Hacking Android dynamic Broadcast Receivers

An interesting point was raised this week when the subject of attacking IPC endpoints in Android applications was being discussed.
Attacking Endpoints is a method by which a malicious application on an Android device can communicate with, and misuse functions of other applications installed on the device. This can lead to anything from information disclosure to code execution.

To find these end points it's normally a matter of checking the application's manifest file (which can be recovered from the apk)

adb shell "pm list packages"
adb shell "pm path com.example.apptotest"
adb pull /data/app/com.example.apptotest-1.apk
aapt d xmltree com.example.apptotest-1.apk AndroidManifest.xml

This process (which can be sped up with mercury), gives you a whole list of text which allows you to identify which of these end points are exported either on purpose or otherwise, and which have permissions.

This gives us a list of things to look at in code, but I believe we are missing a step here. This assumes that these are the only end points we can talk to. Obviously some require permissions that we as a malicious app might have ourselves by just asking the user for it, but for this instance the malware will have zero permissions.

It is possible to register a broadcast receiver dynamically, typically by doing the following:
registerReceiver(BroadcastReceiver myreceiver, new IntentFilter("android.some.THING"))

This is fine, and often required to listen out for an event on a device. There are 2 things that can go badly wrong here though. First if the broadcast filter is listening for an intent that isn't a restricted broadcast then the malicious app can start sending them without needing any permissions. Secondly if the receiver goes on to use the extras sent with the broadcast, or to start running other functions, then the malware has a whole new entry point to your application. Of course it would require the malware to send the broadcast at the right moment, but hell just have it send the broadcast every second and run all the time.

To protect your broadcast, you need to register permissions when you declare it (details here), secondly don't trust the data that is being sent with it. It's passing through a trust zone to arrive in your app, so validate it! Details on Android permissions can be found here.