Kiosk Mode / Breakout Testing

What is it?

In simple words, if you want to restrict the usability of the device that you are giving to your employee/customer's hand, you can use kiosk browser lockdown facility to make that device single purpose used.

Post setting up Kiosk, when that Android OS based device boots up, it automatically runs only allowed the application. Which will not have any exit feature or may be an exit to the home screen, notification area or settings menu is locked down with the password.

• Check if USB debugging is enabled or not, try connecting device with USB and see if you can use ADB commands or not.

• The application running in kiosk mode can be an exit by long pressing on the “Background process”.

• Check if you can root the device or not []If none of the above is possible, if the application itself as a upload option, try to install burp cert and proxy or adb.

• Use a help/faq which may have any external link of web reference which will be opened by default tablet browser can be used to download malicious apk afterward.

• Try to open android device in safe mode and disable/uninstall kiosk application.

• Check if kiosk application has any exit button which requires a password, then give 0000 as default password or go to the kiosk application vendor website and find if there is any fallback/reset functionality procedure mentioned or not which you can use in your testing.

• Check if USB debugging is enabled and you can install FRIDA hooking application, then use FRIDA to disable kiosk running on startup.

• Sometimes USB debugging is disabled in normal mode, but it can be enabled in fastboot/samemode boot mode. So try opening tablet in safeboot or fastboot mode and then check if USB debugging is working or not.

• Sometimes installing alternative homescreen can also bypass kiosk browser lockdown. []Try to find out which kiosk lockdown software (commercial/free) that company is using, go to their website find documentation if there are default password or anything like that you can access. Check for any backdoor in the configuration file.

• Try to find out if any researcher/company in the world has bypassed it or produced any vulnerability/exploit regarding that software, if yes apply it in your engagement.

ADB Tricks and Attack Vectors:

Load Settings using ADB

adb shell am start com.android.settings 
adb shell am start -a android.settings.SETTINGS

Enter Developer Mode using ADB:

adb shell am start -a com.android.settings.APPLICATION_DEVELOPMENT_SETTINGS

Install another application package (APK) using ADB:

adb install Snapchat_500003.0.1_Apkpure.apk

Launching a package with unknown Activity using ADB and Monkey:

adb shell monkey -p com.snapchat.android 1

Open dialling pad and dial number using ADB:

adb shell am start -a android.intent.action.CALL -d tel:666666666