Better watch your apps - MJ Keith


Post on 14-Sep-2014






My HouSecCon presentation on android applications security and arm exploitation


Better watch your apps! November 4, 2010
MJ Keith, GCIA, GCIH, Alert Logic - Security Researcher

Smart phones
- Blackberry
- iPhone
- Android
- Windows Mobile

Markets
- iPhone market
  - Open to developers
  - Apps are reviewed and approved by Apple
  - Tethering apps disguised as flashlights make it in!
- Android market
  - Open to developers
  - Moderated by users
  - Some restrictions from the wireless provider
- Blackberry market
  - Hoping to get market share back
- Who is writing these apps?

Focus on malware
- How can malware affect you?
- Blackhat 2010
  - "These Aren't the Permissions You're Looking For..."
  - "App Attack"
  - Several others
- Why are we only looking at malware?
- Is Adobe software malware? Well, maybe...

Size doesn't matter

Size doesn't matter
- Do you allow users to install untrusted apps?
  - Every program installed presents a risk
  - Patch management required
- Do you allow users to connect personal laptops?
  - Policies are in place, but can you really stop it?
  - If users can connect, they will connect
  - MAC filtering helps but is not a complete fix

Android architecture
- ARM 32 bit
- OS: Linux, Bionic libc
- Apps: Dalvik JVM (kinda); all apps written in Java

Permissions
- Each app gets its own user, Linux style
- Cache data can be stored in the app's directory or on the SD card
  - Cache data is sandboxed; the SD card is accessible to everyone
- Intents can request data or actions from other apps
- Granular control of certain privileged actions: making phone calls, sending SMS, access to personal data

Where I started
- Bugs in your pocket
  - Anyone can submit an application: no assumption that QA has taken place
  - How many Android apps do nothing but crash?
  - Tons of bugs
  - Apps crashing = exploitable
- Theory
  - Apps will be easy to hack
  - They will not be protecting user data
  - Apps create aggregation points that can be used to attack users

Target app profile
(diagram: app, web API, attacker)

Testing begins
- Targeting smaller-distribution apps that make calls to the internets (yeah, both of them)
- Basic server/client setup
- Online storage
  - Financial data = Checks, > 1,000 users
  - Contact data = Addressbook PRO, > 6,000 users
  - Scoreboards = Speedx, > 500,000 users

Checks > 1,000 users
- Cloud storage
- Allows you to store purchases and payments data
- Password protected

Checks
- Uses an HTTP JSON API
- Easy to sniff with airodump
- Password only used on the phone
- User id (this is just an int) is used to access the cloud server
- Guess the user number: full read/write access to the data
- Can reset the password, but who cares

Checks (captured request and response)

    POST /cloud/ HTTP/1.1
    X-Requested-With: XMLHttpRequest
    User-Agent: 
    Content-Length: 65
    Content-Type: application/x-www-form-urlencoded
    Host: checks.linein.org
    Connection: Keep-Alive

    json=%7B%22user_id%22%3A%22680%22%2C%22action%22%3A%22import%22%7D

    HTTP/1.1 200 OK
    Date: Sat, 28 Aug 2010 01:41:26 GMT
    Server: Apache/1.3.41 Ben-SSL/1.59
    X-Powered-By: PHP/5.2.14
    Keep-Alive: timeout=2, max=200
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html

    193
    {"message":"imported successfully","cloud_data":"[{\"id\":\"1\",\"amount\":\"222\",\"cleared\":null,\"desc\":\"qqq\",\"check_date\":\"1282959385\",\"dateadded\":null},{\"id\":\"2\",\"amount\":\"333\",\"cleared\":null,\"desc\":\"ppp\",\"check_date\":\"1282959385\",\"dateadded\":null},{\"id\":\"3\",\"amount\":\"111\",\"cleared\":null,\"desc\":\"ooo\",\"check_date\":\"1282959385\",\"dateadded\":null}]"}
    0

Addressbook PRO > 6,000 users
- Sync and backup contacts/locations to the cloud
- HTTP JSON API
- Password protected
- Here we go again... Same exact problem.
- Password only used on the phone
- Costs $4.99, kinda pricey to get your data stolen
- Guess the username and you have full control
- You also get the user's MEID, lol

Addressbook PRO (captured request and response)

    POST /apofasyncaddressbook.php HTTP/1.1
    content-type: application/x-www-form-urlencoded
    content-length: 10
    cache-control: no-store,no-cache
    User-Agent: Dalvik/1.1.0 (Linux; U; Android 2.0.1; Droid Build/ESD56)
    Host: www.apofa.com
    Accept: *, */*
    Connection: Keep-Alive

    &n=test

    HTTP/1.1 200 OK
    Date: Fri, 27 Aug 2010 16:38:12 GMT
    Server: Apache/2.2.16 (CentOS) mod_ssl/2.2.16 0.9.8l DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 FrontPage/ PHP/5.2.13
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    193
    {"address":[{"id":"164","db_id":"2","title":"test","address":"blah.;'\";:)*&=%","picon":"null\r\n\r\n","visit":"0","category":"Family","userid":"test","createdDate":"1282925803271","deviceid":"A00000555553"},{"id":"163","db_id":"1","title":"narf","address":"gggg gfggggg","picon":"null","visit":"0","category":"Family","userid":"test","createdDate":"1282925678434","deviceid":"A00000555553"}]}

MEID/IMEI/ESN
- Value your wireless provider uses to authenticate your phone on the network
- Could be called the phone's MAC or SSN
- Not really intended to authenticate to anything except the wireless network
- Often a target, as it is used in cloning
- CDMA sniffing techniques have been used by cloners for years

Speedx > 500,000 users
- Game that uses a web API for scoring
- Pretty simple: scores get posted to the scoreboard; the scoreboard is read and displayed to the user
- What fun could be had here?
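The Checks and Addressbook PRO flaw above is the same one: the only "credential" the server checks is a client-supplied identifier (an integer user id, a username). As an added example that is not code from the talk or from either app, the handler below replays the captured Checks `/cloud/` request shape against a vulnerable handler and a hardened one that binds the request to a server-issued session token; the data store, the credential table and the token scheme are all constructed for illustration.

```python
"""Vulnerable vs. hardened handling of a Checks-style /cloud/ request.

Added example, not the talk's or the app's code. CLOUD, the credential table
and the Bearer-token session scheme are constructed for illustration.
"""
import hmac
import json
import secrets
from urllib.parse import parse_qs

# Constructed sample rows keyed by integer user id, shaped like the capture.
CLOUD = {
    680: [{"id": "1", "amount": "222", "desc": "qqq"}],
    681: [{"id": "1", "amount": "999", "desc": "rent"}],
}
SESSIONS = {}  # token -> user_id, populated only by login()


def vulnerable_cloud(body: str) -> dict:
    """Pattern from the talk: the client-supplied user_id is the only
    'credential', so any integer in the form field reads that user's rows."""
    req = json.loads(parse_qs(body)["json"][0])
    return {"message": "imported successfully",
            "cloud_data": CLOUD.get(int(req["user_id"]), [])}


def login(user_id: int, password: str) -> str:
    """Issue a random session token after a server-side password check.
    Constructed credential table; real code would store password hashes."""
    creds = {680: "hunter2", 681: "correct horse"}
    if not hmac.compare_digest(creds.get(user_id, ""), password):
        raise PermissionError("bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def hardened_cloud(body: str, auth_header: str) -> dict:
    """Hardened pattern: the acting user is whoever the token resolves to.
    The user_id in the body must match the session; it is never trusted."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token not in SESSIONS:
        raise PermissionError("no valid session")
    owner = SESSIONS[token]
    req = json.loads(parse_qs(body)["json"][0])
    if int(req["user_id"]) != owner:
        raise PermissionError("user_id does not match session")
    return {"message": "imported successfully", "cloud_data": CLOUD[owner]}
```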
Speedx: the hacks
- Scoreboard API is easy to inject
- Uses an HMAC, but the only value it protects is the time
- Numeric values are still stored as strings
- If strings ever make it to native code, a BOF is possible
- Fake scoreboard test
- May not be able to get that many chars into the real scoreboard

Crash log:

    ( 987): pid: 5860, tid: 5860 >>> com.beepstreet.speedx

Bump > 10,000,000 users
- Appaliscious: "Bump Android app is the new business card"
- Gizmodo: "Bump 2.0 Scores With Facebook, Twitter, And LinkedIn Capabilities"
- Entrepreneur: "Entrepreneur's Annual 100 Brilliant Ideas - Mobile Tech top 10"
- WSJ: "PayPal Bumps iPhone Payments to New Level"

Bump, from their site
Q. What is Bump?
A. Bump is a quick and easy way to connect two phones, simply bump them together. Share contact info, pictures, calendar events, and even connect on social networks with just a bump.
Q. How does it work?
A. We use various techniques to limit the pool of potential matches, including location information and characteristics of the bump event. If you are bumping in a particularly dense area (ex, at a conference), and we cannot resolve a unique match after a single bump, we'll just ask you to bump again. Our CTO has a PhD in Quantum Mechanics and can show the math behind that, but we suggest downloading Bump and trying it yourself!
Q. Is Bump secure?
A. When we built Bump, our number one priority was creating the best possible user experience we could. Security of your personal information is a huge part of that experience. First, all communications between your phone and our servers are encrypted and sent using https - the same encryption that is used for online banking. Second, the nice thing about Bump is that *you* are in control of deciding with whom you share your information. You don't have to worry about anyone being able to get at your information unless you physically bump your phone with theirs.

Bump, my opinion
Q. What is Bump?
A. Another silly way to get owned and break your phone.
Q. How does it work?
A. Your phone sends GPS data and the time of the bump to their servers. If another bump matches, you get an offer to connect. Took about 2 hrs.
Q. Is Bump secure?
A. Online banking encryption standards have really fallen.

Bump
- A mailbox is created on the server using the MEID and the path
- The app checks the mailbox about once a second
- When bumped, the time and location are sent to the Bump servers
- If a match is found, the server leaves the connect data in the box and it is retrieved on the next status check
- No authentication is used
- No unique values until the other phone approves the data

Bump server (diagram)

Bump (message sequence)
1. Bump sent
2. Status OK
3. Status check
4. Bump matched
5. Confirm + data
6. Other user confirms
7. Status check
8. Other user data
9. Status check

Bump problems
- Phone sets location and time
  - This also includes fault tolerance
  - Change GPS accuracy from feet to miles
  - Submit multiple bump times at once (discussed later)
- Since no auth is needed
  - We can intercept anything meant for the victim's phone
  - After we grab it we sleep so that they can re-bump
  - We can create several bumpers
  - Multi-threaded bumpers can intercept all bumps in a location
  - Target conferences or dense population areas

Bump, so...
- We can intercept anything on a specific target
- We can flood an area with bumps to catch all data
- We could also flood users with a payload
  - Images are the obvious target, but other options are available
- Still no massive pwnage :(
- What else can be done?

Paypal Bump

Paypal Bump
- PayPal side is very secure
  - Until they ask you to create a PIN: a 6 digit PIN
- Bump API
  - Allows multiple bump times
    - Intended to cover timezone differences
    - Submit 10 bump times a second apart
  - API key transferred in the clear
    - Used as the logon for the Bump site
    - I did not do this.
  - Uses SSL only after all key values are sent in cleartext
  - Transfers MEID and phone # to the other user

Demo: Fun with PayPal Bump

Demo: Fun with PayPal Bump
- Why does this work?
  - Bump API uses the MEID as a unique identifier
  - Sends this value to the other user's app
  - A regular bump requires a fake bump to get the MEID
  - VZ apps all authenticate using the Base64'd MEID
  - Other values submitted
- What else can we do with this?

VZ apps

My VZ
- Change voice-mail password
- Change portal password
- Last 4 digits of credit card
- Make a payment
- Get or change mailing address
- Upgrade phone and have it sent somewhere else
- Flaw affects all VZ users
- Other stuff...

VZ tones
- Purchase several thousand ringtones
- Purchase and set ringback tones
- Set Rickroll ringback tones on a few thousand phones
- Exposes where ringtones are hosted
- Download all ringtones for free

VZ
- Fixing the issue by the end of the month
- Adding a vulnerability reporting email
- Very cool guys

Browser = all of them
- WebKit based
- Permissions
  - Auth to Google
  - Coarse and fine GPS
  - SD card access
  - Internet access
  - Everything else you would expect

Breaking Android's ARM
- Java app, but data is passed to the native back-end
- No advisories for WebKit on Android
- 0-days in the open
- CVE-2010-1807

Breaking Android's ARM

R1 gets overwritten with a value of our choosing. I chose 0000b33f just for an example.

    I/DEBUG ( 28): Build fingerprint: 'generic/sdk/generic/:2.0.1/ESD54/20723:eng/test-keys'
    I/DEBUG ( 28): pid: 702, tid: 714 >>> 
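The Speedx scoreboard slide makes two points a defender should take away: an HMAC that covers only the timestamp leaves the name and score open to rewriting, and numeric fields that arrive as strings need bounds and type checks before they reach native code. The block below is an added example, not the Speedx API or the talk's code; the field names, the shared key and the canonical-JSON encoding are constructed assumptions. It contrasts the time-only MAC with one over every field, plus a replay window and input bounds.

```python
"""Scoreboard submission: HMAC over the timestamp only versus over all
fields. Added example; key, field names and canonicalisation are assumed."""
import hashlib
import hmac
import json

KEY = b"constructed-shared-secret"  # assumed per-app key, not the real one
FIELDS = ("name", "score", "time")
MAX_NAME = 32      # bound the string before anything reaches native code
MAX_SCORE = 10**9  # sanity bound on the numeric value


def _mac(msg: bytes) -> str:
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def _canon(post: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) of exactly the MACed
    fields, so both sides hash identical bytes."""
    body = {k: post[k] for k in FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_time_only(post: dict) -> dict:
    """Weak pattern from the talk: only 'time' is authenticated."""
    return {**post, "mac": _mac(str(post["time"]).encode())}


def verify_time_only(post: dict) -> bool:
    """Accepts any name/score as long as the timestamp MAC matches."""
    return hmac.compare_digest(post["mac"], _mac(str(post["time"]).encode()))


def sign_full(post: dict) -> dict:
    return {**post, "mac": _mac(_canon(post))}


def verify_full(post: dict, now: int, skew: int = 300) -> bool:
    """Reject if any covered field changed, the MAC is missing or malformed,
    the timestamp is outside the replay window, or the values fail bounds."""
    try:
        if not hmac.compare_digest(post["mac"], _mac(_canon(post))):
            return False
        if abs(now - int(post["time"])) > skew:
            return False
        score = int(post["score"])  # the score is transmitted as a string
        return 0 <= score <= MAX_SCORE and 0 < len(post["name"]) <= MAX_NAME
    except (KeyError, ValueError, TypeError):
        return False
```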