Circumventing mobile app stores security checks using Hybrid Frameworks and HTML5-fu.
(damn, that's a long title)
The talk describes a new attack vector against app stores that bypasses the security review performed when an application is published in any app store. Usually, after a mobile application is submitted, stores run it in a sandbox or test it manually and then decide whether it is legitimate. Using a hybrid platform (for example, Cordova), mobile applications can be updated without the user's consent and without the stores being notified.

PHDays 7 - Moscow, Russia. Paul AMAR - Security Researcher
what's the talk about?
- In-app updates
- Hybrid frameworks (Cordova, Phonegap, …)
- But mostly HOW I got into this.
Mobile development landscape
http://geospatialtraining.com/anatomy-of-a-hybrid-mobile-gis-application/
https://cordova.apache.org/docs/en/latest/guide/support/index.html
My experience with Shodan as a "dev"
ionic project structure
- Bunch of stuff in the root folder:
- configuration files (config.xml, package.json, …)
- folders for the build (hooks, platforms, …)
- resources for your app (res, resources folders)
But most importantly, your app:
- in the www folder.
the view side
the controller side
Mobile apps and permissions
I guess you all remember that?
http://uk.businessinsider.com/uber-takes-tons-of-your-private-data--but-so-does-lyft-2014-11
https://koodous.com/apks/70cfd8c87523681db4cde042237eed2b3acaaa663728fc75748e9f071548c5ab
Definitely a malware :-)
https://koodous.com/apks/59b9080727accd0f9f3b0980e8b633ab9d749be74932f94907b75947ef9a271d/analysis
Not a malware!
https://blog.kaspersky.com/google-io2015-news/8850/
https://www.statista.com/statistics/271774/share-of-android-platforms-on-mobile-devices-with-android-os/
distributing apps in real-life
Usual workflow
- Create your profile on the marketplace
- Develop and test your app
- Submit your app
- Release it to your users
- Updates/Bugfixes/Feedbacks... (and back to submitting)
What if we could…
- Push updates
- Without re-submitting the app on the stores?
Slightly modified workflow
- Create your profile on the marketplace
- Develop and test your app
- Submit your app
- Release it to your users
- Updates/Bugfixes/Feedbacks... pushed as a slightly modified one: updates on-the-fly!
But many others...
but... How?
http://ryanjsalva.com/2016/05/01/publish-without-resubmitting-to-the-app-store.html
FOLDER PWN
http://ryanjsalva.com/2016/05/01/publish-without-resubmitting-to-the-app-store.html
setup 101
cordova plugin add cordova-plugin-code-push@latest
cordova plugin add cordova-plugin-whitelist
Install both plugins to work with your app.
npm install -g code-push-cli
code-push register
code-push app add phdays
code-push deployment list phdays -k
Then, just set it up by registering, adding your app, and displaying your deployment keys.
ready to go!
$ code-push release-cordova phdays ios -m --description "Added Contacts stealing functionality"
Releasing some "pretty cool" feature within an "on-the-fly" update.
$ code-push release-cordova phdays ios --rollout 25%
Releasing the update to ¼ of your users.
$ code-push release-cordova phdays ios -x
Releasing the update but marking it disabled.
https://github.com/Microsoft/cordova-plugin-code-push#getting-started
works as expected
- CodePush update downloaded to a specific folder in Internal Storage
- Similar to how you do persistence of user state, for example
- (At runtime) the CodePush SDK scans this folder and takes the latest package
- If none, it loads the one originally shipped in the binary
Downsides (thankfully)
- You can't add new permissions without repackaging your whole app (and re-submitting it)
- Eg. adding Camera utilities to an existing app
- Plugins have to be already imported in your app
- If the previous conditions are met, THEN modifying the controller will work and change the behaviour of the app
Back to the shodan project
- I could have asked for the Camera permission (without the BarCode scanner functionality)
- Push my app to the store(s)
- As soon as the feature would have been OK, I could have pushed it with "in-app" update services.
WRAP-UP
- "Logic" bug (because it works as expected)
- Downsides to exploiting those kinds of techniques
- Have to pre-ask those permissions initially, etc.
- Check integrity of your www/ folder
- App stores should make sure requested perms are all used
- Even then, attackers could do 'dumb' calls to use those perms.
Thank you very much! Questions? (preferably in English ;)
