Showing posts with the label Threat Modelling Android Applications

[Android Security] Attacking the Android Package Manager from the past.

Hi folks, here's a quick post about something I see very often in android application code. Something that could have pretty devastating effects if taken too lightly. Something that I believe is known about in some Android development circles but according to some of the things I've seen in apps - it doesn't seem this abuse of the PackageManager is as widely understood as it should be.  So in the following post I'm going to lay out a small trust problem folks seem to miss when dealing with Intents and the PackgeManager on Android.

So here's whats up...
When developing applications for Android you often want to take advantage of other applications and services available on the hosting system. For instance you might want to develop an app that opens Google Maps on a given set of co-ordinates , or perhaps opens a browser on a given page. Of course this is very common, its even common to host applications that forward potentially sensitive information to other applica…

Grepping for Glory : using grep to uncover Android Application Level Vulns

I've spent some time trawling through masses of Android App Sauce lately and I thought I'd share some quick tips and tricks that can help you uncover some critical vulnerabilities. In this post I'll discuss some basic bash scripting that pin points code being either in Java or Jasmin/Smali form.

A quick disclaimer, 

the screenshots below are from actual apps sourced from the play store, I've used real examples here to motivate the need to look for the mentioned vulnerabilities and detail how easy they are to find. Although I've made sure to santize them for any useable or exploitable information seeing that some of these apps have been downloaded hundreds of the thousands of times.