Nov 4, 2012
This is a beginner level talk/lecture about how we managed to steal data, bypass security controls and steal the source code of an Android application which was supposed to be secure.
Technically what we managed to do isn't ground breaking, but due to a combination of reasons we were able to radically change the security of the Android app for the better.
The Real Incident of Stealing a Droid App & Data. Akash Mahajan and Ankur Bhargava @ DroidCon Bangalore 2012
What we stole: The Android Application Package File. All the encrypted files found in the external storage.
© Akash Mahajan DroidCon Bangalore 2012
Not only did we successfully steal the app + data, we ran it on another device which was rooted.
Them devs made it more secure? A device ID check was added. We reversed the application, added our device ID and compiled it again. Able to execute again, yay!
THE DROID JOB: A standard Chinese-made tablet running Android 4.0 (Indian brand). The application contained encrypted data along with other resources.
We had written permission to steal!
All your data are belong to us: All the encrypted data was with us. We didn’t have the encryption key. But we had the device with the key in internal storage.
GONE IN 300 SECONDS: Android Backup API using Android Debug Bridge because we had the package name. ADB pull command, YAY!
> adb pull <remote> <local>
DISCLAIMER: It is not Rocket Science. Simple common security testing.
The Simple Hack: We knew finding an exploit to root the device might take some time and skill. Application written for the same version of Android will run in all devices.
If the device having the application can’t be rooted, let us take the application to the rooted device.
The Simple Hack: Once copied to the rooted device we could see what the application was doing using DDMS. Dalvik Debug Monitor Server provides, among other things, process information about apps running on a device connected in USB debug mode.
The key to everything: In this particular case, the encryption key was required to decrypt the data. We didn’t have file permissions to reach the key. We decided not to go after the key. We weren’t being paid enough for that.
The Encryption Conundrum: If you give away your device, the only way you can ensure safety of the data is by ensuring that the symmetric encryption key isn’t stolen. At any given point, depending on the application, the key might be available in memory, temp file/storage or on the chip itself.
The Encryption Conundrum: But because the device is with the thieves, they have all the time in the world to find it. If nothing works, they can always break open the device and steal the key from the storage.
FREE CONSULTING / Checklist: Disable USB debugging port. Disable USB itself. Don’t give internet access in the device. Obfuscate the source code. Provide a unique key for each device.
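Several of the exposures in these slides (backup over ADB by package name, files on external storage, internet access) are visible in an app's manifest before it ships. The following pre-release check is an added example, not part of the original talk; it assumes a manifest already decoded to text XML, and the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

# Attribute names in the manifest are qualified with the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded text form), not from the talk.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securedroid">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="SecureDroid" android:debuggable="true">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (finding_id, message) pairs for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "<unknown>")
    app = root.find("application")
    if app is None:
        return [("NO_APPLICATION", pkg + ": no <application> element")]
    findings = []
    # android:allowBackup defaults to true when the attribute is absent.
    if app.get(A + "allowBackup", "true").lower() != "false":
        findings.append(("BACKUP_ALLOWED",
                         pkg + ": app data can be copied off via adb backup"))
    # android:debuggable defaults to false; release builds must not set it.
    if app.get(A + "debuggable", "false").lower() == "true":
        findings.append(("DEBUGGABLE",
                         pkg + ": debug tools such as DDMS can attach"))
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    if "android.permission.WRITE_EXTERNAL_STORAGE" in perms:
        findings.append(("EXTERNAL_STORAGE",
                         pkg + ": files on external storage can be pulled"))
    if "android.permission.INTERNET" in perms:
        findings.append(("INTERNET",
                         pkg + ": checklist says no internet access"))
    return findings

if __name__ == "__main__":
    for finding_id, message in audit_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (finding_id, message))
```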
SUCCESS KIDZ: Client felt assured about their device security. Dev had a more secure solution. We get to pretend that we are Android security experts. We are not, just love the challenge.
WANTED DROID CHORS @ankurbhargava87 @makash