Having fun with secure messengers and Android Wear (and Android Auto)
Artem Chaykin
Positive Technologies
CanSecWest’16
Who am I?
• Russian hacker / Putin’s agent
• Mobile application security team lead
• SCADA Strangelove Team
• RDot.Org team member
Android IPC basics
• Private memory for each process
• Data is passed through kernel module – Binder
• Intent-based
Intents
• Intent is an object
• App1 can send intents to exported components of App2
Intent fields (diagram): package name, component name, action, data
Android IPC basics (diagram labels: Binder, App1, App2, AppN)
Android IPC basics (diagram labels: App1, Binder, IActivityManager, App2)
Example 0x1: MobiDM
PendingIntent
(diagram labels: Intent, Identity, Permissions)
• getActivity()
• getService()
• getBroadcast()
PendingIntent (diagram labels: App1, App2, pIntent)
PendingIntent
• AlarmManager
• NotificationManager
• Identity confirmation
Example 0x2 – PendingIntent hijacking
• 3rd party push services
• Identity confirmation
Victims:
Example 0x2 – Victim:
• Exploit:
Android Wear & Android Auto
• RemoteInput class is based on PendingIntent
Android Wear & Android Auto
Voice reply
Example 0x3: Spam Victim:
• Bug:
Example 0x3: Spam Victim:
• Exploit:
Example 0x3: Spam Victim:
• Result:
Example 0x3: Spam
• Victims:
Example 0x3: Intercepting Victim:
• Bug:
Example 0x3: Intercepting Victim:
• Exploit:
Example 0x3: Intercepting
• Android Auto victims:
• Android Wear victims:
Detecting with Xposed module
Fixes
• Signal – emailed Moxie – fixed same day – got “thanks”
• Telegram – emailed security@ – partial fix after ~45 days – still no thanks
Microsoft
Fin! Questions?