Blog Infos
Author
Published
Topics
Author
Published
Introduction
Example #1 — ‘Mis-Intent-ion’
Exploiting Exports

Image credit: https://blog.mzfr.me/posts/2020-11-07-exported-activities

Job Offers

Job Offers

There are currently no vacancies.

OUR VIDEO RECOMMENDATION

, ,

Migrating to Jetpack Compose – an interop love story

Most of you are familiar with Jetpack Compose and its benefits. If you’re able to start anew and create a Compose-only app, you’re on the right track. But this talk might not be for you…
Watch Video

Migrating to Jetpack Compose - an interop love story

Simona Milanovic
Android DevRel Engineer for Jetpack Compose
Google

Migrating to Jetpack Compose - an interop love story

Simona Milanovic
Android DevRel Engin ...
Google

Migrating to Jetpack Compose - an interop love story

Simona Milanovic
Android DevRel Engineer f ...
Google

Jobs

In the companion app written for my talk, this is demonstrated through misconfiguring an activity MainActivity to be exportable despite it normally requiring ‘authentication’ to access it from within the app.

<activity
android:name=".login.LoginActivity"
android:exported="true">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<activity
android:name=".home.MainActivity"
android:exported="true" />

As MainActivity is exportable, it is possible to simply call adb to have the system open the activity and thus bypass the need for authentication.

adb shell am start -n dev.spght.owasp/dev.spght.owasp.home.MainActivity
view raw adb.sh hosted with ❤ by GitHub
The Fix
<!-- In the main application -->
<permission android:name="dev.spght.permission.example.MY_PERMISSION"
android:protectionLevel="signature"
android:label="A custom permission" />
<!-- In the secondary application -->
<uses-permission android:name="dev.spght.permission.example.MY_PERMISSION"/>
Next up 🚀
Thanks 🌟
Further Reading

YOU MAY BE INTERESTED IN

YOU MAY BE INTERESTED IN

blog
👋 Hi and welcome to the third post in this series where we deep-dive…
READ MORE
blog
Protect your user’s privacy and adhere to possible technical requirements
READ MORE
blog
Security and privacy are the two most talked about topics these days. Like any…
READ MORE
blog
👋 Hi and welcome to the second post in this series where we deep-dive…
READ MORE

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Menu