YoVDO

A Universal Way to Exploit Android PendingIntents in High-profile and System Apps

Offered By: Black Hat via YouTube

Tags

Black Hat Courses Android Development Courses Cybersecurity Courses Android Security Courses Automated Security Testing Courses

Course Description

Overview

Explore a comprehensive analysis of Android PendingIntents vulnerabilities in a 28-minute Black Hat conference talk. Delve into the advanced inter-component communication mechanism and its potential security risks when improperly implemented. Learn about the researchers' findings on exploiting PendingIntents in high-profile and system apps, including case studies of CVE-2020-0188, CVE-2020-0389, and CVE-2020-0294. Discover techniques for retrieving and hijacking insecure PendingIntents, as well as automated methods for identifying vulnerabilities. Gain insights into security changes in Android 12 and receive essential guidelines for secure PendingIntent implementation. Presented by En He, Wenbo Chen, and Daoyuan Wu, this talk offers valuable knowledge for Android developers and security professionals seeking to enhance app security.

Syllabus

Intro
Agenda
Who we are
The Pendingintent API
Previous Research
Retrieving Pendingintents
Hijacking Insecure Pendingintents
Deep Dive Into PendingIntent
Hijacking Pendingintents with Implicit Base Intent
Case Studies
POC of CVE-2020-0188
CVE-2020-0389: Notification
A-166126300: MediaBrowser Service
Some High Profile Apps: AppWidgets
CVE-2020-0294: System Service
Restrictions on URI Grant from uid 1000
Hunting Insecure Pendingintents Automatically
Search APIs without IMMUTABLE
Search Empty or Implicit base Intents
Security Changes in Android 12
Security Guidelines
Final Advice


Taught by

Black Hat

Related Courses

0-Days and Mitigations - Roadways to Exploit and Secure Connected BMW Cars
Black Hat via YouTube
Ways to Die in Mobile OAuth
Black Hat via YouTube
Ways to Bypass Your macOS Privacy Mechanisms
Black Hat via YouTube
Electronegativity - A Study of Electron Security
Black Hat via YouTube
A Titan M Odyssey
Black Hat via YouTube