TRANSCRIPT
Page 1
Extracting All Your Secrets: Vulnerabilities in Android Password Managers
Stephan Huber, Siegfried Rasthofer
Fraunhofer SIT

Page 2
Stephan
• Mobile Security Researcher at Fraunhofer SIT
• Enjoys teaching students in Android (app) hacking
• Twitter: @teamsik
Siegfried
• Malware and Vulnerability Researcher at Fraunhofer SIT
• Founder of CodeInspect
• Web: www.rasthofer.info
• Twitter: @teamsik

Page 3
Acknowledgements
• Benedikt Hiemenz
• Daniel Hitzel
• Daniel Magin
• Joseph Varghese
• Julien Hachenberger
• Max Kolhagen
• Michael Tröger
• Philipp Roskosch
• Wittmann Andreas

Page 4
90 Accounts*
* https://thycotic.com

Page 5
[Figure: ways of coping with that many accounts: public key crypto, biometrics, a password manager, pictures, a notebook, ...]

Page 6
Password Manager
Source: https://www.getkeepsafe.com/about.html

Page 8
App              Google Play downloads
Keeper           10 – 50 m
Keepsafe         10 – 50 m
1Password        1 – 5 m
Dashlane         1 – 5 m
Lastpass         1 – 5 m
Avast            0.5 – 1 m
MyPasswords      0.5 – 1 m
F-Secure         100 – 500 k
PasswordManager  50 – 100 k

Page 9
Password Manager
• Autofill
• Secure Synchronization
• Confidential Password Storage
• Custom Browser
• Comfort Feature (PIN login)

Page 10
[Figure: architecture of a password manager app. The PW-Manager app keeps the credential database (user1:pw1, user2:pw2, ...) on the device; the master password is held either in the Account Manager or in a file; the app exchanges data with other apps on the device, with the Internet and with a PC.]

Page 11
[Figure: the same architecture diagram, annotated "No-root scenario": the attacks that follow assume no root access on the device.]

Page 12
[Figure: the same architecture diagram again.]

Page 13
Two ways of getting a credential into a login form:
Manual Filling
Automatic Filling

Page 14
Manual Filling
[Figure: the password manager lists the accounts (user, user1, user2, user3, passwords masked); the user copies one credential to the clipboard and pastes it into the login form at http://twitter.com/login.]

Page 15
Manual Filling - Attack
[Figure: the password manager puts user:pass on the clipboard; a clipboard "sniffer" app, which needs no permissions at all, and any other receiver app read the same user:pass.]

Page 16
Automatic Filling
[Figure: the password manager holds the accounts (user, user1, user2, user3); a login form shows user1 and a masked password field; the "?" marks the open question of which credential belongs in this form.]

Page 17
Accessibility Services
Source: https://developer.android.com
"An accessibility service is an application that provides user interface enhancements to assist users with disabilities, or who may temporarily be unable to fully interact with a device. For example, users who are driving, taking care of a young child or attending a very loud party might need additional or alternative interface feedback."

Page 18
Automatic Filling
[Figure: the password manager has to decide which credential to fill into the Twitter app (com.twitter.android); the "?" marks that decision.]

Page 19
Automatic Filling
[Figure: the password manager fills the credential into the Twitter app (com.twitter.android).]

Page 20
Automatic Filling - Attack
[Figure: the manager identifies the requesting app by a package-name prefix, com.twitter (found by reverse engineering); an attacker app named com.twitter.twitterleak matches that prefix, so the manager finds its textPassword field and injects the Twitter credentials into the attacker's app.]

Page 21
DEMO TIME!

Page 22
[Figure: the architecture diagram, now highlighting the local storage (the file holding the master password and the credential database) and the PC.]

Page 23
Use Backup Function
adb backup com.fsecure.key
tar -xvf mybackup.tar *
cat KeyStorage.xml
<string name="master_password">secretpass</string>
* https://github.com/nelenkov/android-backup-extractor (converts the adb backup archive to tar)
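A defensive counterpart to the backup extraction above, added here as an example and not part of the slides or of the F-Secure app: a checker for a decoded AndroidManifest.xml (the text form apktool produces) that reports whether adb backup can export the app's private files, which is what made KeyStorage.xml reachable. The class name BackupPolicyCheck and the two embedded sample manifests are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class BackupPolicyCheck {
    private static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Parses a decoded (text) manifest and returns one finding per problem; an empty
    // list means adb backup cannot carry off files such as shared_prefs/KeyStorage.xml.
    public static List<String> check(String manifestXml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // A manifest never needs DTDs or external entities; refusing them rules out XXE
        // when the checker is pointed at a manifest taken from an untrusted APK.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(manifestXml)));

        List<String> findings = new ArrayList<>();
        NodeList apps = doc.getElementsByTagName("application");
        if (apps.getLength() == 0) {
            findings.add("no <application> element");
            return findings;
        }
        Element app = (Element) apps.item(0);

        // android:allowBackup defaults to true when it is not declared at all.
        String allowBackup = app.getAttributeNS(ANDROID_NS, "allowBackup");
        boolean backupEnabled = allowBackup.isEmpty() || Boolean.parseBoolean(allowBackup);
        if (backupEnabled) {
            findings.add("android:allowBackup="
                    + (allowBackup.isEmpty() ? "<absent, defaults to true>" : allowBackup)
                    + ": adb backup can export the app's private files");
            // With backup on, a rules file is the only thing keeping shared_prefs out of the archive.
            if (app.getAttributeNS(ANDROID_NS, "fullBackupContent").isEmpty()) {
                findings.add("no android:fullBackupContent rules: shared_prefs/*.xml is included");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a manifest that leaves backup at its default.
        String weak = "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\""
                + " package=\"com.example.pwmanager\">"
                + "<application android:label=\"Example vault\"/></manifest>";
        // Constructed sample: the same manifest with backup switched off.
        String hardened = "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\""
                + " package=\"com.example.pwmanager\">"
                + "<application android:label=\"Example vault\" android:allowBackup=\"false\"/></manifest>";
        System.out.println("weak:     " + check(weak));
        System.out.println("hardened: " + check(hardened));
    }
}
```

Point it at the manifest of a decoded APK before release. Disabling backup closes the channel the slide uses; storing the master password in plaintext in shared preferences is the second problem on this slide, and the manifest check does nothing about that one. On Android 12 and later, adb backup no longer includes app data for non-debuggable apps, but android:allowBackup="false" remains the setting to verify for the device versions this talk covers.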

Page 24
[Figure: the architecture diagram, highlighting the file holding the master password and the credential database inside the app.]

Page 25
[Figure: an API accessing browser elements hands credentials to the PW manager.]

Page 26
[Figure: the same diagram: an API accessing browser elements, credentials, PW manager.]

Page 27
Custom Browser
[Figure: the password manager's custom browser opens http://twitter.com/login and autofills user1 with its masked password from the account list.]

Page 28
Custom Browser
[Figure: the custom browser at http://twitter.com/login runs inside the password manager and can reach the app's local app folder.]

Page 29
Details about the Browser
• Browser is part of the app
• Running in the same process, part of the sandbox
• Based on WebView API
• Supports file:// URI *
* until Android 6

Page 30
NOT A COOKIE, CREDENTIALS!

Page 31
file:///data/data/package.name/shared_prefs/passwords_pref.xml
md5("pincodeValue") *
base64(encr(key, PIN))
* obfuscated attribute values (for this example)
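What "supports file:// URI" means in WebView configuration terms, as an added example that is not code from the slides or from any of the tested apps: the weak settings that let a page rendered in the manager's own browser point it at the app's shared_prefs, next to a hardened variant that closes file:// and content:// for top-level navigations and for subresources alike. Class and method names are my own; the hardened client uses the WebResourceRequest overloads, which assumes API level 24 or higher.

```java
import java.io.ByteArrayInputStream;
import android.net.Uri;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class EmbeddedBrowserConfig {

    // The weak configuration: file:// navigation and file-to-file access are open, so a page
    // shown in the manager's browser can load file:///data/data/<package>/shared_prefs/... ,
    // which lives in the same sandbox as the browser.
    static void configureWeak(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);
        s.setAllowFileAccessFromFileURLs(true);
        s.setAllowUniversalAccessFromFileURLs(true);
    }

    // The hardened configuration: no file:// or content:// at all, and an allow-list of
    // schemes enforced for navigations and for every subresource a page pulls in.
    static void configureHardened(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setAllowFileAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setAllowContentAccess(false);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation.
                return !isAllowedUrl(request.getUrl());
            }

            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
                // Iframes, scripts and images do not go through shouldOverrideUrlLoading,
                // so a disallowed scheme is answered with an empty response here.
                if (isAllowedUrl(request.getUrl())) {
                    return null; // null = let the WebView fetch it normally
                }
                return new WebResourceResponse("text/plain", "utf-8",
                        new ByteArrayInputStream(new byte[0]));
            }
        });
    }

    // A browser whose only job is logging in to web sites needs web origins and nothing else.
    static boolean isAllowedUrl(Uri uri) {
        if (uri == null) {
            return false;
        }
        String scheme = uri.getScheme();
        return "https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme);
    }
}
```

Neither callback sees URLs the app itself passes to loadUrl(), so the app must never build that argument from page-controlled input. The platform defaults moved in this direction later: setAllowFileAccessFromFileURLs and setAllowUniversalAccessFromFileURLs default to false since API 16, and setAllowFileAccess defaults to false since API 30, which matches the slide's "until Android 6" footnote for the apps examined here.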

Page 33
Let's Look into the App Code
    public abstract class LPCommon {
        // first part of the key
        protected static String aA = "ldT52Fjsnjdn4390";
        // second part of the key
        protected static String aB = "89y23489h989fFFF";
        // ...
    }
AES-Key: ldT52Fjsnjdn439089y23489h989fFFF

Page 34
[Figure: the architecture diagram, highlighting the master password stored in the Account Manager.]

Page 35
Android AccountManager
• "This class provides access to a centralized registry for the user's online accounts ..."
• SQLite database for storing tokens or temporary credentials
• API provides access for applications
/data/system/users/0 # ls -l accounts.db
-rw-rw---- system system 241664 2017-04-03 10:58 accounts.db

Page 36
Quote from the Google developer documentation (AccountManager):
"With this in mind, you shouldn't pass the user's actual password to AccountManager.addAccountExplicitly(). Instead, you should store a cryptographically secure token that would be of limited use to an attacker.
If your user credentials are protecting something valuable, you should carefully consider doing something similar."
https://developer.android.com/training/id-auth/custom_auth.html

Page 37
DEMO TIME!

Page 38
[Figure: the AccountManager is part of the system and keeps its data in accounts.db.]

Page 39
[Figure: the target app (com.dashlane) stores email:passwd in the AccountManager under its own account type, com.dashlane.]

Page 40
[Figure: accounts.db now holds email:passwd under account type com.dashlane, bound to the target app's UID 123.]

Page 41
[Figure: an attacker app registers the same account type, com.dashlane, and stores mail1:pass1 under it, next to the target app's entry email:passwd (UID 123).]
* https://thenounproject.com/term/grab/121228/ (hand icon)

Page 42
[Figure: two apps, UID 123 and UID 456, now have entries under the same account type com.dashlane: COLLISION!]

Page 43
[Figure: in accounts.db the attacker app's entry of type com.dashlane (mail1:pass1) sits beside the target app's email:passwd.]

Page 44
Read Account Data
[Figure: the attacker app (UID 456) asks the AccountManager for the accounts of type com.dashlane and receives email:passwd.]

Page 45
Writing into AccountManager (registering the colliding account type):
    try {
        Account account = new Account("[email protected]", "com.dashlane");
        AccountManager acmanager = AccountManager.get(getApplicationContext());
        // requires permission android.permission.AUTHENTICATE_ACCOUNTS
        acmanager.addAccountExplicitly(account, "DUMMY", null);
    } catch (Exception e) { // catch collision
        Log.e(TAG, "Acc Exception " + e.getMessage());
    }
Reading from AccountManager:
    try {
        AccountManager acmgr = AccountManager.get(getApplicationContext());
        Account[] accounts = acmgr.getAccountsByType("com.dashlane");
        for (Account a : accounts) {
            String password = AccountManager.get(getApplicationContext()).getPassword(a);
            …
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
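The same AccountManager API used the way the Google guidance quoted on page 36 asks, as an added example that is not code from the slides or from any of the tested apps: the master password never enters accounts.db, a random session token goes there instead, and a startup check tells the app which package the system binds to its account type, so the collision shown on pages 41 to 44 is at least noticed. The account type com.example.pwmanager, the token type and the class name are placeholders.

```java
import java.security.SecureRandom;
import android.accounts.Account;
import android.accounts.AccountManager;
import android.accounts.AuthenticatorDescription;
import android.content.Context;
import android.util.Base64;

public final class VaultAccount {
    // Placeholder account type. Whatever is stored under it is readable by the app the
    // system treats as the authenticator for this type, which is the whole collision problem.
    static final String ACCOUNT_TYPE = "com.example.pwmanager";
    static final String TOKEN_TYPE = "session";

    // What the vulnerable apps did: the master password itself becomes the account's password.
    static void registerWeak(Context ctx, String email, String masterPassword) {
        AccountManager am = AccountManager.get(ctx);
        am.addAccountExplicitly(new Account(email, ACCOUNT_TYPE), masterPassword, null);
    }

    // Hardened: no password in the registry at all. A random, server-revocable session token
    // is stored instead; that token is the most a colliding authenticator could ever read,
    // and it can be invalidated without the user changing the master password.
    static String registerHardened(Context ctx, String email) {
        AccountManager am = AccountManager.get(ctx);
        Account account = new Account(email, ACCOUNT_TYPE);
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String token = Base64.encodeToString(raw, Base64.NO_WRAP);
        am.addAccountExplicitly(account, null, null);
        am.setAuthToken(account, TOKEN_TYPE, token);
        return token;
    }

    // Which package does the system associate with our account type? If it is not this app,
    // another authenticator has claimed the type.
    static String authenticatorOwner(Context ctx) {
        AccountManager am = AccountManager.get(ctx);
        for (AuthenticatorDescription d : am.getAuthenticatorTypes()) {
            if (ACCOUNT_TYPE.equals(d.type)) {
                return d.packageName;
            }
        }
        return null;
    }

    static boolean accountTypeIsOurs(Context ctx) {
        return ctx.getPackageName().equals(authenticatorOwner(ctx));
    }
}
```

The ownership check is a detection, not a fix: an app that finds accountTypeIsOurs() false should refuse to write anything to the AccountManager and tell the user, but the protection comes from registerHardened() never putting a secret there that is worth more than one revocable session. Key material derived from the master password belongs in the Android KeyStore, as page 47 says, not in accounts.db.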

Page 46
Further Fails
• Custom crypto algorithm
• AES in ECB mode for database encryption
• Bundled browser does not consider subdomains in form fields
• Data leakage in browser
• Custom transport security
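The prefix-matching failure on page 20 (com.twitter matching com.twitter.twitterleak) and the subdomain failure in the list above are the same bug: the manager decides who receives a credential with a looser comparison than the identity it should be comparing. As an added example, not code from the slides or from any product, here are the exact matches a manager should make, with constructed inputs mirroring the slides; class and method names are my own.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class AutofillMatcher {

    // What the vulnerable manager effectively did for apps: a package-name prefix check.
    static boolean appMatchesByPrefix(String storedPackage, String requestingPackage) {
        return requestingPackage.startsWith(storedPackage);
    }

    // Exact package-name match: on one device a package name identifies exactly one app.
    static boolean appMatchesExactly(String storedPackage, String requestingPackage) {
        return storedPackage.equals(requestingPackage);
    }

    // Web forms: fill only when the page's scheme, host and port equal the stored origin.
    // Subdomains are different origins on purpose; "twitter.com.evil.example" and
    // "login.twitter.com" both fail against a credential stored for "twitter.com".
    static boolean originMatches(String storedUrl, String pageUrl) {
        URI stored;
        URI page;
        try {
            stored = new URI(storedUrl);
            page = new URI(pageUrl);
        } catch (URISyntaxException e) {
            return false;
        }
        if (!"https".equalsIgnoreCase(page.getScheme())) {
            return false; // never hand a credential to a plaintext page
        }
        String storedHost = stored.getHost();
        String pageHost = page.getHost();
        if (storedHost == null || pageHost == null) {
            return false;
        }
        return storedHost.equalsIgnoreCase(pageHost)
                && "https".equalsIgnoreCase(stored.getScheme())
                && effectivePort(stored) == effectivePort(page);
    }

    private static int effectivePort(URI u) {
        return u.getPort() == -1 ? 443 : u.getPort();
    }

    public static void main(String[] args) {
        // Constructed inputs: the attacker package from page 20 against the prefix and the exact check.
        System.out.println("prefix check accepts com.twitter.twitterleak: "
                + appMatchesByPrefix("com.twitter", "com.twitter.twitterleak"));
        System.out.println("exact check accepts com.twitter.twitterleak: "
                + appMatchesExactly("com.twitter.android", "com.twitter.twitterleak"));
        // Constructed inputs: the same stored origin against the real page, a look-alike host and a subdomain.
        System.out.println("same origin: "
                + originMatches("https://twitter.com/login", "https://twitter.com/login"));
        System.out.println("look-alike host: "
                + originMatches("https://twitter.com/login", "https://twitter.com.evil.example/login"));
        System.out.println("subdomain: "
                + originMatches("https://twitter.com/login", "https://login.twitter.com/"));
    }
}
```

Exact host comparison is the conservative choice; a manager that wants login.example.com and www.example.com to share a credential has to compare registrable domains with a public suffix list rather than with substring or suffix tests, and the error on the slides is precisely that kind of loose test.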

Page 47
Improvements
• Use the Android KeyStore (AES key support since Android 6)
• Use a key derivation function (e.g. the PBKDF2 API, Facebook Conceal)
• NO hardcoded keys
• Use AES/CBC or AES/GCM
• Do not abuse the AccountManager
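An added example (not the slides' code, nor any product's) that sets two items of this list, "NO hardcoded keys" and "Use AES/CBC or AES/GCM", against the LPCommon snippet on page 33 and the "AES in ECB mode" item on page 46: the hardcoded key with AES/ECB, under which equal records give equal ciphertext blocks, next to a PBKDF2-derived key with AES/GCM and a fresh salt and nonce per encryption. This is portable JCE code; on Android 6 or later the derived key would be kept in the Android KeyStore instead, as the first item says. PBKDF2WithHmacSHA256 assumes Android 8 (API 26) or a desktop JDK, and the iteration count, class name and sample record are my own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public final class VaultCrypto {
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int SALT_BYTES = 16;
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    // Weak: the key ships inside the APK, and ECB maps equal plaintext blocks to equal
    // ciphertext blocks, so the structure of the database shows through the encryption.
    static byte[] encryptWeak(byte[] plaintext, byte[] hardcodedKey) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(hardcodedKey, "AES"));
        return c.doFinal(plaintext);
    }

    // The key exists only while the user has typed the master password; nothing to find in the APK.
    static SecretKey deriveKey(char[] masterPassword, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(masterPassword, salt, PBKDF2_ITERATIONS, 256);
        byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return new SecretKeySpec(keyBytes, "AES");
    }

    // Output layout: salt || iv || ciphertext+tag. Salt and IV are public; both are random per call.
    static byte[] encryptHardened(byte[] plaintext, char[] masterPassword) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(masterPassword, salt), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[SALT_BYTES + GCM_IV_BYTES + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_BYTES);
        System.arraycopy(iv, 0, out, SALT_BYTES, GCM_IV_BYTES);
        System.arraycopy(ct, 0, out, SALT_BYTES + GCM_IV_BYTES, ct.length);
        return out;
    }

    // Throws AEADBadTagException when the blob was tampered with or the password is wrong.
    static byte[] decryptHardened(byte[] blob, char[] masterPassword) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(blob, SALT_BYTES, SALT_BYTES + GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, SALT_BYTES + GCM_IV_BYTES, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(masterPassword, salt), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        // The 32-byte key assembled from aA and aB on page 33.
        byte[] hardcodedKey = "ldT52Fjsnjdn439089y23489h989fFFF".getBytes(StandardCharsets.US_ASCII);
        // Constructed record of exactly one AES block, stored twice, as two identical entries would be.
        byte[] record = "user1:pw1_______".getBytes(StandardCharsets.US_ASCII);
        byte[] twoRecords = new byte[32];
        System.arraycopy(record, 0, twoRecords, 0, 16);
        System.arraycopy(record, 0, twoRecords, 16, 16);

        byte[] ecb = encryptWeak(twoRecords, hardcodedKey);
        boolean blocksRepeat = Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32));
        System.out.println("ECB: identical records give identical ciphertext blocks: " + blocksRepeat);

        char[] master = "correct horse battery staple".toCharArray();
        byte[] blob1 = encryptHardened(twoRecords, master);
        byte[] blob2 = encryptHardened(twoRecords, master);
        System.out.println("GCM: two encryptions of the same data differ: " + !Arrays.equals(blob1, blob2));
        System.out.println("GCM: round trip intact: " + Arrays.equals(twoRecords, decryptHardened(blob1, master)));
        Arrays.fill(master, '\0'); // wipe the master password once the key has been derived
    }
}
```

The GCM tag is what turns "Use AES/GCM" into more than a mode choice: a modified database, or one re-encrypted under a guessed key, fails to decrypt instead of producing silently wrong records. Deriving a fresh key per blob from a random salt also removes the single static key that the hardcoded aA/aB strings represented.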

Page 48
Findings across the ten apps tested (Keeper, Lastpass, 1Password, MyPasswords, Avast, F-Secure, Keepsafe, PwMgr, MyPass, Dashlane; the per-app marks are not legible in this transcript, only the totals):
Finding             Apps affected
Master/PIN          8
Hardcoded key       4
Sandbox bypass      5
Side channel        5
Subdomain           6
Data leakage        3
Partial encryption  1
Broken sync.        1
www.sit4.me/pw-manager

Page 49
Summary
• We showed several non-root attacks on Android password managers
• Convenience functions weaken or destroy security
• All findings were reported and fixed

Page 50
Stephan Huber, Email: [email protected]
Dr. Siegfried Rasthofer, Email: [email protected]
Twitter: @teamsik
Website: www.team-sik.org