Exploitr's Cubicle

Listing Broadcast-Receivers in Android with specific intents/permissions !!

androidjavabroadcast-receivertelephonymockSMS

This post was originally published on my WordPress blog. I have decided not to rewrite it to preserve its original character during the migration. Enjoy the nostalgia (and the cringe)!

Recently, for my MockSMS project (which creates local user-made fake SMS messages) I needed to list up all the SMS apps installed in user-device.

I didn't know anything about how it can be done. I was totally unaware of it. Even, after some tries, I was just going to give up adding the feature to my app which requires this.

But, after some days somehow accidentally, I hovered upon the method :

Telephony.Sms.getDefaultSmsPackage(Context)

sms_1

I started thinking, there is somehow it's done by Google and started finding it's source by my most beloved method alt+Enter (Using the Eclipse keymap). And, found that the code comes actually from a @hidden class SmsApplication.java :

sms_2

And, in the imports of Telephony.Sms class, found :

import com.android.internal.telephony.SmsApplication;

I  just needed this hint!

Went to the Google Android OS Repo and moved to the SMSApplication class !

Now found the main culprit :

sms_3

The method determines the default package from the SmsApplicationData : I understood and then some minutes of work to get the hero out!

Usable Code :

[Utils.class]
public static HashMap getSMSAppsContent(Context context) {
    PackageManager packageManager = context.getPackageManager();
    Intent intent = new Intent(Telephony.Sms.Intents.SMS_DELIVER_ACTION);
    List smsReceivers = packageManager.queryBroadcastReceivers(intent, 0);
    HashMap receivers = new HashMap();
    for (ResolveInfo resolveInfo : smsReceivers) {
        final ActivityInfo activityInfo = resolveInfo.activityInfo;
        if (activityInfo == null) {
            continue;
        }
        if (!Manifest.permission.BROADCAST_SMS.equals(activityInfo.permission)) {
            continue;
        }
        final String packageName = activityInfo.packageName;
        if (!receivers.containsKey(packageName)) {
            final String applicationName = resolveInfo.loadLabel(packageManager).toString();
            receivers.put(packageName, applicationName);
        }
    }
    return receivers;
}

Getting the values :

HashMap map = Utils.getSMSAppsContent(getApplicationContext());
StringBuilder ox = new StringBuilder();
for (int i = 0; i < map.keySet().size(); i++) {
    ox.append(map.values().toArray()[i]).append(":").append(map.keySet().toArray()[i]).append("\n");
}
L.p(ox.toString());

Result :

06-28 23:01:25.135 7025-7025/hacks.exploitr.mockSms V/----____----: Hangouts:com.google.android.talk
Messaging:com.android.mms
MockSMS:hacks.exploitr.mockSms
SYNCit:com.lenovo.leos.cloud.sync.row

So, it was just a specific example. In my case, I quarried Telephony.Sms.Intents.SMS_DELIVER_ACTION as Intent and checked if that app has permission Manifest.permission.BROADCAST_SMS. You can modify the code as required....

Did you read this far? Then you're one of the 1% who still reads in this dopamine addict world!