
Passwords on a Phone


A talk given at DEF CON 25 in the Packet Hacking Village by Sam Bowne on July 29, 2017. For more information see https://samsclass.info



  1. Passwords on a Phone • DEF CON 25 Packet Hacking Village • July 29, 2017
  2. Me • Sam Bowne • Twitter: @sambowne • Instructor at City College San Francisco • All materials freely available at samsclass.info
  3. Persistent Login • Users remain logged in even after shutting off their phone • How does the app remember who you are?
  4. Target == GOOD
  5. Target AU Android App
  6. User Login
  7. Server Response • Random number, stored in a cookie • THIS IS THE RIGHT WAY
  8. Staples == BAD
  9. Tested in Jan 2017
  10. Locally Stored Password • Right away this shows a problem • WHY store the password?
      <string name="encryptedPassword">CT9SVzhhRaufBzCvmwENWQ==</string>
  11. 1. Best way: Don't. Use a cookie
      2. Use Android KeyChain
      3. Encrypt with a public key • Private key is kept secret on a server
      4. Encrypt with a private key • Private key is "hidden" on the phone (under the mat)
      5. Store data unencrypted on the phone
  12. Special Password • aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaA123 • 32 identical characters at beginning
      <string name="encryptedPassword">5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/MqOznV84Chyt5lFv9LDpXXmJq9fUx</string>
  13. Decode
      p = '5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/MqOznV84Chyt5lFv9LDpXXmJq9fUx'
      >>> p.decode("base64").encode("hex")
      'e55fee3a48cafcfc676fcca8ece757cee55fee3a48cafcfc676fcca8ece757ce02872b79945bfd2c3a575e626af5f531'
      e55fee3a48cafcfc676fcca8ece757ce
      e55fee3a48cafcfc676fcca8ece757ce
      02872b79945bfd2c3a575e626af5f531
  14. Read Smali Code
  15. Constructing the Key
  16. Final Key
  17. Encryption Test
  18. Notification • Notified Jan 2, 2017 • Automated response said it would be fixed • No response to follow-up email • April 13 -- Staples became homework
  19. Notification • Fixed by May 9, 2017
  20. Plaintext Password Storage
  21. Plaintext Login
  22. Broken SSL
  23. A Feature, Not a Bug
  24. Password Stored with Reversible Encryption
  25. Home Depot • Locally stored password is encrypted
  26. Unpack APK
  27. Salt -> Key
  28. Complete Decryption
  29. Kroger
  30. Kroger
  31. Safeway
  32. Safeway
  33. Walgreens
  34. Walgreens
  35. Multiple Vulnerabilities
  36. Fixed
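The repeated-block check behind slides 12 and 13, as an added Python example (not code from the talk): it base64-decodes the stored "encryptedPassword" value from the slides, cuts it into 16-byte blocks and flags any block that occurs twice. Two identical ciphertext blocks for the two blocks of 'a' characters is the signature of a block cipher run in ECB mode; the PKCS#7 padding used to explain why a 36-byte password becomes 48 bytes is an assumption, not something the slides state.

```python
import base64

# Values taken from the slides: the probe password (32 identical leading
# characters) and the "encryptedPassword" string the app stored, with the
# slide's line-wrap space removed.
SPECIAL_PASSWORD = "a" * 32 + "A123"
STORED_B64 = "5V/uOkjK/Pxnb8yo7OdXzuVf7jpIyvz8Z2/MqOznV84Chyt5lFv9LDpXXmJq9fUx"

# Constructed negative control: 48 distinct bytes, so no block repeats.
DISTINCT_B64 = base64.b64encode(bytes(range(48))).decode()


def ciphertext_hex(b64_ciphertext: str) -> str:
    """Base64-decode the stored value and return it as hex (the slide's decode step)."""
    return base64.b64decode(b64_ciphertext).hex()


def split_blocks(raw: bytes, block_size: int = 16) -> list:
    """Cut raw ciphertext into block_size-byte cipher blocks (16 bytes for AES)."""
    return [raw[i:i + block_size] for i in range(0, len(raw), block_size)]


def repeated_blocks(b64_ciphertext: str, block_size: int = 16) -> dict:
    """Map each ciphertext block that occurs more than once to its block positions.

    ECB mode encrypts every block independently, so identical plaintext blocks
    (here two blocks of 'a' * 16) give identical ciphertext blocks. A mode with
    a random IV and chaining or a counter (CBC, CTR, GCM) would not show this.
    """
    seen = {}
    raw = base64.b64decode(b64_ciphertext)
    for pos, block in enumerate(split_blocks(raw, block_size)):
        seen.setdefault(block.hex(), []).append(pos)
    return {h: positions for h, positions in seen.items() if len(positions) > 1}


def looks_like_ecb(b64_ciphertext: str, block_size: int = 16) -> bool:
    """True when any cipher block repeats: the ECB tell the slides rely on."""
    return bool(repeated_blocks(b64_ciphertext, block_size))


def pkcs7_padded_len(plaintext_len: int, block_size: int = 16) -> int:
    """Assumed PKCS#7 padding: always adds 1..block_size bytes, so 36 -> 48."""
    return (plaintext_len // block_size + 1) * block_size


if __name__ == "__main__":
    print(ciphertext_hex(STORED_B64))
    print("repeated blocks:", repeated_blocks(STORED_B64))
    print("ECB suspected:", looks_like_ecb(STORED_B64))
```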
