Launching activities

Activities are the application components that facilitate user interaction. During an application security assessment, it may be useful to find out which activities can be launched without permissions, in case any of them provide access to sensitive data or cause an application to crash if launched in the wrong context. Besides the obvious benefit of engaging with activities via the drozer console, this makes for a good, responsive introduction to working with application components, because you can actually see your Android device respond to your commands from the terminal. So, without further ado, let's get cracking with some activities!

How to do it...

You will need to choose an activity to launch, but seeing that you cannot inherently know where the launchable activities are or what they're called, I thought I'd include the process of finding a launchable activity in this recipe.

  1. Find some activities using the app.activity.info module:
    dz> run app.activity.info --package [package name]
    

    You'll need to choose a package and an activity to use in the next step. Get used to running this command a couple of times; you'll be using it quite a lot if you're going to get into Android penetration testing.

  2. When you've found the activity you're looking for, you can send it some launch intents and watch it pop up on your Android device's screen. Here's how you do that:
    dz> run app.activity.start --action [intent action] --category [intent category] --component [package name] [component name]
    

    Here, [intent action] is the action attribute of the intent filter set by the target activity and [intent category] is the category attribute of the intent filter set by the target activity, which you can get from the command in Step 1.

Here's an example you can try out:

dz> run app.activity.start --action android.intent.action.MAIN --category android.intent.category.LAUNCHER --component com.android.browser com.android.browser.BrowserActivity
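
The property this recipe probes for, activities that any app can start without holding a permission, can also be checked statically from a decoded AndroidManifest.xml. The following is an added example, not code from this recipe or from drozer; the manifest, the package name com.example.notes, and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded XML form), not taken from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ExportNotesActivity" android:exported="true"/>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.notes.permission.ADMIN"/>
    <activity android:name=".SettingsActivity" android:exported="false">
      <intent-filter><action android:name="com.example.notes.SETTINGS"/></intent-filter>
    </activity>
    <activity android:name=".EditorActivity"/>
  </application>
</manifest>"""

def unprotected_exported_activities(manifest_xml):
    """Return [(component, actions)] for activities any app can start."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    app_permission = app.get(ANDROID_NS + "permission")
    findings = []
    for node in list(app.iter("activity")) + list(app.iter("activity-alias")):
        name = node.get(ANDROID_NS + "name", "")
        if name.startswith("."):
            name = package + name  # expand the shorthand component name
        filters = node.findall("intent-filter")
        exported = node.get(ANDROID_NS + "exported")
        # With no explicit attribute, an intent filter implies exported (the
        # legacy default; apps targeting Android 12+ must set it explicitly).
        is_exported = (exported == "true") if exported else bool(filters)
        # A component-level permission overrides the <application> one.
        permission = node.get(ANDROID_NS + "permission") or app_permission
        if is_exported and not permission:
            actions = sorted({a.get(ANDROID_NS + "name")
                              for f in filters for a in f.findall("action")})
            findings.append((name, actions))
    return findings

if __name__ == "__main__":
    for component, actions in unprotected_exported_activities(SAMPLE_MANIFEST):
        print(component, actions or "(explicit component only)")
```

Each finding is a candidate for review: either set android:exported="false" or guard the activity with a permission if other apps have no reason to start it.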

How it works...

Let's take a look at the drozer source code to find out exactly how it manages to launch some activities.

Note

The following code is available at https://github.com/mwrlabs/drozer/blob/master/src/drozer/modules/app/activity.py (lines 166-174).

# ... some code has been omitted for brevity
def execute(self, arguments):
  # Build an intent from the parsed command-line arguments
  intent = android.Intent.fromParser(arguments)

  # Default to ACTIVITY_NEW_TASK when no flags were supplied
  if len(intent.flags) == 0:
    intent.flags.append('ACTIVITY_NEW_TASK')

  # Only send the intent if an action or a component was set
  if intent.isValid():
    self.getContext().startActivity(intent.buildIn(self))
  else:
    self.stderr.write('invalid intent: one of action or component must be set')
# ... some code has been omitted for brevity

So, what we see here is that drozer simply bundles the user-supplied arguments into an intent after pulling them through the argument parser; it then checks whether the intent is valid and, if so, sends it. This works the same way as an intent sent from an Android application.

There's more…

You can go about finding activities to launch using the app.activity.forintent module.

This nifty module lets you search for activities based on a given intent action and category; here's how to do that:

dz> run app.activity.forintent --action [intent action] --category [intent category]

Here's an example:

dz> run app.activity.forintent --action android.intent.action.VIEW --category android.intent.category.DEFAULT

See also
