bypassing android
play

Bypassing Android Password Manager Apps Without Root Stephan - PowerPoint PPT Presentation

Aug 24, 2023 •348 likes •948 views

Bypassing Android Password Manager Apps Without Root Stephan Huber, Siegfried Rasthofer, Steven Arzt Fraunhofer SIT 2 Stephan Siegfried Mobile Security Researcher at Head of Department Secure Fraunhofer SIT Software Engineering

  1. Bypassing Android Password Manager Apps Without Root Stephan Huber, Siegfried Rasthofer, Steven Arzt Fraunhofer SIT

  2. 2

  3. Stephan Siegfried • • Mobile Security Researcher at Head of Department Secure Fraunhofer SIT Software Engineering at Fraunhofer SIT • Enjoys teaching students in • Founder of CodeInspect Android (app) hacking • Web: www.rasthofer.info • Twitter: @teamsik • Twitter: @teamsik 3

  4. Acknowledgements • Benedikt Hiemenz • Daniel Hitzel • Daniel Magin • Joseph Varghese • Julien Hachenberger • Max Kolhagen • Michael Tröger • Philipp Roskosch • Wittmann Andreas 4

  5. 5

  6. Wish aim=e1Ioci Ohyoh>wae0 kei7Gae$si bei3coo<Li ooB,iu9AhN Phei0IeHa' uhu;j5ohTi Phi,Phu3di Moo0ooz"oh we(u,t0Zas quucoo<d2I Pae?gh<ie3 loh;Bah4ei Wa[el~oh9i ooh!ee7Aik AX1aeSh>ai eGah+K5iuM yae$V4leex ohjiu_Hei6 fee'Cho5Oo jahK3Ad+ai oH)eewaec0 KiG&ee4ahy ujohj%ie1J wae,Gei6mu uSh=i2ahng ainai]Le2i Ieb~o5fohF ohN\ah1gae Dooch\ei7i ich]a're1U aiToh5cee= eiZ2thaip; ni"W3oom?i oi(Sh7vie) gu}i8Tohco il@ah@ve9U cie"tae8Eo Au&S3aigae eir0ieHo)c ohch/ah6Ii Bie*t9xie" ukieTh6fu[ ie*vieZai9 ohwu(v0eeY ua&ghi7aeR em?ohG?oi3 phu$L^ah4p ieX&i2shei aiZie%l7Oo ood8Pe<emo faiGh[ie0i OPho9sie>n phie9Ib(ie beiMei[r7a Nagh(aid0U AhTee:tah5 oY"a5pheib ohthe1Na.e eria9Ahn>u eid8Ohso!o Uv4ia6Gu`o Aeli1li$i& Toth^ai8ph Euso6eu$ja vie8Ieh?ai leec4aeZ/o Eele+ph2na yai=b!a5Oo Wefoh&m4oh Vo-oX9ka0v ei9eenuN<a Eit}ae4ohF heRie.J6Bo OoZ-ue9mai zait8coo]N yoh9Oopoh$ xoh%C:ahk6 Zi]opu4eiB eGh>ih2oPh noo7Ish'ie Uaz6she|Zu oo0aiP*ee2 coh=Puo1Ve roo9Kee-th ra@c3Ce7sh mabi6Malo[ auw1Eu\kie eiVoo,Kuu5 aiW\oo5phu Oos_abir7U 6

  7. Reality Password-Recycling Note Single Sign On Password-Manager 7

  8. App GooglePlay Downloads Keeper 10 – 50 m Keepsafe 10 – 50 m 1Password 1 – 5 m Dashlane 1 – 5 m Lastpass 1 – 5 m Avast 0.5 – 1 m MyPasswords 0.5 – 1 m F-Secure 100 – 500 k PasswordManger 50 – 100 k 26 Vulnerabilities 8

  9. • Premium features for free • Resetting master password with ease • Breaking C.I.A without ROOT • Lost device scenario • Mitm attack • Via third party app 9

  10. Premium upgrade for free ! 11

  11. 12

  12. Intent Communication (IPC) App 1 App 2 PC Android 13

  13. class DatabaseSettings { protected static boolean PAID = false; protected void onCreate(Bundle bundle) { … if (getIntent().getIntExtra("PAID-STATUS", 0) == 2){ PAID = true; } … } public void onActivityCreated(Bundle bundle) { … checkBoxForBackup.setEnabled( PAID ); … } } adb shell am start -n <package- name>/.DatabaseSettings – ei PAID-STATUS 2 PC Android 14

  14. Resetting Master Password 15

  15. Common Password Reset Process YES Verification Forgot Password Correct ? Code via Email YES USER Security Question Lost-Device Scenario Correct ? YES Reset Master Password 16

  16. Manifest: <activity android:theme="@*android:style/Theme.NoDisplay" android:label="@afk/app_name" android:name=" com.xyz.android_apps.noname.DeepLinkActivity "> <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="https" android:host="xyz.com" android:pathPattern="/.*st.*" /> </intent-filter> </activity> Start Activity: adb shell am start -n com.xyz.android_apps.noname/.Dee pLinkActivity 17

  17. 18

  18. Common Password Reset Process YES Verification Forgot Password Correct ? Code via Email YES USER Security Question Correct ? YES Reset Master Password 19

  19. Get Master Secret 26

  20. Master Secret 1 2 Extraction process Decryption process • ADB-backup • Plaintext • Mitm attack • Custom crypto • Browser file access • Hardcoded symmetric keys • Residue attack • Custom obfuscation 28

  21. Master Secret 1 2 Extraction process Decryption process • Mitm attack • Custom crypto 29

  22. User Authentication HTTP + Custom Crypto username:password success 30

  23. Authentication Process dec_data = AES(key, auth_data) key = random(seed) seed = time[ms] seed = time[ms] key = random(seed) ? enc_data = AES ( key , auth_data) http – POST - request Header: encrypted payload Body: enc_data 31

  24. Authentication Process dec_data = AES(key, auth_data) key = random(seed) dec_data = AES( key , auth_data) seed = time[ms] key = random(seed) seed = time[ms] key = random(seed) seed = time[ms] enc_data = AES(key, auth_data) http - POST 32

  25. Best Practices: Secure Communication • Android, correct SSL/TLS* URL url = new URL(" https:// example.org"); URLConnection urlConnection = url.openConnection(); InputStream in = urlConnection.getInputStream(); … • Stronger, SSL/TLS (Pinning) • Android 7 supports pinning (security configuration file) • Use library with pinning support, e.g. OkHttp library (take care of version) *https://developer.android.com/training/articles/security-ssl.html 33

  26. Master Secret 1 Extraction process • Browser file access 34

  27. API accessing browser elements Pw Manager credentials 35

  28. Inject 36

  29. password manager process file:///data/data/package.name/shared_prefs/passwd_pref.xml base64(encr(key, PASS)) 37

  30. Master Secret 1 Extraction process • Residue attack 38

  31. THE ACCOUNTMANAGER THE WHAT ? 39

  32. Android AccountManger • “This class provides access to a centralized registry for the user‘s online accounts …“ • SQLITE Database for storing tokens or temp. Credentials • API provides access for Application /data/system/users/0 # ls -l accounts.db -rw-rw---- system system 241664 2017-04-03 10:58 accounts.db 40

  33. “ With this in mind, you shouldn't pass the user's actual password to AccountManager.addAccountExplicitly(). Instead, you should store a cryptographically secure token that would be of limited use to an attacker. If your user credentials are protecting something valuable, you should carefully consider doing something similar.” Quote google developer (AccountManager) https://developer.android.com/training/id-auth/custom_auth.html 41

  34. DEMO TIME ! DEMO TIME ! 42

  35. AccountManager ID email type token accounts.db 43

  36. Target App com.account account type email@mail.com secret AccountManager ID email type token accounts.db 44

  37. Target App installation com.account account type email@mail.com secret AccountManager UID = 123 ID email type token accounts.db 1 email@mail.com com.account secret 45

  38. Attacker App installation com.account account type mail1@ma1.com stuff AccountManager UID = 456 ID email type token accounts.db 1 email@mail.com com.account secret 46

  39. AccountManager COLLISION ! UID:123 � UID:456 UID = 456 ID email type token accounts.db 1 email@mail.com com.account secret 47

  40. uninstall target app com.account AccountManager COLLISION ! UID:123 � UID:456 UID = 456 ID email type token accounts.db 1 email@mail.com com.account secret 48

  41. com.account AccountManager Not removed, there is an app with matching account type ID email type token accounts.db 1 email@mail.com com.account secret 49

  42. com.account Attacker app can now access the secret ! AccountManager ID email type token accounts.db 1 email@mail.com com.account secret 50

  43. Master Secret 2 Decryption process • Hardcoded symmetric keys • Custom obfuscation 51

  44. Crypto – Do it right Kerckhoffs's principle “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” * *JOURNAL DES SCIENCES MILITAIRES. Janvier 1883. LA CRYPTOGRAPHIE MILITAIRE. 52

  45. Correct encryption Lsdh3ji a32er4o er3owe2 daerw23 master secret (password) cipher-text encryption or key derivation function decryption (e.g. PBKDF2) 53

  46. Bad Crypto static key = s data d Lsdh3ji mp mp = a32er4o + [0…0] er3owe2 daerw23 master password (mp) encryption/ decryption cipher-text (enc(mp, d)) store enc(s, mp) 54

  47. Hard-coded keys String = staticinvoke f.b("ydPCPFnpqfPuuBYPzhfGXD38gtUPN2yj", $String); AES-Key = ydPCPFnpqfPuuBYPzhfGXD38gtUPN2yj public abstract class LPCommon { //first part of the key protected static String aA = " ldT52Fjsnjdn4390 "; //second part of the key protected static String aB = " 89y23489h989fFFF "; AES-Key = ldT52Fjsnjdn4390 89y23489h989fFFF; 55

  48. Broken Key Obfuscation 55 self-implemented random 9 obfuscator random key encryption k_rand sizeof(k_rand)=9 master password (mp) obfuscated key enc( k_rand , mp) obf( k_rand ) = k_obf 56

  49. Break Obfuscation unknown obfuscated key deobfuscation random key k_rand k_obf ? master password Example: (password= mp) Abc2QNFeenpK break it enc( k_rand , mp) 57

  50. Key Obfuscation Analysis k_random parts k_obfuscated pos k_obf parts k[0] + k[1] [0-2] Abc k[2] 3 2 k[3] + k[4] [4-6] QNF independent k[5] 7 e k[6] + k[7] [8-11] enp k[8] 12 K reverse lookup table modified changes 58

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the permission model working? Are users making good decisions? Most Popular Android App Demo App abusing permissions Demo explained Permissions:

819 views • 43 slides
AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max

AVPASS: Automatically Bypassing Android Malware Detection System Jinho Jung, Chanil Jeon, Max Wolotsky, Insu Yun, and Taesoo Kim Georgia Institute of Technology, July 27, 2017 Ab About t Us SSLab (@GT) Focusing on s ystem and security

1.25k views • 72 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest xmlns:android=&quot;http://schemas.android.com/apk/res/android&quot; package=&quot;net.cserna.bence.colorguess

201 views • 3 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android which gives us the liberty to perform heavy tasks in the background and keep the UI thread light thus making the application more responsive. Basic

240 views • 5 slides
Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration

533 views • 34 slides
Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview Installation Building Blocks Application Development Development Tools Source walk through Introduction to Android Open software

978 views • 49 slides
CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

1.49k views • 70 slides
CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

583 views • 31 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle Emmanuel Agu Android UI Design Example GeoQuiz App Reference: Android Nerd Ranch, pgs 1 32 App presents questions to test users knowledge

1k views • 96 slides
Services Android Services A Service is an application component that runs in the background, not

Services Android Services A Service is an application component that runs in the background, not

Lesson 22 Lesson 22 Android Android Services Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work

692 views • 26 slides
Android Pre-requisites 1 Android To Dos Make sure you have working

Android Pre-requisites 1 Android To Dos Make sure you have working

Android Pre-requisites 1 Android To Dos Make sure you have working install of Android Studio Make sure it works by running Hello, world App On emulator

666 views • 24 slides
Passenger-oriented railway disposition timetables in case of severe disruptions Yousef Maknoon

Passenger-oriented railway disposition timetables in case of severe disruptions Yousef Maknoon

Passenger-oriented railway disposition timetables in case of severe disruptions Yousef Maknoon Michel Bierlaire Stefan Binder STRC 2015, April 17th Outline Motivation Problem description Research question Assumptions Formal problem

371 views • 33 slides
March 8, 2019 Agenda GILTI-related Consolidated Issues FDII-related Issues

March 8, 2019 Agenda GILTI-related Consolidated Issues FDII-related Issues

Impact of TCJA on Corporations, Part II: Section 951A (GILTI), Section 250 (FDII), Section 59A (BEAT), and Section 965 (Transition Tax) Moderator Scott Levine, Jones Day Panelists Lawrence Axelrod, Morgan Lewis &amp; Bockius LLP Bryan

1.08k views • 94 slides
Numb3rs 11 2 10 3 GCD 9 4 8 5 7 6 The Skippy Clock 0 12 1 Has 13 hours on its dial!

Numb3rs 11 2 10 3 GCD 9 4 8 5 7 6 The Skippy Clock 0 12 1 Has 13 hours on its dial!

0 12 1 Numb3rs 11 2 10 3 GCD 9 4 8 5 7 6 The Skippy Clock 0 12 1 Has 13 hours on its dial! 11 2 Needle moves two hours at a time 10 3 Which all numbers will the needle 9 4 reach? 8 5 7 6 Reaches all of them!

420 views • 12 slides
Gaussian Processes for Active Sensor Management Alexander N. Dolia , University of Southampton

Gaussian Processes for Active Sensor Management Alexander N. Dolia , University of Southampton

OED for KRR, and the MVCE Gaussian Processes for Active Sensor Management Alexander N. Dolia , University of Southampton This poster is based on A.N.Dolia, C.J.Harris, J.Shawe-Taylor, D.M.Titterington, Kernel Ellipsoidal Trimming , submitted

160 views • 11 slides
USING REFERENCE ATTRIBUTE GRAMMAR-CONTROLLED REWRITING FOR ENERGY AUTO-TUNING Christoff Brger

USING REFERENCE ATTRIBUTE GRAMMAR-CONTROLLED REWRITING FOR ENERGY AUTO-TUNING Christoff Brger

, Models@Run.Time Workshop 2015 USING REFERENCE ATTRIBUTE GRAMMAR-CONTROLLED REWRITING FOR ENERGY AUTO-TUNING Christoff Brger Department of Computer Science, Lund University, Sweden Johannes Mey Software Technology Group, TU Dresden,

435 views • 31 slides
L EMMATA I r The wavefront propagation of strictly monotone polygonal chain C changes only when

L EMMATA I r The wavefront propagation of strictly monotone polygonal chain C changes only when

S TRAIGHT S KELETONS OF M ONOTONE P OLYGONS Therese Biedl Martin Held Stefan Huber Dominik Kaaser Peter Palfrader EuroCG 2014, Ein Gedi, Israel 1 S TRAIGHT S KELETONS r Aichholzer, Aurenhammer, Alberts, Grtner 1995 [2] . r Wavefront

720 views • 50 slides
U Berlin Institute of Technology Department Machine Learning Trends Canonical Temporal

U Berlin Institute of Technology Department Machine Learning Trends Canonical Temporal

Canonical Trend Analysis for Social Networks Felix Biemann, Jens-Michalis Papaioannou, Mikio Braun, Matthias L. Jugel, Klaus-Robert Mller, Andreas Harth U Berlin Institute of Technology Department Machine Learning Trends Canonical

1.22k views • 91 slides
Second-Kind Boundary Integral Equations for Electromagnetic Scattering at Composite Objects X.

Second-Kind Boundary Integral Equations for Electromagnetic Scattering at Composite Objects X.

Second-Kind Boundary Integral Equations for Electromagnetic Scattering at Composite Objects X. Claeys 2 , R. Hiptmair 1 , C. E. Spindler 1 1 Seminar for Applied Mathematics, ETH Zrich 2 UPMC Univ Paris 06, UMR 7598, Laboratoire Jacques-Louis

2.28k views • 179 slides

More recommend