This is the secure droid you are looking for

Description

Presentation made on Pixels Camp on the 7th of November in 2016.

Transcript

  1. 1. URL url = new URL("https://pixels.camp"); URLConnection urlConnection = url.openConnection();
  2. 2. URL url = new URL("https://devpixels.local"); URLConnection urlConnection = url.openConnection();
  3. 3. SSLContext mySSLContext = SSLContext.getInstance("TLS");
  4. 4. SSLContext mySSLContext = SSLContext.getInstance("TLS"); mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager },new SecureRandom());
  5. 5. SSLContext mySSLContext = SSLContext.getInstance("TLS"); mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager },new SecureRandom()); URL url = new URL("https://devpixels.local");
  6. 6. SSLContext mySSLContext = SSLContext.getInstance("TLS"); mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager },new SecureRandom()); URL url = new URL("https://devpixels.local"); HttpsURLConnection urlConnection = HttpsURLConnection)url.openConnection(); urlConnection.setSSLSocketFactory(mySSLContext.getSocketFactory());
  7. 7. TrustManager mySuperCustomTrustManager = new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkServerTrusted(X509Certificate[] chain,String authType) throws CertificateException { } public void checkClientTrusted(X509Certificate[] chain,String authType) throws CertificateException { } };
  8. 8. URL url = new URL("https://devpixels.camp"); URLConnection urlConnection = url.openConnection();
  9. 9. HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String s, SSLSession sslSession) { return true; } }); URL url = new URL("https://devpixels.camp"); URLConnection urlConnection = url.openConnection();
  10. 10. WebView myWebView = (WebView) findViewById(R.id.webview); myWebView.loadUrl(“https://devpixels.local”);
  11. 11. WebView myWebView = (WebView) findViewById(R.id.webview); myWebView.setWebViewClient(new WebViewClient() { public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { handler.proceed(); } }); myWebView.loadUrl(“https://devpixels.local”);
  12. 12. final class JavaScriptInterface { @JavascriptInterface public String getSomeString() { return "string"; } } WebView myWebView = (WebView) findViewById(R.id.webview); myWebView.getSettings().setJavaScriptEnabled(true); myWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
  13. 13. CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream caInput = getResources().openRawResource(R.raw.pixels); Certificate ca; try { ca = cf.generateCertificate(caInput); } finally { caInput.close(); }
  14. 14. CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream caInput = getResources().openRawResource(R.raw.pixels); Certificate ca; try { ca = cf.generateCertificate(caInput); } finally { caInput.close(); } String keyStoreType = KeyStore.getDefaultType(); KeyStore keyStore = KeyStore.getInstance(keyStoreType); keyStore.load(null, null); keyStore.setCertificateEntry("PixelsCampLeaf", ca);
  15. 15. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore);
  16. 16. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, tmf.getTrustManagers(), null);
  17. 17. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, tmf.getTrustManagers(), null); URL url = new URL("https://pixels.camp"); HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection(); urlConnection.setSSLSocketFactory(context.getSocketFactory()); InputStream in = urlConnection.getInputStream();
  18. 18. public class accessfile extends ContentProvider {
  19. 19. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); }
  20. 20. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); } … public ParcelFileDescriptor openFile(Uri uri, String mode){
  21. 21. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); } … public ParcelFileDescriptor openFile(Uri uri, String mode){ … File f = new File(getContext().getString(R.string._sdcard), uri.getPath());
  22. 22. Uri targURI = Uri.parse("content://pt.claudio.security/../../../../../data/data/p t.claudio.security.pixelscamp_content/files/mysecretfile.txt");
  23. 23. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) {
  24. 24. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SELECT _id, description FROM notes WHERE _id = 1{ { Projection Selection
  25. 25. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder(); queryBuilder.setTables(Table.TABLE_NOTE) SQLiteDatabase db = database.getWritableDatabase();
  26. 26. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder(); queryBuilder.setTables(Table.TABLE_NOTE) SQLiteDatabase db = database.getWritableDatabase(); Cursor cursor = queryBuilder.query(db, projection, selection,selectionArgs, null, null, sortOrder);
  27. 27. String[] selectionArgs = { "first string", "second@string.com" }; String selection = "name=? AND email=?"; Cursor cursor = db.query("TABLE_NAME", null,selection, selectionArgs, null);
  28. 28. /res/xml/excludes.xml
  29. 29. /res/xml/excludes.xml <application> android:fullBackupContent="@xml/excludes" </application>
  30. 30. /res/xml/excludes.xml <application> android:fullBackupContent="@xml/excludes" </application> <?xml version="1.0" encoding="utf-8"?> <full-backup-content> <exclude domain="sharedpref" path="MyPrefsFile.xml"/> </full-backup-content>
  31. 31. <full-backup-content> <include domain=["file" | "database" | "sharedpref" | "external" | "root"] path="string" /> <exclude domain=["file" | "database" | "sharedpref" | "external" | "root"] path="string" /> </full-backup-content>
  32. 32. /res/xml/network_security_config.xml
  33. 33. /res/xml/network_security_config.xml <application> android:networkSecurityConfig="@xml/network_security_config" </application>
  34. 34. /res/xml/network_security_config.xml <application> android:networkSecurityConfig="@xml/network_security_config" </application> <?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">http.badssl.com</domain> </domain-config> </network-security-config>
  35. 35. security.claudio.pt @clviper github.com/clviper Q&A

Editor's Notes

  • For us to have secure communication we have to rely on HTTPS yada yada
  • HTTPS is based on certificates and depends on their validation yada yada yada
  • Some of the validations include those above, explain a little bit
  • Optionally we also have certificate pinning, which I will cover a little later. So let’s imagine two scenarios of a developer creating a mobile app for Pixels Camp..
  • So the production environment will be pixels.camp and with these settings we would make a secure connection to the website..
  • But actually I am using my local dev setup, and I am using a self-signed certificate and therefore I keep getting errors. So my first idea is to Google a little bit to find a way to solve these errors…
  • This is where things go South… Well I found some nice guys on Stackoverflow that pointed me to a way to get rid of those pesky errors..
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain. So the errors went away. Awesome.
  • So let’s say that I have a second scenario where I actually have an online server with a valid certificate but not for the right hostname. Well, Stackoverflow to the rescue..
  • Explain. Again the errors went away. But what are the implications of these patches? Together they disable the checks that make HTTPS meaningful: the custom trust manager accepts any certificate chain and the hostname verifier accepts any host name.
  • Well…. Imagine that Ron is using your application in a coffee shop, on its public hotspot. Yada Yada Yada Yada
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • So enter Webviews…
  • Explain
  • Explain
  • Explain
  • Video with metasploit with payload to exploit JavascriptInterface
  • Well…. Ron not happy!
  • So enter Webviews…
  • So enter Webviews…
  • So enter Webviews…
  • So enter Webviews…
  • So enter Webviews…
  • So enter Webviews…
  • So enter Webviews…
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Video with exploiting the content provider
  • So for bonus points, we can even indirectly break the application sandbox…
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain.
  • So for those wondering what these parameters mean, let’s imagine a SQL query. Projection represents the fields chosen for the query and Selection the fields used in the WHERE clause. The sortOrder holds the fields we would put in the ORDER BY. The selectionArgs I will talk about later.
  • Explain
  • Explain
  • Video with exploiting the content provider
  • Explain Selection Args
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Description

    Presentation made on Pixels Camp on the 7th of November in 2016.

    Transcript

    1. 1. URL url = new URL("https://pixels.camp"); URLConnection urlConnection = url.openConnection();
    2. 2. URL url = new URL("https://devpixels.local"); URLConnection urlConnection = url.openConnection();
    3. 3. SSLContext mySSLContext = SSLContext.getInstance("TLS");
    4. 4. SSLContext mySSLContext = SSLContext.getInstance("TLS"); mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager },new SecureRandom());
    5. 5. SSLContext mySSLContext = SSLContext.getInstance("TLS"); mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager },new SecureRandom()); URL url = new URL("https://devpixels.local");
    6. 6. SSLContext mySSLContext = SSLContext.getInstance("TLS"); mySSLContext.init(null, new TrustManager[] { mySuperCustomTrustManager },new SecureRandom()); URL url = new URL("https://devpixels.local"); HttpsURLConnection urlConnection = HttpsURLConnection)url.openConnection(); urlConnection.setSSLSocketFactory(mySSLContext.getSocketFactory());
    7. 7. TrustManager mySuperCustomTrustManager = new X509TrustManager() { public X509Certificate[] getAcceptedIssuers() { return null; } public void checkServerTrusted(X509Certificate[] chain,String authType) throws CertificateException { } public void checkClientTrusted(X509Certificate[] chain,String authType) throws CertificateException { } };
    8. 8. URL url = new URL("https://devpixels.camp"); URLConnection urlConnection = url.openConnection();
    9. 9. HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String s, SSLSession sslSession) { return true; } }); URL url = new URL("https://devpixels.camp"); URLConnection urlConnection = url.openConnection();
    10. 10. WebView myWebView = (WebView) findViewById(R.id.webview); myWebView.loadUrl(“https://devpixels.local”);
    11. 11. WebView myWebView = (WebView) findViewById(R.id.webview); myWebView.setWebViewClient(new WebViewClient() { public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { handler.proceed(); } }); myWebView.loadUrl(“https://devpixels.local”);
    12. 12. final class JavaScriptInterface { @JavascriptInterface public String getSomeString() { return "string"; } } WebView myWebView = (WebView) findViewById(R.id.webview); myWebView.getSettings().setJavaScriptEnabled(true); myWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
    13. 13. CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream caInput = getResources().openRawResource(R.raw.pixels); Certificate ca; try { ca = cf.generateCertificate(caInput); } finally { caInput.close(); }
    14. 14. CertificateFactory cf = CertificateFactory.getInstance("X.509"); InputStream caInput = getResources().openRawResource(R.raw.pixels); Certificate ca; try { ca = cf.generateCertificate(caInput); } finally { caInput.close(); } String keyStoreType = KeyStore.getDefaultType(); KeyStore keyStore = KeyStore.getInstance(keyStoreType); keyStore.load(null, null); keyStore.setCertificateEntry("PixelsCampLeaf", ca);
    15. 15. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore);
    16. 16. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, tmf.getTrustManagers(), null);
    17. 17. String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); SSLContext context = SSLContext.getInstance("TLS"); context.init(null, tmf.getTrustManagers(), null); URL url = new URL("https://pixels.camp"); HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection(); urlConnection.setSSLSocketFactory(context.getSocketFactory()); InputStream in = urlConnection.getInputStream();
    18. 18. public class accessfile extends ContentProvider {
    19. 19. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); }
    20. 20. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); } … public ParcelFileDescriptor openFile(Uri uri, String mode){
    21. 21. public class accessfile extends ContentProvider { public static final String AUTHORITY = "pt.claudio.security"; public static final Uri CONTENT_URI = Uri.parse("content://" + AUTHORITY + "/"); private static final HashMap<String, String> MIME_TYPES = new HashMap<String, String>(); private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH); static { sURIMatcher.addURI(AUTHORITY, "folder/", FOLDER); sURIMatcher.addURI(AUTHORITY, "file/", FILE); } … public ParcelFileDescriptor openFile(Uri uri, String mode){ … File f = new File(getContext().getString(R.string._sdcard), uri.getPath());
    22. 22. Uri targURI = Uri.parse("content://pt.claudio.security/../../../../../data/data/p t.claudio.security.pixelscamp_content/files/mysecretfile.txt");
    23. 23. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) {
    24. 24. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SELECT _id, description FROM notes WHERE _id = 1{ { Projection Selection
    25. 25. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder(); queryBuilder.setTables(Table.TABLE_NOTE) SQLiteDatabase db = database.getWritableDatabase();
    26. 26. public Cursor query(Uri uri, String[] projection, String selection,String[] selectionArgs, String sortOrder) { SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder(); queryBuilder.setTables(Table.TABLE_NOTE) SQLiteDatabase db = database.getWritableDatabase(); Cursor cursor = queryBuilder.query(db, projection, selection,selectionArgs, null, null, sortOrder);
    27. 27. String[] selectionArgs = { "first string", "second@string.com" }; String selection = "name=? AND email=?"; Cursor cursor = db.query("TABLE_NAME", null,selection, selectionArgs, null);
    28. 28. /res/xml/excludes.xml
    29. 29. /res/xml/excludes.xml <application> android:fullBackupContent="@xml/excludes" </application>
    30. 30. /res/xml/excludes.xml <application> android:fullBackupContent="@xml/excludes" </application> <?xml version="1.0" encoding="utf-8"?> <full-backup-content> <exclude domain="sharedpref" path="MyPrefsFile.xml"/> </full-backup-content>
    31. 31. <full-backup-content> <include domain=["file" | "database" | "sharedpref" | "external" | "root"] path="string" /> <exclude domain=["file" | "database" | "sharedpref" | "external" | "root"] path="string" /> </full-backup-content>
    32. 32. /res/xml/network_security_config.xml
    33. 33. /res/xml/network_security_config.xml <application> android:networkSecurityConfig="@xml/network_security_config" </application>
    34. 34. /res/xml/network_security_config.xml <application> android:networkSecurityConfig="@xml/network_security_config" </application> <?xml version="1.0" encoding="utf-8"?> <network-security-config> <domain-config cleartextTrafficPermitted="false"> <domain includeSubdomains="true">http.badssl.com</domain> </domain-config> </network-security-config>
    35. 35. security.claudio.pt @clviper github.com/clviper Q&A

    Editor's Notes

  • For us to have secure communication we have to rely on HTTPS yada yada
  • HTTPS is based on certificates and depends on their validation yada yada yada
  • Some of the validations include those above, explain a little bit
  • Optionally we also have certificate pinning, which I will cover a little later. So let’s imagine two scenarios of a developer creating a mobile app for Pixels Camp..
  • So the production environment will be pixels.camp and with these settings we would make a secure connection to the website..
  • But actually I am using my local dev setup, and I am using a self-signed certificate and therefore I keep getting errors. So my first idea is to Google a little bit to find a way to solve these errors…
  • This is where things go South… Well I found some nice guys on Stackoverflow that pointed me to a way to get rid of those pesky errors..
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain. So the errors went away. Awesome.
  • So let’s say that I have a second scenario where I actually have an online server with a valid certificate but not for the right hostname. Well, Stackoverflow to the rescue..
  • Explain. Again the errors went away. But what are the implications of these patches? Together they disable the checks that make HTTPS meaningful: the custom trust manager accepts any certificate chain and the hostname verifier accepts any host name.
  • Well…. Imagine that Ron is using your application in a coffee shop, on its public hotspot. Yada Yada Yada Yada
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • Yada Yada… so another impact is the possibility to manipulate returned information. That reminds me of a particular component that can be very dangerous.
  • So enter Webviews…
  • Explain
  • Explain
  • Explain
  • Video with metasploit with payload to exploit JavascriptInterface
  • Well…. Ron not happy!
  • So enter Webviews…
  • So enter Webviews…
  • So enter Webviews…
  • So enter Webviews…
  • So enter Webviews…
  • So enter Webviews…
  • So enter Webviews…
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Video with exploiting the content provider
  • So for bonus points, we can even indirectly break the application sandbox…
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain.
  • So for those wondering what these parameters mean, let’s imagine a SQL query. Projection represents the fields chosen for the query and Selection the fields used in the WHERE clause. The sortOrder holds the fields we would put in the ORDER BY. The selectionArgs I will talk about later.
  • Explain
  • Explain
  • Video with exploiting the content provider
  • Explain Selection Args
  • Explain
  • Explain
  • Explain
  • Explain
  • Explain