CTFZone Paper: Trust Area — Client Part

About application architecture

  • caching to reduce the backend load,
  • ability to create data backups.
Fig. 1. Android client architecture

How we developed the client and the problems we bumped into

  • heap limitations — 2–36 MB,
  • an app can’t store more than 3.5 GB on /sdcard/Android/data/,
  • it can’t use more than 200 MB on /data/data/,
  • network traffic per app is not limited (but we would have seen the source in traffic dumps).

About client-to-client communication

  1. Client1, with an intent to send a request to Client2, sends a PendingIntent to the IntentProxy specifying the recipient and data.
  2. The IntentProxy replaces the sender with itself and forwards the PendingIntent to Client2.
  3. Client2 is unaware which of the clients has sent a PendingIntent since every client interacts solely with the IntentProxy by default.

  • The IntentProxy was a single point of load — hence, a single point of failure.
  • This was another service for us to write and administer.
  • A simple functionality concealed a number of problems — we had to decide how to deal with:
    - intent queues,
    - asynchronous delivery of responses,
    - a mechanism for processing such events as the absence of a response from the client, incorrect response formats, etc.

  1. Client1, with an intent to send a request to Client2, registers in the system a BroadcastReceiver with a random action.
  2. Client1 sends a standard intent with a request and the said random action to Client2.
  3. Client2 doesn’t see the sender in the standard intent, but the action indicates where to send the response (as a Broadcast Intent).
  4. Client1, upon receiving the response, closes the BroadcastReceiver.
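The four-step exchange above, written out as an added example (this is not code from the CTFZone paper or the Trust Area client): Client1 registers a receiver under a freshly generated action, sends the request as an explicit intent to Client2, and Client2 answers with an implicit broadcast carrying that action. The extra keys, the `reply.` prefix and the Client2 component are assumed names, not the paper's.

```java
// Added example, not from the CTFZone paper. Extra keys, the "reply." prefix and
// the Client2 component passed in by the caller are hypothetical.
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

import java.util.UUID;

public final class ClientToClient {
    // Extra keys shared by both sides (assumed names).
    static final String EXTRA_REPLY_ACTION = "reply_action";
    static final String EXTRA_PAYLOAD = "payload";
    static final String REPLY_PREFIX = "reply.";

    /** Callback invoked on Client1 when the response arrives. */
    public interface ResponseHandler {
        void onResponse(String payload);
    }

    // ---- Client1 side: steps 1, 2 and 4 ------------------------------------

    /**
     * Step 1: register a receiver under an unguessable, single-use action.
     * Step 2: send an explicit intent to Client2 carrying the request and that action.
     * Step 4: the receiver unregisters itself as soon as the response is in.
     *
     * @param client2Receiver manifest-declared receiver of Client2 (hypothetical)
     * @return the random action, so the caller can unregister on timeout
     */
    public static String sendRequest(Context ctx, ComponentName client2Receiver,
                                     String request, ResponseHandler handler) {
        // A UUID gives 122 random bits; a predictable action would let any other
        // app register for it and race Client1 for the response.
        final String replyAction = REPLY_PREFIX + UUID.randomUUID();

        final BroadcastReceiver receiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context c, Intent response) {
                // Step 4: one response per request; stop listening immediately.
                try {
                    c.unregisterReceiver(this);
                } catch (IllegalArgumentException alreadyGone) {
                    // unregistered by a timeout path; nothing to do
                }
                handler.onResponse(response.getStringExtra(EXTRA_PAYLOAD));
            }
        };
        // The receiver must be reachable from Client2, so it is exported.
        // On API 33+ use the overload taking Context.RECEIVER_EXPORTED.
        ctx.registerReceiver(receiver, new IntentFilter(replyAction));

        // Explicit component: only Client2's receiver gets the request, and the
        // request itself never identifies Client1 (step 3 relies on this).
        Intent req = new Intent()
                .setComponent(client2Receiver)
                .putExtra(EXTRA_REPLY_ACTION, replyAction)
                .putExtra(EXTRA_PAYLOAD, request);
        ctx.sendBroadcast(req);
        return replyAction;
    }

    // ---- Client2 side: step 3 ----------------------------------------------

    /**
     * Step 3: Client2 cannot see who sent the request; the random action is the
     * only routing information, and the reply is an implicit broadcast on it.
     * A missing or malformed action is the "incorrect format" case the paper
     * lists, so the request is dropped rather than answered.
     */
    public static boolean reply(Context ctx, Intent request, String responsePayload) {
        String replyAction = request.getStringExtra(EXTRA_REPLY_ACTION);
        if (replyAction == null || !replyAction.startsWith(REPLY_PREFIX)) {
            return false;
        }
        ctx.sendBroadcast(new Intent(replyAction).putExtra(EXTRA_PAYLOAD, responsePayload));
        return true;
    }
}
```

Two design points worth keeping in mind: the response is an implicit broadcast, so the randomness of the action is the only thing that keeps a third app from receiving it, and a caller that never gets an answer must unregister the receiver itself (the returned action is what it needs for that), otherwise the leaked receiver keeps listening for the lifetime of the process.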

About vulnerabilities

  • the use of empty intents (a bare Intent() as the base intent when initialising a PendingIntent),
  • Intent Redirection.
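The two weaknesses listed above, each shown in its vulnerable form beside a hardened one, as an added example (not code from the paper or from the Trust Area client). The class, extra key and allow-listed component names are hypothetical.

```java
// Added example, not from the CTFZone paper. Class names, the "next" extra and
// the allow-listed component are hypothetical placeholders.
import android.app.PendingIntent;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

import java.util.Collections;
import java.util.Set;

public final class IntentHardening {

    // 1) Empty base intent inside a PendingIntent ------------------------------

    /**
     * Vulnerable: the base Intent() has no component, action, data or package and
     * the PendingIntent is mutable, so whoever receives it can fill in action,
     * data and package before sending, and the filled intent is then resolved
     * and delivered with THIS app's identity and permissions.
     */
    static PendingIntent weakPendingIntent(Context ctx) {
        return PendingIntent.getActivity(ctx, 0, new Intent(), PendingIntent.FLAG_UPDATE_CURRENT);
    }

    /**
     * Hardened: an explicit component fixes the target, and FLAG_IMMUTABLE
     * (API 23+, required on Android 12 and later) stops the receiver from
     * changing anything else.
     */
    static PendingIntent safePendingIntent(Context ctx, ComponentName target) {
        Intent base = new Intent().setComponent(target);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getActivity(ctx, 0, base, flags);
    }

    // 2) Intent redirection ----------------------------------------------------

    static final String EXTRA_NEXT = "next"; // hypothetical extra carrying a nested Intent

    // Hypothetical allow-list of exported components we are willing to forward to.
    private static final Set<String> ALLOWED =
            Collections.singleton("com.example.partner/.PublicActivity");

    /**
     * Vulnerable: a nested Intent supplied by an untrusted caller is launched
     * as-is, so it can reach this app's own non-exported components.
     */
    static void weakForward(Context ctx, Intent incoming) {
        Intent next = incoming.getParcelableExtra(EXTRA_NEXT);
        if (next != null) {
            ctx.startActivity(next);
        }
    }

    /**
     * Hardened: forward only to an explicit, allow-listed component outside our
     * own package, and strip flags that would pass our URI grants along.
     * Returns false when the nested intent is rejected.
     */
    static boolean safeForward(Context ctx, Intent incoming) {
        Intent next = incoming.getParcelableExtra(EXTRA_NEXT);
        if (next == null) {
            return false;
        }
        ComponentName target = next.getComponent();
        if (target == null) {
            return false; // implicit intents are not forwarded
        }
        if (ctx.getPackageName().equals(target.getPackageName())) {
            return false; // never let a caller address our internal components
        }
        if (!ALLOWED.contains(target.flattenToShortString())) {
            return false;
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        }
        ctx.startActivity(next);
        return true;
    }
}
```

The check on `getPackageName()` is what closes the redirection case the paper refers to: the nested intent is started with the forwarding app's identity, so an intent pointing back into that app bypasses the exported/non-exported boundary unless the app refuses it.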

About the teams' authenticity

Fig. 2. Code snippets

Source code:


International community conference for cybersecurity researchers and professionals. No suits, no business — only hardcore research.
