abusing web apis through scripted android applications
play

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL - PowerPoint PPT Presentation

Sep 19, 2022 •113 likes •879 views

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle Researcher Studying Malicious Messaging (Email/Social Networks/etc) Data/Trend Analysis in Security @ramblinpeck @barracudalabs Past Lives SCADA,

  1. ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS

  3. DANIEL PECK Barracuda Labs Principle Researcher Studying Malicious Messaging (Email/Social Networks/etc) Data/Trend Analysis in Security @ramblinpeck @barracudalabs Past Lives SCADA, Snort Jockey, Reverser (not so past?), Assessment Work

  4. SESSION ROADMAP Brief overview of android/dalvik vm Reversing an apk Disassembly and static analysis Dynamic Analysis Control/scripting for our own usage Do the dumb thing first and build on the work of smarter people.

  5. Hot social app that I want tospambe a part of Great web interface, great api once we have a few hundred thousand accounts, but protected

  6. SOLUTION People are too worried about “friction” to put many safeguard/throttling into mobile apps Create our own client that mimics mobile app for api purposes. Lets target android

  7. ASSUMPTIONS AND HOPES Twacebook has a well documented API thats protected using Oauth We'll probably need to extract some keys They probably use their own api for android app

  8. BUILD ON EXISTING TOOLS

  9. INTERCEPTING APP COMMUNICATIONS Need to MitM to be able to view tx/rx Proxydroid https://github.com/madeye/proxydroid (https://github.com/madeye/proxydroid) Run all/some of android traffic through our proxy SSL The developers at Twacebook aren't idiots

  11. Create and add a cert to your testing device Easy, and writeups all over so won't detail, basics for 2.x devices: $ adb pull /system/etc/security/cacerts.bks $ keytool … $ adb push cacerts.bks /system/etc/security Gotchas Make sure you have the right version of bouncycastle otherwise things break in not­fun ways Different/easier procedures on Android 4.0+ devices

  12. BURP PROXY Invisible proxying, generates cert on demand, but you have to provide hostname Look at dns requests/guess hostnames to tell burp to use for generated certs Done automatically in 1.4.12 release http://releases.portswigger.net/2012/08/v1412.html (http://releases.portswigger.net/2012/08/v1412.html)

  13. INTERCEPTED TRAFFIC POST /create_account HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 296 Accept-Encoding: gzip,deflate User-Agent: TwacebookAndroidApp(build 6294, v1.8.64) Host: mobileapi.twacebook.com Connection: Keep-Alive Cache-Control: no-cache auth_consumer_key=40iqOgCcXqfwwqoa02D7nQ oauth_nonce=0437A32D733151CABA3A06A12243CD0A oauth_signature_method=HMAC-SHA1 oauth_timestamp=1340141019 oauth_version=1.0 x_auth_mode=client_auth x_auth_password=f00bar%24

  14. x_auth_username=jimbo oauth_signature=v%2FVnCJrssg9D07Zdy%2F8dPSapv8s%3D

  15. OAUTH Consumers requests a consumer key and consumer secret from provider End users allow provider to grant a token and token secret to consumer to make requests on their behalf Signs requests (HMAC­SHA1 usually) with consumer secret & token secret

  16. MORE OAUTH Users don't have to give their password to third party apps Thats good Providers get to restrict apps accessing their api to only (honest) approved ones, essentially DRM Thats bad Designed and works well for server ← → server Thats good

  17. Used extensively for mobile/desktop apps Thats just everyone fooling themselves

  20. DISASSEMBLY AND DECOMPILATION Apktool http://code.google.com/p/android­apktool/ (http://code.google.com/p/android­apktool/) Decodes apks Nice wrapper for smali/baksmali In theory should allow for some nice debugging.. JD­GUI http://java.decompiler.free.fr/?q=jdgui (http://java.decompiler.free.fr/?q=jdgui) dex2jar first not compilable source, sometimes misleading, good for general idea

  21. ABOUT ANDROID Runs within a Dalvik application virtual machine

  22. DALVIK Register based machine Optimized for low memory environments Runs dex files Deduped Dalvik instruction set instead of standard JVM Smali bytecode

  24. SMALI class public final Lcd; super Ljava/lang/Object; # static fields .field public static final a:Lcd; .method constructor init ()V .locals 2 const/4 v1, 0x0 const/4 v0, 0x0 invoke-direct {p0, v1, v0, v1}, Lcd;- init (Laa;ILjava/lang/String;)V return-void .end method

  25. DECIPHERING SMALI Register based machine Parameters are stored in p0...pX Local registers v0...vY where Last X local registers are identical to paramer registers Registers store 32­bit values 64­bit values (J, long, and D, double primitives) are stored in 2 registers

  26. PRIMITIVES V void ­ can only be used for return types Z boolean B byte S short C char I int

  27. J long (64 bits) F float D double (64 bits) L objects. You'll see in the form of “Lpackage/name/ObjectName”

  28. FUNCTION DECLARATIONS method private static a ( Lorg/apache/http/client/methods/HttpRequestBase; Laa; J Ljava/lang/String; Ljava/lang/String; )Ljava/lang/String;

  29. FUNCTION DECLARATIONS method private static a #name and type ( Lorg/apache/http/client/methods/HttpRequestBase; #p0 Laa; #p1 J #p2 + #p3 Ljava/lang/String; #p4 Ljava/lang/String; #p5 )Ljava/lang/String; #return type

  30. OPCODES move­result vx return­object vx invoke­direct parameters , methodtocall invoke­static parameters , methodtocall …

  31. Many more, great reference: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html (http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html)

  33. BACK TO TARGETED CODE const-string p1, "OAuth realm=\"%s\", oauth_version=\"%s\", oauth_nonce=\"%s\", oauth_timestamp=\"%s\", oauth_signature=\"%s\", oauth_consumer_key=\"%s\", oauth_signature_method=\"%s\"" new-array p3, p3, [Ljava/lang/Object; … const/4 p2, 0x4 aput-object p0, p3, p2 const/4 p0, 0x5 aput-object p4, p3, p0 … invoke-static {p1, p3}, Ljava/lang/String;- >format(Ljava/lang/String; [Ljava/lang/Object;)Ljava/lang/String; move-result-object p0

  35. BACK TO TARGETED CODE const-string p1, "OAuth realm=\"%s\", oauth_version=\"%s\", oauth_nonce=\"%s\", oauth_timestamp=\"%s\", oauth_signature=\"%s\", oauth_consumer_key=\"%s\", oauth_signature_method=\"%s\"" new-array p3, p3, [Ljava/lang/Object; #create array … const/4 p2, 0x4 aput-object p0, p3, p2 #filling array const/4 p0, 0x5 aput-object p4, p3, p0 … invoke-static {p1, p3}, Ljava/lang/String;- >format(Ljava/lang/String; [Ljava/lang/Object;)Ljava/lang/String; #filling in string move-result-object p0

  36. invoke-static {p0, p5, v0}, Lcd;-> a( Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String; move-result-object p0

  37. invoke-virtual {v0, v1}, Ljava/lang/String;- >getBytes(Ljava/lang/String;)[B move-result-object v0 new-instance v1, Ljavax/crypto/spec/SecretKeySpec; const-string v2, "HmacSHA1" invoke-direct {v1, v0, v2}, Ljavax/crypto/spec/SecretKeySpec;-><init> ([BLjava/lang/String;)V invoke-static {v0}, Ljavax/crypto/Mac;- >getInstance(Ljava/lang/String;)Ljavax/crypto/Mac; ... invoke-virtual {v0, v1}, Ljavax/crypto/Mac;- >init(Ljava/security/Key;)V const-string v1, "UTF8" invoke-virtual {p0, v1}, Ljava/lang/String;- >getBytes(Ljava/lang/String;)[B move-result-object v1 invoke-virtual {v0, v1}, Ljavax/crypto/Mac;-

  38. >doFinal([B)[B move-result-object v0

  39. AND FROM JD­GUI private static String a(String paramString1, String paramString2, String paramString3) { if (paramString3 == null); while (true) { try { str1 = ""; SecretKeySpec localSecretKeySpec = new SecretKeySpec((ch.a(paramString2) + "&" + ch.a(str1)).getBytes("UTF8"), "HmacSHA1"); Mac localMac = Mac.getInstance("HmacSHA1"); localMac.init(localSecretKeySpec); String str3 = ch.a(new String(cc.a(localMac.doFinal(paramString1.getBytes("UTF8"))),

  40. "UTF8")); str2 = str3; return str2; } catch (InvalidKeyException localInvalidKeyException) { str2 = ""; continue; } catch (NoSuchAlgorithmException localNoSuchAlgorithmException) { str2 = ""; continue; } catch (UnsupportedEncodingException localUnsupportedEncodingException) { String str2 = ""; continue; } String str1 = paramString3;

  41. } }

  42. LOOK SIMILAR?

  43. AGAIN, DUMB THING FIRST Printf debugging const-string v2, "SECRETKEY , v0" invoke-static {v2, v0}, Landroid/util/Log;- >d(Ljava/lang/String;Ljava/lang/String;)I invoke-virtual {v0, v1}, Ljava/lang/String;- >getBytes(Ljava/lang/String;)[B move-result-object v0 new-instance v1, Ljavax/crypto/spec/SecretKeySpec; const-string v2, "HmacSHA1" invoke-direct {v1, v0, v2}, Ljavax/crypto/spec/SecretKeySpec;- init ([BLjava/lang/String;)V

  44. Rebuild the apk and run it $ apktool b twacebook.apk twacebook_new.apk

  45. EXAMING THE LOGS $ adb shell $ adb logcat … "SECRETKEY , v0 - I7PW5lgEkgMrqPOdxIj1o6llAbFdXHhVjFnvUsg1g"

  46. SUCESS?

  47. ERROR, INVALID SIGNATURE Sadness → Confusion → Realization Twacebook devs have been especially sneaky, passing the returned signatured to another method Custom hash/encoding? No clue but its ugly

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Proposal &amp; Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for

Proposal &amp; Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for

CS 528 Mobile and Ubiquitous Computing Lecture 6a: Other Android UbiComp Components, Tech Talk, Final Project Proposal &amp; Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for Mobile/ubicomp? Speaking to Android

887 views • 50 slides
Android For Game Developoers Ove verview Limited APIs Window Management Input

Android For Game Developoers Ove verview Limited APIs Window Management Input

Android For Game Developoers Ove verview Limited APIs Window Management Input File I/O Audio Graphics Define a e an n Android A App pplication Activities Services Content providers Intents

305 views • 9 slides
Android APIs 2.0, 2.1 &amp; 2.2 Whats new? Markus Junginger droidcon Berlin 27. Mai 2010

Android APIs 2.0, 2.1 &amp; 2.2 Whats new? Markus Junginger droidcon Berlin 27. Mai 2010

Android APIs 2.0, 2.1 &amp; 2.2 Whats new? Markus Junginger droidcon Berlin 27. Mai 2010 Outline Bluetooth Quick Contacts Multitouch Live Wallpaper External Storage Cloud-to-device service Data backup JIT &amp;

749 views • 34 slides
Pride and Prejudice in Progressive Web Apps : Abusing Native App-like Features in Web Applications

Pride and Prejudice in Progressive Web Apps : Abusing Native App-like Features in Web Applications

Pride and Prejudice in Progressive Web Apps : Abusing Native App-like Features in Web Applications Jiyeon Lee, Hayeon Kim, Junghwan Park, Insik Shin, Sooel Son School of Computing, Graduate School of Information Security 1 Limitations of Web

1.03k views • 57 slides
Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk

Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk

Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar SAPM Spring 2012: Scripted Components 1 Scripted Components: Problem (Cf. Reuse-Oriented Development; Sommerville 2004 Chapter 4, 18) A

495 views • 21 slides
Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk

Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk

Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar SEOC2 Spring 2005: Scripted Components 1 Scripted Components: Problem (Cf. Reuse-Oriented Development; Sommerville 2004 Chapter 4, 18) A

419 views • 19 slides
APPLICATIONS UDAY LINGALA CSCI 5448, Fall 2012 Content Introduction to Android system

APPLICATIONS UDAY LINGALA CSCI 5448, Fall 2012 Content Introduction to Android system

ANDROID AND ANDROID APPLICATIONS UDAY LINGALA CSCI 5448, Fall 2012 Content Introduction to Android system What is android? History Android Market Why Android Design philosophy System Architecture Features

802 views • 40 slides
The medium to enable AllJoyn applications to communicate via published APIs

The medium to enable AllJoyn applications to communicate via published APIs

Any questions please contact winhectpe@microsoft.com The medium to enable AllJoyn applications to communicate via published APIs Communication is via messages that map directly to APIs in high-level programming languages Based on

588 views • 30 slides
CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and

CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and

CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and Cool Location Aware Apps Emmanuel Agu Google Places Place: physical space that has a name (e.g. local businesses, points of interest,

690 views • 24 slides
CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

583 views • 31 slides
CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

1.49k views • 70 slides
SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger,

SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger,

S C I E N C E P A S S I O N T E C H N O L O G Y SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger, Stefan Mangard IAIK, Graz University of Technology, Austria WiSec 2018,

723 views • 17 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications Jinseong Jeon * ,

Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications Jinseong Jeon * ,

Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications Jinseong Jeon * , Kristopher K. Micinski * , Jeffrey A. Vaughan # , Ari Fogel + , Nikhilesh Reddy + , Jeffrey S. Foster * , and Todd Millstein + . * University of Maryland,

536 views • 26 slides
How Bad APIs Compromise Security Tale of a Frustrated Android Developer Dr. Georg Lukas

How Bad APIs Compromise Security Tale of a Frustrated Android Developer Dr. Georg Lukas

Java's SSLSocket: How Bad APIs Compromise Security Tale of a Frustrated Android Developer Dr. Georg Lukas &lt;lukas@rt-solutions.de&gt; About the Speaker IT Consultant at rt-solutions.de (ITSec, Smartphone Payment) Open Source developer

905 views • 32 slides
Validating a technique for post-hoc estimation of a listener's focus in music structure analysis

Validating a technique for post-hoc estimation of a listener's focus in music structure analysis

Validating a technique for post-hoc estimation of a listener's focus in music structure analysis Jordan B. L. Smith National Institute of Advanced Industrial Science and Technology (AIST), Japan Elaine Chew Queen Mary University of London

442 views • 30 slides
My ste tep p by ste tep p system stem th that t generates new client enquiries and

My ste tep p by ste tep p system stem th that t generates new client enquiries and

My ste tep p by ste tep p system stem th that t generates new client enquiries and without expensive advertising or having to sell or cold calling HOW TO ASK QUESTIONS HOW TO ASK QUESTIONS HOW TO ASK QUESTIONS HOW TO ASK

1.44k views • 78 slides
Issues Jonathan Flintoft, Baker &amp; McKenzie Rebecca Bedford, Minter Ellison 1 Introduction

Issues Jonathan Flintoft, Baker &amp; McKenzie Rebecca Bedford, Minter Ellison 1 Introduction

Social Media and Advertising Issues Jonathan Flintoft, Baker &amp; McKenzie Rebecca Bedford, Minter Ellison 1 Introduction 1. Contractual issues Addressing social media advertising in the franchise agreement Impact of permitting

843 views • 39 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 &gt; L2 ) network at network at security

1.07k views • 67 slides
[Baba] Brinkman, a burly Canadian from Vancouver, is a latter-day wandering minstrel, a

[Baba] Brinkman, a burly Canadian from Vancouver, is a latter-day wandering minstrel, a

Ten years from now our students should ... Ethan Bolker 1 National Numeracy Network New York October 13, 2012 Sample problems from Common Sense Mathematics ( http://www.cs.umb.edu/eb/qrbook/ qrbook.pdf . Course home page:

191 views • 8 slides
del.icio.us Analysis What is del.icio.us? social bookmarking web service a user can

del.icio.us Analysis What is del.icio.us? social bookmarking web service a user can

del.icio.us Analysis What is del.icio.us? social bookmarking web service a user can store his links share his links discover new links How does it work? Install del.icio.us buttons into your browser Whenever you find

528 views • 27 slides
Fake News and FactChecking Workshop Peter Gallert Goethe Institut Windhoek 24 January 2020

Fake News and FactChecking Workshop Peter Gallert Goethe Institut Windhoek 24 January 2020

Fake News and FactChecking Workshop Peter Gallert Goethe Institut Windhoek 24 January 2020 Peter Gallert (Goethe) Fake News and FactChecking 24 January 2020 1 / 30 Workshop Outline Participants Introduction 1 Topic Introduction

971 views • 51 slides
Defining Category Management? The strategic management of product groups through trade

Defining Category Management? The strategic management of product groups through trade

Defining Category Management? The strategic management of product groups through trade partnerships which aims to maximise sales and profit by satisfying consumer and shopper needs. Institute of Grocery Distribution ~IGD Category management is

409 views • 9 slides

More recommend