Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare
What to Upload to SlideShare
Loading in …3
×
1 of 41

CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)

Mar. 13, 2019
0 likes 314 views

0

Share

Download to read offline

Education

For a college class: Hacking Mobile Devices at CCSF

Based on "The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell

Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml

Recommended

Related Books

Free with a 30 day trial from Scribd

See all
Fighting Forward: Your Nitty-Gritty Guide to Beating the Lies That Hold You Back Hannah Brencher
(3.5/5)
Free
No One Succeeds Alone: Learn Everything You Can from Everyone You Can Robert Reffkin
(4/5)
Free
Dedicated: The Case for Commitment in an Age of Infinite Browsing Pete Davis
(5/5)
Free
Let's Talk About Hard Things Anna Sale
(4/5)
Free
High Conflict: Why We Get Trapped and How We Get Out Amanda Ripley
(4.5/5)
Free
Girl, Wash Your Face: Stop Believing the Lies About Who You Are so You Can Become Who You Were Meant to Be Rachel Hollis
(3.5/5)
Free
Uninvited: Living Loved When You Feel Less Than, Left Out, and Lonely Lysa TerKeurst
(4.5/5)
Free
Never Split the Difference: Negotiating As If Your Life Depended On It Chris Voss
(4.5/5)
Free
Boundaries Updated and Expanded Edition: When to Say Yes, How to Say No To Take Control of Your Life Henry Cloud
(4/5)
Free
Maybe You Should Talk to Someone: A Therapist, HER Therapist, and Our Lives Revealed Lori Gottlieb
(4.5/5)
Free
Girl, Stop Apologizing: A Shame-Free Plan for Embracing and Achieving Your Goals Rachel Hollis
(3.5/5)
Free
Dry: A Memoir Augusten Burroughs
(4.5/5)
Free
The 7 Habits of Highly Effective People Personal Workbook Stephen R. Covey
(4/5)
Free
Less Fret, More Faith: An 11-Week Action Plan to Overcome Anxiety Max Lucado
(4.5/5)
Free
How May I Serve Karen Mathews
(3.5/5)
Free
The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good Life Mark Manson
(4.5/5)
Free

Related Audiobooks

Free with a 30 day trial from Scribd

See all
Dad on Pills: Fatherhood and Mental Illness Chris Gethard
(5/5)
Free
Already Enough: A Path to Self-Acceptance Findaway
(0/5)
Free
Beyond Small Talk: How to Have More Dynamic, Charismatic and Persuasive Conversations Patrick King
(4.5/5)
Free
Full Out: Lessons in Life and Leadership from America's Favorite Coach Monica Aldama
(4.5/5)
Free
A Body to Love: Cultivate Community, Body Positivity, and Self-Love in the Age of Social Media Angelina Caruso
(4/5)
Free
Stress and Stressors: Avoiding and Managing Stress and Burnout at Work Brandy Payne
(4.5/5)
Free
Extraordinary Awakenings: When Trauma Leads to Transformation Steve Taylor
(3.5/5)
Free
My Friend Fear: How to Move Through Social Anxiety and Embrace the Life You Want Rose Berry
(4/5)
Free
Mindset Shifts: Embracing a Life of Personal Growth Tara Omorogbe
(5/5)
Free
Self-Help for the Helpless: A Beginner's Guide to Personal Development, Understanding Self-care, and Becoming Your Authentic Self Shelley Wilson
(5/5)
Free
Minimal Finance: Forging Your Own Path to Financial Freedom Sam Dixon Brown
(3.5/5)
Free
The Design Thinking Mindset: How to Access the Power of Innovation Darin Eich
(5/5)
Free
Bloom Forward: Healing from Trauma Emmy Marie
(4/5)
Free
Power, for All: How It Really Works and Why It's Everyone's Business Julie Battilana
(4.5/5)
Free
Feeding the Soul (Because It's My Business): Finding Our Way to Joy, Love, and Freedom Tabitha Brown
(5/5)
Free
Necessary Conversations: Changing Your Mindset to Communicate Confidently and Productively Liz Nolley Tillman
(5/5)
Free

CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)

  1. 1. CNIT 128 Hacking Mobile Devices 8. Identifying and Exploiting 
 Android Implementation Issues Part 1
  2. 2. Topics • Part 1 • Reviewing Pre-installed Applications • Exploiting Devices • Start through "Explanation of Privilege Levels" (up to p. 375)
  3. 3. Topics • Part 2 • Exploiting Devices • "Practical Physical Attacks" (p. 376) through • "Man-in-the-Middle Exploits" (up to p. 401)
  4. 4. Topics • Part 3 • Exploiting Devices • "Injecting Exploits for JavaScript Interfaces" (p. 401) and following • Infiltrating User Data
  5. 5. Reviewing Pre-Installed Applications
  6. 6. Root Access • Each installed app has its own attack surface • But when you exploit an app, you get access with the privileges of that app • Not root access • But you can often exfiltrate user data without root access
  7. 7. Find Powerful Apps
  8. 8. INSTALL PACKAGES • Exploiting an app with this permission allows an attacker to install a Trojan app • Permission level signature|system • Defined by the android package
  9. 9. Drozer on an Emulator • Real devices have many more apps with this dangerous permission
  10. 10. Apps Running as System • On an emulator • Many more on a real device (66 in book)
  11. 11. Finding Remote Attack Vectors
  12. 12. Techniques • Trick user into installing a malicious app • Server-side: exploit a listening port • Client-side: open a malicious document
  13. 13. Browsers and Document Readers • Frequently vulnerable • Complex parsers written in native code • Fuzzers can fund vulnerabilities • Samsung has Polaris Viewer for PDFs by default • No PDF reader on my emulator
  14. 14. BROWSEABLE Activities • Allows users to open content inside an installed app rather than the browser • App stores installed on the device use this functionality • To open links that point to apps
  15. 15. Manifest • From a rogue Drozer agent • Opening a link starting with pwn:// will open this activity • But not in an iframe anymore <activity android:name="com.mwr.dz.PwnActivity"> <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="pwn" /> </intent-filter> </activity>
  16. 16. Two Methods • Via pwn:// URI or "web intent" <a href="pwn://me">Start drozer<a> <a href="intent://me/#Intent;scheme=pwn;end">
 Start Drozer</a>
  17. 17. Many apps use BROWSABLE filters on my emulator
  18. 18. Custom Update Mechanisms • Apps often write their own update mechanisms • Rather than using the Play Store • This requires the INSTALL_PACKAGES permission • Code may be vulnerable • May check for a new file over HTTP or broken HTTPS
  19. 19. Remote Loading of Code • Link Ch 8b
  20. 20. Remote Loading of Code • Apps can load new code at runtime • Using the Java Reflection API • With the DexClassLoader class • May load code over the network, or from a local location that can be overwritten by other applications • May cause code injection vulnerabilities
  21. 21. WebViews • Recipe for disaster • Using a WebView • Defining a JavaScript interface • Loading from a cleartext source or having SSL bypass code • Targeting API versions prior to 17 or using an Android version earlier than 4.2 • May allow JavaScript code injection
  22. 22. Listening Services • Android is unlikely to have listening ports • My Genymotion has a few
  23. 23. Messaging Applications • Examples, may be vulnerable • Short Message Service (SMS) • Multimedia Messaging Service (MMS) • Commercial Mobile Alert System (CMAS) • Email clients • Chat clients
  24. 24. Finding Local Vulnerabilities • Manual process • Download all installed apps • Convert them to readable source code • Use grep to search for vulnerabilities • Or use Drozer's scanner modules
  25. 25. Drozer's SQLi Scanner • Doesn't find the Sieve SQL injection
  26. 26. Exploiting Devices
  27. 27. Remote and Local Exploits • Remote exploit • Gives attacker a foothold on the device • Such as software exploits, MITM attacks, or malware • Local exploit • Requires a foothold on the device already • Local privilege escalation
  28. 28. Using Attack Tools
  29. 29. • Performs ARP poisoning, DNS spoofing, etc. • We're using local proxy settings • You need ettercap to perform real MITM attacks on a LAN Ettercap
  30. 30. Burp • Can inspect and modify traffic • Sends fake TLS certificates • Burp can be added as a "trusted CA"
  31. 31. Burp Extensions • Supposedly you can add Python code
  32. 32. Burp Extensions • But it doesn't work • After several hours, I couldn't make any of the useful examples work • Scripts just fail without sending any error messages anywhere • It's torture • Just ignoring Burp and writing Python scripts outside it seems far more useful
  33. 33. Drozer • Infrastructure Mode • Runs a Drozer server, as a C&C server • Make "rogue agents" which are like malware • Custom-built to phone home to the Drozer server • Much like Metasploit
  34. 34. Privilege Levels
  35. 35. Non-System App without Context • Ex: a shell from a Web browser • Attacker has privileges of the compromised app • Can navigate filesystem under the app's user account • Cannot use Java libraries • Cannot install packages, or read SMS, etc.
  36. 36. Non-System App with Context • Attacker takes over app's execution flow and can load arbitrary classes • Attacker camn retrieve app Context • Can do anything the app can do
  37. 37. Installed Package • Can request arbitrary permissions • Can be granted them, depending on protection level
  38. 38. ADB Shell Access • Can install apps • Can interact with apps as a developer
  39. 39. System User Access • Running as system user, can • Install apps • Change device configuration • Access data from any app's private directory
  40. 40. Root User Access • Ultimate power, can • Install apps • Read and write RAM • Manipulate any aspect of the device

×