see, it has been installed. Now, you should see a new icon on your emulator.

Functionality of test app

Once if you launch the application, you can see three options as shown in Figure 1.3

Figure 1.3

Now, Click the first option and store some sample card details by filling in the details it asks. You can see the same details by clicking "View Card Details" and entering your name. You can clear the data by using "Clear Card Details" Option.

I have entered my details into the app as shown in Figure 1.4

.

Figure 1.4

So, this is the functionality of the app from an end user's point of view. Now, lets go ahead and check how it is storing the data we entered into it.

Get an adb shell on the emulator using the following command.

C:\<adb path>adb shell

Now, navigate to /data/data directory as shown below.

C:\<adb path>cd /data/data

This is where all the user installed applications will be. So, our app will be here in this directory. Let us check it's package name by using ls & grep as shown in Figure 1.5

Now, Navigate into this directory "com.example.m1_shared" and give an ls


We can clearly see, this app has "shared_prefs" directory. So lets get into this directory and open the bankdetails.xml file inside it as shown in Figure .

 As you can clearly see it has the bank details inside it as name value pairs. This is how many apps store their game scores and other interesting stuff. If it contains any sensitive data as shown in the above example, it is pretty easy for an attacker to steal it.

Note: Shared Preferences used to have features called "MODE_WORLD_READABLE" and "MODE_WORLD_WRITABLE" which enable other apps/users to read/modify the app's data. Those features are deprecated from API level 17.

Posted by at 0 comments

Pentesting of Content providers in Android apps


What are content Providers?

As per Google's inbuilt security model, Application data is private to an application and hence it is not possible for an application to access other application's data by default. When applications want to share their data with other applications, Content Provider is a way which acts as an interface for sharing data between applications. Content providers use standard insert(), query(), update(), delete() methods to access application data. A special form of URI which starts with "content://" is assigned to each content provider. Any app which knows this URI can insert, update, delete and query data from database of the provider app. 

There may be some cases where content providers might not be implemented for sharing data with other apps, or developer may want to give access only to those apps which have proper permissions. In such cases, if proper security controls are not enforced in the app, that leads to leakage of information.

   

Inbuilt SMS application in Android devices is a classic example of content providers. Any app can query the inbox from the device using it's URI content://sms/inbox.   But, READ_SMS permission must be declared in the app's AndroidManifest.xml file in order to access SMS app's data.

Prerequisites to follow the steps:

Computer with Android SDK Installed

A Non Rooted mobile device to install the app.

Test Application's functionality:

Once after downloading the test application, install it in the non rooted android device in order to test and exploit it. 

It can be installed with adb using the following command

adb install <name of the apk>.apk

It has a feature to store data inside the application. When we launch it, it appears as shown in the figure. 

The Goal is to find out if there are any content providers implemented in this app and if YES, We need to check and exploit if they are vulnerable to data leakage.

Topics Involved:

Information gathering

Attacking Vulnerable Content Providers

Securing the applications

Information gathering

Like any other pentest, let's start with information gathering. We assume that we have the APK file with us. So, decompile the downloaded apk file as shown in the previous article and check AndroidManifest.xml file for any registered content providers. We should also check the smali files for all the URIs used in the app.

Content Providers are generally registered in AndroidManifest.xml file in the following format.

So let's go ahead and examine the manifest file.

We got one content provider registered in the AndroidManifest.xml file and good news is, it is exported to be accessed by all other apps. 

Attacking Vulnerable Content Providers

This is the most interesting part. Let's now try to query the content provider we found. If it returns any data, then it is vulnerable. This can be done in multiple ways.

1. Using adb shell

2. Using a Malicious app to query

3. Using Mercury Framework

Using adb:

To query the content provider from adb, the app should be installed on the device. 

Get an adb shell on the device and type the following command to query the content provider. In my case, I am going to query the URI I found in MyProvider.smali file which is extracted by APK tool.

Content –query –uri content://com.isi.contentprovider.MyProvider/udetails

We should now see all the details stored into the app's db as show in the figure below.





Using a Malicious app to query:

We can even write a malicious app to query the data from its content provider. Following is the code snippet to query the inbox from a mobile device. 


Using Mercury Framework:

The entire process can be carried out using Mercury framework in even more efficient and simple way.

Securing the Applications:

1. Setting android:exported attribute's value to false:

In the AndroidManifest.xml file of our application, we should add the following attribute to the content provider to be secured. In our case com.isi.contentprovider.MyProvider is the content provider.

If we try to query the content provider whose android:exported value is set to false, it will throw an exception as shown below.

Note: The Default value of android:exported is true for all the applications using API Level lower than 17.

2. Limiting access with custom permissions

We can also impose permission-based restrictions by defining custom permissions for an activity. This is helpful if the developer wants to limit the access to his app's components to those apps which have permissions.

Other issues with Content Providers:

SQL Injection: If security controls are not properly implemented, content providers can lead to Client Side attacks like SQL Injection. This works similar to traditional SQL Injection attacks.

Path Traversal: This is one more attack which can be carried out, if a content provider is not properly implemented. This is similar to the path traversal attacks on Web Applications. It allows an attacker to traverse and view the local file system. Sensitive files can be transferred from the device to the local machine using an app vulnerable to Path Traversal attack.

Posted by at 0 comments
Subscribe to: Posts (Atom)