Home > Android Pentesting

Activities, Services & Intents

Activities, Services, and Intents form the core communication and execution system of Android apps. In pentesting, these components become direct entry points for attacks such as activity hijacking, intent spoofing, service abuse, and privilege escalation. This chapter focuses on practical enumeration, testing, exploitation, and command-based workflows.

Activities (Practical Pentesting)

Activities represent UI screens. Misconfigured activities expose internal screens, hidden features, or authentication bypasses.

Enumerating Activities

Decode manifest:

apktool d app.apk -o decoded_app
cat decoded_app/AndroidManifest.xml

List all activities:

grep -R "<activity" -n decoded_app/AndroidManifest.xml

Extract activity names:

grep -oP '(?<=activity android:name=").*?(?=")' decoded_app/AndroidManifest.xml

Finding Exported Activities

Search for exported:

grep -R "android:exported=\"true\"" -n decoded_app

If an exported activity has:

  • No permission

  • No authentication

  • No intent restrictions

…then it becomes a direct attack vector.

Launching Activities Manually (Attack Test)

Trigger an activity:

adb shell am start -n com.app/.HiddenActivity

Open an activity with data:

adb shell am start -n com.app/.UserActivity --es user_id 1

Test for:

  • Hidden admin pages

  • Debug screens

  • Bypassed login screens

  • Direct navigation to privileged screens

If the activity opens without authentication → vulnerability.

Services (Practical Pentesting)

Services perform background operations like uploads, notifications, data processing, and long-running tasks. If exported, they can be abused to trigger privileged logic.

Enumerating Services

grep -R "<service" -n decoded_app/AndroidManifest.xml

Detecting Exported Services

grep -R "exported=\"true\"" -n decoded_app

Starting a Service Manually

adb shell am startservice -n com.app/.UploadService

Start with extra parameters:

adb shell am startservice -n com.app/.SyncService --es token "abc"

Test for:

  • Unauthorized file uploads

  • Forced data sync

  • Triggering background logic

  • Manipulating processing flows

Checking Bound Services

Bound services allow IPC calls.

Scan binder interfaces using Frida:

frida -U -f com.app -l binder.js --no-pause

Bindable services can expose sensitive methods if not protected.

Broadcast Receivers (Intent-Based Attacks)

Broadcast receivers listen for system or app-level events. If exported, they accept external broadcasts and may perform privileged actions.

Enumerating Receivers

grep -R "<receiver" -n decoded_app

Testing Exported Receivers

Trigger a broadcast:

adb shell am broadcast -a com.app.ACTION_DEBUG

Trigger with extras:

adb shell am broadcast -a com.app.UPDATE --es id 1

If the receiver performs actions on attacker-controlled input, the app is vulnerable.

Content Providers (Intent-Accessible Data)

Content providers expose structured data such as databases.

Enumerate Providers

grep -R "<provider" -n decoded_app

Query Provider Data

adb shell content query --uri content://com.app.provider/users

Try inserting data:

adb shell content insert --uri content://com.app.provider/users --bind name:s:attacker

Try deleting:

adb shell content delete --uri content://com.app.provider/users

Improperly protected providers leak entire databases.

Intents (Practical Exploitation)

Intents are messages used to start activities, services, receivers, and data flows. Misuse often results in spoofing, hijacking, and data injection attacks.

Types of Intents

  • Explicit → directly names components

  • Implicit → resolved by intent-filters

Enumerating Intent Filters

grep -R "<intent-filter" -n decoded_app

Look for:

android:scheme=
android:host=
android:path=

These define deep links.

Testing Deep Links

adb shell am start -a android.intent.action.VIEW -d "myapp://login/reset"

Weak deep link validation allows:

  • Login bypass

  • Navigation bypass

  • Privileged screens access

Intent Spoofing Attack

If an exported component does not validate the sender, attackers can send fake intents.

Test with:

adb shell am start -n com.app/.PaymentActivity --es amount "0"

If the app processes the intent blindly, spoofing is possible.

Testing for Data Injection

adb shell am start -n com.app/.TransferActivity --es account 123 --es amount 100000

If internal logic runs → vulnerability.

Activity Hijacking (Task Affinity Abuse)

Check manifest for taskAffinity:

grep -R "taskAffinity" -n decoded_app

If custom affinities exist, attackers can create fake UI screens positioned inside the app task.

Create malicious app:

<activity android:taskAffinity="com.app">

This allows phishing and UI hijacking.

Practical Testing Workflow (End-to-End)

  1. Decode manifest

  2. List all activities, services, receivers, providers

  3. Extract all intent filters

  4. Test each exported component using adb

  5. Send forged intents to all activities

  6. Start services with attacker-controlled extras

  7. Broadcast fake intents

  8. Query content providers

  9. Inspect task affinities for hijacking vectors

  10. Map all found entry points for exploitation

Practical Commands Reference

Start activity:

adb shell am start -n com.app/.Activity

Start service:

adb shell am startservice -n com.app/.Service

Broadcast:

adb shell am broadcast -a com.app.ACTION

Deep link:

adb shell am start -a android.intent.action.VIEW -d "app://path"

Content provider query:

adb shell content query --uri content://authority/path

Intel Dump

  • Activities represent attackable UI entry points

  • Services allow triggering background operations

  • Receivers accept broadcasts and can be spoofed

  • Providers expose data and must be permission-protected

  • Intents allow launching, injecting, and spoofing app flows

  • adb is used to trigger and test all components directly

  • Exported components form the largest attack surface in Android apps

HOME LEARN COMMUNITY DASHBOARD