If you've seen any of my previous write-ups on the DIVA APKs, you would know that today we are going to cover the last and final section: Access Control Issues. Access Control Issues arise when we, as normal users, can gain access to data that we are not supposed to access, either directly or via malicious methods. This is mostly due to poor data/access protection mechanisms put in place by developers. 🤠
Now, with this section there are three parts. Without any further lollygagging, let's jump into it!
When we open the Access Control Issues - Part Three section on our device we are met with the following objective: try to access the private notes from outside the app without knowing the pin. This means that we cannot go ahead and just create a pin to access the notes, but we should try and access the notes using other methods (not necessarily by launching the activity as in the previous parts), such as via the terminal (we know Christine, we know).
For interest's sake, this is what happens when we register a pin (I entered a basic 1234 pin):
Let's open up our terminal and see what activity our LogCat reveals to us.
adb shell logcat
We can see that it logs two activities, ./AccessControl3Activity and ./AccessControl3NotesActivity. Let's open up our **JADX-GUI** and have a look at both.
We can see our AccessControl3Activity stores our pin via a SharedPreferences object, which we covered way back when. When we enter the pin saved in shared_prefs, it launches the AccessControl3NotesActivity activity, which validates this pin before showing the notes via a query(NotesProvider.CONTENT_URI) content query. The pin check lives in the activity only; the content provider itself will dump all of the notes to anyone who can query it, and that is what lets us meet our objective.
We can dump this content provider via the following command in our terminal:
adb shell content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes/
Thus we have accessed all the notes from outside of the application, without having to register for a pin or launch the activity as before.
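The root cause is a provider that is reachable from outside the app with no permission guarding it. As an added example (my own, not code from DIVA or the original post), here is a small Python audit that parses an AndroidManifest.xml and reports such providers; the manifest fragments below are constructed for the example and only borrow the provider authority queried above, they are not DIVA's real manifest.

```python
"""Audit an AndroidManifest.xml for content providers reachable from outside the app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(element, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")

def is_exported(provider, target_sdk):
    """Resolve android:exported, applying the platform default when it is absent."""
    explicit = attr(provider, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # With no explicit value, providers default to exported when targetSdkVersion < 17.
    return target_sdk < 17

def audit_manifest(manifest_xml):
    """Return authorities of providers that are exported and carry no permission."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    findings = []
    for provider in root.iter("provider"):
        if not is_exported(provider, target_sdk):
            continue
        guarded = any(attr(provider, a) for a in ("permission", "readPermission", "writePermission"))
        if not guarded:
            findings.append(attr(provider, "authorities"))
    return findings

# Constructed manifest for the example (assumption): it reuses the authority
# queried above but is not DIVA's real manifest.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="23"/>
  <application>
    <provider android:name=".NotesProvider"
              android:authorities="jakhar.aseem.diva.provider.notesprovider"
              android:exported="true"/>
  </application>
</manifest>"""

# Same provider kept private to the app, so a `content query` from the adb shell
# (a different uid) is refused with a SecurityException instead of returning rows.
HARDENED_MANIFEST = WEAK_MANIFEST.replace('android:exported="true"', 'android:exported="false"')

if __name__ == "__main__":
    print("weak:", audit_manifest(WEAK_MANIFEST))          # ['jakhar.aseem.diva.provider.notesprovider']
    print("hardened:", audit_manifest(HARDENED_MANIFEST))  # []
```

If the notes must be shared with other apps, a readPermission on the provider (which the audit treats as guarded) is the alternative to exported="false".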
Congratulations, you have successfully completed all the sections of the DIVA APK! 🥳
I hope this was easy enough to follow/understand. If you have recommendations on any cool tools, techniques, or tutorials that I too can follow, feel free to leave them below and I'll check them out! 😊