
Android Task Hijacking


Android Task Hijacking is an Android vulnerability that allows any application to be spoofed using only standard platform mechanisms and without requiring any special permissions. The approach does not need root on the device, and Google freely lets such applications into the Store. Because the vulnerability sits at the system level, every application on the device can be spoofed, including system apps. The speakers cover the technical details, show how the vulnerability works, and share possible solutions.

Published in: Technology

Android Task Hijacking

  1. Android Task Hijacking. Evgeny Blashko, Yury Shabalin. Application Information Security Testing Department, Sberbank Technologies
  2. whoami • Evgeny Blashko: VTB24, 2A-SOFT – developing mobile applications; mobile application security analysis • Yury Shabalin: Positive Technologies, Alfa-Bank – SSDL integration, source code analysis; mobile application security analysis; developing
  3. History • USENIX Security Symposium 2015, "Towards Discovering and Understanding Task Hijacking in Android". In our research we found more interesting features…
  4. Some Theory
  5. Some Theory
  6. Standard Behavior
  7. Standard Behavior
  8. Standard Behavior
  9. What "taskAffinity" means
  10. How "taskAffinity" works
  11. Task hijacking
  12. Magic
  13. How to spread?
  14. Transition #1. Demo example: press Intro, press Back
  15. Hijacking state transition #1: returning to the "original" application
  16. Useful advice to solve the problem • Transition #1 – Don't specify launchMode="singleTask" – Don't set FLAG_ACTIVITY_NEW_TASK; if it is necessary, use it together with FLAG_ACTIVITY_CLEAR_TASK
  17. Transition #2. Demo example: press Photo
  18. Hijacking state transition #2: replacing any application with malware
  19. Transition #3. Demo example: press Photo
  20. Hijacking state transition #3: a very likely case
  21. Useful advice to solve the problem • Transitions #2 and #3 – It may be a good idea to create a service that checks for another task carrying the "taskAffinity" of your application – Or create a service that compares the certificate of the application running with the taskAffinity of your application
  22. Hijacking state transition #4: a rare case
  23. Useful advice to solve the problem • Transition #4 – Don't specify allowTaskReparenting – Don't specify taskAffinity
  24. Transition #5. Demo example
  25. Hijacking state transition #5: an evolution of Activity Hijacking
  26. Useful advice to solve the problem • Transition #5 – Use explicit Intents if the destination Activity is predetermined – Verify the destination Activity if linking with another application
  27. Hijacking state transition #6: prevent app uninstallation
  28. Is my application vulnerable? Yes.
      Vulnerability | % of apps*
      Run malware from Launcher instead of the legitimate app | 100
      Send implicit intent for exported activities | 93.9
      Send implicit intent for exported activities and use intent FLAG_ACTIVITY_NEW_TASK | 65.5
      Contains public exported activity and launchMode="singleTask" | 14.2
      Contains public exported activity and allowTaskReparenting="true" | 1.4
      * Statistics from research in 2015
  29. Android versions & devices vulnerable to spoofing from the launcher
      Android version | Vulnerable
      Android 5.x | Yes
      Android 6.x | Yes
      Android 7.x | Yes
      CyanogenMod 12.1 | No
      MIUI | Yes
      Device | Vulnerable
      Nexus x.x | Yes
      Xiaomi | Yes
      Samsung | Yes
      LG | Yes
      * No permission needed * System apps are also vulnerable
  30. Android Security Team: 90 days left, so we can publish the results
  31. Useful advice to solve the problem • Transition #1 – Don't specify launchMode="singleTask" – Don't set FLAG_ACTIVITY_NEW_TASK; if it is necessary, use it together with FLAG_ACTIVITY_CLEAR_TASK • Transition #4 – Don't specify allowTaskReparenting – Don't specify taskAffinity
  32. Useful advice to solve the problem • Transition #5 – Use explicit Intents if the destination Activity is predetermined – Verify the destination Activity if linking with another application • Transitions #2, #3 and #6 – It may be a good idea to create a service that checks for another task carrying the "taskAffinity" of your application
  33. And you installed "calculator for an accountant"?
  34. Questions?
  35. AppSec Needs You! iOS, Android, Java developer, Pentest
  36. Telegram: @R1p4eg Mail: Yury.shabalin@gmail.com Mail: 30russian@gmail.com Telegram: @jd7drw
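The manifest settings that slides 28, 31 and 32 warn about (an exported activity combined with launchMode="singleTask" or allowTaskReparenting="true", and any explicit taskAffinity) can be checked mechanically. The following audit is an added example, not code from the talk; the activity names and the two sample manifests are constructed for illustration.

```python
# Added example (not the slides' code): flag the manifest settings the talk advises against,
# i.e. exported activity + launchMode="singleTask" or allowTaskReparenting="true", and taskAffinity.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(elem, name):
    # Read an android:-namespaced attribute; None if absent.
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(activity):
    # Explicit android:exported wins; otherwise an <intent-filter> implies exported (pre-API-31 default).
    exported = attr(activity, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return activity.find("intent-filter") is not None

def audit_manifest(manifest_xml):
    # Return (activity name, finding) pairs; an empty list means nothing was flagged.
    findings = []
    for act in ET.fromstring(manifest_xml).iter("activity"):
        name = attr(act, "name") or "?"
        if is_exported(act) and attr(act, "launchMode") == "singleTask":
            findings.append((name, "exported activity with launchMode=singleTask"))
        if is_exported(act) and (attr(act, "allowTaskReparenting") or "").lower() == "true":
            findings.append((name, "exported activity with allowTaskReparenting=true"))
        if attr(act, "taskAffinity") is not None:
            findings.append((name, "explicit taskAffinity declared"))
    return findings

# Constructed sample manifests: first the weak settings, then the same app hardened.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".LoginActivity" android:launchMode="singleTask"
              android:taskAffinity="com.example.bank.login">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".PhotoActivity" android:exported="true"
              android:allowTaskReparenting="true"/>
  </application>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".LoginActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".PhotoActivity" android:exported="true"/>
  </application>
</manifest>"""
```

Running `audit_manifest(WEAK_MANIFEST)` reports three findings, while the hardened manifest reports none.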
