Sekai Bank was a reverse engineering / misc challenge during the SEKAI 2025 CTF. The challenge consisted of an APK containing a banking application that allows you to send or request money.

Right off the bat, by checking the Android manifest, we see the following:

Log Provider

The app has a provider with authority com.sekai.bank.logprovider:

<provider android:authorities="com.sekai.bank.logprovider" android:enabled="true" android:exported="false" android:grantUriPermissions="true" android:name="com.sekai.bank.providers.LogProvider">
    <meta-data android:name="android.support.FILE_PROVIDER_PATHS" android:resource="@ResourceId_0x7f150002" />
</provider>

Note that the provider is not exported, so we cannot directly use it from our app. However, notice the following:

android:grantUriPermissions="true"

Boot Receiver

<receiver android:enabled="true" android:exported="true" android:name="com.sekai.bank.utils.delayed_transaction.BootReceiver">
    <intent-filter android:priority="1000">
    <action android:name="android.intent.action.BOOT_COMPLETED" />
    <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
</receiver>