This presentation has been published at DEFCON 27 DEMO LABS. A brief of our research is that attackers are able to hook and intercept cloud credentials by dynamic analysis of mobile applications that use cloud backend. More details of the information can be checked at https://sofrida.github.io and https://github.com/june5079/soFrida

1. 1
soFrida
Dynamic Analysis Tool for Mobile Apps
with Cloud Backend
@DEFCON 27 DEMO LABS
Hyunjun Park
Korea Univ. / Samsung SDS
Soyeon Kim
Samsung SDS
Seungjoo Kim*
Korea Univ.
and Yeongjin Jang
Oregon State Univ.
* Corresponding Author

2. 2
H y u n J u n P a r k
K o r e a U n i v e r s i t y
&
S a m s u n g S D S
j u n e _ p a r k @ k o r e a . a c . k r
j u n e 5 0 7 9 @ g m a i l . c o m
Hyunjun Park is a senior engineer of Samsung SDS in South Korea and a
graduate student of Korea University. His daily job is pentesting a broad range of
Samsung products including smart phone, smart TV, wearable devices, etc. He
also serves as a main staff of Kimchicon Security Conference in South Korea.

3. 3
S o y e o n K i m
S a m s u n g S D S
s s o y o u n k @ g m a i l . c o m
Soyeon Kim is a security researcher of Samsung SDS in South Korea. She mainly
doing a security assessment of Samsung IoT products. She is interested in
analyzing Android apps and IOS apps using Frida.

4. 4
S e u n g j o o ( G a b r i e l ) K i m
K o r e a U n i v e r s i t y
s k i m 7 1 @ k o r e a . a c . k r
Seungjoo (Gabriel) Kim is a professor of Graduate School of Information Security at Korea
University from 2011. For the past 7 years he was an associate professor of Sungkyunkwan
University and have 5 years of back ground of team leader of Cryptographic Technology
Team and also IT Security Evaluation Team of KISA(Korea Internet & Security Agency). In
addition to being a professor, he is positioning a director of CHAOS(Center for High-
Assurance Operating Systems), a head of SANE(Security Analysis aNd Evaluation) Lab, an
adviser of hacking club ‘CyKor(two-times champion of DEF CON CTF 2015 & 2018)’ of
Korea University, and a founder/advisory director of an international security & hacking
conference ‘SECUINSIDE’.
• Corresponding Author
• This work was supported by Institute for Information & communications
Technology Promotion(IITP) grant funded by the Korea government(MSIP)
(IITP-2017-0-00184, Self-Learning Cyber Immune Technology Development)

5. 5
TOPICS
B a c k g r o u n d
E x p l a i n w h y c l o u d d a t a l e a k
E x p e r i m e n t
S h a r e h o w I g o t
m o t i v a t e d
A t t a c k Ve c t o r s
E x p l a i n d e t a i l e d v e c t o r s
To a t t a c k c l o u d r e s o u r c e
M i t i g a t i o n s
R e c o m m e n d a t i o n t o m i t i g a t e
v u l n e r a b i l i t i e s
Understand how to collect Android Apps and
Find Cloud Vulnerabilities though SDK

6. 6
“What if
you can directly extract
AWS access keys from
mobile apps?”

7. 7
RESULT OF RESEARCH
s o F r i d a I n t r o d u c t i o n
We ' v e i n s p e c t 4 m i l l i o n s o f A n d r o i d a p p s a n d f o u n d c r i t i c a l v u l n e r a b i l i t i e s o n m u l t i p l e a p p s .
We ' v e p u b l i s i s h e d d e t a i l s o f s t a t i s t i c s d a t a o f o u r r e s e a r c h o n h t t p s : / / s o f r i d a . g i t h u b . i o
253
A p p s a r e C l a s s i f i e d
a s V u l n e r a b l e
2700
A p p s a r e
p o t e n t i a l l y v u l n e r a b l e
( U s i n g A W S S D K )
53
A p p s h a s c r i t i c a l l y
v u l n e r a b l e
( D a t a c a n b e l e a k e d )
But only 3 developers responded us

8. 8
June, 8, 2019
• We sent a notification to
each developer of the
vulnerable apps, and
also notified that we
would release the list of
vulnerable apps through
this site after 2 weeks.
TIMELINE
s o F r i d a I n t r o d u c t i o n
June, 6, 2019
• We had identified 2,700+
android apps which were
potentially vulnerable.
• We began in-depth
analysis of these 2700+
apps, and classified 236
apps as “actually risky”.
June, 19, 2019
• We reported the
vulnerability details and
the list of vulnerable
Korean apps to
KISA(Korea Internet &
Security Agency),
NSR(National Security
Research Institute) and
FSI(Financial Security
Institute).
June, 21, 2019
• Among the developers we
contacted, only 3
developers contacted us
again.
• We contacted to security
team of AWS, and asked
them to help each app
developer take an action.
June, 25, 2019
• As CSP’s request, we
sent them the entire list
of vulnerable apps,
which were classfied as
actually risky by soFrida.
June, 27, 2019
• CSP asked us to hold
publishing the list of
vulernable apps.
• As their request, we
finally decided to delay
publishing the list until
they took enough action.

9. 9
U b e r D a t a L e a k
( 2 0 1 6 )
T i m e W a r n e r C a b l e
( 2 0 1 7 )
F e d E x
( 2 0 1 8 )
AWS Account Hacked
Personal Information
of 57 Million users
4 Million Customer Records
Exposed Via AWS S3
119,000 US Citizen’s
Personal Information
Leaked
DATA LEAK HISTORY
B A C K G R O U N D
Unfortunately, oftentimes developers grant public access permission to the AWS Service.
W h a t ’ s
N e x t ?

10. 10
WHY IT HAPPENS
B A C K G R O U D N D
T h e r e a r e 3 r e a s o n s f o r c l o u d d a t a l e a k a g e
Root key used / All users have same keys / Key Values are hardcoded
K e y M a n a g e m e n t F a i l u r e
READ/WRITE permission to everyone, Users are not seperate
C l o u d P e r m i s s i o n F a i l u r e
No Cloudtrail, No Logging, No Alerting
N o M o n i t o r i n g , N o R e s p o n s e

11. 11
Open S3 Bucket WriteAble To Any Aws User
(https://hackerone.com/reports/209223)
S3 Resouces are publicly accessible and writable to anonymous users.
! Cloud misconfiguration (No Key, No Permission Setting)
B A C K G R O U N D
CLOUD MISCONFIG
Cloud resources are publicly accessible or writable
All Permissions are granted to users
Root-Key given

12. 12
DJI BugBounty ($30,000)
AWS AccessKeyId and SecretKeyId are found at Github
http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf
! Key Values are hardcoded
B A C K G R O U N D
KEY EXPOSED
AWS Key-Pairs are exposed to public
(github, src codes)

13. 13
“AWS S3 has own bucket name
But I don’t know what it is”
“But what if I can guess and
check Bucket name?"

14. 14
AWS S3
Bruteforce
with Wordlists
E x p e r i m e n t
You can simply send requests and figure out whether bucket exist or not.
I used word combinations with target name and wordlists based on
Bug bounty experience.
S3 Address looks like this:
BUCKET.s3.amazonaws.com
s3.amazonaws.com/BUCKET
s3.ap-northeast-2.amazonaws.com/BUCKET (Region Info Added)
Fedex-bucket.s3.amazonaws.com

15. 15
“But, It is not enough
Because…"
Too much efforts to find just one bucket.
It doesn’t guarantee that bucket is publicly accessible even you found bucket name
(Mostly “ACCESS DENIED”)
Not Efficient
This attack depends on luck
Even though you find public opend bucket, you can’t recognize who owns the bucket.
(Anyone can register bucket with non-used bucket name)
Not Reliable

16. 16
Let’s move on
to the
Access keys

17. 17
WHAT IT MEANS YOU HAVE ACCESS KEYS
A T T A C K V E C T O R S
Like a user name and password, you must use both the access key ID and secret access key together to
authenticate your requests. Manage your access keys as securely as you do your user name and password.
Key-pairs should not be open to users.
If access keys are exposed to public
Attacker can use them to access
to cloud resource
U N V E I L A C C E S S K E Y S
Access keys only works for the designated one.
If you have them, you can specify
the owner of services.
S P E C I F Y TA R G E T
You can authorize to the cloud
resource
with access keys
A C C E S S G R A N T E D

18. 18
AWS Mobile
SDK
Architecture
A T T A C K V E C T O R S
You can SECURELY(?) access to the
Cloud resources using AWS mobile SDK
(SDK is Integrated in mobile apps)

19. 19
AWS SDK INTEGRATED
WITH MOBILE APPS
A T T A C K V E C T O R S
You can simply check if mobile apps includes AWS SDK by searching
“com.amazonaws”
If SDK included, the app may connect to “own cloud resources” using “Access Keys”

20. 20
soFrida ATTACK DIAGRAM
A T T A C K V E C T O R S
A c o m p a n y i s a n a s s o c i a t i o n o r c o l l e c t i o n o f i n d i v i d u a l s , w h e t h e r n a t u r a l p e r s o n s , l e g a l p e r s o n s , o r a
m i x t u r e o f b o t h . C o m p a n y m e m b e r s s h a r e a c o m m o n p u r p o s e a n d u n i t e i n o r d e r t o f o c u s .
A company is an association or
collection of individuals, whether
C o l l e c t i n g
A p p s
A company is an association or
collection of individuals, whether
C h e c k
M o b i l e S D K
A company is an association or
collection of individuals, whether
K E Y
E x t r a c t i o n
A company is an association or
collection of individuals, whether
E x p l o i t
C l o u d R e s .

21. 21
AUTOMATED ANALYSIS WITH SOFRIDA
Using “soFrida”, you can check app is secure for key extraction and cloud is configured properly.
Download : https://github.com/june5079/soFrida
Tutorials : https://www.youtube.com/watch?v=l8B3vrJg7zk
https://www.youtube.com/watch?v=l8B3vrJg7zk
* Download APK from Google Play
* Get Detail Information of App
* Manage Your Own App
* AWS Key Extraction by Dynamic Analysis
* AWS Misconfiguration Check
* Pull APK Files from Own Device

22. 22
A T T A C K V E C T O R S
KEY EXTRACTION
AWS Access Keys will be used while cloud authentication with SDK.
Decompile apk file and find target class and method to extract keys.
Hooking point

23. 23
A T T A C K V E C T O R S
KEY EXTRACTION
AWS Access Keys will be used while cloud authentication with SDK.
Decompile apk file and find target class and method to extract keys.
All Access Keys Extracted

24. 24
CASE ONE
When app launches, It authenticate to cloud server
using mobile SDK.
Access keys can be extracted by hooking
com.amazonaws classes
CASE TWO
App does not authenticate to cloud server
When app launches.
You need “trigger”
to wake up cloud authentication.

25. 25
Time to
Open the door

26. 26
D E M O
S E C T I O N
AWS S3 Exploitaion

27. 27
A N O T H E R M I S T A K E S
Some apps include AWS Access Keys in APK.
Which means you literally got the keys to the cloud.
Access keys in
APK
Access keys should be designated to only one service.
But some apps are sharing access keys so that attacker can exploit multiple cloud resource.
Key shared
For different
services

28. 28
Mitigations

29. 29
Check whether cloud resources
Has too much permission.
S E C U R E C O N F I G
Do not access to cloud directly.
Use API gateway for relaying
Request/response data.
S E C U R E A R C H I T E C T U R E
For abusing detection,
Set up logging and monitoring
BUG BOUNTY PROGRAM!!!
M O N I T O R I N G

30. 30
USE REST API
M I T I G A T I O N S
Do not access cloud resource from client-side.
Rest API will prevent exposure of access keys.
Build own Rest API
Instead of using
Aws SDK

31. 31
COLLECTING APPS FROM PLAYSTORE
A T T A C K V E C T O R S
Collecting apk files is really painful and time consuming work.
I collected android apps as many as possible for testing
+ 160 Countries
+ 60 Categories
And…
Not loading at once
(Scroll down required)

32. 32
COLLECTING APPS FROM PLAYSTORE
A T T A C K V E C T O R S
Ideas from “InstaPy” which automates social media interaction using Sellenium module.
Crawling pakage_name of apps and downloaded using GpAPI (https://github.com/NoMore201/googleplay-api)

33. 33
CHECK MOBILE SDK
A T T A C K V E C T O R S
With simple greping, you can find which apps include mobile sdk.
Thousands of android apps found.
“aws-android-sdk”
…
“windowsazure”

34. 34
A T T A C K V E C T O R S
KEY EXTRACTION
AWS Access Keys will be used while cloud authentication with SDK.
Decompile apk file and find target class and method to extract keys.

35. 35
GET IN TOUCH
We welcom any feedback or questions about soFrida
H y u n j u n P a r k
j u n e 5 0 7 9 @ g m a i l . c o m
j u n e _ p a r k @ k o r e a . a c . k r
F. B / Tw i t : j u n e 5 0 7 9

36. 36
Thank you