CNIT 128 7. Attacking Android Applications (Part 1)

For a college class: Hacking Mobile Devices at CCSF

Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml

  1. CNIT 128 Hacking Mobile Devices 5. Attacking Android Applications Part 1
  2. Topics • Part 1 • Exposing Security Model Quirks • Attacking Application Components (to p. 271) • Part 2 • Attacking Application Components (finishes)
  3. Topics • Part 3 • Accessing Storage and Logging • Misusing Insecure Communications • Exploiting Other Vectors • Additional Testing Techniques
  4. Three Main Components
  5. Application Container • Ways to defeat application sandbox • Gain access to app data • Malicious app on a device • Physical access to device • Other vulnerabilities in the app
  6. Communications • ARP poisoning • Hosting a malicious wireless network • Compromising upstream providers • Intercept and modify traffic
  7. Internet Server • Server may have vulnerabilities • Compromised server exposes all information flowing to and from mobile apps
  8. Exposing Security Model Quirks
  9. Interacting with App Components
  10. targetSdkVersion • Determines default publishing of components • Other values: compileSdkVersion and minSdkVersion (link Ch 7a)
  11. Android Distribution Dashboard • Link Ch 7b
  12. Explicitly Exported Components • Explicitly exported: android:exported="true" in the manifest • Unspecified: a content provider is exported implicitly if targetSdkVersion < 17 (activities, services and receivers without the attribute follow the intent-filter rule on the next slide)
  13. Implicitly Exported • Any component using an <intent-filter> is exported by default • Like this activity
  14. Finding Exported Components • Examine Manifest • Drozer's attacksurface module shows exported components
  15. app.<component>.info • Broadcast receivers exposed by the Android browser
  16. Intent Filters • -i switch
  17. Supreme User Contexts • root and system users can interact with application components • Even when they are not exported • Components that are not exported in the manifest are private • Limited to internal use by the app • Only attackers with root privileges can attack them
  18. Permission Protection Levels • Best protection is a custom permission with protection level signature • Only apps with the same signature can have that permission
  19. Protection Level Downgrade Attack • The first app that sets a permission's protection level wins • Later apps can't change it • A malicious app that defines a permission first can downgrade its permission level, for example to normal • Fixed in Android 5.0 • Links Ch 7e, 7f
  20. Attacking Application Components (to p. 271)
  21. Intents • Intent is a data object that defines a task to be performed • To start an activity, call startActivity(Intent) • sendBroadcast(Intent) sends to a broadcast receiver • startService(Intent) sends to a service • Intent is generic, does not specify the type of component receiving it
  22. Example • Link Ch 7g
  23. Explicit Intents • State the component that must receive it • Using setComponent() or setClass() • Bypasses the intent resolution process in the OS • Directly delivers the intent to the specified component
  24. Implicit Intent • Does not specify the component to be used • Relies on the OS to determine the best candidate to deliver it to • Ex: "Play this MP3" • Using whatever player is available • A box may pop up asking the user which app to use
  25. Example • This intent tells the Android system to display a webpage • All installed Web browsers should have registered for it via an intent filter
  26. Intent Filters • Defined by installed apps • Filters can match • Action • Data • Category • Action is mandatory
  27. Example Intent Filters
  28. Example Intent Filters
  29. am: Activity Manager • Part of Android • Lets you send intents to app components • Link Ch 7h
  30. Sieve: vulnerable password manager
  31. Attack Surface
  32. Activity Info • No Permissions on them: they are unprotected • Any app or user can launch them
  33. PIN Bypass • Reveals usernames
  34. Auditing Content Providers • Only /Keys requires permissions
  35. Finding URIs • /Passwords requires no permissions
  36. Password Exposure • It's not in plaintext yet
  37. SQL Injection • SQL error indicates vulnerability • Enumerate table names
  38. Reveal Plaintext Password
  39. Real-World Examples
  40. Lock Screen Bypass • adb shell am start -n com.android.settings/com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task
  41. Tapjacking • Malicious app overlays a false UI on top of buttons • So taps activate something unexpected • Using toasts, small graphic elements that are drawn on top of other apps' windows
  42. Recently-Used App Screenshots • May contain sensitive info • Stored in RAM • Only available to privileged users
  43. Fragment Injection • On Android 4.3 and earlier • Using a "fragment", could change PIN without knowing old PIN
  44. Opens this screen directly
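The export rules from slides 10 to 19 (explicit android:exported, implicit export through an intent filter, the content-provider default below targetSdkVersion 17, and custom permissions that are only strong at protection level signature) applied to a decoded manifest. This is an added example, not code from the slides, from drozer or from the course; the manifest, package name and class names are constructed for it. It does not model the root/system case from slide 17, where non-exported components are still reachable.

```python
"""Classify the components of a decoded AndroidManifest.xml as exported or private.

Rules applied (from the slides): an explicit android:exported attribute wins;
otherwise a component that declares an <intent-filter> is exported; a <provider>
with no android:exported attribute is exported when targetSdkVersion < 17.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest in the decoded form apktool produces (example data only).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vault">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
  <permission android:name="com.example.vault.READ_KEYS" android:protectionLevel="signature"/>
  <permission android:name="com.example.vault.USE_PIN" android:protectionLevel="normal"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PinActivity" android:exported="true"
              android:permission="com.example.vault.USE_PIN"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.vault.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DBContentProvider" android:authorities="com.example.vault.DBContentProvider"/>
    <provider android:name=".KeyProvider" android:authorities="com.example.vault.KeyProvider"
              android:readPermission="com.example.vault.READ_KEYS"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def target_sdk(root):
    """targetSdkVersion, falling back to minSdkVersion and then to 1 as Android does."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    value = _attr(uses_sdk, "targetSdkVersion") or _attr(uses_sdk, "minSdkVersion")
    return int(value) if value else 1


def export_reason(elem, tsdk):
    """Return why the component is exported, or None if it is private."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return 'android:exported="true"' if explicit.lower() == "true" else None
    if elem.tag == "provider":
        return "provider default (targetSdkVersion < 17)" if tsdk < 17 else None
    return "has <intent-filter>" if elem.find("intent-filter") is not None else None


def exported_components(manifest_xml):
    """Map each exported component's full name to its type, export reason and the
    permissions guarding it (with the protection level this app defines for them)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    tsdk = target_sdk(root)
    levels = {_attr(p, "name"): (_attr(p, "protectionLevel") or "normal")
              for p in root.findall("permission")}
    found = {}
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS:
            continue
        reason = export_reason(elem, tsdk)
        if reason is None:
            continue
        name = _attr(elem, "name") or ""
        if name.startswith("."):
            name = pkg + name
        perms = [p for p in (_attr(elem, a) for a in ("permission", "readPermission", "writePermission")) if p]
        found[name] = {"type": elem.tag, "reason": reason,
                       "permissions": {p: levels.get(p, "not defined by this app") for p in perms}}
    return found


def unprotected(manifest_xml):
    """Exported components with no permission at all: any app or user can reach them."""
    return sorted(n for n, i in exported_components(manifest_xml).items() if not i["permissions"])


def non_signature_protected(manifest_xml):
    """Exported components whose only guards are app-defined permissions below signature
    level, the situation the protection-level downgrade attack targets."""
    out = []
    for name, info in exported_components(manifest_xml).items():
        lv = list(info["permissions"].values())
        if lv and all(v != "not defined by this app" and "signature" not in v for v in lv):
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    for name, info in exported_components(SAMPLE_MANIFEST).items():
        print("%-9s %-38s %-40s %s" % (info["type"], name, info["reason"], info["permissions"] or "NO PERMISSION"))
```

Change the constructed targetSdkVersion from 16 to 17 and both providers drop out of the exported set, which is the slide 12 point in one line; SyncService stays private despite its intent filter because the explicit attribute wins.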
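The content-provider attack from slides 34 to 38 (an unprotected content URI, a single quote in the projection producing a SQL error, then a crafted projection that enumerates table names and finally reads the plaintext master password) simulated with sqlite3. This is an added example and is not Sieve's code or data; the tables, rows and column names are constructed. The vulnerable function models a query() that splices the caller's projection into the SELECT text, and the hardened one beside it whitelists columns and binds the only caller-controlled filter.

```python
"""Content provider SQL injection through the projection, and a hardened query."""
import sqlite3

ALLOWED_COLUMNS = ("_id", "service", "username", "password")


def build_db():
    """In-memory stand-in for the app's database (constructed data): Passwords holds
    encrypted entries, Key holds the master password and PIN in the clear."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, "
               "username TEXT, password BLOB)")
    db.execute("CREATE TABLE Key (Password TEXT, pin TEXT)")
    db.executemany("INSERT INTO Passwords (service, username, password) VALUES (?, ?, ?)",
                   [("Email", "alice", b"\x9c\x1f\x44"), ("Bank", "bob", b"\x02\xee\x71")])
    db.execute("INSERT INTO Key VALUES (?, ?)", ("MasterPass1!", "1234"))
    return db


def vulnerable_query(db, projection, selection=None, selection_args=()):
    """Models db.query(table, projection, selection, selectionArgs): the projection
    list is joined with ', ' straight into the SELECT, which is where the injection lands."""
    columns = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM Passwords" % columns
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql, selection_args).fetchall()


def safe_query(db, projection, service=None):
    """Hardened form: unknown column names are rejected and the only filter the caller
    controls is bound as a parameter, never spliced into the SQL text."""
    projection = list(projection) or list(ALLOWED_COLUMNS)
    bad = [c for c in projection if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError("unknown column(s): %s" % ", ".join(bad))
    sql = "SELECT %s FROM Passwords" % ", ".join(projection)
    args = ()
    if service is not None:
        sql += " WHERE service = ?"
        args = (service,)
    return db.execute(sql, args).fetchall()


def safe_query_rejects(db, projection):
    """True if the hardened query refuses the projection instead of running it."""
    try:
        safe_query(db, projection)
    except ValueError:
        return True
    return False


def probe(db):
    """Slide 37, step 1: a lone quote in the projection yields a SQL error (returned
    as text), which is the signal that the projection reaches the SQL parser."""
    try:
        vulnerable_query(db, ["'"])
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def table_names(db):
    """Slide 37, step 2: read sqlite_master through the projection; the trailing '--'
    comments out the provider's own ' FROM Passwords'."""
    rows = vulnerable_query(db, ["name FROM sqlite_master WHERE type='table' --"])
    return [r[0] for r in rows]


def master_password(db):
    """Slide 38: pull the plaintext master password out of the Key table."""
    rows = vulnerable_query(db, ["Password FROM Key --"])
    return rows[0][0]


if __name__ == "__main__":
    db = build_db()
    print("probe error:", probe(db))
    print("tables:", table_names(db))
    print("master password:", master_password(db))
    print("hardened query on the same payload rejects it:", safe_query_rejects(db, ["Password FROM Key --"]))
```

The same chain on a real device is driven through drozer's app.provider.query with the --projection switch, as the slides show; the simulation only makes the query construction visible so the error-then-enumerate-then-extract sequence can be traced.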
