Bypassing the Android Permission Model

  • 2,476 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
2,476
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
58
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Song lyrics Android permission model- how does it work. Explicitly ask for permissions Users must accept or deny
  • Edit and Read SMS, send SMS, receive SMS Modify/delete USB storage contents Prevent phone from sleeping, write sync settings GPS data Services that cost you money Act as account authenticator, manage accounts Read and write to your personal information including contact data Phone calls, read phone state and identity Full network access
  • Now that I am doing a lot of development I know why this happens. I used to rag on developers for doing this, but after having my app crash over and over and me spending hours on google and rewriting code and putting debugging statements in, unable to come up with a good reason why a very simple instruction is crashing my app, and then realizing its because I forgot to ask for the permission, I see why developers would just ask for every permission imaginable right off the bat
  • So naturally I wrote an app to demo how ridiculously easy it is to abuse users acceptance of dangerous permissions
  • Anyone used a tool like this to root your Android phone? They use known exploits to give you root so you can load custom firmwares etc.
  • Trojaned Android apps on the official android market. Antivirus finds it now, doesn't find my app. Pretends to be a normal app, runs exploits and steals your data in the background
  • That's all. It actually does abuse the IMEI one right off the bat before it even roots your phone.
  • Pretended to be different apps, games, ads, dirty apps
  • Droiddream takes all the code from the regular apps and calls the it so to the user it looks like the app is running normally but it runs evil code in the background
  • Tried two different known root exploits for Android Both were patched in Android 2.2.1 which was released before the droiddream story broke Not necessarily patched when droiddream was written
  • These are the same sorts of roots that tools like these use In fact from reading the source of both I have reason to believe that the ragegainstthecage payload in droiddream was actually copied from z4root
  • So after it runs the root exploits if it is successful then it installs a system service. Only firmware apps should be system. System services have access to additional permissions and the permission model breaks down around system services. System app steals your data and sends it to a C&C
  • The moral of the story is Droiddream was an evil app masquerading as a beneign one
  • What's to stop these guys from doing the same?
  • For a while Android had the best updating mechanism out there for a smartphone Iphone you had to plug it in blackberry you had to plug it in Android pushes over the air, so do the others now Problem with Android is third party. Google releases new versions and Google phones get it. Others have to port it. There have been instances of new versions taking 6 months to push out to everyone. Older phones don't update. G1 still runs Android 1.6. That phone I rooted for Mom's fried
  • So far we've looked at apps that were meant to be evil by their developers. Now we are going to look at what I consider to be next generation flaws.
  • Benign apps that have flaws that allow bad code to take advantage of it. I'm not talking about traditional attack vectors like buffer overflows. Those are old and uninteresting. What I'm interested in here is getting permissions we shouldn't by piggybacking on poorly coded apps.

Transcript

  • 1. Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC
  • 2. Is the permission model working? Are users making good decisions?
  • 3. Most Popular Android App
  • 4. DemoApp abusing permissions
  • 5. Demo explainedPermissions: − Read IMEI − Read Contacts − Send SMS We exploited every one of these
  • 6. Rooting Android
  • 7. Rooting Android for Evil (DroidDream)
  • 8. DroidDream PermissionsINTERNETREAD_PHONE_STATECHANGE_WIFI_STATEACCESS_WIFI_STATE
  • 9. DroidDream
  • 10. DroidDream
  • 11. DroidDream Rooting ExploidCVE-2010-Easy (RageAgainsttheCage)
  • 12. Rooting Android
  • 13. DroidDream Root Payload Permission model no longer applies − installed packages − All personal data − Send to C&C
  • 14. Rooting Android for Evil (DroidDream)
  • 15. Rooting Android
  • 16. Mitigation Users update their phones That means they need the updates pushed out That means you third party platforms!!
  • 17. Android Storage Sdcard  VFAT With apps  Only visible to app (default)  World readable
  • 18. DemoExploiting bad storage practices
  • 19. Demo Explained Stores sensitive data on the sdcard Sdcard is VFAT Everything is world readable
  • 20. Demo Explained Discovers how the data is stored Accesses it Sends it to an attacker
  • 21. Code ExamplesVulnerable CodeMalicious Code
  • 22. BadSaveFile
  • 23. BadSendFile
  • 24. Wait? How do we get source code?Winzip/7zip etc.dex2jarjd-guiWhitepaper with more info: http://cdn01.exploit-db.com/wp- content/themes/exploit/docs/17717.pdf
  • 25. Nonsensical Codewhile (true) { if (i < 0); String str; while (true) { return; try {
  • 26. Mitigation Store information securely  Not on sdcard  Not in source code  Not world readable
  • 27. Android Interfaces Call other programs Dont reinvent the wheel Take a picture Twitter from photo app
  • 28. DemoExploiting open interface with SMS functionality
  • 29. Demo Explained When it is called it sends an SMS Caller can set the number and message Sadly this is considered useful!
  • 30. Demo Explained Calls the SMSBroadcastr Sends number and message Sends an SMS
  • 31. Code ExamplesVulnerable CodeMalicious Code
  • 32. SMSBroadcastr
  • 33. SMSIntent
  • 34. Mitigations Dont have dangerous functionality available in interfaces Require user interaction (click ok) Require-permission tag in manifest for interface
  • 35. Contact Georgia Weidmangeorgiaweidman.com bulbsecurity.com georgia@bulbsecurity.com @georgiaweidman