Access Control bypass using Intents with Data – #10 DIVA Solution

As we saw in the previous post, Access Control bypass using Intents – #9 DIVA Solution, Android provides Intents to perform IPC (inter-process communication) and launch an Activity, Service or Broadcast Receiver. Here you will see how to pass data along with an Intent when invoking an Activity, and how that data can be used to bypass the access control inside the Activity.


The video demonstrates the DIVA app to show an access control bypass via Intents that carry data. The aim here is to view the credentials of all users by invoking an Activity of the app, either from an external app or from the ADB command line.


First, let's examine the AndroidManifest.xml file (check this article on reverse engineering the .apk to obtain the manifest), which lists all activities and is where developers declare an Intent Filter to allow or restrict calls from external apps.

Here an Activity named APICreds2Activity is defined. Notice the Intent Filter tag inside APICreds2Activity: ACTION = ‘~.VIEW_CREDS2’ means the activity can be launched by any Intent carrying that action, and CATEGORY = ‘~.DEFAULT’ means it accepts implicit Intents, which do not name an explicit Activity. Taken together, this means the app allows any application to invoke APICreds2Activity without any restriction.

Comparing this with the previous APICredsActivity, it looks almost the same. However, if we try to invoke APICreds2Activity directly (am start jakhar.aseem.diva/.APICreds2Activity), just as we did for APICredsActivity, we will not see the user credentials.

The reason is that APICreds2Activity expects data along with the Intent that launches it. To find this, let's open the activity source under app>src>main>java>jakhar.aseem.diva, as shown below:

Intent i = getIntent();
boolean bcheck = i.getBooleanExtra(getString(R.string.chk_pin), true);

if (bcheck == false) {
     // Connect to vendor cloud and send User PIN
     // Get API credentials and other confidential details of the user
     String apidetails = "TVEETER API Key: secrettveeterapikey\nAPI User name: diva2\nAPI Password: p@ssword2";
     // Display the details on the app (apicview is the TextView on this activity)
     apicview.setText(apidetails);
} else {
     apicview.setText("Register yourself at to get your PIN and then login with that PIN!");
}

Explaining the above code:

Line 2: i.getBooleanExtra(~) means the Intent is expected to carry a boolean extra, which is assigned to the bcheck variable on the left. The key of that extra is fetched from R.string.chk_pin (i.e. the value of the string resource named chk_pin is “check_pin”, defined in the file string.xml under app>src>main>res>values). The last parameter is the default value: if no such extra is passed, bcheck is assigned true. If this is hard to follow, for now just remember that bcheck holds the boolean value passed via the Intent.

Line 4: if (bcheck == false) is the positive branch of the if-else. If bcheck holds false, the following statements run and show the credentials; otherwise (bcheck == true) control moves to the else block, where the user is shown the registration message instead of the credentials. So we need bcheck to be false, which essentially tells the app that the PIN check is not needed.

Line 7: builds the credential string that is then displayed in the label on APICreds2Activity.


So, to exploit this, let's connect the Android device with USB debugging enabled and run the commands below, aiming to have bcheck assigned false, i.e. by passing check_pin as false:

adb shell

am start -a jakhar.aseem.diva.VIEW_CREDS2 -n jakhar.aseem.diva/.APICreds2Activity --ez check_pin false

Explaining the above command:

This can be exploited on non-rooted devices as well. In the ADB shell, ‘am‘ (Activity Manager) start -a jakhar.aseem.diva.VIEW_CREDS2 defines the action (you can find it in AndroidManifest.xml), -n jakhar.aseem.diva/.APICreds2Activity specifies the Activity to launch, and --ez check_pin false passes boolean data as false under the identifier check_pin (--ez means boolean data, --es string data, --ei integer data, --el long data, --ef float data, --eu URI data).


  • If you store anything sensitive or perform any action that needs proper authentication and authorization, make sure your Activity/Service/Receiver cannot be invoked by anybody: do not open it up with an Intent Filter unless required, and set exactly which action and category the Intent Filter accepts.
  • In the manifest, never use exported=’true’ unless you know exactly what you are doing; otherwise any external app can easily invoke your component.
  • For critical operations, validate on the server side rather than relying on client-side checks.
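As an added example (not part of the original post or of the DIVA project), the Python script below applies the manifest rules discussed in this post to a decoded AndroidManifest.xml: a component counts as exported when it declares android:exported="true" or, with no exported attribute, when it carries an <intent-filter>; an exported component that is not guarded by android:permission is reported as reachable by any installed app. The embedded manifest is constructed for this example: APICreds2Activity and its VIEW_CREDS2 action come from the page, while InternalCredsActivity, SyncService, LocalReceiver and the SYNC permission name are hypothetical.

```python
"""Audit a decoded AndroidManifest.xml for components any app can reach.

Export rule applied (Android component semantics):
  * android:exported="true"                        -> exported
  * no android:exported, but an <intent-filter>    -> exported by default
  * otherwise                                      -> not exported
An exported component without android:permission can be started by any
installed app (or from `am start`), so it is reported as exposed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest. APICreds2Activity and its action are taken
# from the post; the other three components are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
    <application>
        <!-- As in the post: intent-filter present, exported not declared -->
        <activity android:name=".APICreds2Activity">
            <intent-filter>
                <action android:name="jakhar.aseem.diva.VIEW_CREDS2" />
                <category android:name="android.intent.category.DEFAULT" />
            </intent-filter>
        </activity>
        <!-- Hypothetical hardened variant: same idea, explicitly private -->
        <activity android:name=".InternalCredsActivity" android:exported="false">
            <intent-filter>
                <action android:name="jakhar.aseem.diva.VIEW_CREDS_INTERNAL" />
            </intent-filter>
        </activity>
        <!-- Hypothetical: exported, but callers must hold a permission -->
        <service android:name=".SyncService"
                 android:exported="true"
                 android:permission="jakhar.aseem.diva.permission.SYNC" />
        <!-- No intent-filter and no exported attribute: private by default -->
        <receiver android:name=".LocalReceiver" />
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Apply the export rule documented at the top of the file."""
    exported = _attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def exposed_components(manifest_xml):
    """Return exported components that no permission protects."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if _attr(comp, "permission"):
            continue  # exported on purpose and guarded by a permission
        name = _attr(comp, "name") or ""
        if name.startswith("."):
            name = package + name  # expand the shorthand class name
        actions = [_attr(a, "name")
                   for f in comp.findall("intent-filter")
                   for a in f.findall("action")]
        findings.append({
            "tag": comp.tag,
            "name": name,
            "actions": actions,
            "explicit": _attr(comp, "exported") is not None,
        })
    return findings


def report(manifest_xml):
    """One human-readable line per exposed component."""
    lines = []
    for f in exposed_components(manifest_xml):
        how = ('exported="true"' if f["explicit"]
               else "implicitly exported via <intent-filter>")
        lines.append("%s %s: %s; actions=%s"
                     % (f["tag"], f["name"], how, ", ".join(f["actions"]) or "-"))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_MANIFEST):
        print(line)
```

Run against the sample, the only finding is APICreds2Activity, implicitly exported through its VIEW_CREDS2 filter; the same activity with android:exported="false" added drops out of the report, which is the first of the three fixes listed above. Note that the script only judges reachability: an exported component that validates its caller or its input on the server side is still safe, so treat its output as a list of places to review, not a list of bugs.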
