Bypassing the Android Permission Model Georgia Weidman Founder and - - PowerPoint PPT Presentation



SLIDE 1

Bypassing the Android Permission Model

Georgia Weidman

Founder and CEO, Bulb Security LLC

SLIDE 2

Is the permission model working? Are users making good decisions?

SLIDE 3

Most Popular Android App

SLIDE 4

Demo

App abusing permissions

SLIDE 5

Demo explained

Permissions:

- Read IMEI
- Read Contacts
- Send SMS

We exploited every one of these

SLIDE 6

Rooting Android

SLIDE 7

Rooting Android for Evil (DroidDream)

SLIDE 8

DroidDream Permissions

- INTERNET
- READ_PHONE_STATE
- CHANGE_WIFI_STATE
- ACCESS_WIFI_STATE

SLIDE 9

DroidDream

SLIDE 10

DroidDream

SLIDE 11

DroidDream Rooting

- Exploid
- CVE-2010-Easy (RageAgainstTheCage)

SLIDE 12

DroidDream Root Payload

Permission model no longer applies:

- Installed packages
- All personal data
- Send to C&C

SLIDE 13

Rooting Android

SLIDE 14

Demo

Malicious post-root payload

SLIDE 15

SLIDE 16

SLIDE 17

SLIDE 18

How the Botnet Works

1. Bot receives a message
2. Bot decodes user data
3. Checks for bot key
4. Performs functionality

SLIDE 19

Mitigation

- Users update their phones
- That means they need the updates pushed out
- That means you, third party platforms!!

SLIDE 20

SLIDE 21

SLIDE 22

Android Storage

- Sdcard
  - VFAT
- With apps
  - Only visible to app (default)
  - World readable

SLIDE 23

Demo

Exploiting bad storage practices

SLIDE 24

Demo Explained

- Stores sensitive data on the sdcard
- Sdcard is VFAT
- Everything is world readable

SLIDE 25

Demo Explained

- Discovers how the data is stored
- Accesses it
- Sends it to an attacker

SLIDE 26

Code Examples

Vulnerable Code / Malicious Code

SLIDE 27

BadSaveFile

SLIDE 28

BadSendFile

SLIDE 29

Wait, how do we get source code?

- WinZip/7-Zip etc.
- dex2jar
- jd-gui

Whitepaper with more info: http://cdn01.exploit-db.com/wp-content/themes/exploit/docs/17717.pdf

SLIDE 30

SLIDE 31

SLIDE 32

SLIDE 33

Nonsensical Code

while (true) { if (i < 0); String str; while (true) { return; try {

SLIDE 34

Mitigation

- Store information securely
  - Not on sdcard
  - Not in source code
  - Not world readable
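To make the storage mitigation concrete, here is an added example (not code from the talk, and not the BadSaveFile class it shows): the insecure sdcard write the demo abuses next to the private internal-storage form the slide asks for. The class, method and file names are hypothetical.

```java
// Added example, not code from the talk: the insecure save pattern the slides call
// BadSaveFile next to the private-storage form the mitigation slide asks for.
// Class, method and file names are hypothetical.
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class TokenStore {
    private static final String FILE_NAME = "session_token.txt"; // hypothetical file name
    private final Context ctx;

    public TokenStore(Context ctx) {
        this.ctx = ctx;
    }

    // INSECURE: external storage is a VFAT volume with no per-file owner or mode bits,
    // so any app that can read the sdcard can read this file. This is the pattern the
    // demo abuses; it is shown only so the two forms can be compared side by side.
    public File saveOnSdcard(String token) throws IOException {
        File f = new File(Environment.getExternalStorageDirectory(), FILE_NAME);
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
        return f;
    }

    // HARDENED: internal storage under the app's private data directory, opened with
    // MODE_PRIVATE so the file is owned by this app's Linux uid and is not readable by
    // other apps (short of a rooted device). Never pass MODE_WORLD_READABLE here; that
    // recreates the "world readable" problem inside internal storage.
    public File saveInternal(String token) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(FILE_NAME, Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
        return ctx.getFileStreamPath(FILE_NAME);
    }

    // Audit helper for code review or a runtime self-check: true when a path is under
    // external storage, i.e. readable by other apps regardless of how it was created.
    public static boolean isWorldReadableLocation(File f) {
        String ext = Environment.getExternalStorageDirectory().getAbsolutePath();
        return f.getAbsolutePath().startsWith(ext + File.separator);
    }
}
```

The "not in source code" point on the slide is the same lesson one step earlier: a secret compiled into the APK is recoverable with the dex2jar and jd-gui steps described on the next slides, so it should be provisioned at runtime and then kept only in private storage as above.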

SLIDE 35

Android Interfaces

- Call other programs
- Don't reinvent the wheel
- Take a picture
- Twitter from photo app

SLIDE 36

Demo

Exploiting an open interface with SMS functionality

SLIDE 37

Demo Explained

- When it is called it sends an SMS
- Caller can set the number and message
- Sadly this is considered useful!

SLIDE 38

Demo Explained

- Calls the SMSBroadcastr
- Sends number and message
- Sends an SMS

SLIDE 39

Code Examples

Vulnerable Code / Malicious Code

SLIDE 40

SMSBroadcastr

SLIDE 41

SMSIntent

SLIDE 42

Mitigations

- Don't have dangerous functionality available in interfaces
- Require user interaction (click OK)
- Require-permission tag in manifest for interface
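As an added example of these mitigations (this is not the talk's SMSBroadcastr, nor code from the author), here is an exported receiver that applies the slide's last two points: a permission the sender must hold, declared on the component in the manifest, and a user confirmation step instead of sending the SMS directly. The package, action and permission names are hypothetical.

```java
// Added example, not the talk's SMSBroadcastr: an exported receiver that will not
// send an SMS on an arbitrary caller's say-so. It applies the two mitigations from
// the slide: a caller permission on the interface and a user confirmation step.
// Package, action and permission names are hypothetical.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.Uri;

public class SmsRequestReceiver extends BroadcastReceiver {
    // Hypothetical action and permission names.
    public static final String ACTION_SEND = "com.example.hypothetical.action.SEND_SMS";
    public static final String PERMISSION_SEND = "com.example.hypothetical.permission.REQUEST_SMS";

    /* Manifest declaration for this receiver (hypothetical). The android:permission
       attribute is the "require-permission" mitigation: the system does not deliver
       broadcasts from senders that do not hold the permission, and
       protectionLevel="signature" limits it to apps signed with the same key.

       <permission android:name="com.example.hypothetical.permission.REQUEST_SMS"
                   android:protectionLevel="signature" />
       <receiver android:name=".SmsRequestReceiver"
                 android:exported="true"
                 android:permission="com.example.hypothetical.permission.REQUEST_SMS">
           <intent-filter>
               <action android:name="com.example.hypothetical.action.SEND_SMS" />
           </intent-filter>
       </receiver>
    */

    @Override
    public void onReceive(Context ctx, Intent intent) {
        if (!ACTION_SEND.equals(intent.getAction())) {
            return;
        }
        String number = intent.getStringExtra("number");
        String body = intent.getStringExtra("message");
        if (number == null || body == null) {
            return;
        }
        // Do NOT call SmsManager.sendTextMessage here: that is what turned the demo's
        // interface into an SMS-sending service for any app on the device. Hand the
        // prefilled message to the platform SMS app instead, so the user sees the
        // number and text and has to tap send themselves ("require user interaction").
        Intent compose = new Intent(Intent.ACTION_SENDTO, Uri.parse("smsto:" + Uri.encode(number)));
        compose.putExtra("sms_body", body);
        compose.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(compose);
    }

    // The same sender-permission requirement for a receiver registered at runtime
    // instead of in the manifest: the third argument is the permission a broadcaster
    // must hold for the broadcast to be delivered to this receiver.
    public static void registerWithPermission(Context ctx, SmsRequestReceiver r) {
        ctx.registerReceiver(r, new IntentFilter(ACTION_SEND), PERMISSION_SEND, null);
    }
}
```

The first mitigation on the slide still comes first: if no other app needs to trigger an SMS, set android:exported="false" on the receiver and the interface stops being reachable at all, with no permission or dialog to get wrong.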

SLIDE 43

Contact

Georgia Weidman
georgiaweidman.com
bulbsecurity.com
georgia@bulbsecurity.com
@georgiaweidman