bypassing the android permission model - hack in the box ... - ge… · bypassing the android...
Bypassing the Android Permission Model
Georgia Weidman
Founder and CEO, Bulb Security LLC
Is the permission model working? Are users making good decisions?
Most Popular Android App
Demo
App abusing permissions
Demo explained
Permissions:
− Read IMEI
− Read Contacts
− Send SMS
We exploited every one of these
Rooting Android
Rooting Android for Evil (DroidDream)
DroidDream Permissions
INTERNET
READ_PHONE_STATE
CHANGE_WIFI_STATE
ACCESS_WIFI_STATE
DroidDream
DroidDream
DroidDream Rooting
Exploid
CVE-2010-Easy (RageAgainsttheCage)
DroidDream Root Payload
Permission model no longer applies
− Installed packages
− All personal data
− Send to C&C
Rooting Android
Demo
Demo: Malicious post root payload
How the Botnet Works
Bot Receives a Message
Bot Decodes User Data
Checks for Bot Key
Performs Functionality
Mitigation
Users update their phones
That means they need the updates pushed out
That means you, third-party platforms!!
Android Storage
Sdcard
− VFAT
With apps
− Only visible to app (default)
− World readable
Demo
Exploiting bad storage practices
Demo Explained
Stores sensitive data on the sdcard
Sdcard is VFAT
Everything is world readable
Demo Explained
Discovers how the data is stored
Accesses it
Sends it to an attacker
Code Examples
Vulnerable Code
Malicious Code
BadSaveFile
BadSendFile
Wait? How do we get source code?
Winzip/7zip etc.
dex2jar
jd-gui
Whitepaper with more info: http://cdn01.exploit-db.com/wp-content/themes/exploit/docs/17717.pdf
Nonsensical Code
while (true)
{
if (i < 0);
String str;
while (true)
{
return;
try
{
Mitigation
Store information securely
− Not on sdcard
− Not in source code
− Not world readable
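A reviewer's check for the three storage mistakes listed above, as an added example that is not code from the slides: it scans Java source (for instance the output of the dex2jar and jd-gui steps mentioned earlier) and reports the line and rule for each hit. The rule names, the regexes and the sample source are constructed for illustration.

```python
import re

# One rule per item on the mitigation slide: sdcard, world readable, source code.
RULES = [
    ("external-storage", re.compile(
        r'getExternalStorageDirectory\s*\(|getExternalFilesDir\s*\(|"/(?:mnt/)?sdcard')),
    ("world-accessible", re.compile(r"\bMODE_WORLD_(?:READABLE|WRITEABLE)\b")),
    ("hardcoded-secret", re.compile(
        r'\b\w*(?:password|passwd|secret|api_?key|token)\w*\s*=\s*"[^"]+"', re.I)),
]

def strip_comment(line):
    """Drop a trailing // comment, leaving // inside string literals alone."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_string = not in_string
        elif not in_string and line.startswith("//", i):
            return line[:i]
    return line

def audit_source(java_source):
    """Return a list of (line_number, rule_id) findings."""
    findings = []
    for number, raw in enumerate(java_source.splitlines(), start=1):
        code = strip_comment(raw)
        for rule_id, pattern in RULES:
            if pattern.search(code):
                findings.append((number, rule_id))
    return findings

# Constructed sample, not the BadSaveFile code from the slides.
SAMPLE = '''\
String apiKey = "constructed-sample-value";
File dir = Environment.getExternalStorageDirectory();   // VFAT, no per-app permissions
FileOutputStream a = new FileOutputStream(new File(dir, "contacts.txt"));
FileOutputStream b = openFileOutput("notes.txt", Context.MODE_WORLD_READABLE);
FileOutputStream c = openFileOutput("notes.txt", Context.MODE_PRIVATE);
// old: new File("/sdcard/backup.txt")
'''

if __name__ == "__main__":
    for number, rule_id in audit_source(SAMPLE):
        print(f"line {number}: {rule_id}")
```

Only line 5 of the sample, which writes to app-private internal storage with `MODE_PRIVATE`, follows all three mitigations; the commented-out path on line 6 is ignored.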
Android Interfaces
Call other programs
Don't reinvent the wheel
Take a picture
Twitter from photo app
Demo
Exploiting open interface with SMS functionality
Demo Explained
When it is called it sends an SMS
Caller can set the number and message
Sadly this is considered useful!
Demo Explained
Calls the SMSBroadcastr
Sends number and message
Sends an SMS
Code Examples
Vulnerable Code
Malicious Code
SMSBroadcastr
SMSIntent
Mitigations
Don't have dangerous functionality available in interfaces
Require user interaction (click ok)
Require-permission tag in manifest for interface
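One way to check the last mitigation during an app review, as an added example that is not code from the slides: it parses a decoded AndroidManifest.xml and lists the components other apps can call without holding any permission, alongside the sensitive permissions the app itself holds. The package, component and custom permission names in the sample manifest are hypothetical, and the manifest is assumed to be already decoded to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions the demo app on the slides held (IMEI, contacts, SMS).
SENSITIVE = {"android.permission.READ_PHONE_STATE",
             "android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}

def audit_manifest(manifest_xml):
    """Return (sensitive permissions held, exported components with no permission)."""
    root = ET.fromstring(manifest_xml)
    held = sorted(p.get(ANDROID + "name") for p in root.iter("uses-permission")
                  if p.get(ANDROID + "name") in SENSITIVE)
    app = root.find("application")
    if app is None:
        return held, []
    app_permission = app.get(ANDROID + "permission")
    unguarded = []
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        exported = comp.get(ANDROID + "exported")
        if exported is None:
            # Before Android 12, an intent-filter made a component exported by default.
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported == "true" and not (comp.get(ANDROID + "permission") or app_permission):
            unguarded.append(comp.get(ANDROID + "name"))
    return held, unguarded

# Constructed manifest; package, component and permission names are hypothetical.
SAMPLE = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <permission android:name="com.example.constructed.SEND"
              android:protectionLevel="signature"/>
  <application>
    <receiver android:name=".OpenSmsReceiver">
      <intent-filter><action android:name="com.example.constructed.SEND_SMS"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedSmsReceiver"
              android:permission="com.example.constructed.SEND">
      <intent-filter><action android:name="com.example.constructed.SEND_SMS"/></intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

Launcher activities are exported by design and will appear in the list; the entries to review are those that reach functionality guarded by a permission the app holds, such as SMS sending.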