Enumeration

AndroidManifest.xml

• Review the androidmanifest.xml for broadcast receivers
• Are they exported?
• What custom permissions are enforced?
• You might need to reverse engineer the class to figure out what the receiver is expecting

Drozer

run app.broadcast.info -a com.your.app

Formulate an Intent

Drozer

run app.broadcast.send --action theBroadcast --extra string <string value> --extra string <string value 2>

Intent Sniffing

If intents are broadcast without setting a permission, they can be monitored by drozer

run app.broadcast.sniff --action theBroadcast

ADB

adb shell am broadcast com.your.app.intent.INTENT --es blah "string" -n com.your.app/.yourBroadcastReceiver