Android app security - 2019


  1. Android Apps Security (Shivasurya S)
  2. Android Architecture
     ● App Space Isolation
     ● Platform & User Apps
     ● Java & Kotlin API (Additionally Native)
     ● APK and system binary (Normal Linux)
  3. Attack Surface & Origin
     1. Malicious App
     2. Web links with Native Intents
     3. Instant Apps
     4. WebView API
     And even more
  4. Tools
     1. Dex2Jar
     2. Enjarify from Google
     3. Apktool (Recompile)
     4. ADB Commands
  5. Basic Components
     1. Activity
     2. Provider
     3. Service
     4. BroadcastReceiver
  6. Magic of Manifest - AndroidManifest.xml
     1. Shows clearly which components are exported
     2. Entry point to any component with the help of intent filters
     3. Network configurations
     4. Permission model & custom permissions
  7. Rule #1: exported="true"
     Grab the components that have the exported="true" attribute from the Manifest
  8. Rule #2: Permission Check
     Chain with Rule #1 above and check for a permission check
     ● Signature
     ● Normal
     ● Dangerous
     ● SystemSignature
  9. Permission example
  10. Rule #3: Intent-filter actions
     Chain with Rules #1 & #2 above and check for a permission check
     ● Considered as exported="true"
     ● Contains metadata for the component action
     ● Filters on data type, host, and URI path
     ● Fails if exported="false"
  11. Why the Provider Component?
     1. Provider exploits
     2. Identifying security impact
  12. Provider Component
     1. Provides a data interface between apps
     2. Returns Cursors & File objects
     3. WhatsApp <-> Contacts application
     4. File Provider and Content Provider
  13. Content Provider Basics
  14. Provider - Vulnerable Code
     https://code.videolan.org/videolan/vlc-android/commit/86051dd9753a126e454726d9141566d4b1999262
  15. Provider - Vector
     https://code.videolan.org/videolan/vlc-android/commit/86051dd9753a126e454726d9141566d4b1999262
     content://MASKED_AUTHORITY/databases/history.db
     file:///data/data/VULNERABLE_APP_SPACE/database/history.db
  16. Provider - Fixed Code
     https://code.videolan.org/videolan/vlc-android/commit/86051dd9753a126e454726d9141566d4b1999262
  17. Android Open Redirect & grantUriPermissions
     Credits: BagiPro (HackerOne)
     1. grantUriPermissions concept - AndroidManifest
     2. Chaining with Open Redirect via Intent
     3. Compromising the Provider
  18. Open Redirect
  19. grantUriPermissions - Code
  20. grantUriPermissions - Vector
  21. Exported Provider - Plain Vanilla bug 😊
     1. Access to all C-R-U-D queries in the provider
     2. Direct impact on the application's SQLite database
     3. Check for all tables and dump the database
  22. Attention - Interesting Fact - Platform Feature/BUG
     1. Providers without the exported attribute are open by default in API < 16
     2. Apps compiled with SDK <= 16 that omit the exported attribute are open on all API levels (even above API level 17)
  23. exported="true"
  24. Exploit
  25. Before submitting a Bug
     1. Does the provider return no data even though the component is exported?
     2. What type of data? (PII / public data / SD card data)
     3. Are internal app space files exposed?
     4. Is the provider behind a cryptographic function? (Not an issue)
     5. Signature permission checks and UID check
     6. Cases requiring physical device access or a rooted device are not accepted
  26. Questions! Shivasurya S, Zoho Corp.
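
Rules #1 to #3 and the provider default from slide 22 can be combined into a single manifest review pass. The following is an added example, not code from the slides: it assumes a decoded text `AndroidManifest.xml` (for example, as produced by Apktool), and `audit_manifest`, `SAMPLE` and the `com.example.sample` names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: a decoded (text) AndroidManifest.xml, not from any real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="16"/>
  <permission android:name="com.example.sample.SIG" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <provider android:name=".HistoryProvider" android:authorities="com.example.sample.history"/>
    <provider android:name=".Files" android:authorities="com.example.sample.files"
        android:exported="false" android:grantUriPermissions="true"/>
    <service android:name=".Sync" android:exported="true"
        android:permission="com.example.sample.SIG"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (type, name, reason_reachable, guard) for each component to review."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    # Assumption: "compiled using <= 16 SDK" is read from targetSdkVersion.
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    # Custom permissions declared by this app, with their protection level.
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.iter("permission")}
    app = root.find("application")
    findings = []
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(A + "exported")
        if exported == "true":                          # Rule #1
            why = "exported=true"
        elif exported is None and comp.find("intent-filter") is not None:
            why = "intent-filter"                       # Rule #3: implicit export
        elif exported is None and comp.tag == "provider" and target <= 16:
            why = "provider default, SDK<=16"           # slide 22
        elif comp.get(A + "grantUriPermissions") == "true":
            why = "grantUriPermissions"                 # slide 17: reachable via grants
        else:
            continue
        perm = comp.get(A + "permission") or app.get(A + "permission")
        guard = levels.get(perm, "declared elsewhere") if perm else "none"  # Rule #2
        findings.append((comp.tag, comp.get(A + "name"), why, guard))
    return findings
```

Provider-specific `readPermission`, `writePermission` and `path-permission` entries are not evaluated here, so a provider reported with guard `none` still needs those attributes checked by hand.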
