Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Csw2016 chaykin having_funwithsecuremessengers_and_androidwear

1,471 views

Published on

CanSecWest2016

Published in: Internet
  • Be the first to comment

Csw2016 chaykin having_funwithsecuremessengers_and_androidwear

  1. 1. Having fun with secure messengers and Android Wear (and Android Auto) Artem Chaykin Positive Technologies CanSecWest’16
  2. 2. Who I am? •  Russian hacker / Putin’s agent •  Mobile application security team lead •  SCADA Strangelove Team •  RDot.Org team member
  3. 3. Android IPC basics •  Private memory for each process •  Data is passed through kernel module – Binder •  Intent-based
  4. 4. Intents •  Intent is an object •  App1 can send intents to exported components of App2 Intent Package name Component name Ac0on Data
  5. 5. Android IPC basics Binder App 1 App N App 2
  6. 6. Android IPC basics App1 Binder IAc/vityManager
  7. 7. Android IPC basics App1 Binder IAc/vityManager App2
  8. 8. Example 0x1: MobiDM
  9. 9. Example 0x1: MobiDM
  10. 10. Example 0x1: MobiDM
  11. 11. PendingIntent Intent Iden/ty Permissions •  getActivity() •  getService() •  getBroadcast()
  12. 12. PendingIntent App1
  13. 13. PendingIntent App1 App2 pIntent
  14. 14. PendingIntent App1 App2 pIntent
  15. 15. PendingIntent App1 App2 pIntent
  16. 16. PendingIntent •  AlarmManager •  NotificationManager •  Identity confirmation
  17. 17. Example 0x2 – PendingIntent hijacking •  3rd party push services •  Identity confirmation Victims:
  18. 18. Example 0x2 – Victim:
  19. 19. Example 0x2 – Victim: •  Exploit:
  20. 20. Android Wear & Android Auto •  Remote Input class is based on PendingIntent
  21. 21. Android Wear & Android Auto •  Remote Input class is based on PendingIntent
  22. 22. Android Wear & Android Auto
  23. 23. Android Wear & Android Auto
  24. 24. Android Wear & Android Auto Voice reply
  25. 25. Example 0x3: Spam Victim: •  Bug:
  26. 26. Example 0x3: Spam Victim: •  Bug:
  27. 27. Example 0x3: Spam Victim: •  Exploit:
  28. 28. Example 0x3: Spam Victim: •  Result:
  29. 29. Example 0x3: Spam •  Victims:
  30. 30. Example 0x3: Intercepting Victim: •  Bug:
  31. 31. Example 0x3: Intercepting Victim: •  Exploit:
  32. 32. Example 0x3: Intercepting •  Android Auto victims: •  Android Wear victims:
  33. 33. Detecting with Xposed module
  34. 34. Fixes Still no thanks •  Signal – emailed Moxie – fixed same day – got “thanks” •  Telegram – emailed security@ - partial fix after ~ 45 days -
  35. 35. Microsoft
  36. 36. Microsoft
  37. 37. Fin! Questions?

×