Bypassing the Android Permission Model - Hack In Paris · PDF fileBypassing the Android Permission Model. ... but after having\ഠmy app crash over and over and me spending hours on
43
Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC
Song lyrics Android permission model- how does it work. Explicitly ask for permissions Users must accept or deny
Is the permission model working? Are users making good decisions?
Présentateur
Commentaires de présentation
Edit and Read SMS, send SMS, receive SMS Modify/delete USB storage contents Prevent phone from sleeping, write sync settings GPS data Services that cost you money Act as account authenticator, manage accounts Read and write to your personal information including contact data Phone calls, read phone state and identity Full network access
Most Popular Android App
Présentateur
Commentaires de présentation
Now that I am doing a lot of development I know why this happens. I used to rag on developers for doing this, but after having my app crash over and over and me spending hours on google and rewriting code and putting debugging statements in, unable to come up with a good reason why a very simple instruction is crashing my app, and then realizing its because I forgot to ask for the permission, I see why developers would just ask for every permission imaginable right off the bat
Demo
App abusing permissions
Présentateur
Commentaires de présentation
So naturally I wrote an app to demo how ridiculously easy it is to abuse users acceptance of dangerous permissions
Demo explained
Permissions:− Read IMEI− Read Contacts− Send SMS
We exploited every one of these
Rooting Android
Présentateur
Commentaires de présentation
Anyone used a tool like this to root your Android phone? They use known exploits to give you root so you can load custom firmwares etc.
Rooting Android for Evil(DroidDream)
Présentateur
Commentaires de présentation
Trojaned Android apps on the official android market. Antivirus finds it now, doesn't find my app. Pretends to be a normal app, runs exploits and steals your data in the background
DroidDream Permissions
INTERNET
READ_PHONE_STATE
CHANGE_WIFI_STATE
ACCESS_WIFI_STATE
Présentateur
Commentaires de présentation
That's all. It actually does abuse the IMEI one right off the bat before it even roots your phone.
DroidDream
Présentateur
Commentaires de présentation
Pretended to be different apps, games, ads, dirty apps
DroidDream
Présentateur
Commentaires de présentation
Droiddream takes all the code from the regular apps and calls the it so to the user it looks like the app is running normally but it runs evil code in the background
DroidDream Rooting
ExploidCVE-2010-Easy (RageAgainsttheCage)
Présentateur
Commentaires de présentation
Tried two different known root exploits for Android Both were patched in Android 2.2.1 which was released before the droiddream story broke Not necessarily patched when droiddream was written
DroidDream Root Payload
Permission model no longer applies− installed packages− All personal data− Send to C&C
Présentateur
Commentaires de présentation
So after it runs the root exploits if it is successful then it installs a system service. Only firmware apps should be system. System services have access to additional permissions and the permission model breaks down around system services. System app steals your data and sends it to a C&C
Rooting Android
Présentateur
Commentaires de présentation
What's to stop these guys from doing the same?
Demo
Demo: Malicious post root payload
How the Botnet Works
Bot Receives a Message
Bot Decodes User Data
Checks for Bot Key
Performs Functionality
Mitigation
Users update their phones That means they need the updates pushed out
That means you third party platforms!!
Présentateur
Commentaires de présentation
For a while Android had the best updating mechanism out there for a smartphone Iphone you had to plug it in blackberry you had to plug it in Android pushes over the air, so do the others now Problem with Android is third party. Google releases new versions and Google phones get it. Others have to port it. There have been instances of new versions taking 6 months to push out to everyone. Older phones don't update. G1 still runs Android 1.6. That phone I rooted for Mom's fried
Présentateur
Commentaires de présentation
So far we've looked at apps that were meant to be evil by their developers. Now we are going to look at what I consider to be next generation flaws.
Présentateur
Commentaires de présentation
Benign apps that have flaws that allow bad code to take advantage of it. I'm not talking about traditional attack vectors like buffer overflows. Those are old and uninteresting. What I'm interested in here is getting permissions we shouldn't by piggybacking on poorly coded apps.
Android Storage
Sdcard VFAT
With apps Only visible to app (default) World readable
Demo
Exploiting bad storage practices
Demo Explained
Stores sensitive data on the sdcard Sdcard is VFAT Everything is world readable
Demo Explained
Discovers how the data is stored Accesses it Sends it to an attacker
Code Examples
Vulnerable Code Malicious Code
BadSaveFile
BadSendFile
Wait? How do we get source code?
Winzip/7zip etc.dex2jarjd-gui
Whitepaper with more info: http://cdn01.exploit-db.com/wp-content/themes/exploit/docs/17717.pdf
Nonsensical Code
while (true){if (i < 0);String str;while (true){return;try{
Mitigation
Store information securely Not on sdcard
Not in source code
Not world readable
Android Interfaces
Call other programs
Don't reinvent the wheel
Take a picture
Twitter from photo app
Demo
Exploiting open interface with SMS functionality
Demo Explained
When it is called it sends an SMS Caller can set the number and message Sadly this is considered useful!
Demo Explained
Calls the SMSBroadcastr Sends number and message Sends an SMS
Code Examples
Vulnerable Code Malicious Code
SMSBroadcastr
SMSIntent
Mitigations
Don't have dangerous functionality available in interfaces