Downloaded 98 times
Uploaded byGeorgia Weidman
Bypassing the Android Permission Model
Georgia Weidman discusses various ways that Android permissions can be bypassed, including through exploiting permissions, storing sensitive data without protection, and open interfaces. She demonstrates how apps can abuse permissions to access contacts and send SMS, how unprotected storage allows data access, and how interfaces can be used to trigger SMS sending without consent. Mitigations include securing data, limiting interfaces, and ensuring updates are available to patch vulnerabilities.
More Related Content
![[Wroclaw #1] Android Security Workshop](https://cdn.slidesharecdn.com/ss_thumbnails/owaspplwroclaw1-160225150939-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Bypassing the Android Permission Model
![[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-buildingaisystemsthatusersandcompanieslove-251124030845-038f7732-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-themodernstackbuildingwebaiapplicationswithserverless-251124030844-388cf04f-thumbnail.jpg?width=640&height=640&fit=bounds)
![[DevFest Strasbourg 2025] - NodeJs Can do that !!](https://cdn.slidesharecdn.com/ss_thumbnails/devfeststrasbourg2025-nodejscandothat-251127142731-da65b6fd-thumbnail.jpg?width=640&height=640&fit=bounds)
Bypassing the Android Permission Model
- 1. Bypassing the AndroidPermission Model Georgia Weidman Founder and CEO, Bulb Security LLC
- 2. Is the permissionmodel working? Are users making good decisions?
- 3.
- 4.
- 5. Demo explained Permissions: − Read IMEI − Read Contacts − Send SMS We exploited every one of these
- 6.
- 7. Rooting Android forEvil (DroidDream)
- 8.
- 9.
- 10.
- 11. DroidDream Rooting Exploid CVE-2010-Easy (RageAgainsttheCage)
- 12.
- 13. DroidDream Root Payload Permission model no longer applies − installed packages − All personal data − Send to C&C
- 14. Rooting Android forEvil (DroidDream)
- 15.
- 16. Mitigation Users update their phones That means they need the updates pushed out That means you third party platforms!!
- 19. Android Storage Sdcard VFAT With apps Only visible to app (default) World readable
- 20. Demo Exploiting bad storagepractices
- 21. Demo Explained Stores sensitive data on the sdcard Sdcard is VFAT Everything is world readable
- 22. Demo Explained Discovers how the data is stored Accesses it Sends it to an attacker
- 23.
- 24.
- 25.
- 26. Wait? How dowe get source code? Winzip/7zip etc. dex2jar jd-gui Whitepaper with more info: http://cdn01.exploit-db.com/wp- content/themes/exploit/docs/17717.pdf
- 30. Nonsensical Code while (true) { if (i < 0); String str; while (true) { return; try {
- 31. Mitigation Store information securely Not on sdcard Not in source code Not world readable
- 32. Android Interfaces Call other programs Don't reinvent the wheel Take a picture Twitter from photo app
- 33. Demo Exploiting open interfacewith SMS functionality
- 34. Demo Explained When it is called it sends an SMS Caller can set the number and message Sadly this is considered useful!
- 35. Demo Explained Calls the SMSBroadcastr Sends number and message Sends an SMS
- 36.
- 37.
- 38.
- 39. Mitigations Don't have dangerous functionality available in interfaces Require user interaction (click ok) Require-permission tag in manifest for interface
- 40. Contact Georgia Weidman georgiaweidman.com bulbsecurity.com georgia@bulbsecurity.com @georgiaweidman
Editor's Notes
- #2 Song lyrics Android permission model- how does it work. Explicitly ask for permissions Users must accept or deny
- #3 Edit and Read SMS, send SMS, receive SMS Modify/delete USB storage contents Prevent phone from sleeping, write sync settings GPS data Services that cost you money Act as account authenticator, manage accounts Read and write to your personal information including contact data Phone calls, read phone state and identity Full network access
- #4 Now that I am doing a lot of development I know why this happens. I used to rag on developers for doing this, but after having my app crash over and over and me spending hours on google and rewriting code and putting debugging statements in, unable to come up with a good reason why a very simple instruction is crashing my app, and then realizing its because I forgot to ask for the permission, I see why developers would just ask for every permission imaginable right off the bat
- #5 So naturally I wrote an app to demo how ridiculously easy it is to abuse users acceptance of dangerous permissions
- #7 Anyone used a tool like this to root your Android phone? They use known exploits to give you root so you can load custom firmwares etc.
- #8 Trojaned Android apps on the official android market. Antivirus finds it now, doesn't find my app. Pretends to be a normal app, runs exploits and steals your data in the background
- #9 That's all. It actually does abuse the IMEI one right off the bat before it even roots your phone.
- #10 Pretended to be different apps, games, ads, dirty apps
- #11 Droiddream takes all the code from the regular apps and calls the it so to the user it looks like the app is running normally but it runs evil code in the background
- #12 Tried two different known root exploits for Android Both were patched in Android 2.2.1 which was released before the droiddream story broke Not necessarily patched when droiddream was written
- #13 These are the same sorts of roots that tools like these use In fact from reading the source of both I have reason to believe that the ragegainstthecage payload in droiddream was actually copied from z4root
- #14 So after it runs the root exploits if it is successful then it installs a system service. Only firmware apps should be system. System services have access to additional permissions and the permission model breaks down around system services. System app steals your data and sends it to a C&C
- #15 The moral of the story is Droiddream was an evil app masquerading as a beneign one
- #16 What's to stop these guys from doing the same?
- #17 For a while Android had the best updating mechanism out there for a smartphone Iphone you had to plug it in blackberry you had to plug it in Android pushes over the air, so do the others now Problem with Android is third party. Google releases new versions and Google phones get it. Others have to port it. There have been instances of new versions taking 6 months to push out to everyone. Older phones don't update. G1 still runs Android 1.6. That phone I rooted for Mom's fried
- #18 So far we've looked at apps that were meant to be evil by their developers. Now we are going to look at what I consider to be next generation flaws.
- #19 Benign apps that have flaws that allow bad code to take advantage of it. I'm not talking about traditional attack vectors like buffer overflows. Those are old and uninteresting. What I'm interested in here is getting permissions we shouldn't by piggybacking on poorly coded apps.