Better watch your apps - MJ Keith

My HouSecCon presentation on Android application security and ARM exploitation

Presentation Transcript

  • Better watch your apps! November 4, 2010. MJ Keith, GCIA, GCIH. Alert Logic - Security Researcher
  • Smart phones
    • Blackberry
    • iPhone
    • Android
    • Windows mobile
  • Markets
    • iPhone market
      • Open to developers
      • Apps are reviewed and approved by Apple
        • A tethering app disguised as a flashlight made it in!
    • Android market
      • Open to developers
      • Moderated by users
        • Some restriction from wireless provider.
    • Blackberry market
      • Hoping to get market share back.
    • Who is writing these apps?
  • Focus on Malware
    • How can malware affect you?
      • Blackhat 2010
        • These aren't the permissions you're looking for...
        • App attack
        • Several others
    • Why are we only looking at malware?
      • Is ADOBE software malware?
        • Well maybe...
  • Size doesn't matter
    • Do you allow users to install untrusted apps?
      • Every program installed presents a risk
        • Patch management required
    • Do you allow users to connect personal laptops?
      • Policies are in place but can you really stop it?
        • If users can connect, they will connect
          • Mac filtering helps but not a complete fix
  • Android
    • Architecture
      • ARM, 32-bit
    • OS
      • Linux
        • Bionic libc
    • Apps
      • Dalvik JVM (kinda)
      • All apps written in java
  • Permissions
    • Each app runs as its own user - Linux style
      • Cache data can be stored in the app's directory or on the SD card
        • Cache data in the app directory is sandboxed / the SD card is accessible to everyone
      • Intents can request data or actions from other apps
    • Granular control of certain privileged actions
      • Making phone calls / sending sms /access to personal data
  • Where I started
    • Bugs in your pocket
      • Anyone can submit an application - no assumption that QA has taken place.
      • How many android apps do nothing but crash?
        • Tons of bugs
        • apps crashing = exploitable
      • Theory
        • Apps will be easy to hack
        • They will not be protecting user data
        • Apps create aggregation points that can be used to attack users
  • Target app profile (diagram; labels: Web API, Attacker)
  • Testing begins
    • Targeting smaller distribution apps that make calls to internets – yeah both of them
      • Basic server client setup
        • Online storage
          • Financial data = checks > 1,000 users
          • Contact data = Addressbook PRO > 6,000 users
          • Scoreboards = Speedx > 500,000 users
  • Checks > 1,000 users
    • Cloud storage
      • Allows you to store purchases and payments data.
      • Password protected
  • Checks
    • Uses HTTP json API
      • Easy to sniff with airodump
      • Password only used on the phone
      • User id (this is just an int) used to access the cloud server
        • Guess the user number
          • Full read/write access to the data
          • Can reset password but who cares
  • Checks (captured request and response)
        POST /cloud/ HTTP/1.1
        X-Requested-With: XMLHttpRequest
        User-Agent:
        Content-Length: 65
        Content-Type: application/x-www-form-urlencoded
        Host:
        Connection: Keep-Alive

        json=%7B%22user_id%22%3A%22680%22%2C%22action%22%3A%22import%22%7D

        HTTP/1.1 200 OK
        Date: Sat, 28 Aug 2010 01:41:26 GMT
        Server: Apache/1.3.41 Ben-SSL/1.59
        X-Powered-By: PHP/5.2.14
        Keep-Alive: timeout=2, max=200
        Connection: Keep-Alive
        Transfer-Encoding: chunked
        Content-Type: text/html

        193
        {"message":"imported successfully","cloud_data":"[{"id":"1","amount":"222","cleared":null,"desc":"qqq","check_date":"1282959385","dateadded":null},{"id":"2","amount":"333","cleared":null,"desc":"ppp","check_date":"1282959385","dateadded":null},{"id":"3","amount":"111","cleared":null,"desc":"ooo","check_date":"1282959385","dateadded":null}]"}
        0
  • Addressbook PRO > 6,000 users
    • Sync and backup contact/locations to cloud
      • HTTP json API
    • Password protected – here we go again...
      • Same exact problem. Password only used on phone
    • Costs $4.99 – kinda pricey to get data stolen
    • Guess username and you have full control
      • You also get the user's MEID lol
  • Addressbook PRO (captured request and response)
        POST /apofasyncaddressbook.php HTTP/1.1
        content-type: application/x-www-form-urlencoded
        content-length: 10
        cache-control: no-store,no-cache
        User-Agent: Dalvik/1.1.0 (Linux; U; Android 2.0.1; Droid Build/ESD56)
        Host:
        Accept: *, */*
        Connection: Keep-Alive

        &n=test

        HTTP/1.1 200 OK
        Date: Fri, 27 Aug 2010 16:38:12 GMT
        Server: Apache/2.2.16 (CentOS) mod_ssl/2.2.16 0.9.8l DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 FrontPage/
        X-Powered-By: PHP/5.2.13
        Connection: Keep-Alive
        Transfer-Encoding: chunked
        Content-Type: text/html; charset=UTF-8

        193
        {"address":[{"id":"164","db_id":"2","title":"test","address":"blah.;'";:)*&=%","picon":"nullrnrn","visit":"0","category":"Family","userid":"test","createdDate":"1282925803271","deviceid":"A00000555553"},{"id":"163","db_id":"1","title":"narf","address":"gggg gfggggg","picon":"null","visit":"0","category":"Family","userid":"test","createdDate":"1282925678434","deviceid":"A00000555553"}]}
  • MEID
    • Value your wireless provider uses to authenticate your phone on the network
    • Could be called the phone's MAC or SSN
      • Not really intended to authenticate to anything except the wireless network.
    • Often a target as it is used in cloning
      • CDMA sniffing techniques have been used by cloners for years
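Added example (not code from the talk or from the Checks / Addressbook PRO services): the captures above show a server that returns whatever record the client names, so the only secret is a small integer or a username, and the password is never checked by the server. The code below keeps that insecure shape for comparison and pairs it with a hardened handler that verifies the password server-side, issues a random bearer token, and takes the caller's identity from that token rather than from the request body. The user ids, passwords, records and token format are constructed for the demo.

```python
"""Cloud-sync API: client-supplied identity versus server-issued session.

Added example, not code from the talk or from the Checks / Addressbook PRO
services. Users, passwords and records are constructed in memory.
"""
import hashlib
import hmac
import json
import os
import secrets
from typing import Dict, List, Optional

# Constructed record store keyed by numeric user id (the capture used user_id 680).
CLOUD_DATA: Dict[int, List[dict]] = {
    680: [{"id": "1", "amount": "222", "desc": "qqq"}],
    681: [{"id": "1", "amount": "9000", "desc": "rent"}],
}


def _verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the server stores a verifier, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed credentials: salt and verifier per user, both held only on the server.
_SALTS: Dict[int, bytes] = {680: os.urandom(16), 681: os.urandom(16)}
_VERIFIERS: Dict[int, bytes] = {
    680: _verifier("correct horse", _SALTS[680]),
    681: _verifier("battery staple", _SALTS[681]),
}
SESSIONS: Dict[str, int] = {}  # bearer token -> user id


def vulnerable_import(body: str) -> dict:
    """The pattern in the captures: the body names a user_id, the server returns that user's data."""
    req = json.loads(body)
    user_id = int(req["user_id"])
    if req.get("action") != "import" or user_id not in CLOUD_DATA:
        return {"status": 404}
    return {"status": 200, "cloud_data": CLOUD_DATA[user_id]}


def login(user_id: int, password: str) -> Optional[str]:
    """Verify the password on the server; on success issue an unguessable session token."""
    salt = _SALTS.get(user_id)
    if salt is None:
        return None
    if not hmac.compare_digest(_verifier(password, salt), _VERIFIERS[user_id]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def hardened_import(body: str, authorization: Optional[str]) -> dict:
    """Identity comes from the session token; a body naming another user is refused."""
    if not authorization or not authorization.startswith("Bearer "):
        return {"status": 401}
    user_id = SESSIONS.get(authorization[len("Bearer "):])
    if user_id is None:
        return {"status": 401}
    req = json.loads(body)
    if req.get("action") != "import":
        return {"status": 400}
    if int(req.get("user_id", user_id)) != user_id:
        return {"status": 403}  # an authorization failure worth logging, not a lookup miss
    return {"status": 200, "cloud_data": CLOUD_DATA[user_id]}


if __name__ == "__main__":
    token = login(680, "correct horse")
    print(hardened_import('{"user_id":"681","action":"import"}', f"Bearer {token}"))
```

The 403 branch is the detection point: a client that names a record other than its own is a signal to log and rate-limit, which the vulnerable handler cannot even distinguish from normal use.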
  • Speedx > 500,000 users
    • Game that uses a web API for scoring
      • Pretty simple
        • Scores get posted to scoreboard
        • Scoreboard is read and displayed to user
      • What fun could be had here?
  • Speedx – the hacks
    • Scoreboard API is easy to inject
      • Uses an HMAC, but the only value it protects is the time
      • Numeric values are still stored as strings
        • If these strings ever reach native code, a buffer overflow (BOF) is possible
        • Fake scoreboard test
          • May not be able to get that many chars in real scoreboard
    ( 987): pid: 5860, tid: 5860 >>> com.beepstreet.speedx <<<
    ( 987): signal 11 (SIGSEGV), fault addr f142a741
    ( 987): r0 00414141 r1 00000000 r2 f142a741 r3 ffffffff
    ( 987): r4 b000f448 r5 00004141 r6 00000000 r7 00119dc8
    ( 987): r8 ad00ee40 r9 0000bd18 10 4186bc38 fp 00000000
    ( 987): ip 00000000 sp bec737b0 lr b000099f pc 0003d6bc cpsr 80000030
    I/DEBUG ( 987): #00 pc 0003d6bc /system/lib/
    I/DEBUG ( 987): #01 pc 00055f94 /system/lib/
  • Speedx – the hacks
    • The scoreboard stores the data submitted and then does a “select * from scores” (I think) to provide the scores to the user.
    • What the user sees
  • Speedx – the hacks
    • What is really there..
    {"alltime":{"new":{"place":1,"percents":99},"table":[
      {"aid":"22a0000015s079eb","name":"narf","comment":"narf","date":"1270335048557","score":"999999"},
      {"aid":"22a1030007c697eb","name":"Justin","comment":"for kat","date":"1268933296866","score":"102835"},
      {"aid":"200149694edadfc","name":"guilou","comment":"au calme...","date":"1268771950965","score":"97028"},
      {"aid":"22a1500007c697eb","name":"Justin","comment":"for kat","date":"1267511769050","score":"83541"},
      {"aid":"20016203ca460ead","name":"Fred","comment":"u013au0093u008e~~~~~~","date":"1267684428484","score":"71843"},
      {"aid":"2006659695197d84","name":"cjd313","comment":"u0107u0083u00a8!u00e7u017cu0165u0107u02dbu009fu00e9u0087u008cu0107u00adu0165u00e4u015fu0086u0103u0080u0082My QQ:502202","date":"1267113644819","score":"70690"},
      {"aid":"200145969662417e","name":"John Black","date":"1267368779421","score":"63475"},
      {"aid":"200145969662710","name":"Hans_97","comment":"alles gut","date":"1268503563353","score":"58040"},
      {"aid":"2001455554fea233","name":"prophetu","comment":"salutare..!","date":"1267806544079","score":"52352"},
      {"aid":"200145966534e904","name":"Ecloud.ShangHai","comment":"u8349u6ce5u9a6c","date":"1270101863661","score":"48931"},
      {"aid":"null","name":"shanghai min","comment":"shanghai min","date":"1269935680096","score":"48399"},
      {"aid":"2001459964de306a","name":"dantist","comment":"Russian Federation 4pda :)","date":"1267518905207","score":"46980"},
      {"aid":"200145eee4fea233","name":"prophetu","comment":"salutare..!","date":"1267458383257","score":"46896"},
      {"aid":"2001459554de306a","name":"dantist","comment":"Russian Federation 4pda :)","date":"1267614148830","score":"46455"},
      {"aid":"null","name":"David","comment":"u7ffbu6c9fu91ccu2026","date":"1269871815973","score":"46374"},
      {"aid":"22a00666rd5f502","name":"jeff","comment":"aaaaaaaah! i died!","date":"1270272256156","score":"44884"},
      {"aid":"20014666c29b96a","name":"egi","date":"1267711523732","score":"42208"},
      {"aid":"null","name":"u8d85u97e6u8d85u9038u662fu5c0fu7acbu7684u7238","comment":"u97e6u8d85u9038u662fu5927u5927u795e","date":"1269335458359","score":"41503"},
      {"aid":"2044441f4a86b8e65","name":"Soaa-","comment":"omai!","date":"1267660861088","score":"40826"},
      {"aid":"22a5550007c697eb","name":"Justin","comment":"for kat","date":"1268320628749","score":"40505"},
      {"aid":"2006669694f24ea3","name":"RMB","comment":"HTC Hero","date":"1270246209401","score":"40360"},
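Added example (not Speedx's code): the scoreboard findings above are an HMAC that only covers the timestamp, numeric values stored as strings, and arbitrary comment text reaching every client's display. The server-side validator below binds the MAC to every submitted field, accepts the score only as a bounded integer, and caps and filters the free-text fields before they are stored. The key, field names and sample submission are constructed, as is the assumption that the key is embedded in the app build.

```python
"""Scoreboard submission integrity and validation.

Added example, not Speedx's code. The MAC here binds every field, and the
server stores typed, bounded values. Key and field names are constructed.
"""
import hashlib
import hmac
import json
import time
from typing import List, Optional

SHARED_KEY = b"constructed-demo-key"  # assumption: a key embedded in the app build
MAX_NAME, MAX_COMMENT, MAX_SCORE, MAX_AGE_SECONDS = 24, 80, 1_000_000, 300


def build_submission(aid: str, name: str, comment: str, score: int,
                     when: Optional[int] = None) -> dict:
    """Client side: assemble the fields that will be signed."""
    return {"aid": aid, "name": name, "comment": comment, "score": score,
            "time": int(time.time()) if when is None else int(when)}


def _canonical(fields: dict) -> bytes:
    # Deterministic serialization: the same fields always give the same bytes to the MAC.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def time_only_mac(fields: dict, key: bytes = SHARED_KEY) -> str:
    """The weak design the talk describes: only the time is authenticated."""
    return hmac.new(key, str(fields["time"]).encode(), hashlib.sha256).hexdigest()


def sign_submission(fields: dict, key: bytes = SHARED_KEY) -> str:
    """MAC over every field, so changing the score or comment invalidates the tag."""
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def validate_and_store(sub: dict, mac: str, board: List[dict],
                       key: bytes = SHARED_KEY, now: Optional[int] = None) -> str:
    """Server side: return 'ok' and append a typed row, or a rejection reason."""
    if not hmac.compare_digest(sign_submission(sub, key), mac):
        return "bad mac"
    try:
        when = int(sub["time"])
    except (KeyError, TypeError, ValueError):
        return "bad time"
    current = int(time.time()) if now is None else now
    if abs(current - when) > MAX_AGE_SECONDS:
        return "stale"  # a signed submission cannot be replayed indefinitely
    score = sub.get("score")
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= MAX_SCORE:
        return "bad score"  # strings such as "999" are rejected, not coerced
    name = str(sub.get("name", ""))[:MAX_NAME]
    comment = str(sub.get("comment", ""))[:MAX_COMMENT]
    if not (name.isprintable() and comment.isprintable()):
        return "bad text"  # control characters never reach the board or the rendering code
    board.append({"name": name, "comment": comment, "score": score, "time": when})
    return "ok"


if __name__ == "__main__":
    board: List[dict] = []
    sub = build_submission("constructed-aid", "narf", "hello", 999)
    print(validate_and_store(sub, sign_submission(sub), board), board)
```

The contrast to look at is `time_only_mac`: a tag computed that way is identical for the honest submission and for the same submission with the score rewritten, which is exactly why a MAC has to cover the fields that matter.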
  • Conclusion – so far...
    • Original theory proved!
      • The phone's abstraction layer hides the vulns from users
      • Plenty of data to steal
      • Scoreboards can be used as attack vector
    • But...
      • Limited targets/victims
      • Unrealistic attacks (too many chars)
      • Too easy and kinda boring
  • Stepping it up
    • New plan
      • Target the most popular apps
        • Still need apps that connect out
        • Funnier attacks
          • I will happily waste a zero day to rickroll someone :)
        • Need serious pwnage not just weak API attacks
      • Back to the market
  • MyBackup PRO > 1,000,000 users
    • 3rd most popular paid app
    • Cloud storage for data and apps (root only)
    • HTTPS – higher difficulty level
    • Password protected
      • we shall see
  • MyBackup PRO
    • Set up the phone for SSL MITM
      • Turned out to be pointless, their cert was invalid
    • My username is my #@!% MEID!
      • It sends this to my email
      • It does authenticate to the API and provides a basic auth token.
      POST /MyBackup/BackupsExec/UploadFiles4.aspx HTTP/1.0
      Cache-Control: no-cache
      Pragma: no-cache
      Authorization: Basic bWJwcm86bWJwcm80dUFuZG1lQW5kQWxs
      ty: 0
      v: 252
  • MyBackup PRO
    • Finally an app that really uses the password!
    • Authorization: Basic bWJwcm86bWJwcm80dUFuZG1lQW5kQWxs
      • W00T! My stuff is actually safe!
  • MyBackup PRO
    • SIKE!!!
    • Authorization: Basic bWJwcm86bWJwcm80dUFuZG1lQW5kQWxs
      • un-Base64'd = mbpro:mbpro4uAndmeAndAll
        • I think they used alternating case to make it more secure
      • Get the users MEID and upload whatever you want to the backups directory
  • MyBackup PRO
    • Backup file
      • Zip file includes several sqlite db's plus other files
        • Sqlite for instructions and settings
        • Files for images and apps
    • Trojan the backup – root user attack
      • Just trojan your own phone and create a backup
      • Upload the backup to the victim's storage
      • ???????
      • profit!
  • MyBackup PRO
    • NOT SO FAST!!!
      • The user has to approve the apps
        • No worries ;)
        • notatrojan (sms forwarder)
        • The user gets one more confirmation request but why would they stop now?
  • MyBackup PRO
    • Attacking regular users.
      • Same basic method but this time we focus on settings
        • Bookmarks can be altered to go to other sites
        • System (icon) bookmarks can be changed to point at other apps
        • Network settings...JACKPOT!
          • All your DNS are belong to me.
            • If the settings conflict with the network it falls back to DHCP
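Added example (not MyBackup PRO's code): two defensive steps against the backup findings above, namely that anyone who knows a MEID can upload into that user's storage, and that a restored backup can rewrite apps, bookmarks and network settings. First, the phone seals each backup with a key derived from the user's password, which never leaves the device, so the restore path refuses an archive the phone did not produce. Second, a verified backup is split into settings applied silently, items that need a per-item decision, and unknown groups that are refused. The backup structure, setting keys and package names are constructed; the real archive is a zip of SQLite databases and files.

```python
"""Backup integrity and restore policy for cloud-stored phone backups.

Added example, not MyBackup PRO's code. Backup contents, setting keys and
package names are constructed.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple

SAFE_KEYS = {"ringtone", "wallpaper", "brightness"}  # reversible, no trust impact
CONSENT_KEYS = {"dns1", "dns2", "http_proxy", "bookmarks", "icon_shortcuts"}  # redirect traffic or taps
SALT_LEN, TAG_LEN = 16, 32

SAMPLE_BACKUP = {  # constructed stand-in for the settings and app list inside a backup
    "settings": {
        "ringtone": "chime",
        "dns1": "8.8.8.8",
        "icon_shortcuts": {"Browser": "com.example.other"},
        "debug_flags": "verbose",
    },
    "apps": ["com.example.notatrojan", "com.example.game"],
}


def _backup_key(password: str, salt: bytes) -> bytes:
    """Key derived on the phone from the user's password; the server never sees either."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def seal_backup(backup: dict, password: str) -> bytes:
    """salt || HMAC-SHA256(body) || body: anyone can read it, only the password holder can mint it."""
    salt = os.urandom(SALT_LEN)
    body = json.dumps(backup, sort_keys=True).encode()
    tag = hmac.new(_backup_key(password, salt), body, hashlib.sha256).digest()
    return salt + tag + body


def open_backup(blob: bytes, password: str) -> Optional[dict]:
    """Parse the body only after the tag verifies; a swapped or edited archive yields None."""
    if len(blob) < SALT_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    body = blob[SALT_LEN + TAG_LEN:]
    expected = hmac.new(_backup_key(password, salt), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def plan_restore(backup: dict) -> Tuple[Dict[str, object], List[str], List[str]]:
    """Split a verified backup into (apply silently, ask per item, refuse)."""
    apply_now: Dict[str, object] = {}
    ask: List[str] = []
    refuse: List[str] = []
    for key, value in backup.get("settings", {}).items():
        if key in SAFE_KEYS:
            apply_now[key] = value
        elif key in CONSENT_KEYS:
            ask.append(f"set {key} to {value!r}")
        else:
            refuse.append(key)  # unknown setting groups are never written
    for pkg in backup.get("apps", []):
        ask.append(f"install {pkg}")  # one decision per package, not one blanket prompt
    return apply_now, ask, refuse


if __name__ == "__main__":
    blob = seal_backup(SAMPLE_BACKUP, "hunter2")
    restored = open_backup(blob, "hunter2")
    print(plan_restore(restored) if restored else "backup rejected")
```

The seal does not hide the backup's contents; it only proves which password produced it. If confidentiality of the archive is also wanted, an authenticated encryption mode should replace the plain HMAC, but the restore-side policy stays the same.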
  • Bump > 10,000,000 users
    • Appaliscious
      • Bump Android app is the new business card
    • Gizmodo
      • Bump 2.0 Scores With Facebook, Twitter, And LinkedIn Capabilities
    • Entrepreneur
      • Entrepreneur's Annual 100 Brilliant Ideas - Mobile Tech top 10
    • WSJ
      • PayPal Bumps iPhone Payments to New Level
  • Bump – from their site
    • Q. What is bump?
    • A. Bump is a quick and easy way to connect two phones, simply bump them together. Share contacts info, pictures, calendar events, and even connect on social networks with just a bump.
    • Q. How does it work?
    • A. We use various techniques to limit the pool of potential matches, including location information and characteristics of the bump event. If you are bumping in a particularly dense area (ex, at a conference), and we cannot resolve a unique match after a single bump, we'll just ask you to bump again. Our CTO has a PhD in Quantum Mechanics and can show the math behind that, but we suggest downloading Bump and trying it yourself!
    • Q. Is Bump secure?
    • A. When we built Bump, our number one priority was creating the best possible user experience we could. Security of your personal information is a huge part of that experience. First, all communications between your phone and our servers are encrypted and sent using https - the same encryption that is used for online banking. Second, the nice thing about Bump is that *you* are in control of deciding with whom you share your information. You don't have to worry about anyone being able to get at your information unless you physically bump your phone with theirs.
  • Bump – My opinion
    • Q. What is bump?
      • A. Another silly way to get owned and break your phone.
    • Q. How does it work?
      • A. Your phone sends GPS data and the time of the bump to their servers. If another bump matches you get an offer to connect. Took about 2 hrs.
    • Q. Is bump secure?
      • A. Online banking encryption standards have really fallen.
  • Bump
    • A “mailbox” is created on the server using the MEID and the path
      • App checks “mailbox” about once a second
      • When bumped the time and location are sent to the bump servers
        • If a match is found the server leaves the connect data in the box and is retrieved on the next status check
        • No authentication is used
        • No unique values until the other phone approves the data
  • Bump server (message sequence diagram, flattened in the transcript): Bump sent → Status ok → Status check → Bump matched → Confirm + data → Other user confirms → Status check → Other user data → Status check
  • Bump
    • Problems
      • Phone sets location and time
        • This also includes fault tolerance
          • Change GPS accuracy from feet to miles
          • Submit multiple bumptimes at once ( discussed later)
      • Since no auth is needed
        • We can intercept anything meant for victims phone
          • After we grab it we sleep so that they can re-bump
        • We can create several bumpers
          • Multi threaded bumpers can intercept all bumps in a location
          • Target Conferences or dense population areas
  • Bump
    • So...
      • We can intercept anything on a specific target
      • We can flood an area with bump to catch all data
        • We could also flood users with a payload
          • Images are the obvious target but other options are available
    • Still no massive pwnage :(
      • What else can be done?
  • Paypal Bump
    • Paypal side is very secure
      • Until they ask you to create a pin
        • 6 digit pin
    • Bump API
      • Allows multiple bumptimes
        • Intended to cover timezone differences
          • Submit 10 bumptimes ¼ sec apart
      • API key transferred in the clear
        • Used as the logon for the Bump site
          • I did not do this.
      • Uses SSL only after all key values sent in cleartext
        • Transfers MEID and phone# to other user
  • Demo
    • Fun with paypal bump
    • Why does this work?
      • Bump API uses MEID as unique identifier
        • Sends this value to other users app
        • Regular bump requires a fake bump to get MEID
      • VZ apps all authenticate using
        • Base64'd MEID
        • Other values submitted
      • What else can we do with this?
  • VZ apps
  • My VZ
    • Change voice-mail password
    • Change portal password
    • Last 4 digits of credit card
      • Make a payment
    • Get or change mailing address
      • Upgrade phone and have it sent somewhere else
    • Flaw affects all VZ users
    • Other stuff...
  • VZ tones
    • Purchase several thousand ringtones
    • Purchase and set ringback tones
      • Set Rickroll ringback tones on a few thousand phones
    • Exposes where ringtones are hosted
      • Download all ringtones for free
  • VZ
    • Fixing the issue by the end of the month
    • Adding a vulnerability reporting email
    • Very cool guys
  • Browser – all of them
    • Webkit based
    • Permissions
      • Auth to google
      • Coarse and fine GPS
      • SD card access
      • Internet access
      • Everything else you would expect
  • Breaking Android's Arm
    • Java app but data is passed to native back-end
    • No advisories for WebKit on Android
      • 0-days in the open
      • CVE-2010-1807
  • Breaking Android's Arm
    • R1 gets over-written with a value of our choosing. I chose “0000b33f” just for an example.
    I/DEBUG ( 28): Build fingerprint: 'generic/sdk/generic/:2.0.1/ESD54/20723:eng/test-keys'
    I/DEBUG ( 28): pid: 702, tid: 714 >>> <<<
    I/DEBUG ( 28): signal 11 (SIGSEGV), fault addr 00000030
    I/DEBUG ( 28): r0 00000000 r1 0000b33f r2 45d320a0 r3 fffffffe
    I/DEBUG ( 28): r4 aa413738 r5 45357c10 r6 45d320a0 r7 0039bda0
    I/DEBUG ( 28): r8 45358d88 r9 426f6ed8 10 426f6ec0 fp 002e9150
    I/DEBUG ( 28): ip 00000006 sp 45357bd8 lr aa0479eb pc aa00c142 cpsr 60000030
    I/DEBUG ( 28): #00 pc 0000c142 /system/lib/
    I/DEBUG ( 28): #01 pc 000479e6 /system/lib/
    I/DEBUG ( 28): #02 pc 002b9d70 /system/lib/
    I/DEBUG ( 28): #03 pc 002ba95a /system/lib/
    I/DEBUG ( 28): #04 pc 002bad8a /system/lib/
    I/DEBUG ( 28): #05 pc 002badba /system/lib/
    I/DEBUG ( 28): #06 pc 002b8a2c /system/lib/
    I/DEBUG ( 28): #07 pc 002b8a46 /system/lib/
    I/DEBUG ( 28): #08 pc 001cba26 /system/lib/
    I/DEBUG ( 28): #09 pc 001d22b4 /system/lib/
  • Breaking Android's Arm
    • Using other registers to track pc:
    I/DEBUG ( 28): Build fingerprint: 'generic/sdk/generic/:2.0.1/ESD54/20723:eng/test-keys'
    I/DEBUG ( 28): pid: 737, tid: 749 >>> <<<
    I/DEBUG ( 28): signal 4 (SIGILL), fault addr 0057817c
    I/DEBUG ( 28): r0 0057814c r1 00578150 r2 00578154 r3 00578158
    I/DEBUG ( 28): r4 0057815c r5 00578160 r6 45c170f8 r7 0067c950
    I/DEBUG ( 28): r8 45458d80 r9 426f9ee0 10 426f9ec8 fp 002eaf68
    I/DEBUG ( 28): ip 00000006 sp 45457b10 lr aa00c149 pc 0057817c cpsr 00000010
    I/DEBUG ( 28): #00 pc 0057817c [heap]
    I/DEBUG ( 28): #01 pc 0000c146 /system/lib/
    I/DEBUG ( 28): #02 pc 000479e6 /system/lib/
    I/DEBUG ( 28): #03 pc 002b9d70 /system/lib/
    I/DEBUG ( 28): #04 pc 002ba95a /system/lib/
    I/DEBUG ( 28): #05 pc 002bad8a /system/lib/
    I/DEBUG ( 28): #06 pc 002badba /system/lib/
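Added example (not tooling from the talk): a small triage script for the I/DEBUG crash lines shown on these two slides and on the earlier Speedx slide. It parses signal, fault address, registers and backtrace frames out of the dump text and flags indicators that controlled data reached the crash site: repeated-byte filler in a register, a frame #00 executing from [heap], a SIGILL at the fault address, or r0..r5 holding consecutive addresses. The two sample dumps are constructed from the register values shown on the slides; library names in the backtraces are blank because the transcript dropped them.

```python
"""Triage helper for Android debuggerd crash lines (the I/DEBUG output on the slides).

Added example, not tooling from the talk. Sample dumps are constructed from
the register values on the slides.
"""
import re
from typing import List

SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\), fault addr ([0-9a-f]{8})")
REG_RE = re.compile(r"\b(r\d{1,2}|10|fp|ip|sp|lr|pc|cpsr) ([0-9a-f]{8})\b")
FRAME_RE = re.compile(r"#(\d\d) pc ([0-9a-f]{8}) (\S+)")

SPEEDX_DUMP = """\
( 987): pid: 5860, tid: 5860 >>> com.beepstreet.speedx <<<
( 987): signal 11 (SIGSEGV), fault addr f142a741
( 987): r0 00414141 r1 00000000 r2 f142a741 r3 ffffffff
( 987): r4 b000f448 r5 00004141 r6 00000000 r7 00119dc8
( 987): r8 ad00ee40 r9 0000bd18 10 4186bc38 fp 00000000
( 987): ip 00000000 sp bec737b0 lr b000099f pc 0003d6bc cpsr 80000030
I/DEBUG ( 987): #00 pc 0003d6bc /system/lib/
I/DEBUG ( 987): #01 pc 00055f94 /system/lib/
"""

HEAP_PC_DUMP = """\
I/DEBUG ( 28): pid: 737, tid: 749 >>> <<<
I/DEBUG ( 28): signal 4 (SIGILL), fault addr 0057817c
I/DEBUG ( 28): r0 0057814c r1 00578150 r2 00578154 r3 00578158
I/DEBUG ( 28): r4 0057815c r5 00578160 r6 45c170f8 r7 0067c950
I/DEBUG ( 28): r8 45458d80 r9 426f9ee0 10 426f9ec8 fp 002eaf68
I/DEBUG ( 28): ip 00000006 sp 45457b10 lr aa00c149 pc 0057817c cpsr 00000010
I/DEBUG ( 28): #00 pc 0057817c [heap]
I/DEBUG ( 28): #01 pc 0000c146 /system/lib/
"""


def parse_tombstone(text: str) -> dict:
    """Extract signal, fault address, registers and backtrace frames from dump text."""
    info: dict = {"signal": None, "fault_addr": None, "regs": {}, "frames": []}
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            info["signal"] = (int(m.group(1)), m.group(2))
            info["fault_addr"] = int(m.group(3), 16)
        elif "#" in line:  # backtrace lines also say "pc", so keep them out of the register map
            for num, pc, mapping in FRAME_RE.findall(line):
                info["frames"].append((int(num), int(pc, 16), mapping))
        else:
            for name, val in REG_RE.findall(line):
                info["regs"]["r10" if name == "10" else name] = int(val, 16)  # debuggerd prints r10 as "10"
    return info


def looks_like_filler(val: int) -> bool:
    """True for values such as 00414141 or 00004141: one byte repeated, ignoring leading zeros."""
    if val in (0, 0xFFFFFFFF):
        return False
    body = val.to_bytes(4, "big").lstrip(b"\x00")
    return len(body) >= 2 and len(set(body)) == 1


def triage(info: dict) -> List[str]:
    """Return human-readable indicators that controlled data reached the crash site."""
    regs, frames, findings = info["regs"], info["frames"], []
    for name, val in regs.items():
        if looks_like_filler(val):
            findings.append(f"{name}={val:08x} is repeated-byte filler")
    if frames and frames[0][2] in ("[heap]", "[stack]"):
        findings.append(f"frame #00 runs from {frames[0][2]} at {frames[0][1]:08x}")
    if info["signal"] and info["signal"][1] == "SIGILL" and regs.get("pc") == info["fault_addr"]:
        findings.append("SIGILL with pc == fault addr: pc points at non-code memory")
    seq = [regs.get(f"r{i}") for i in range(6)]
    if None not in seq and all(seq[i + 1] - seq[i] == 4 for i in range(5)):
        findings.append("r0..r5 advance by 4: loaded from one contiguous buffer")
    return findings


if __name__ == "__main__":
    for dump in (SPEEDX_DUMP, HEAP_PC_DUMP):
        print(triage(parse_tombstone(dump)))
```

Run against the second slide's dump the script reports all three structural signs at once (heap frame, SIGILL at pc, stride through r0..r5), which is the shape a crash-reporting pipeline should escalate rather than file as an ordinary bug.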
  • Demo 2:
  • Lessons Learned
    • Not if but when
      • Attacks are going to happen. Be prepared
    • Phones are an abstraction layer
      • The apps' behaviour is not that different from PC software of 10 years ago
        • Researching the apps is difficult and providers are not going to help
      • The phone's security is there to keep you out, not attackers
      • Security by obscurity only gets you so far
    • Phones and laptops are the same thing and should be treated that way
      • Policies need to be put in place to at least protect the company
      • Security teams need more tools to keep an eye on phones
    • Just because the developer's intent was not malicious does not mean it won't be used that way by others
  • Better watch your apps! Thank you