SlideShare a Scribd company logo

Remote Exploitation of the Dropbox SDK for Android

IBM Security
IBM Security

The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim's knowledge or authorization. This is a serious flaw in the authentication mechanism within any Android app using a Dropbox SDK Version 1.5.4 through 1.6.1

Technology
1 of 9
Download to read offline
REMOTE EXPLOITATION OF THE DROPBOX SDK FOR ANDROID Roee Hay and Or Peles IBM Security Systems {roeeh,orpeles}@il.ibm.com Abstract In today’s world personal data is on the cloud. Services, such as photo-hosting or general-purpose storage , should be accessible not only for the user, but also for apps that need access to the data on the user’s behalf. Interoperability has always been challenging in many aspects, including access control. In order to combat the latter, authorization protocols, such as OAuth 1 & 2, can securely grant apps access to personal data found in a target service, without disclosing the user’s credentials. In order to ease the development lifecycle, such services oftentimes provide a framework, or an SDK, that apps can utilize in order to communicate with the given service. These frameworks are very appealing for app developers since they abstract away the internals, and give the developers a simple client-side API they can use. From a security perspective, the frameworks themselves provide an extremely attractive attack surface for malicious attacks as an exploit of the framework could potentially affect numerous applications making use of it. In this paper we present a severe vulnerability (identified as CVE-2014-8889) within the Dropbox SDK for Android versions 1.5.4-1.6.1. This vulnerability can expose applications using the Dropbox SDK to severe local and remote attacks. As a Proof of Concept, we developed a remote drive-by attack which works against real world apps, including Microsoft Office Mobile and 1Password. We had responsibly re- ported the vulnerability to Dropbox which promptly provided a patched SDK (version 1.6.2). Developers are strongly encouraged to download it and update their apps. 1 Introduction The Dropbox SDK is a library that developers can download and add to their products. This library provides easy access to Dropbox features, such as downloading and uploading files, via a simple set of APIs. AppBrain provides statistics as to the prevalence of the use of the Dropbox SDK on Android [1]. According to these statistics, 0.31% of all applications use the Dropbox SDK. Of the top 500 apps in the Google Play Store, 1.41% use the Dropbox SDK. Interestingly, 1.32% of total app installations and 3.93% of app installations of the top 500 apps use the Dropbox SDK, respectively. While it is not a highly prevalent library, some extremely popular Android apps that may hold sensitive information use the Dropbox SDK, including Microsoft Office Mobile with over 10,000,000 downloads1 and AgileBits 1Password with over 100,000 downloads2 . The vulnerability that we discovered may affect any Android app that uses the Dropbox SDK versions 1.5.4-1.6.1. We examined 41 apps that use the Dropbox SDK for Android, out of which 31 apps (76%) were vulnerable to our attack (i.e. they used version 1.5.4-1.6.1). It’s noteworthy that the rest of the apps were vulnerable to a much simpler attack with the same consequences, but had been fixed by Dropbox with the 1.5.4 version of the SDK which they did not care to upgrade to. This paper is organized as follows. Section 2 gives a background on Inter-App Communication (IAC) in Android. Section 3 shows how IAC can be exploited in general locally by malware and remotely using drive- by techniques. Section 4 describes how the Dropbox SDK for Android uses OAuth for app authorization. In 1https://play.google.com/store/apps/details?id=com.microsoft.office.officehub 2https://play.google.com/store/apps/details?id=com.agilebits.onepassword 1
section 5 we deep-dive into the vulnerability we found within the Dropbox SDK for Android OAuth code. Section 6 presents a real attack, dubbed DroppedIn, that exploits the vulnerability. In section 7, we show that the threat is real by presenting case studies. We end with section 8 that presents a mitigation for the vulnerability. 2 Inter-App Communication (IAC) in Android Android applications are executed in a sandbox environment. The sandbox ensures data confidentiality and integrity as no application can access sensitive information held by another application without proper privileges. For example, Android’s stock browser application holds sensitive information such as cookies, cache and history which shouldn’t be accessed by third-party apps. The sandbox relies on several techniques including per-package Linux user-id assignment. Thus, resources, such as files, owned by one app cannot be accessed by default by other apps. While sandboxing is great for security, it may diminish interoperability as apps sometimes would like to talk to each other. Going back to the browser example, the browser would want to invoke the Google Play app when a user browsed to the Google Play website. In order to support this kind of functionality, Android provides high-level Inter-App Communication (IAC) mechanisms. This communication is usually done using special messages called Intents, which hold both the payload and the target application component. Intents can be sent explicitly, where the target application component is specified, or implicitly, where the target is left unspecified and is determined by Android according to other Intent parameters such as its URI scheme, action or category. 3 General Exploitation via Inter-App Communication The attack surface is greatly increased if the attacker can directly invoke application components, controlling the Intent’s payload. This is the case with exported application components. Such components can be attacked locally by malware. Activities, Android application components responsible for UI screens, can also be attacked remotely using drive-by exploitation techniques as shown by [2, 3]. In the local attack, illustrated by Figure 3.1, malware invokes the exported target application com- ponent with a malicious Intent (i.e. one that contains malicious data) by simply calling APIs such as Context.startActivity(Intent). In the case of remote drive-by exploitation, illustrated by Figure 3.2, a user is lured into browsing a malicious website. This site serves a web page that causes the browser to invoke the target activity with the malicious Intent. Malware App Malicious Intent Android Device Figure 3.1: Local Attack by Malware 4 OAuth & Dropbox The Dropbox SDK uses OAuth in order to authorize the app on a given Dropbox account. This process begins by an out-of-band registration of the app on the Dropbox website. The app then receives from Dropbox an app key and app secret which are saved - hard-coded - in the application. 2
App Browser Android Device Attacker Naive Browsing Malicious Intent Figure 3.2: Remote Drive-By Attack The app then exports the Dropbox-provided AuthActivity in the Android Manifest file as follows: <activity android:name="com.dropbox.client2.android.AuthActivity" ...> <intent -filter > <data android:scheme="db -<APP_KEY >" /> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.BROWSABLE" /> <category android:name="android.intent.category.DEFAULT" /> </intent -filter > </activity > The players of the Dropbox OAuth dance and their communication channels are depicted by Figure 4.1. The process starts by app code calling the Dropbox’s SDK’s static method start{OAuth2}Authentication of AndroidAuthSession with the needed data (i.e. app key and secret). These methods invoke AuthActivity using an Intent. The AuthActivity then generates a nonce and either invokes, again by using an Intent, the browser or the Dropbox app (if it is installed) in order to authenticate the user and authorize the app. This invocation contains the previously generated nonce. The browser or the Dropbox app return the access token, secret and nonce with additional data (e.g. uid) back to the app using an implicit Intent targeting the app’s unique URI scheme (db-<APP_KEY>). This causes AuthActivity’s onNewIntent method to be called. The latter checks if the incoming nonce matches the outgoing one. If it does, it accepts the token and saves it in its result static member. The token can then be saved on the Dropbox session for upcoming Dropbox SDK calls. There are two main threats in this process. The first one is stealing the returned OAuth access token. This would allow the attacker to access the authorized Dropbox resources. This attack could have been done by malware impersonating the App by registering a similar intent filter. However, the Dropbox SDK checks if there is another application with the same intent filter, so this threat is quite mitigated. The other threat is injecting an access token pertaining to the attacker. This will link the App with the attacker’s account instead of the victim’s, which may then either upload, without consent, sensitive information to the attacker, or download, again unknowingly, malicious data that may enable other attacks. This threat should have been mitigated by the nonce parameter (which was added to the SDK in version 1.5.4), however, as we show up next, an implementation-specific vulnerability exists that allows the attacker to actively cause the Dropbox SDK to leak that nonce to the attacker’s server. 5 Vulnerability We present a severe vulnerability, identified as CVE-2014-8889, that allows the adversary to insert an arbi- trary access token into the Dropbox SDK AuthActivity, completely bypassing the nonce protection. AuthActivity consumes various Intent extra parameters. Since it is an exported and browsable activity (and it must be, as per section 4), it can be invoked by both malware and malicious websites with arbitrary Intent extras (see section 3). Therefore special care must be taken when consuming these intent extras. 3
App Code App Dropbox SDK Browser Android Device Dropbox API Intents (nonce protected) HTTPS Java Figure 4.1: Dropbox OAuth Dance Consumption of a particular Intent extra parameter, named INTERNAL_WEB_HOST, has devastating results since it can be controlled by the attacker. When the browser is used to authenticate the user and authorize the app (i.e. when the Dropbox app is not installed), this parameter eventually controls the host that the browser surfs to, as we can see on Appendix A. The method startWebAuth is called by the AuthActivity’s onResume (which is also called after an Intent invokes the Activity). Thus if the attacker can generate an Intent targeting the activity, with INTERNAL_WEB_HOST pointing to his server, the authentication process will begin automatically, with the nonce being sent to the attacker’s server! 6 The DROPPEDIN Attack We created both local and remote (drive-by) end-to-end attacks. Both attacks require that the Dropbox app is not installed on the attacked device. Both attacks begin with by the adversary obtaining, out-of-band, an access token (ACCESS_TOKEN_KEY, ACCESS_TOKEN_SECRET) and uid pertained to his account and the attacked App. This is specially easy since the attacker can simply download the App to his device, authorize it on his Dropbox account and record the returned access token pair. The following four steps describe the remote attack which is also illustrated by Figure 6.1. The local attack is similar and requires malware running on the device. 6.1 Naive Browsing In this step the victim naively browses to a malicious website. This can be a website that is completely controlled by the attacker or a website that has been injected with malicious code, using other vulnerabilities, such as Cross-Site Scripting (XSS). 6.2 Active Nonce Leaking The malicious code automatically causes the victim’s browser to invoke the attacked App with an Intent that causes it to start the OAuth dance with the adversary instead of https://www.dropbox.com. This step allows the attacker to obtain the nonce. This invocation can be done by a simple HTTP redirect to Intent:#Intent;scheme=db-<APP_KEY>; S.EXTRA_INTERNAL_WEB_HOST=<ATTACKER-SERVER>; S.EXTRA_INTERNAL_APP_KEY=foo; S.EXTRA_INTERNAL_APP_SECRET=bar; end 4
App Code App Dropbox SDK Browser Android Device Attacker (1) Naive browsing (2.1) Sends exploit to app (2.2) Exploit (2.3) Nonce (2.4) Nonce (3.1) Sends token+nonce to app (3.2) Token +Nonce (4) Token Dropbox API (0) Gets token (Out-of-band) Figure 6.1: The DROPPEDIN Attack At time of writing, most of the popular browsers support invoking implicit Intents via the Intent URI scheme. 6.3 OAuth Access Token Injection The above Intent will eventually cause the browser to request https://attacker:443/1/connect (with the nonce as a GET parameter). This implies that succeeding in the last step requires that the attacker owns an SSL certificate of his own domain, but this is rather easy. Learning the nonce allows the attacker to simply inject his pre-generated access token into the App by another HTTP redirect to: db-<APP_KEY>://1/connect?oauth_token_secret=<ACCESS_TOKEN_SECRET> &oauth_token=<ACCESS_TOKEN_KEY> &uid=<UID> &state=<NONCE> If the access token injection is successful, it will be saved under AuthActivity.result. 6.4 OAuth Access Token Consumption by App At this point, AuthActivity’s result static member contains the attacker’s token. The missing piece of the puzzle is how the App consumes this data, which is up to the developer’s decision. In general, although other cases may exist, the client-side (App) code will initiate authentication on one of its Activities’ onCreate method, or when clicking on some button. It will then check for successful authentication and move the token to the Dropbox session on its onResume method. The key observation that enables the attack is the fact that onCreate and onResume are successively called (according to [4]). This implies that if the attacker injects his access token before the App’s activity is displayed, the access token will be consumed before the user enters his/her own credentials - see Section 7 for a deep-dive into specific cases. 7 Case Studies 7.1 Microsoft Office Mobile: Inject and Add New Link The Microsoft Office Mobile app allows uploading the user’s documents to the cloud. This app supports multiple Dropbox accounts. 5
In this case, the following normal chain of events takes place: 1. User tries to add a Dropbox account. This invokes the activity responsible for the Dropbox authenti- cation. 2. The activity’s onCreate method will automatically call startOAuth2Authentication of the SDK’s AndroidAuthSession. 3. The activity’s onResume method is called in a successive manner. It checks if the authentication has succeeded via AndroidAuthSession’s authenticationSuccessful. The latter returns a negative result. 4. User, via the browser, authenticates on Dropbox and authorizes the app. 5. The activity’s onResume method is called again, this time authenticationSuccessful returns a posi- tive result. The token is copied from AuthActivity to the session object and is consumed by the app. The activity is destroyed by calling Activity.finish 6. The account is added to the app. This flow can be attacked as follows - before step 1, the adversary injects his/her token by exploiting the vulnerability. The user then decides to add a new Dropbox account. He will be forwarded to the Dropbox website as usual, however, this time, on step 3 which happens in the background without the user’s consent, the authenticationSuccessful will succeed. The attacker’s token will be moved to the session object and the activity will be destroyed, thus step 5 will not even occur. Therefore, even if the user entered his own credentials, the adversary’s token will be used instead, creating a seamless attack. 7.2 1Password: Inject Before First Link The 1Password app falls under the category of password management apps (such as KeyPass), and uses the Dropbox SDK to synchronize the user’s vault (key store) with Dropbox. This app supports the use of a single Dropbox account and is used for syncing the local vault with Dropbox. Uploading it to a malicious Dropbox account has devastating results - the attacker can then crack it offline, and if a weak master password is used (which is still a prevalent problem [5]), it can be performed in a feasible time. Alternatively, the attacker can perform a Phishing attack in order to find the master password. A chain of events similar to 7.1 occurs when the user decides to sync. 1. User clicks on the ’Sync with Dropbox’ button. The button invokes the activity responsible for the Dropbox authentication. 2. The activity’s onCreate method will check if it is linked via AndroidAuthSession.isLinked(). If it’s not, it will invoke startAuthentication of AndroidAuthSession. 3. The activity’s onResume method is called in a successive manner. It will again call AndroidAuth- Session.isLinked(). If it returns false, it will check if the authentication has succeeded via An- droidAuthSession.authenticationSuccessful(). The latter returns a negative result. 4. User, via the browser, authenticates on Dropbox and authorizes the app. 5. The activity’s onResume method is called. Again, AndroidAuthSession.isLinked() returns false. However, this time authenticationSuccessful() returns a positive result. The app then calls fin- ishAuthentication which copies the token to the session object (which causes its isLinked method to return true). The token is then consumed by the app. 6. The sync process begins. This flow can be attacked as follows - before step 1, the adversary injects his token by exploiting the vulnerability. The user then decides to sync his account. He will be forwarded to the Dropbox website as usual, however, this time, on step 3 which happens in the background without the user’s consent, the authenticationSuccessful will succeed. The attacker’s token will be moved to the session object, thus step 5’s isLinked call will return true. Therefore, even if the user entered his own credentials, the adversary’s token will be used instead, creating a seamless attack. 6
7.3 DBRoulette: Inject and Re-link The DBRoulette app is bundled as a sample app together with the Dropbox SDK for Android. It is a basic app that authenticates the user and then loads a random photo from the user’s Dropbox’s Photos folder. The main activity of this app is DBRoulette whose onResume method simply overrides the previously stored credentials. This means that even if a Dropbox account has already been linked with DBRoulette, the attacker’s account will be used instead. In addition, the DBRoulette code that calls the authentication methods of the Dropbox SDK resides in an exported activity which means that the attacker can invoke it to complete a fully automatic attack. Figure 7.1 depicts a successful attack, with one of the authors’ thumb fetched from the attacker’s dropbox account instead of the victim’s. Figure 7.1: Attacked DBRoulette 8 Mitigation Dropbox SDK for Android version 1.6.2 has been released and incorporates a patch for this security vulner- ability. The Dropbox SDK’s AuthActivity no longer accepts input parameters from the incoming Intent’s extras. This makes it impossible for the attacker to control the host the Dropbox SDK communicates with in order to leak the nonce. Developers are strongly encouraged to update their SDK to the latest version. In order to avoid exploitation of slowly-updating apps, end-users (device owners) can install the Dropbox app which makes the attack impossible. 9 Disclosure Timeline December 1, 2014 - Vulnerabilities disclosed to vendor. December 2, 2014 - Vendor confirmed the issue, and started working on a patch. December 5, 2014 - Patch available (Dropbox SDK for Android version 1.6.2). March 11, 2015 - Public disclosure. 10 Acknowledgments Dropbox’s response to this security threat was particularly noteworthy. We had reported the issue to Dropbox, which acknowledged receipt after a mere 6 minutes. Less than 24 hours after the disclosure Dropbox provided us with a confirmation of the vulnerability and a patch was provided 4 days after the 7
private disclosure. We would like to thank the Dropbox team for issuing one of quickest patches we have ever witnessed. This with no doubt shows their commitment to the security of their end-users. References [1] AppBrain. Dropbox API - Android library statistics. http://www.appbrain.com/stats/libraries/ details/dropbox_api/dropbox-api. [2] Takeshi Terada. Attacking Android browsers via intent scheme URLs. 2014. http://www.mbsd.jp/ Whitepaper/IntentScheme.pdf. [3] Roee Hay & David Kaplan. Remote exploitation of the cordova framework. 2014. http://www. slideshare.net/ibmsecurity/remote-exploitation-of-the-cordova-framework. [4] Android. Activity. http://developer.android.com/reference/android/app/Activity.html. [5] Trustwave. 2014 business password analysis, 2014. https://gsr.trustwave.com/topics/ business-password-analysis/2014-business-password-analysis/. 8
A Appendix: Vulnerable Dropbox SDK Code 1 protected void onCreate ( Bundle savedInstanceState ) { 2 . . . 3 Intent intent = getIntent () ; 4 . . . 5 webHost = intent . getStringExtra (EXTRA INTERNAL WEB HOST) ; 6 i f ( null == webHost ) { 7 webHost = DEFAULT WEB HOST; 8 } 9 . . . 10 } 11 12 protected void onResume () { 13 . . . 14 String s t a t e = createStateNonce () ; 15 . . . 16 i f ( hasDropboxApp ( o f f i c i a l I n t e n t ) ) { 17 s t a r t A c t i v i t y ( o f f i c i a l I n t e n t ) ; 18 } 19 else { 20 startWebAuth ( s t a t e ) ; 21 } 22 . . . 23 authStateNonce = s t a t e ; 24 } 25 26 private void startWebAuth ( String s t a t e ) 27 { 28 String path = ”/ connect ” ; 29 Locale l o c a l e = Locale . getDefault () ; 30 31 String [ ] params = { 32 ” l o c a l e ” , l o c a l e . getLanguage ()+” ”+l o c a l e . getCountry () , 33 ”k ” , appKey , 34 ”s ” , getConsumerSig () , 35 ”api ” , apiType , 36 ”s t a t e ” , s t a t e }; 37 String u r l = RESTUtility . buildURL ( webHost , DropboxAPI .VERSION, path , params ) ; 38 Intent intent = new Intent ( Intent .ACTION VIEW, Uri . parse ( u r l ) ) ; 39 s t a r t A c t i v i t y ( intent ) ; 40 } 9

Recommended

SpoofedMe - Intruding Accounts using Social Login Providers
SpoofedMe - Intruding Accounts using Social Login Providers SpoofedMe - Intruding Accounts using Social Login Providers
SpoofedMe - Intruding Accounts using Social Login Providers IBM Security
 
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security ServerFlaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security Serverijtsrd
 
OAuth Android Göteborg
OAuth Android GöteborgOAuth Android Göteborg
OAuth Android Göteborgdanieloskarsson
 
The ultimate deal on open id uses
The ultimate deal on open id usesThe ultimate deal on open id uses
The ultimate deal on open id usesPing Identity
 
Overtaking Firefox Profiles: Vulnerabilities in Firefox for Android
Overtaking Firefox Profiles: Vulnerabilities in Firefox for AndroidOvertaking Firefox Profiles: Vulnerabilities in Firefox for Android
Overtaking Firefox Profiles: Vulnerabilities in Firefox for AndroidIBM Security
 
Review on OpenID Authentication Framework
Review on OpenID Authentication FrameworkReview on OpenID Authentication Framework
Review on OpenID Authentication Frameworkijsrd.com
 
Oauth
OauthOauth
OauthRob Paok
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceAmin Saqi
 

Recommended

SpoofedMe - Intruding Accounts using Social Login Providers
SpoofedMe - Intruding Accounts using Social Login Providers SpoofedMe - Intruding Accounts using Social Login Providers
SpoofedMe - Intruding Accounts using Social Login Providers IBM Security
 
Flaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security ServerFlaws in Oauth 2.0 Can Oauth be used as a Security Server
Flaws in Oauth 2.0 Can Oauth be used as a Security Serverijtsrd
 
OAuth Android Göteborg
OAuth Android GöteborgOAuth Android Göteborg
OAuth Android Göteborgdanieloskarsson
 
The ultimate deal on open id uses
The ultimate deal on open id usesThe ultimate deal on open id uses
The ultimate deal on open id usesPing Identity
 
Overtaking Firefox Profiles: Vulnerabilities in Firefox for Android
Overtaking Firefox Profiles: Vulnerabilities in Firefox for AndroidOvertaking Firefox Profiles: Vulnerabilities in Firefox for Android
Overtaking Firefox Profiles: Vulnerabilities in Firefox for AndroidIBM Security
 
Review on OpenID Authentication Framework
Review on OpenID Authentication FrameworkReview on OpenID Authentication Framework
Review on OpenID Authentication Frameworkijsrd.com
 
Oauth
OauthOauth
OauthRob Paok
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceAmin Saqi
 
Authorization in asp
Authorization in aspAuthorization in asp
Authorization in aspOPENLANE
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11Niit Care
 
Open ID
Open IDOpen ID
Open IDdiwanshu.joshi
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with BoxJonathan LeBlanc
 
PayPal Access GDG DevFest
PayPal Access GDG DevFestPayPal Access GDG DevFest
PayPal Access GDG DevFestPayPal
 
Presentation On CLoudSweeper By Harini Anand
Presentation On CLoudSweeper By Harini AnandPresentation On CLoudSweeper By Harini Anand
Presentation On CLoudSweeper By Harini AnandHarini Anandakumar
 
Erikeldridge Yos V9
Erikeldridge Yos V9Erikeldridge Yos V9
Erikeldridge Yos V9JH Lee
 
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETVirtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETKrishna T
 
Sso cases Experience
Sso cases ExperienceSso cases Experience
Sso cases ExperienceVu Tran 14
 
Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...
Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...
Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...guest96f6c68d
 
Social Aggregator Paper
Social Aggregator PaperSocial Aggregator Paper
Social Aggregator PaperAkchay Srivastava
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11Vivek chan
 
Single Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingSingle Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingRahul Roshan
 
Web security with Eng Ahmed Galal and Eng Ramy saeid
Web security with Eng Ahmed Galal and Eng Ramy saeid Web security with Eng Ahmed Galal and Eng Ramy saeid
Web security with Eng Ahmed Galal and Eng Ramy saeid Ahmed Ghazey
 
Dropbox facilities
Dropbox facilitiesDropbox facilities
Dropbox facilitiesBarbu Florin
 
Dropbox for business
Dropbox for businessDropbox for business
Dropbox for businessncsbusiness
 
Integrated Cloud Security
Integrated Cloud SecurityIntegrated Cloud Security
Integrated Cloud SecurityOneLogin
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Dropbox - Architecture and Business Prospective
Dropbox - Architecture and Business ProspectiveDropbox - Architecture and Business Prospective
Dropbox - Architecture and Business ProspectiveChiara Cilardo
 
B2B Integration in the Cloud
B2B Integration in the CloudB2B Integration in the Cloud
B2B Integration in the Cloudi8c
 
Android ppt with example of budget manager
Android ppt with example of budget managerAndroid ppt with example of budget manager
Android ppt with example of budget managerNalini Mehta
 
Dropbox Tutorial
Dropbox TutorialDropbox Tutorial
Dropbox TutorialMelissa
 

More Related Content

What's hot

Authorization in asp
Authorization in aspAuthorization in asp
Authorization in aspOPENLANE
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11Niit Care
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with BoxJonathan LeBlanc
 
PayPal Access GDG DevFest
PayPal Access GDG DevFestPayPal Access GDG DevFest
PayPal Access GDG DevFestPayPal
 
Presentation On CLoudSweeper By Harini Anand
Presentation On CLoudSweeper By Harini AnandPresentation On CLoudSweeper By Harini Anand
Presentation On CLoudSweeper By Harini AnandHarini Anandakumar
 
Erikeldridge Yos V9
Erikeldridge Yos V9Erikeldridge Yos V9
Erikeldridge Yos V9JH Lee
 
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETVirtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETKrishna T
 
Sso cases Experience
Sso cases ExperienceSso cases Experience
Sso cases ExperienceVu Tran 14
 
Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...
Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...
Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...guest96f6c68d
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11Vivek chan
 
Single Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingSingle Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingRahul Roshan
 
Web security with Eng Ahmed Galal and Eng Ramy saeid
Web security with Eng Ahmed Galal and Eng Ramy saeid Web security with Eng Ahmed Galal and Eng Ramy saeid
Web security with Eng Ahmed Galal and Eng Ramy saeid Ahmed Ghazey
 

What's hot (14)

Authorization in asp
Authorization in aspAuthorization in asp
Authorization in asp
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11
 
Open ID
Open IDOpen ID
Open ID
 
Best Practices for Application Development with Box
Best Practices for Application Development with BoxBest Practices for Application Development with Box
Best Practices for Application Development with Box
 
PayPal Access GDG DevFest
PayPal Access GDG DevFestPayPal Access GDG DevFest
PayPal Access GDG DevFest
 
Presentation On CLoudSweeper By Harini Anand
Presentation On CLoudSweeper By Harini AnandPresentation On CLoudSweeper By Harini Anand
Presentation On CLoudSweeper By Harini Anand
 
Erikeldridge Yos V9
Erikeldridge Yos V9Erikeldridge Yos V9
Erikeldridge Yos V9
 
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NETVirtual Tech Days 2010 - Integrating Social Networks with ASP.NET
Virtual Tech Days 2010 - Integrating Social Networks with ASP.NET
 
Sso cases Experience
Sso cases ExperienceSso cases Experience
Sso cases Experience
 
Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...
Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...
Developing Dynamic PeopleSoft Field Security Applications:A PeopleSoft Develo...
 
Social Aggregator Paper
Social Aggregator PaperSocial Aggregator Paper
Social Aggregator Paper
 
08 asp.net session11
08 asp.net session1108 asp.net session11
08 asp.net session11
 
Single Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingSingle Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud Computing
 
Web security with Eng Ahmed Galal and Eng Ramy saeid
Web security with Eng Ahmed Galal and Eng Ramy saeid Web security with Eng Ahmed Galal and Eng Ramy saeid
Web security with Eng Ahmed Galal and Eng Ramy saeid
 

Viewers also liked

Dropbox facilities
Dropbox facilitiesDropbox facilities
Dropbox facilitiesBarbu Florin
 
Dropbox for business
Dropbox for businessDropbox for business
Dropbox for businessncsbusiness
 
Integrated Cloud Security
Integrated Cloud SecurityIntegrated Cloud Security
Integrated Cloud SecurityOneLogin
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Dropbox - Architecture and Business Prospective
Dropbox - Architecture and Business ProspectiveDropbox - Architecture and Business Prospective
Dropbox - Architecture and Business ProspectiveChiara Cilardo
 
B2B Integration in the Cloud
B2B Integration in the CloudB2B Integration in the Cloud
B2B Integration in the Cloudi8c
 
Android ppt with example of budget manager
Android ppt with example of budget managerAndroid ppt with example of budget manager
Android ppt with example of budget managerNalini Mehta
 
Dropbox Tutorial
Dropbox TutorialDropbox Tutorial
Dropbox TutorialMelissa
 
Alumni portal ppt for projects
Alumni portal ppt for projectsAlumni portal ppt for projects
Alumni portal ppt for projectsShanker Goud
 
Data and Information - Input, Process and Output
Data and Information - Input, Process and OutputData and Information - Input, Process and Output
Data and Information - Input, Process and Outputshiplakeict
 
The IPO Model of Evaluation (Input-Process-Output)
The IPO Model of Evaluation (Input-Process-Output)The IPO Model of Evaluation (Input-Process-Output)
The IPO Model of Evaluation (Input-Process-Output)Janilo Sarmiento
 
Android Chromium Rendering Pipeline
Android Chromium Rendering PipelineAndroid Chromium Rendering Pipeline
Android Chromium Rendering PipelineHyungwook Lee
 
Computer Systems - Input, Process, Output
Computer Systems - Input, Process, OutputComputer Systems - Input, Process, Output
Computer Systems - Input, Process, Outputcorb201
 
Dropbox Startup Lessons Learned
Dropbox Startup Lessons LearnedDropbox Startup Lessons Learned
Dropbox Startup Lessons Learnedgueste94e4c
 
Community IT Webinar - Dropbox vs OneDrive
Community IT Webinar - Dropbox vs OneDriveCommunity IT Webinar - Dropbox vs OneDrive
Community IT Webinar - Dropbox vs OneDriveCommunity IT Innovators
 
ShareFile vs Box vs Dropbox
ShareFile vs Box vs DropboxShareFile vs Box vs Dropbox
ShareFile vs Box vs DropboxRapidScale
 
Alumni management
Alumni managementAlumni management
Alumni managementGagan Gupta
 

Viewers also liked (20)

Dropbox facilities
Dropbox facilitiesDropbox facilities
Dropbox facilities
 
Dropbox for business
Dropbox for businessDropbox for business
Dropbox for business
 
Integrated Cloud Security
Integrated Cloud SecurityIntegrated Cloud Security
Integrated Cloud Security
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Dropbox - Architecture and Business Prospective
Dropbox - Architecture and Business ProspectiveDropbox - Architecture and Business Prospective
Dropbox - Architecture and Business Prospective
 
B2B Integration in the Cloud
B2B Integration in the CloudB2B Integration in the Cloud
B2B Integration in the Cloud
 
Android ppt with example of budget manager
Android ppt with example of budget managerAndroid ppt with example of budget manager
Android ppt with example of budget manager
 
Dropbox Tutorial
Dropbox TutorialDropbox Tutorial
Dropbox Tutorial
 
Drop Box Ppt
Drop Box PptDrop Box Ppt
Drop Box Ppt
 
Alumni portal ppt for projects
Alumni portal ppt for projectsAlumni portal ppt for projects
Alumni portal ppt for projects
 
Data and Information - Input, Process and Output
Data and Information - Input, Process and OutputData and Information - Input, Process and Output
Data and Information - Input, Process and Output
 
The IPO Model of Evaluation (Input-Process-Output)
The IPO Model of Evaluation (Input-Process-Output)The IPO Model of Evaluation (Input-Process-Output)
The IPO Model of Evaluation (Input-Process-Output)
 
Android Chromium Rendering Pipeline
Android Chromium Rendering PipelineAndroid Chromium Rendering Pipeline
Android Chromium Rendering Pipeline
 
Computer Systems - Input, Process, Output
Computer Systems - Input, Process, OutputComputer Systems - Input, Process, Output
Computer Systems - Input, Process, Output
 
Dropbox Startup Lessons Learned
Dropbox Startup Lessons LearnedDropbox Startup Lessons Learned
Dropbox Startup Lessons Learned
 
Is Dropbox your next File Server?
Is Dropbox your next File Server?Is Dropbox your next File Server?
Is Dropbox your next File Server?
 
Community IT Webinar - Dropbox vs OneDrive
Community IT Webinar - Dropbox vs OneDriveCommunity IT Webinar - Dropbox vs OneDrive
Community IT Webinar - Dropbox vs OneDrive
 
ShareFile vs Box vs Dropbox
ShareFile vs Box vs DropboxShareFile vs Box vs Dropbox
ShareFile vs Box vs Dropbox
 
Alumni management
Alumni managementAlumni management
Alumni management
 
Hospital management system
Hospital management systemHospital management system
Hospital management system
 

Similar to Remote Exploitation of the Dropbox SDK for Android

Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android SystemNizar Maan
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Pentestflashkeybpardpaper
PentestflashkeybpardpaperPentestflashkeybpardpaper
PentestflashkeybpardpaperAndrey Apuhtin
 
Mobile Application Development -Lecture 09 & 10.pdf
Mobile Application Development -Lecture 09 & 10.pdfMobile Application Development -Lecture 09 & 10.pdf
Mobile Application Development -Lecture 09 & 10.pdfAbdullahMunir32
 
Android_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdfAndroid_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdfTalha Naqash
 
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...IJNSA Journal
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 
Multiple Vulnerabilities in Mozilla Firefox for Android
Multiple Vulnerabilities in Mozilla Firefox for AndroidMultiple Vulnerabilities in Mozilla Firefox for Android
Multiple Vulnerabilities in Mozilla Firefox for AndroidThe Hacker News
 
Google android white paper
Google android white paperGoogle android white paper
Google android white paperSravan Reddy
 
Detection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksDetection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksAmina WADDIZ
 
Android application development
Android application developmentAndroid application development
Android application developmentMd. Mujahid Islam
 

Similar to Remote Exploitation of the Dropbox SDK for Android (20)

Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android System
 
Apple Presentation.pptx
Apple Presentation.pptxApple Presentation.pptx
Apple Presentation.pptx
 
Android Basic- CMC
Android Basic- CMCAndroid Basic- CMC
Android Basic- CMC
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Pentestflashkeybpardpaper
PentestflashkeybpardpaperPentestflashkeybpardpaper
Pentestflashkeybpardpaper
 
Unit2
Unit2Unit2
Unit2
 
Aptech Apps
Aptech Apps Aptech Apps
Aptech Apps
 
Mobile Application Development -Lecture 09 & 10.pdf
Mobile Application Development -Lecture 09 & 10.pdfMobile Application Development -Lecture 09 & 10.pdf
Mobile Application Development -Lecture 09 & 10.pdf
 
Android beginners David
Android beginners DavidAndroid beginners David
Android beginners David
 
Android_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdfAndroid_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdf
 
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 
Android security
Android securityAndroid security
Android security
 
Android security
Android securityAndroid security
Android security
 
Multiple Vulnerabilities in Mozilla Firefox for Android
Multiple Vulnerabilities in Mozilla Firefox for AndroidMultiple Vulnerabilities in Mozilla Firefox for Android
Multiple Vulnerabilities in Mozilla Firefox for Android
 
Mobile testing android
Mobile testing androidMobile testing android
Mobile testing android
 
Google android white paper
Google android white paperGoogle android white paper
Google android white paper
 
Detection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksDetection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacks
 
Android application development
Android application developmentAndroid application development
Android application development
 

More from IBM Security

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsIBM Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...IBM Security
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...IBM Security
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIBM Security
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...IBM Security
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...IBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackIBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationIBM Security
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?IBM Security
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceIBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...IBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...IBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...IBM Security
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowIBM Security
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsIBM Security
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020IBM Security
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityIBM Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident ResponseIBM Security
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats IBM Security
 

More from IBM Security (20)

Automation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOpsAutomation: Embracing the Future of SecOps
Automation: Embracing the Future of SecOps
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
 
Integrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM ResilientIntegrated Response with v32 of IBM Resilient
Integrated Response with v32 of IBM Resilient
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon BlackAccelerating SOC Transformation with IBM Resilient and Carbon Black
Accelerating SOC Transformation with IBM Resilient and Carbon Black
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?Are You Ready to Move Your IAM to the Cloud?
Are You Ready to Move Your IAM to the Cloud?
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat IntelligenceOrchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
How to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security OperationsHow to Improve Threat Detection & Simplify Security Operations
How to Improve Threat Detection & Simplify Security Operations
 
IBM QRadar UBA
IBM QRadar UBA IBM QRadar UBA
IBM QRadar UBA
 
Mobile Vision 2020
Mobile Vision 2020Mobile Vision 2020
Mobile Vision 2020
 
Retail Mobility, Productivity and Security
Retail Mobility, Productivity and SecurityRetail Mobility, Productivity and Security
Retail Mobility, Productivity and Security
 
Close the Loop on Incident Response
Close the Loop on Incident ResponseClose the Loop on Incident Response
Close the Loop on Incident Response
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats Orchestrate Your Security Defenses; Protect Against Insider Threats
Orchestrate Your Security Defenses; Protect Against Insider Threats
 

Recently uploaded

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Remote Exploitation of the Dropbox SDK for Android

  • 1. REMOTE EXPLOITATION OF THE DROPBOX SDK FOR ANDROID Roee Hay and Or Peles IBM Security Systems {roeeh,orpeles}@il.ibm.com Abstract In today’s world personal data is on the cloud. Services, such as photo-hosting or general-purpose storage , should be accessible not only for the user, but also for apps that need access to the data on the user’s behalf. Interoperability has always been challenging in many aspects, including access control. In order to combat the latter, authorization protocols, such as OAuth 1 & 2, can securely grant apps access to personal data found in a target service, without disclosing the user’s credentials. In order to ease the development lifecycle, such services oftentimes provide a framework, or an SDK, that apps can utilize in order to communicate with the given service. These frameworks are very appealing for app developers since they abstract away the internals, and give the developers a simple client-side API they can use. From a security perspective, the frameworks themselves provide an extremely attractive attack surface for malicious attacks as an exploit of the framework could potentially affect numerous applications making use of it. In this paper we present a severe vulnerability (identified as CVE-2014-8889) within the Dropbox SDK for Android versions 1.5.4-1.6.1. This vulnerability can expose applications using the Dropbox SDK to severe local and remote attacks. As a Proof of Concept, we developed a remote drive-by attack which works against real world apps, including Microsoft Office Mobile and 1Password. We had responsibly re- ported the vulnerability to Dropbox which promptly provided a patched SDK (version 1.6.2). Developers are strongly encouraged to download it and update their apps. 1 Introduction The Dropbox SDK is a library that developers can download and add to their products. This library provides easy access to Dropbox features, such as downloading and uploading files, via a simple set of APIs. AppBrain provides statistics as to the prevalence of the use of the Dropbox SDK on Android [1]. According to these statistics, 0.31% of all applications use the Dropbox SDK. Of the top 500 apps in the Google Play Store, 1.41% use the Dropbox SDK. Interestingly, 1.32% of total app installations and 3.93% of app installations of the top 500 apps use the Dropbox SDK, respectively. While it is not a highly prevalent library, some extremely popular Android apps that may hold sensitive information use the Dropbox SDK, including Microsoft Office Mobile with over 10,000,000 downloads1 and AgileBits 1Password with over 100,000 downloads2 . The vulnerability that we discovered may affect any Android app that uses the Dropbox SDK versions 1.5.4-1.6.1. We examined 41 apps that use the Dropbox SDK for Android, out of which 31 apps (76%) were vulnerable to our attack (i.e. they used version 1.5.4-1.6.1). It’s noteworthy that the rest of the apps were vulnerable to a much simpler attack with the same consequences, but had been fixed by Dropbox with the 1.5.4 version of the SDK which they did not care to upgrade to. This paper is organized as follows. Section 2 gives a background on Inter-App Communication (IAC) in Android. Section 3 shows how IAC can be exploited in general locally by malware and remotely using drive- by techniques. Section 4 describes how the Dropbox SDK for Android uses OAuth for app authorization. In 1https://play.google.com/store/apps/details?id=com.microsoft.office.officehub 2https://play.google.com/store/apps/details?id=com.agilebits.onepassword 1
  • 2. section 5 we deep-dive into the vulnerability we found within the Dropbox SDK for Android OAuth code. Section 6 presents a real attack, dubbed DroppedIn, that exploits the vulnerability. In section 7, we show that the threat is real by presenting case studies. We end with section 8 that presents a mitigation for the vulnerability. 2 Inter-App Communication (IAC) in Android Android applications are executed in a sandbox environment. The sandbox ensures data confidentiality and integrity as no application can access sensitive information held by another application without proper privileges. For example, Android’s stock browser application holds sensitive information such as cookies, cache and history which shouldn’t be accessed by third-party apps. The sandbox relies on several techniques including per-package Linux user-id assignment. Thus, resources, such as files, owned by one app cannot be accessed by default by other apps. While sandboxing is great for security, it may diminish interoperability as apps sometimes would like to talk to each other. Going back to the browser example, the browser would want to invoke the Google Play app when a user browsed to the Google Play website. In order to support this kind of functionality, Android provides high-level Inter-App Communication (IAC) mechanisms. This communication is usually done using special messages called Intents, which hold both the payload and the target application component. Intents can be sent explicitly, where the target application component is specified, or implicitly, where the target is left unspecified and is determined by Android according to other Intent parameters such as its URI scheme, action or category. 3 General Exploitation via Inter-App Communication The attack surface is greatly increased if the attacker can directly invoke application components, controlling the Intent’s payload. This is the case with exported application components. Such components can be attacked locally by malware. Activities, Android application components responsible for UI screens, can also be attacked remotely using drive-by exploitation techniques as shown by [2, 3]. In the local attack, illustrated by Figure 3.1, malware invokes the exported target application com- ponent with a malicious Intent (i.e. one that contains malicious data) by simply calling APIs such as Context.startActivity(Intent). In the case of remote drive-by exploitation, illustrated by Figure 3.2, a user is lured into browsing a malicious website. This site serves a web page that causes the browser to invoke the target activity with the malicious Intent. Malware App Malicious Intent Android Device Figure 3.1: Local Attack by Malware 4 OAuth & Dropbox The Dropbox SDK uses OAuth in order to authorize the app on a given Dropbox account. This process begins by an out-of-band registration of the app on the Dropbox website. The app then receives from Dropbox an app key and app secret which are saved - hard-coded - in the application. 2
  • 3. App Browser Android Device Attacker Naive Browsing Malicious Intent Figure 3.2: Remote Drive-By Attack The app then exports the Dropbox-provided AuthActivity in the Android Manifest file as follows: <activity android:name="com.dropbox.client2.android.AuthActivity" ...> <intent -filter > <data android:scheme="db -<APP_KEY >" /> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.BROWSABLE" /> <category android:name="android.intent.category.DEFAULT" /> </intent -filter > </activity > The players of the Dropbox OAuth dance and their communication channels are depicted by Figure 4.1. The process starts by app code calling the Dropbox’s SDK’s static method start{OAuth2}Authentication of AndroidAuthSession with the needed data (i.e. app key and secret). These methods invoke AuthActivity using an Intent. The AuthActivity then generates a nonce and either invokes, again by using an Intent, the browser or the Dropbox app (if it is installed) in order to authenticate the user and authorize the app. This invocation contains the previously generated nonce. The browser or the Dropbox app return the access token, secret and nonce with additional data (e.g. uid) back to the app using an implicit Intent targeting the app’s unique URI scheme (db-<APP_KEY>). This causes AuthActivity’s onNewIntent method to be called. The latter checks if the incoming nonce matches the outgoing one. If it does, it accepts the token and saves it in its result static member. The token can then be saved on the Dropbox session for upcoming Dropbox SDK calls. There are two main threats in this process. The first one is stealing the returned OAuth access token. This would allow the attacker to access the authorized Dropbox resources. This attack could have been done by malware impersonating the App by registering a similar intent filter. However, the Dropbox SDK checks if there is another application with the same intent filter, so this threat is quite mitigated. The other threat is injecting an access token pertaining to the attacker. This will link the App with the attacker’s account instead of the victim’s, which may then either upload, without consent, sensitive information to the attacker, or download, again unknowingly, malicious data that may enable other attacks. This threat should have been mitigated by the nonce parameter (which was added to the SDK in version 1.5.4), however, as we show up next, an implementation-specific vulnerability exists that allows the attacker to actively cause the Dropbox SDK to leak that nonce to the attacker’s server. 5 Vulnerability We present a severe vulnerability, identified as CVE-2014-8889, that allows the adversary to insert an arbi- trary access token into the Dropbox SDK AuthActivity, completely bypassing the nonce protection. AuthActivity consumes various Intent extra parameters. Since it is an exported and browsable activity (and it must be, as per section 4), it can be invoked by both malware and malicious websites with arbitrary Intent extras (see section 3). Therefore special care must be taken when consuming these intent extras. 3
  • 4. App Code App Dropbox SDK Browser Android Device Dropbox API Intents (nonce protected) HTTPS Java Figure 4.1: Dropbox OAuth Dance Consumption of a particular Intent extra parameter, named INTERNAL_WEB_HOST, has devastating results since it can be controlled by the attacker. When the browser is used to authenticate the user and authorize the app (i.e. when the Dropbox app is not installed), this parameter eventually controls the host that the browser surfs to, as we can see on Appendix A. The method startWebAuth is called by the AuthActivity’s onResume (which is also called after an Intent invokes the Activity). Thus if the attacker can generate an Intent targeting the activity, with INTERNAL_WEB_HOST pointing to his server, the authentication process will begin automatically, with the nonce being sent to the attacker’s server! 6 The DROPPEDIN Attack We created both local and remote (drive-by) end-to-end attacks. Both attacks require that the Dropbox app is not installed on the attacked device. Both attacks begin with by the adversary obtaining, out-of-band, an access token (ACCESS_TOKEN_KEY, ACCESS_TOKEN_SECRET) and uid pertained to his account and the attacked App. This is specially easy since the attacker can simply download the App to his device, authorize it on his Dropbox account and record the returned access token pair. The following four steps describe the remote attack which is also illustrated by Figure 6.1. The local attack is similar and requires malware running on the device. 6.1 Naive Browsing In this step the victim naively browses to a malicious website. This can be a website that is completely controlled by the attacker or a website that has been injected with malicious code, using other vulnerabilities, such as Cross-Site Scripting (XSS). 6.2 Active Nonce Leaking The malicious code automatically causes the victim’s browser to invoke the attacked App with an Intent that causes it to start the OAuth dance with the adversary instead of https://www.dropbox.com. This step allows the attacker to obtain the nonce. This invocation can be done by a simple HTTP redirect to Intent:#Intent;scheme=db-<APP_KEY>; S.EXTRA_INTERNAL_WEB_HOST=<ATTACKER-SERVER>; S.EXTRA_INTERNAL_APP_KEY=foo; S.EXTRA_INTERNAL_APP_SECRET=bar; end 4
  • 5. App Code App Dropbox SDK Browser Android Device Attacker (1) Naive browsing (2.1) Sends exploit to app (2.2) Exploit (2.3) Nonce (2.4) Nonce (3.1) Sends token+nonce to app (3.2) Token +Nonce (4) Token Dropbox API (0) Gets token (Out-of-band) Figure 6.1: The DROPPEDIN Attack At time of writing, most of the popular browsers support invoking implicit Intents via the Intent URI scheme. 6.3 OAuth Access Token Injection The above Intent will eventually cause the browser to request https://attacker:443/1/connect (with the nonce as a GET parameter). This implies that succeeding in the last step requires that the attacker owns an SSL certificate of his own domain, but this is rather easy. Learning the nonce allows the attacker to simply inject his pre-generated access token into the App by another HTTP redirect to: db-<APP_KEY>://1/connect?oauth_token_secret=<ACCESS_TOKEN_SECRET> &oauth_token=<ACCESS_TOKEN_KEY> &uid=<UID> &state=<NONCE> If the access token injection is successful, it will be saved under AuthActivity.result. 6.4 OAuth Access Token Consumption by App At this point, AuthActivity’s result static member contains the attacker’s token. The missing piece of the puzzle is how the App consumes this data, which is up to the developer’s decision. In general, although other cases may exist, the client-side (App) code will initiate authentication on one of its Activities’ onCreate method, or when clicking on some button. It will then check for successful authentication and move the token to the Dropbox session on its onResume method. The key observation that enables the attack is the fact that onCreate and onResume are successively called (according to [4]). This implies that if the attacker injects his access token before the App’s activity is displayed, the access token will be consumed before the user enters his/her own credentials - see Section 7 for a deep-dive into specific cases. 7 Case Studies 7.1 Microsoft Office Mobile: Inject and Add New Link The Microsoft Office Mobile app allows uploading the user’s documents to the cloud. This app supports multiple Dropbox accounts. 5
  • 6. In this case, the following normal chain of events takes place: 1. User tries to add a Dropbox account. This invokes the activity responsible for the Dropbox authenti- cation. 2. The activity’s onCreate method will automatically call startOAuth2Authentication of the SDK’s AndroidAuthSession. 3. The activity’s onResume method is called in a successive manner. It checks if the authentication has succeeded via AndroidAuthSession’s authenticationSuccessful. The latter returns a negative result. 4. User, via the browser, authenticates on Dropbox and authorizes the app. 5. The activity’s onResume method is called again, this time authenticationSuccessful returns a posi- tive result. The token is copied from AuthActivity to the session object and is consumed by the app. The activity is destroyed by calling Activity.finish 6. The account is added to the app. This flow can be attacked as follows - before step 1, the adversary injects his/her token by exploiting the vulnerability. The user then decides to add a new Dropbox account. He will be forwarded to the Dropbox website as usual, however, this time, on step 3 which happens in the background without the user’s consent, the authenticationSuccessful will succeed. The attacker’s token will be moved to the session object and the activity will be destroyed, thus step 5 will not even occur. Therefore, even if the user entered his own credentials, the adversary’s token will be used instead, creating a seamless attack. 7.2 1Password: Inject Before First Link The 1Password app falls under the category of password management apps (such as KeyPass), and uses the Dropbox SDK to synchronize the user’s vault (key store) with Dropbox. This app supports the use of a single Dropbox account and is used for syncing the local vault with Dropbox. Uploading it to a malicious Dropbox account has devastating results - the attacker can then crack it offline, and if a weak master password is used (which is still a prevalent problem [5]), it can be performed in a feasible time. Alternatively, the attacker can perform a Phishing attack in order to find the master password. A chain of events similar to 7.1 occurs when the user decides to sync. 1. User clicks on the ’Sync with Dropbox’ button. The button invokes the activity responsible for the Dropbox authentication. 2. The activity’s onCreate method will check if it is linked via AndroidAuthSession.isLinked(). If it’s not, it will invoke startAuthentication of AndroidAuthSession. 3. The activity’s onResume method is called in a successive manner. It will again call AndroidAuth- Session.isLinked(). If it returns false, it will check if the authentication has succeeded via An- droidAuthSession.authenticationSuccessful(). The latter returns a negative result. 4. User, via the browser, authenticates on Dropbox and authorizes the app. 5. The activity’s onResume method is called. Again, AndroidAuthSession.isLinked() returns false. However, this time authenticationSuccessful() returns a positive result. The app then calls fin- ishAuthentication which copies the token to the session object (which causes its isLinked method to return true). The token is then consumed by the app. 6. The sync process begins. This flow can be attacked as follows - before step 1, the adversary injects his token by exploiting the vulnerability. The user then decides to sync his account. He will be forwarded to the Dropbox website as usual, however, this time, on step 3 which happens in the background without the user’s consent, the authenticationSuccessful will succeed. The attacker’s token will be moved to the session object, thus step 5’s isLinked call will return true. Therefore, even if the user entered his own credentials, the adversary’s token will be used instead, creating a seamless attack. 6
  • 7. 7.3 DBRoulette: Inject and Re-link The DBRoulette app is bundled as a sample app together with the Dropbox SDK for Android. It is a basic app that authenticates the user and then loads a random photo from the user’s Dropbox’s Photos folder. The main activity of this app is DBRoulette whose onResume method simply overrides the previously stored credentials. This means that even if a Dropbox account has already been linked with DBRoulette, the attacker’s account will be used instead. In addition, the DBRoulette code that calls the authentication methods of the Dropbox SDK resides in an exported activity which means that the attacker can invoke it to complete a fully automatic attack. Figure 7.1 depicts a successful attack, with one of the authors’ thumb fetched from the attacker’s dropbox account instead of the victim’s. Figure 7.1: Attacked DBRoulette 8 Mitigation Dropbox SDK for Android version 1.6.2 has been released and incorporates a patch for this security vulner- ability. The Dropbox SDK’s AuthActivity no longer accepts input parameters from the incoming Intent’s extras. This makes it impossible for the attacker to control the host the Dropbox SDK communicates with in order to leak the nonce. Developers are strongly encouraged to update their SDK to the latest version. In order to avoid exploitation of slowly-updating apps, end-users (device owners) can install the Dropbox app which makes the attack impossible. 9 Disclosure Timeline December 1, 2014 - Vulnerabilities disclosed to vendor. December 2, 2014 - Vendor confirmed the issue, and started working on a patch. December 5, 2014 - Patch available (Dropbox SDK for Android version 1.6.2). March 11, 2015 - Public disclosure. 10 Acknowledgments Dropbox’s response to this security threat was particularly noteworthy. We had reported the issue to Dropbox, which acknowledged receipt after a mere 6 minutes. Less than 24 hours after the disclosure Dropbox provided us with a confirmation of the vulnerability and a patch was provided 4 days after the 7
  • 8. private disclosure. We would like to thank the Dropbox team for issuing one of quickest patches we have ever witnessed. This with no doubt shows their commitment to the security of their end-users. References [1] AppBrain. Dropbox API - Android library statistics. http://www.appbrain.com/stats/libraries/ details/dropbox_api/dropbox-api. [2] Takeshi Terada. Attacking Android browsers via intent scheme URLs. 2014. http://www.mbsd.jp/ Whitepaper/IntentScheme.pdf. [3] Roee Hay & David Kaplan. Remote exploitation of the cordova framework. 2014. http://www. slideshare.net/ibmsecurity/remote-exploitation-of-the-cordova-framework. [4] Android. Activity. http://developer.android.com/reference/android/app/Activity.html. [5] Trustwave. 2014 business password analysis, 2014. https://gsr.trustwave.com/topics/ business-password-analysis/2014-business-password-analysis/. 8
  • 9. A Appendix: Vulnerable Dropbox SDK Code 1 protected void onCreate ( Bundle savedInstanceState ) { 2 . . . 3 Intent intent = getIntent () ; 4 . . . 5 webHost = intent . getStringExtra (EXTRA INTERNAL WEB HOST) ; 6 i f ( null == webHost ) { 7 webHost = DEFAULT WEB HOST; 8 } 9 . . . 10 } 11 12 protected void onResume () { 13 . . . 14 String s t a t e = createStateNonce () ; 15 . . . 16 i f ( hasDropboxApp ( o f f i c i a l I n t e n t ) ) { 17 s t a r t A c t i v i t y ( o f f i c i a l I n t e n t ) ; 18 } 19 else { 20 startWebAuth ( s t a t e ) ; 21 } 22 . . . 23 authStateNonce = s t a t e ; 24 } 25 26 private void startWebAuth ( String s t a t e ) 27 { 28 String path = ”/ connect ” ; 29 Locale l o c a l e = Locale . getDefault () ; 30 31 String [ ] params = { 32 ” l o c a l e ” , l o c a l e . getLanguage ()+” ”+l o c a l e . getCountry () , 33 ”k ” , appKey , 34 ”s ” , getConsumerSig () , 35 ”api ” , apiType , 36 ”s t a t e ” , s t a t e }; 37 String u r l = RESTUtility . buildURL ( webHost , DropboxAPI .VERSION, path , params ) ; 38 Intent intent = new Intent ( Intent .ACTION VIEW, Uri . parse ( u r l ) ) ; 39 s t a r t A c t i v i t y ( intent ) ; 40 } 9