Skip to content

Tag: Access Control

DIVA Android: Access Control Issues

Part 1: Starting an activity externally

The existing access control in the app can be bypassed if an activity can be started externally (outside the app). For example, some other app or debugger can trigger the activity. In the DIVA Android app example, you will see that the API credentials can be displayed after being invoked externally.

First, click the button ‘VIEW API CREDENTIALS’. By running adb logcat command, you can see the activity ‘APICredsActivity’ being triggered.

Using the Activity Manager (am), we can invoke the API Credentials activity using the following command:

adb shell am start -n jakhar.aseem.diva/.APICredsActivity

Once the activity is triggered, we can see the API Credentials activity.

Part 2: Starting Activity externally with input

In this part, you will notice that when you try to start the activity from adb, there will be another activity being shown. This means that the previous method in Part 1 does not work now in Part 2. And you will need to examine the source code to find the flaws in the business logic.

Run this command to see how the extra value can be passed:

adb shell am help start

What value should we pass to the command? The name of the value should be ‘check_pin’ and we should pass ‘false’ value so that the pin condition check will pass and allow you to access the API credential activity directly.

Now run the following command:

adb shell am start -n jakhar.aseem.diva/.APICreds2Activity --ez "check_pin" "false"

You will be able to access the API credentials activity.

Part 3: Poor Access Control for Data content

In this part 3, the app is currently using a pin as a form of access control to a particular note. In the source code, we can see that the app is parsing uri content that is hardcoded. You can use this hardcoded value to open the Notes.

Run this command:

adb shell content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes