Bypassing the Android Permission Model


Published on

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Song lyrics Android permission model- how does it work. Explicitly ask for permissions Users must accept or deny
  • Edit and Read SMS, send SMS, receive SMS Modify/delete USB storage contents Prevent phone from sleeping, write sync settings GPS data Services that cost you money Act as account authenticator, manage accounts Read and write to your personal information including contact data Phone calls, read phone state and identity Full network access
  • Now that I am doing a lot of development I know why this happens. I used to rag on developers for doing this, but after having my app crash over and over and me spending hours on google and rewriting code and putting debugging statements in, unable to come up with a good reason why a very simple instruction is crashing my app, and then realizing its because I forgot to ask for the permission, I see why developers would just ask for every permission imaginable right off the bat
  • So naturally I wrote an app to demo how ridiculously easy it is to abuse users acceptance of dangerous permissions
  • Anyone used a tool like this to root your Android phone? They use known exploits to give you root so you can load custom firmwares etc.
  • Trojaned Android apps on the official android market. Antivirus finds it now, doesn't find my app. Pretends to be a normal app, runs exploits and steals your data in the background
  • That's all. It actually does abuse the IMEI one right off the bat before it even roots your phone.
  • Pretended to be different apps, games, ads, dirty apps
  • Droiddream takes all the code from the regular apps and calls the it so to the user it looks like the app is running normally but it runs evil code in the background
  • Tried two different known root exploits for Android Both were patched in Android 2.2.1 which was released before the droiddream story broke Not necessarily patched when droiddream was written
  • These are the same sorts of roots that tools like these use In fact from reading the source of both I have reason to believe that the ragegainstthecage payload in droiddream was actually copied from z4root
  • So after it runs the root exploits if it is successful then it installs a system service. Only firmware apps should be system. System services have access to additional permissions and the permission model breaks down around system services. System app steals your data and sends it to a C&C
  • The moral of the story is Droiddream was an evil app masquerading as a beneign one
  • What's to stop these guys from doing the same?
  • For a while Android had the best updating mechanism out there for a smartphone Iphone you had to plug it in blackberry you had to plug it in Android pushes over the air, so do the others now Problem with Android is third party. Google releases new versions and Google phones get it. Others have to port it. There have been instances of new versions taking 6 months to push out to everyone. Older phones don't update. G1 still runs Android 1.6. That phone I rooted for Mom's fried
  • So far we've looked at apps that were meant to be evil by their developers. Now we are going to look at what I consider to be next generation flaws.
  • Benign apps that have flaws that allow bad code to take advantage of it. I'm not talking about traditional attack vectors like buffer overflows. Those are old and uninteresting. What I'm interested in here is getting permissions we shouldn't by piggybacking on poorly coded apps.
  • Bypassing the Android Permission Model

    1. 1. Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC
    2. 2. Is the permission model working? Are users making good decisions?
    3. 3. Most Popular Android App
    4. 4. DemoApp abusing permissions
    5. 5. Demo explainedPermissions: − Read IMEI − Read Contacts − Send SMS We exploited every one of these
    6. 6. Rooting Android
    7. 7. Rooting Android for Evil (DroidDream)
    9. 9. DroidDream
    10. 10. DroidDream
    11. 11. DroidDream Rooting ExploidCVE-2010-Easy (RageAgainsttheCage)
    12. 12. Rooting Android
    13. 13. DroidDream Root Payload Permission model no longer applies − installed packages − All personal data − Send to C&C
    14. 14. Rooting Android for Evil (DroidDream)
    15. 15. Rooting Android
    16. 16. Mitigation Users update their phones That means they need the updates pushed out That means you third party platforms!!
    17. 17. Android Storage Sdcard  VFAT With apps  Only visible to app (default)  World readable
    18. 18. DemoExploiting bad storage practices
    19. 19. Demo Explained Stores sensitive data on the sdcard Sdcard is VFAT Everything is world readable
    20. 20. Demo Explained Discovers how the data is stored Accesses it Sends it to an attacker
    21. 21. Code ExamplesVulnerable CodeMalicious Code
    22. 22. BadSaveFile
    23. 23. BadSendFile
    24. 24. Wait? How do we get source code?Winzip/7zip etc.dex2jarjd-guiWhitepaper with more info: content/themes/exploit/docs/17717.pdf
    25. 25. Nonsensical Codewhile (true) { if (i < 0); String str; while (true) { return; try {
    26. 26. Mitigation Store information securely  Not on sdcard  Not in source code  Not world readable
    27. 27. Android Interfaces Call other programs Dont reinvent the wheel Take a picture Twitter from photo app
    28. 28. DemoExploiting open interface with SMS functionality
    29. 29. Demo Explained When it is called it sends an SMS Caller can set the number and message Sadly this is considered useful!
    30. 30. Demo Explained Calls the SMSBroadcastr Sends number and message Sends an SMS
    31. 31. Code ExamplesVulnerable CodeMalicious Code
    32. 32. SMSBroadcastr
    33. 33. SMSIntent
    34. 34. Mitigations Dont have dangerous functionality available in interfaces Require user interaction (click ok) Require-permission tag in manifest for interface
    35. 35. Contact Georgia @georgiaweidman