Passive intent sniffing via the activity manager

A good way to gather information about applications and their components is to eavesdrop on inter-application communication. One way to do this is to request information about the most recent intents from the activity manager.

This is pretty straightforward and, as it turns out, can be done via drozer (which was introduced in Chapter 3, Android Security Assessment Tools) if you're willing to do some Python scripting. The folks at iSec Partners have developed an Android application that is capable of doing this, and most of the inspiration for the drozer module discussed in the following recipe comes from their app. To find out how to get your hands on this app, see the See also section of this recipe.

Getting ready

Before we actually write this module, we need to modify the drozer Agent a little so it has the required permissions to actually request information about intents from the activity manager. The simplest way to do this is to augment the permissions requested by drozer via its AndroidManifest.xml file. Here, I'll show you how to do this using Eclipse.

  1. First you need to grab a copy of the drozer Agent and its dependencies from the following sites:
  2. Once you have downloaded these and saved them in the same folder, you can open Eclipse and import each of them as Android projects. For each of them, once Eclipse is opened, navigate to File | Import.
  3. Click on the Android folder, then go to Existing Android Code into Workspace and click on Next.
  4. At this point, Eclipse will ask you to specify a folder to import from. You'll need to add one of the folders you downloaded in step 1. To select a folder, click on Browse... and a file selection dialog will pop up.
  5. Using the File dialog, navigate to the file path where you've downloaded the drozer Agent and dependencies. You'll need to add each one of them this way.

    Make sure you import each of the folders this way. Until you do so, Eclipse will not be able to build the drozer Agent successfully.

  6. Once you've imported all the projects, you'll need to edit the drozer Agent's AndroidManifest.xml. You do this by double-clicking on the AndroidManifest.xml file in the drozer-agent project folder in Eclipse (make sure that you select the AndroidManifest.xml tab before editing so you can edit the XML directly). Then, enter the following line:
    <uses-permission android:name="android.permission.GET_TASKS"/>
    

    The AndroidManifest.xml file should look like the following screenshot if you've performed the step correctly:

    And that's it! You've just added an extra permission to the drozer Agent. Now you can export the drozer Agent as an APK file, upload it to your device, and get cracking.

    Please note you may need to uninstall the drozer Agent currently installed on your device before installing the modified one.

How to do it...

So that's the drozer Agent done and dusted. We can now move on to developing the intent sniffer module.

  1. Navigate to your drozer module repository; if you haven't set one up please refer to the Writing a drozer module – a device enumeration module recipe in Chapter 3, Android Security Assessment Tools, to see how this is done. Once you are in your module repository, create a file called ex.sniffer.intents and type the following into it (the following code will be available in this book's code repository):
    from drozer.modules import Module,common
    from drozer.modules import android
    class Intents(Module, common.PackageManager):
      name = "Dump recent intents to the console"
      description = "This module allows you to see the most recent intents that were sent, via the ActivityManager"
      examples = "run ex.sniffer.intents"
      author = "[your name]"
      date = "[the date]"
      license = "GNU GPL"
      path = ["ex","sniffer"]
      def execute(self,arguments):
        self.stdout.write("[*] initializing intent sniffer...\n")
        # "activity" is the string value of ACTIVITY_SERVICE; this returns the ActivityManager
        context = self.getContext()
        activityService = context.getSystemService("activity")
        self.stdout.write("[*] got system service ..\n")
        # Needs the GET_TASKS permission added to the drozer Agent's manifest.
        # Ask for up to 1000 tasks; the flag value 1 requests the full list without omitting any tasks
        recentTasks = activityService.getRecentTasks(1000,1)
        self.stdout.write("[*] recentTasks Extracted..\n")
        list_length = recentTasks.size()
        self.stdout.write("[*] Extracted %s tasks ..\n" % (list_length))
        # Each RecentTaskInfo carries the intent that started the task in its baseIntent field
        for task in range(list_length):
          cur_task = recentTasks.get(task)
          cur_taskBaseIntent = cur_task.baseIntent
          self.stdout.write("\t[%d] %s\n" % (task,cur_taskBaseIntent.toString()))
  2. Once that's done, install the module into drozer by executing the following command:
    dz> module install [path-to-module-repo]/ex.sniffer.intents
    
  3. Then run it by executing the following command:
    dz> run ex.sniffer.intents
    

    You should see something similar to the following screenshot:

How it works...

The intent sniffer script is actually quite simple. Here I'll break down what it's doing and how it manages to actually sniff some intents.

The intent sniffer makes a call to Context.getSystemService() and passes it the identifier for the ACTIVITY_SERVICE flag, which is simply a string with the value "activity". This returns an instance of the ActivityManager class, which allows the script to interact with the activity manager and make calls such as ActivityManager.getRecentTasks(). This method takes two arguments: the first is an integer giving the maximum number of RecentTaskInfo objects the script wants to receive from the activity manager, and the second is a flag specifying the kind of recent activities. In this example, the script is written to request the full list without omitting any of the tasks. I've written the script this way because the intent that was sent to start each recent task comes bundled with the RecentTaskInfo object as a field called RecentTaskInfo.baseIntent. The script can then use it to extract some useful information about the intent, such as the component name, flags, actions, and categories. To keep things quick and easy here, the script simply writes out the result of the Intent.toString() method, which formats the information about the intent as a string and returns it.

Of course, you are welcome to do more intelligent parsing of the intent information. You could even try working out a way to determine which package made the original call. Though this is very difficult, it would be quite a rewarding drozer module to pull off.
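
As a starting point for the more intelligent parsing suggested above, the following added example (not from the book or the drozer project) splits the Intent.toString() strings the module prints into named fields, decodes a subset of the FLAG_ACTIVITY_* bits, and expands the shortened component name. The sample lines, the com.example.notes package, and the function names parse_intent and data_bearing are constructed for illustration; the code assumes the key=value layout that Intent.toString() produces.

```python
import re

# Subset of android.content.Intent FLAG_ACTIVITY_* constants (bit -> name).
ACTIVITY_FLAGS = {
    0x40000000: "NO_HISTORY", 0x20000000: "SINGLE_TOP",
    0x10000000: "NEW_TASK", 0x08000000: "MULTIPLE_TASK",
    0x04000000: "CLEAR_TOP", 0x00800000: "EXCLUDE_FROM_RECENTS",
    0x00400000: "BROUGHT_TO_FRONT", 0x00200000: "RESET_TASK_IF_NEEDED",
    0x00100000: "LAUNCHED_FROM_HISTORY",
}
# key=value tokens; cat= and bnds= values are bracketed, the rest end at a space.
TOKEN = re.compile(r"(\w+)=(\[[^\]]*\](?:\[[^\]]*\])?|\S+)")

def parse_intent(line):
    """Split one line of the module's output into named intent fields."""
    m = re.search(r"Intent \{(.*)\}", line)
    if not m:
        raise ValueError("no Intent.toString() text in %r" % line)
    body = m.group(1)
    raw = dict(TOKEN.findall(body))
    flags = int(raw.get("flg", "0"), 16)
    pkg, _, cls = raw.get("cmp", "").partition("/")
    return {
        "action": raw.get("act"),
        "categories": [c for c in raw.get("cat", "[]")[1:-1].split(",") if c],
        "data": raw.get("dat"),
        "flags": [n for b, n in sorted(ACTIVITY_FLAGS.items(), reverse=True) if flags & b],
        "unknown_flag_bits": flags & ~sum(ACTIVITY_FLAGS),
        "package": pkg or raw.get("pkg"),
        # "pkg/.Cls" is the short form of "pkg/pkg.Cls"
        "class": pkg + cls if cls.startswith(".") else cls or None,
        "has_extras": "(has extras)" in body,
    }

def data_bearing(lines):
    """Parsed intents whose base intent exposes a data URI to GET_TASKS holders."""
    return [i for i in map(parse_intent, lines) if i["data"]]

# Constructed sample output in the format the module writes ("\t[n] Intent { ... }").
SAMPLE = [
    "\t[0] Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.android.settings/.Settings }",
    "\t[1] Intent { act=android.intent.action.VIEW dat=content://com.example.notes/item/7 flg=0x10800000 cmp=com.example.notes/com.example.notes.ui.ViewActivity (has extras) }",
]

if __name__ == "__main__":
    for intent in map(parse_intent, SAMPLE):
        print(intent["package"], intent["class"], intent["flags"], intent["data"])
```

The second sample carries EXCLUDE_FROM_RECENTS, which is the kind of task the module still receives because it asks for the full list.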
