Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack

Enterprise use of mobile devices is exploding and devices are increasingly employee-owned. These vulnerabilities are like finding a needle in a haystack, and represent an increasing threat to your security, given the dramatic increase of personal and organizational data being stored on mobile devices.

In this webinar, IBM will showcase a live demo of vulnerabilities found in native mobile code and provide a deep-dive into specific Android vulnerabilities and attack vectors. Utilizing IBM’s mobile dynamic application security testing (DAST) technology, we’ll demonstrate real-world techniques to address how you can pinpoint critical mobile vulnerabilities and enhance mobile security protection.

View the full on-demand webcast: http://securityintelligence.com/events/pinpointing-security-vulnerabilities-android-applications/#.VYxn6_lVhBc

Published in: Technology, Business
Slide notes: 6/11/2014

    1. Pinpointing Vulnerabilities in Android Applications: Like Finding a Needle in a Haystack
       Roee Hay, roeeh@il.ibm.com, IBM Application Security Research Group Lead
       © 2014 IBM Corporation, IBM Security Systems
    2. Please note
       IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
    3. Agenda
       • Mobile Vulnerabilities Primer
       • Malicious Apps and the Android Security Model
       • Mobile DAST Research Project: The Mobile Analyzer
       • Case Study: The NY Times Cross-Application Scripting (XAS)
    4. Mobile Vulnerabilities Primer (section title)
    5. A Typical Mobile App (diagram: client app and back-end)
    6. The Mobile Vulnerabilities Space
       • New client-side vulnerabilities: ?
       • Classic back-end vulnerabilities: SQL injection, code execution, etc.
    7. Attack Vectors for Client-Side Vulnerabilities (diagram: client app and back-end)
    8. (1) Taking Over the Backend (diagram: client app, back-end, attacker)
    9. (2) Man-in-the-Middle (MiTM) (diagram: client app, back-end, attacker)
    10. (3) Malicious Apps (diagram: client, back-end, attacker app)
    11. Malicious Apps (section title)
    12. The Android Threat Model
        • Apps in Android are sandboxed from each other:
          • Each app package runs with a different Linux user-id, so by default resources created by one app cannot be accessed by another app.
        • Apps are constrained:
          • A-Very-Cool-Game cannot just send SMSs.
          • Some constraints can be relaxed at deployment time by using permissions.
        • These features protect the integrity and confidentiality of:
          • The installed apps.
          • The Android system.
        (diagram: Browser, Mail, SMS, Phone, Contacts, Search)
    13. Two Types of Malicious Apps
        • (1) Attack the System
          • Abuse system services for their own profit, e.g.
            • Premium SMSs and MMS
            • GPS access
            • System log access
          • No vulnerability is required.
          • Suspicious use of permissions!
        Source: http://www.threattracksecurity.com/it-blog/russian-language-facebook-android-app-premium-sms-is-out-daily-service-fees-are-in/
    14. Two Types of Malicious Apps
        • (2) Attack other Apps
          • Try to subvert the integrity and/or confidentiality of other applications.
          • Target applications must be vulnerable.
          • No suspicious use of permissions!
    15. Inter-Process Communication in Android
        • Apps want to be able to talk to each other:
          • For feature reuse.
        • This is achieved by inter-process mechanisms, controlled by special objects called Intents.
        • Intents carry both the destination information and the payload data.
        • When an application component is willing to receive Intents from external apps, it becomes exported and opens a hole in the Android sandbox!
        (diagram: Browser, Google Play Store, Phone)
    16. A Typical Attack by a Malicious App
        • For a vulnerable app to be exploited, it must accept external Intents, i.e. open the IPC channel in its manifest file.
        • The malicious app initiates a malicious Intent targeting the vulnerable app.
        • The Intent’s payload is specific to the vulnerability found in the app, e.g. an SQL injection payload.
        (diagram: malicious app sends a malicious Intent to the vulnerable app)
    17. The Mobile Analyzer (section title)
    18. The Mobile Analyzer: Modus Operandi
        • (1) Explore. Discover the elements of the application that should be tested.
          • In classic web: this is done by crawling.
          • Mobile Analyzer: we analyze the Android manifest file and dynamically learn the Intent parameters.
        • (2) Attack. Trigger the vulnerabilities.
          • In classic web: done by sending HTTP requests with malicious data.
          • Mobile Analyzer: we send Intents with malicious payloads using our security knowledge.
        • (3) Validate.
          • In classic web: done by looking at the HTTP responses (black-box / DAST) or by placing hooks on the target app (glass-box / IAST).
          • Mobile Analyzer: we mainly do it by placing hooks on the target mobile app (IAST).
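The Explore step on slide 18 starts from the manifest: every component that accepts external Intents (slides 15 and 16) is a candidate entry point. The Java program below is an added example written for this page, not Mobile Analyzer code. It parses a constructed AndroidManifest.xml and lists the components that are exported, applying the pre-Android-12 rule that a component carrying an intent-filter and no explicit android:exported attribute is exported, and notes whether each exported component is guarded by a permission. The class name, the sample package com.example.donothing and its component names are invented for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ExportedComponentScanner {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Constructed sample manifest (assumption: not taken from any real app).
    static final String SAMPLE_MANIFEST = String.join("\n",
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>",
        "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\" package=\"com.example.donothing\">",
        "  <application>",
        "    <activity android:name=\".MainActivity\">",
        "      <intent-filter><action android:name=\"android.intent.action.MAIN\"/>",
        "        <category android:name=\"android.intent.category.LAUNCHER\"/></intent-filter>",
        "    </activity>",
        "    <activity android:name=\".WebViewActivity\" android:exported=\"true\"/>",
        "    <activity android:name=\".InternalActivity\" android:exported=\"false\">",
        "      <intent-filter><action android:name=\"com.example.INTERNAL\"/></intent-filter>",
        "    </activity>",
        "    <service android:name=\".SyncService\" android:permission=\"com.example.permission.SYNC\">",
        "      <intent-filter><action android:name=\"com.example.SYNC\"/></intent-filter>",
        "    </service>",
        "  </application>",
        "</manifest>");

    // The four component kinds that can receive Intents, plus aliases and providers.
    static final String[] COMPONENT_TAGS = {"activity", "activity-alias", "service", "receiver", "provider"};

    /** Returns one line per exported component: kind, name and its permission guard (if any). */
    public static List<String> findAttackSurface(String manifestXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The manifest comes out of an untrusted APK: refuse DOCTYPEs so no external entities are resolved.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));

        List<String> surface = new ArrayList<>();
        for (String tag : COMPONENT_TAGS) {
            NodeList nodes = doc.getElementsByTagName(tag);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element component = (Element) nodes.item(i);
                String name = component.getAttributeNS(ANDROID_NS, "name");
                String exportedAttr = component.getAttributeNS(ANDROID_NS, "exported");
                boolean hasIntentFilter = component.getElementsByTagName("intent-filter").getLength() > 0;

                boolean exported;
                if (!exportedAttr.isEmpty()) {
                    exported = Boolean.parseBoolean(exportedAttr); // explicit wins
                } else {
                    // Pre-API-31 default: an intent-filter implies exported. (Providers have a
                    // version-dependent default that this scanner does not model.)
                    exported = hasIntentFilter;
                }
                if (!exported) continue;

                String permission = component.getAttributeNS(ANDROID_NS, "permission");
                surface.add(tag + " " + name
                    + (permission.isEmpty() ? " (exported, no permission)"
                                            : " (exported, permission=" + permission + ")"));
            }
        }
        return surface;
    }

    public static void main(String[] args) throws Exception {
        for (String line : findAttackSurface(SAMPLE_MANIFEST)) {
            System.out.println(line);
        }
    }
}
```

With the sample manifest the scanner reports .MainActivity (exported through its launcher intent-filter), .WebViewActivity (explicitly exported, no permission) and .SyncService (exported but permission-guarded), and skips .InternalActivity because its explicit android:exported="false" overrides the intent-filter. Inside a real APK the manifest is stored as binary XML, so a decoded text form (for example from apktool or aapt) is the input a tool like this would read; the unguarded entries are the ones the Attack step would then send Intents to.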
    19. The Mobile Analyzer: In Front of the Scenes (diagram: our client uploads an APK)
    20. The Mobile Analyzer: In Front of the Scenes (diagram: our client receives a security report)
    21. It Detects Many Issue Types!
        • Debug flag enablement
        • Insecure Pending Intent
        • Memory corruptions
        • Client-side SQL injection
        • UI spoofing
        • Client-side denial-of-service
        • Cross-Application Scripting (XAS)
        • Android Fragment Injection
        • Insecure file rights
        • Insecure class loading
        • Activity & Service hijacking
        • Cross-Site Scripting via Man-in-the-Middle
        • Weak random number generators
    22. Demo
    23. Structure of the DoNothing App (diagram: Intent(data) enters through two exported activities; the data flows on to a log written by native code and to an SQLite DB)
    24. The Developer’s Mistake (same diagram as slide 23: the Intent data reaches the native-code log and the SQLite DB through the exported activities)
    25. Case Study: NYTimes Cross-Application Scripting (section title)
    26. Cross-Application Scripting (XAS)
        • The vulnerable app contains an embedded browser (WebView).
        • Due to bad input validation, the URL of the embedded browser can be controlled by a malicious app with problematic URI schemes, such as ‘javascript://’ or ‘file://’:
          • WebView.loadUrl(url)
        • Injecting these schemes enables the attacker to execute JS code in the context of the vulnerable app.
        • Subverts Android’s sandboxing, as it allows the attacker to steal information pertaining to the vulnerable app.
        (diagram: malicious app sends Intent: javascript://… to the vulnerable app)
    27. The NYTimes Vulnerability
        protected void onCreate(Bundle bundle)
        {
            …
            g.getSettings().setJavaScriptEnabled(true);
            g.getSettings().setCacheMode(2);
            g.getSettings().setSavePassword(false);
            …
            cookiemanager.removeAllCookie();
            …
            s = getIntent().getStringExtra("url");
            if(TextUtils.isEmpty(s))
                s = h.l().f();
            if(getIntent().getBooleanExtra("hideTitle", false))
                setTitle("");
            g.loadUrl(s);
        }
        * Issue was fixed in August 2013 as per our responsible disclosure
    28. Stealing the Session-ID (diagram: the client holds a NYTimes session-ID for the NYT back-end)
    29. Stealing the Session-ID (diagram: the attacker steals the client’s session-ID)
    30. Stealing the Session-ID (diagram: the attacker now holds the stolen client session-ID)
    31. Goal & Impact
        • The attacker would like to leak some sensitive NYTimes files:
          • The session identifier is found under NYTIMES_PREFS.xml.
        • Impact: user impersonation.
        root@android:/data/data/com.nytimes.android/shared_prefs # ls
        NYTIMES_BLOGCATS.xml NYTIMES_ENT.xml NYTIMES_PREFS.xml cSPrefs.xml com.nytimes.android_preferences.xml ny_times_widget.xml uptAdsQueue.xml uptEventsQueue.xml
        root@android:/data/data/com.nytimes.android/shared_prefs # cat NYTIMES_PREFS.xml
        ...
        <string name="NYT-S">
        18CBbkG2ru6usGm4bmrmZvSlDZeHDEfrlQxsnMdUmY896gFXg1szP13uvJJp.6isWKzDs7ugEhp41N4bsEDh836YV.Ynx4rkFI
        </string>
        ...
    32. Exploitation: Abusing file:// URI schemes
        • The javascript:// URI scheme cannot access files.
        • We cause the embedded browser of NYTimes to load a globally readable file via the file:// URI scheme.
        • This file contains JS code that leaks NYTIMES_PREFS.xml.
        (diagram: the malicious app sends Intent: file://data/malicious/Malicious.html to NYTimes; Malicious.html fetches file://data/…/nyt/NYTIMES_PREFS.xml via AJAX, and the <string name="NYT-S"> value inside it is what leaks)
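A defender’s counterpart to slides 26, 27 and 32: the decompiled onCreate hands whatever the Intent’s "url" extra holds straight to loadUrl, which is why a javascript: or file: URL from another app ends up executing inside the WebView. The activity below is an added example written for this page, not the NYTimes fix. It accepts the extra only when it parses as an absolute http(s) URL with a host, falls back to an app-owned page otherwise, and switches file access off in WebSettings so a file:// load is blocked even if a URL slips past validation. The class name, the DEFAULT_URL placeholder and building the WebView in code rather than from a layout are assumptions. When no other app needs to open the screen, the simplest fix is android:exported="false" in the manifest; this code is for the case where the activity must stay reachable.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.text.TextUtils;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical hardened version of the onCreate pattern shown on slide 27.
public class HardenedArticleActivity extends Activity {
    // Only these schemes may come from an Intent extra; javascript: and file: are never on the list.
    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");
    // Placeholder for the app's own landing page (the original fell back to h.l().f()).
    private static final String DEFAULT_URL = "https://example.invalid/";

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);

        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);          // the app needs JS, so the URL must be trusted
        settings.setAllowFileAccess(false);           // no file:// loads at all, whatever the URL
        settings.setAllowContentAccess(false);        // no content:// loads either
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Anything in the extra is attacker-controlled once the activity is exported.
        String requested = getIntent().getStringExtra("url");
        webView.loadUrl(safeUrl(requested));
    }

    /**
     * Returns the requested URL only if it is an absolute http(s) URL with a host;
     * everything else (empty, javascript:, file:, scheme-less, case tricks) yields DEFAULT_URL.
     */
    static String safeUrl(String requested) {
        if (TextUtils.isEmpty(requested)) {
            return DEFAULT_URL;
        }
        String candidate = requested.trim();
        Uri uri = Uri.parse(candidate);
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return DEFAULT_URL;   // rejects javascript://…, file://…, and relative URLs
        }
        if (TextUtils.isEmpty(uri.getHost())) {
            return DEFAULT_URL;   // "https:" with no authority is not a page to show
        }
        return candidate;
    }
}
```

safeUrl is kept static and free of Android UI state so it can be unit-tested with inputs such as "javascript://alert(1)", "file:///data/malicious/Malicious.html", "FILE://…" and "//evil", all of which should yield DEFAULT_URL. If the screen is only ever meant to show the publisher’s own pages, tighten the check further with an allowlist of hosts, since a well-formed https URL to an arbitrary site still loads with JavaScript enabled.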
    33. Demo
    34. Questions
    35. www.ibm.com/security
        © Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
        Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.