Android Penetration Testing – Part 10

Attacking Broadcast receiver:

A Broadcast Receiver is an Android Component which allows you to register for system or application events.We recommend reading Android Penetration Testing – Part 5 for more details with Broadcast Receiver

Let’s examine android manifest

- Advertisement -

Broadcast receivers are generally registered in the following format. As we can see in android manifest file exported value = True for broadcast

The code seems insecure since the receiver is exported.

The parameters that are passed to the Broadcast Receiver can be seen below

The Goal is to send spoofed broadcast intents and see if the application is accepting them. If yes, we will exploit the application to send an SMS to some random mobile numbers using the fake broadcasts.

Attacking vulnerable broadcast receivers
Securing the applications

Attacking Vulnerable Broadcast Receivers

Let’s now try to send some spoofed broadcasts to the above receiver.

Using am tool available in adb

Using adb

Get an adb shell on the device and type the following command to send a spoofed broadcast.
Navigate back to the “platform-tools” folder and enter the below mentioned command:

. /adb shell

Enter the following command in the shell:

am broadcast -a theBroadcast -n com.android.insecurebankv2/com.android.insecurebankv2.MyBroadCastReceiver –es phonenumber 5554 –es newpass Dinesh@123!

Back on the emulator, navigate to the “Messages”. The above-entered command automatically makes a call to the mentioned Broadcast Receiver and an SMS text with the passwords is sent.

Now, a broadcast event is sent in the background, and since the application is not validating the input source, an SMS will be sent to emulator-5554 without user intervention.

Let’s see how we can secure application-

Securing the Applications:

Setting android: exported attribute’s value to false

In the AndroidManifest.xml file of our application, we should add the following attribute to the receiver to be secured.

Limiting access to custom permissions

We can also impose permission-based restrictions by defining custom permissions for each receiver. This is helpful if the developer wants to limit the access to his app’s components to those apps which have permissions.

This is the reason why we need to specify “android.permission.RECEIVE_SMS” permission in the AndroidManifest.xml file if any app wants to listen for the Receive SMS event using the action “android.provider.Telephony.SMS_RECEIVED“

Check out our previous parts of Android Penetration Testing

Android Application Penetration Testing – Part 1
Android Application Penetration Testing – Part 2
Android Application Penetration testing – Part 3
Android Application Penetration Testing – Part 4
Android Application Penetration Testing – Part 5
Android Application Penetration Testing – Part 6
Android Application Penetration Testing – Part 7
Android Application Penetration Testing – Part 8
Android Application Penetration Testing – Part 9

Android Application Penetration Testing – Part 10

Supply Chain Attack Prevention

Follow Us on Google News

Securing the Applications:

Check out our previous parts of Android Penetration Testing

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Resilience at Scale

Why Application Security is Non-Negotiable

Discussion points

More like this

Android Security Update -A Critical RCE Vulnerability Actively Exploited in the Wild

GPUAF: Two Methods to Root Qualcomm-Based Android Phones

SpyMax Android Spyware: Full Remote Access to Monitor Any Activity

How To Access Dark Web Anonymously and know its Secretive and Mysterious Activities

How to Build and Run a Security Operations Center (SOC Guide) – 2023

Network Penetration Testing Checklist – 2025