
No-permission Android App Gives Remote Shell - Garbage
http://viaforensics.com/security/nopermission-android-app-remote-shell.html
======
jr62
So there's a way to establish two-way communication with an Android device,
without enabling any permissions. But it's a very obvious system (works by
launching intents, just like every other Android function), so it's hardly
something that would work in any kind of stealth mode. Interesting hack, but
not really as serious a vulnerability as the name might suggest.

------
yuliyp
So you demonstrate a confused deputy attack on Android? This is hardly news.

------
pkulak
Not very interesting if you don't tell me how it's done...

~~~
modeless
According to the linked presentation the app sends data by opening URLs in the
web browser (which is obvious to the user unless the device is locked). It
receives data by having the browser open URLs using a custom URL scheme (which
can apparently be registered without any permissions).

~~~
jebblue
What was that python reverse program and if that's running then the device is
in debug mode (since it's an emulator maybe it's always in debug mode?). So
I'm left wondering what does this prove?

~~~
_tornado_
The python program was simply the server the attacker sets up. It could be run
on any machine connected to the Internet and then accessed by the shell
program from the user's device. The emulator and server were run on the same
machine to make it easier to record the screencast, but the method works just
the same on a real device and a remote server. There is nothing really
difficult about how it is done, it is explained in the linked presentation, it
is just a nice demo of it.

~~~
jebblue
I guess I need to go back and review the whole presentation, I stopped about
half way through. Thanks.

