Access Control bypass using Intents – #9 DIVA Solution

Android provides Intents to perform IPC (inter-process communication). In simple terms, if you want to launch an Activity/Service/Broadcast Receiver or pass some data, you can use Intents. You may want to refer to get developers view on Intents. An implicit Intent allows the user to choose a particular application out of the available applications (like what we see when we have multiple browsers and click on a URL: the OS asks which browser to launch), and an explicit Intent means that the developer has already defined that the app should invoke a particular component such as an Activity/Service/Receiver (either within the same app or in an external app).


Since any external app can also invoke our app's components, say an Activity with sensitive information, developers need to restrict this via the Intent Filter. The AndroidManifest.xml file contains details of all activities, and this is where developers can implement an Intent Filter to allow or restrict calls from external apps.


The video demonstrates the DIVA app to explain access control bypass via Intents. The aim here is to view the details of all user credentials by invoking an Activity of the app, either via an external app or the ADB command line.


To start with, let's examine AndroidManifest.xml (refer this article to learn the process of reverse engineering to get the Manifest file), where the Activity named APICredsActivity is defined. You will notice that, in the Intent Filter tag within APICredsActivity, ACTION = ‘~.VIEW_CREDS’, which means it allows viewing of the Activity whenever this activity is invoked, and CATEGORY = ‘~.DEFAULT’, which says that the default app context should be loaded as no explicit Activity is mentioned. Collectively, this means the app allows any application to invoke APICredsActivity to view it without any restriction.


To exploit this, we can either use ADB or build an Android app that invokes this Activity (this would require Android programming skills). With the Android device connected for USB debugging, let's see the commands below:

adb shell

am start jakhar.aseem.diva/.APICredsActivity

This can also be exploited on non-rooted devices. Once you have an ADB shell, you can use ‘am’ (Activity Manager) to launch an activity by calling start PackageName/.ActivityName. Suppose the app is using some 3rd-party SDK: to invoke that activity we need to use start APPPackageName/3rdPartySDKPackage.ActivityName

One more possibility is that the developer has set the exported=’true’ flag in the Manifest inside the Activity/Service/BroadcastReceiver tag. Then, using the above command, we can invoke that Activity or component directly, bypassing the app logic.


  • If you are going to store anything sensitive or perform any action that needs proper authentication and authorization, make sure you don’t allow your Activity/Service/Receiver to be invoked by anybody, by not opening an Intent-Filter. You should properly set the action and category in the Intent-Filter.
  • In the Manifest file, never use exported=’true’ unless you know exactly what you are doing. Otherwise an external app can invoke your component easily.
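To check your own app for the two cases above (an Intent-Filter on a component, or exported=’true’), here is a small manifest audit, added as an example and not taken from DIVA or the original post. It assumes the manifest has already been decoded to text XML; the package, component and action names in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed manifest for illustration; all names below are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <activity android:name=".CredsActivity"><intent-filter>
      <action android:name="com.example.app.action.VIEW_CREDS"/>
      <category android:name="android.intent.category.DEFAULT"/>
    </intent-filter></activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.app.permission.SYNC"/>
    <receiver android:name=".InternalReceiver" android:exported="false"><intent-filter>
      <action android:name="com.example.app.action.PING"/>
    </intent-filter></receiver>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """List (tag, name, reason) for components any other app can start unguarded."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    for comp in app:
        exported = comp.get(NS + "exported")
        if comp.tag not in TAGS or exported == "false":
            continue
        if exported == "true":
            reason = "exported=true"
        elif comp.find("intent-filter") is not None:
            # With a filter and no attribute, apps targeting below API 31 export by default.
            reason = "intent-filter present, exported not set"
        else:
            continue
        # A required permission counts as guarded here; review its protectionLevel separately.
        if comp.get(NS + "permission") or app.get(NS + "permission"):
            continue
        cats = {c.get(NS + "name") for c in comp.iter("category")}
        if "android.intent.category.LAUNCHER" in cats:
            continue  # the launcher entry point is exported by design
        findings.append((comp.tag, comp.get(NS + "name"), reason))
    return findings
```

On the sample, audit_manifest(SAMPLE_MANIFEST) reports .CredsActivity and .DebugActivity; setting exported to false on both clears the findings.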
