Instructor: Hi. Within this lecture we are going to see how we can hack into the content providers of this application. And in order to do that, we are going to have to discuss what a content provider is and what it does in Android development. But let me just open this AndroidManifest.xml so that you can see what I'm talking about.

So over here in the manifest folder, we have seen before that we can actually see all the activities, right? So that we can gather information about the activities, and we can actually do a manual intent to go to those activities using the ADB shell, right? However, other than the activities, we can see the other components of Android development, like this content provider over here. Like, we have a TrackUser content provider. So what is it and what does it do? And actually, why is it in the Android manifest?

So we have all the basic components in the Android manifest. We had to have them, otherwise it won't work. So what do I mean by basic components? So I'm gonna go over to developer.android.com, and you don't have to do that, by the way. I'm just doing it for educational purposes. So I'm gonna go over to the guides or reference over here so that I can read about the Android platform itself. So let me go to Guides. Yeah, this is what I'm looking for. So if you go over here to Application Fundamentals, we can see the application components. So there are basically four things that make up an Android application, which are activities, services, broadcast receivers, and content providers.

So maybe you don't know all of these things. We have actually seen the activities, right? But we haven't seen services. So what is a service? A service lets you run things in the background, like downloading data from the internet. The user doesn't see it happening, but it happens in the background. In broadcast receivers, you use broadcast receivers to transfer information between applications or inside of the applications as well. For example, if you want to share data with another application, you can use a broadcast receiver. And in the content providers, you provide content. You actually try to get data from some source, like getting the contact information from the phone book itself. So you can write your own content providers, and we generally use them with databases.

So as we have seen, a content provider in our application, we can try to find it in the JADX decompilation like this, okay? And we can try to analyze it. So over here, if we can come to this content provider Java file, we can see all this data. So even though we can see everything in the clear over here, there is a way to see these URLs in encryption cases, like ProGuard cases, as well. For example, if we have this URL, which is what we need in order to analyze this content provider, which is content://, the package name and the content provider itself, and then the track user's description. So this is a URL actually. It leads us to somewhere where we can gather data, and we can try to query data from this content provider using the ADB shell.

So in this case, it will most probably return us the user information, but it can store some data that developers don't want you to see, so it would be good practice to gather information from this content provider in a real-life example. Okay. So I'm gonna copy this. And even if it's encrypted with ProGuard, it's a URL. It's a string. We can still see this in the smali files or in any other files, like maybe in values and in strings.xml and stuff. Okay. So make sure you find this content provider and copy the URI. Okay.

And then what we are gonna do, we're gonna open the ADB shell as usual. So I'm gonna come over here and start the ADB. And in order to do that, of course, I'm going to exit out of this one and start a new one. Okay. Because it might lose the connection. So here you go. Here is our shell. So remember we have executed the am command before in order to fire up an intent. So rather than am, we are going to use content query this time. So we use the query keyword in order to retrieve data from some database. And in this case, we are using this in order to retrieve data from this content provider. It starts somewhere inside of our application, inside of our data folders. And in order to test this, we are going to paste the URI that we have copied before. And here you go. Now, make sure you include this --uri parameter over here like that, and then paste the thing that you have copied. So this is the command that you should run: content query --uri and the URI of the content provider.

So once I hit enter, I can see the content. Like row is 0, id is 1 and name is Denise. So it didn't give me much, but if it stored something else, I would have gotten it anyway, right? So let me just try this with another user. So remember we had two users, so I'm going to restart this, and rather than Denise, I'm going to sign in with Jack. Okay. And I believe the password was the same thing, Jack@123$. And I'm gonna log in with this. Okay. And here you go. Now I'm logged in. So the username is correct. I'm gonna come over here and run the same thing one more time, and here you go. Now, I got the other user here as well. And, again, this is not very much, but in real life you can get much more valuable information from a content provider.

So I hope you enjoyed the CTF section. So try to find the other vulnerabilities and other exploits by yourself if you have time, because we have learned a lot during this course. So you may try to find vulnerabilities by just looking at the code. You can try to understand which code does what and try to find your way into hacking this application by yourself in your spare time. And it will be very good practice for you. And if you find any other good CTF challenge online, please feel free to share it with me so that we can maybe add it to the course later on. And we're going to stop here. And within the next section, we're going to see how network attacks work in mobile devices as well.