SLIDE 1
SLIDE 2 Chris John Riley | 26.11.2013 | 2 Mobile Fail ::: Cracking open “secure” Android Containers
@ChrisJohnRiley > whoami
- IT Security Analyst / Security Consultant
- Raiffeisen Informatik GmbH
- R-IT CERT Team
- Regular conference speaker
- DEF CON | Bsides | Hashdays | SecZone…
- blog http://blog.c22.cc
- Abject Failure (See Life for reference)
SLIDE 3 Chris John Riley | 26.11.2013 | 3 Mobile Fail ::: Cracking open “secure” Android Containers
THE WISEST MAN, IS
HE WHO KNOWS, THAT HE KNOWS NOTHING
SOCRATES: APOLOGY, 21D
SLIDE 4
SLIDE 5 Chris John Riley | 26.11.2013 | 5 Mobile Fail ::: Cracking open “secure” Android Containers
Why Scenario How Closer Look Making it easy Review
SLIDE 6 Chris John Riley | 26.11.2013 | 6 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 7 Chris John Riley | 26.11.2013 | 7 Mobile Fail ::: Cracking open “secure” Android Containers
WHY
?
SLIDE 8
SLIDE 9 Chris John Riley | 26.11.2013 | 9 Mobile Fail ::: Cracking open “secure” Android Containers
too much information
01100100 01100101 01110010 01110000 01100100 01100101 01110010 01110000 01111001 01100100 01100101 01110010 01110000 01101001 01100101 01110011 01110100
SLIDE 10
SLIDE 11
SLIDE 12 Chris John Riley | 26.11.2013 | 12 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 13 Chris John Riley | 26.11.2013 | 13 Mobile Fail ::: Cracking open “secure” Android Containers
Containers
- Multiple uses
- Pa$$w0rd databases
- Corporate mail containers
- Secure notes / files
- ...
SLIDE 14
SLIDE 15 Chris John Riley | 26.11.2013 | 15 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 16 Chris John Riley | 26.11.2013 | 16 Mobile Fail ::: Cracking open “secure” Android Containers
but…
SLIDE 17 Chris John Riley | 26.11.2013 | 17 Mobile Fail ::: Cracking open “secure” Android Containers
The device is insecure
SLIDE 18 Chris John Riley | 26.11.2013 | 18 Mobile Fail ::: Cracking open “secure” Android Containers
...or worse
SLIDE 19 Chris John Riley | 26.11.2013 | 19 Mobile Fail ::: Cracking open “secure” Android Containers
BYOD
*
*
Bring Your Own Disease
SLIDE 20
SLIDE 21 Chris John Riley | 26.11.2013 | 21 Mobile Fail ::: Cracking open “secure” Android Containers
Solution?
SLIDE 22 Chris John Riley | 26.11.2013 | 22 Mobile Fail ::: Cracking open “secure” Android Containers
Move the security closer to the data!
SLIDE 23 Chris John Riley | 26.11.2013 | 23 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 24 Chris John Riley | 26.11.2013 | 24 Mobile Fail ::: Cracking open “secure” Android Containers
but…
SLIDE 25 Chris John Riley | 26.11.2013 | 25 Mobile Fail ::: Cracking open “secure” Android Containers
… I lost my phone!
SLIDE 26 Chris John Riley | 26.11.2013 | 26 Mobile Fail ::: Cracking open “secure” Android Containers
314 mobile phones 'stolen in London every day'
- ffenders traced three
- r four times out of 10
Source: UK Metropolitan Police 01/2013
SLIDE 27 Chris John Riley | 26.11.2013 | 27 Mobile Fail ::: Cracking open “secure” Android Containers
state of security
Device
SLIDE 28 Chris John Riley | 26.11.2013 | 28 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 29
SLIDE 30 Chris John Riley | 26.11.2013 | 30 Mobile Fail ::: Cracking open “secure” Android Containers
KEEP CALM
SLIDE 31 Chris John Riley | 26.11.2013 | 31 Mobile Fail ::: Cracking open “secure” Android Containers
secure containers will save us
SLIDE 32 Chris John Riley | 26.11.2013 | 32 Mobile Fail ::: Cracking open “secure” Android Containers
… or not
SLIDE 33 Chris John Riley | 26.11.2013 | 33 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 34 Chris John Riley | 26.11.2013 | 34 Mobile Fail ::: Cracking open “secure” Android Containers
Sc nario
.
SLIDE 35 Chris John Riley | 26.11.2013 | 35 Mobile Fail ::: Cracking open “secure” Android Containers
Scenario
- Given physical access to a device
- What security do “secure” containers provide
- temporary access (< 3 minutes)
- permanent access
SLIDE 36
SLIDE 37 Chris John Riley | 26.11.2013 | 38 Mobile Fail ::: Cracking open “secure” Android Containers
but…
SLIDE 38 Chris John Riley | 26.11.2013 | 39 Mobile Fail ::: Cracking open “secure” Android Containers
remember
SLIDE 39 Chris John Riley | 26.11.2013 | 40 Mobile Fail ::: Cracking open “secure” Android Containers
secure containers will SAVE us
SLIDE 40 Chris John Riley | 26.11.2013 | 41 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 41 Chris John Riley | 26.11.2013 | 42 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 42 Chris John Riley | 26.11.2013 | 43 Mobile Fail ::: Cracking open “secure” Android Containers
G ALS
SLIDE 43 Chris John Riley | 26.11.2013 | 44 Mobile Fail ::: Cracking open “secure” Android Containers
TL;DR
SLIDE 44 Chris John Riley | 26.11.2013 | 45 Mobile Fail ::: Cracking open “secure” Android Containers
pwn secure containers
SLIDE 45 Chris John Riley | 26.11.2013 | 46 Mobile Fail ::: Cracking open “secure” Android Containers
G AL
MY NOT
SLIDE 46 Chris John Riley | 26.11.2013 | 47 Mobile Fail ::: Cracking open “secure” Android Containers
bypass device PIN
1234
SLIDE 47 Chris John Riley | 26.11.2013 | 48 Mobile Fail ::: Cracking open “secure” Android Containers
r00t the device
SLIDE 48 Chris John Riley | 26.11.2013 | 49 Mobile Fail ::: Cracking open “secure” Android Containers
do anything resembling…
SLIDE 49 Chris John Riley | 26.11.2013 | 50 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 50 Chris John Riley | 26.11.2013 | 51 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 51 Chris John Riley | 26.11.2013 | 52 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 52 Chris John Riley | 26.11.2013 | 53 Mobile Fail ::: Cracking open “secure” Android Containers
HOW
?
O
SLIDE 53 Chris John Riley | 26.11.2013 | 54 Mobile Fail ::: Cracking open “secure” Android Containers
keep it simple
SLIDE 54 Chris John Riley | 26.11.2013 | 55 Mobile Fail ::: Cracking open “secure” Android Containers
Android Debug Bridge
SLIDE 55 Chris John Riley | 26.11.2013 | 56 Mobile Fail ::: Cracking open “secure” Android Containers
ADB – Android Debug Bridge
- Requires USB Debugging Enabled
- Doesn't require ROOTed device
- Root grants further access / makes things trivial
http://developer.android.com/tools/help/adb.htm
SLIDE 56 Chris John Riley | 26.11.2013 | 57 Mobile Fail ::: Cracking open “secure” Android Containers
adb functions
SLIDE 57 Chris John Riley | 26.11.2013 | 58 Mobile Fail ::: Cracking open “secure” Android Containers
ADB – Android Debug Bridge
- Allows application side-loading
- [un]install applications over adb
- Doesn’t require device to be active
- Can be PIN locked (for some functions)
- New security implemented in 4.3
http://developer.android.com/tools/help/adb.htm
SLIDE 58 Chris John Riley | 26.11.2013 | 59 Mobile Fail ::: Cracking open “secure” Android Containers
ADB – Android Debug Bridge
- adb backup
- Backup Android device over adb (ICS onwards)
- -system → system data
- -apk → application apk
- Can backup specific application data individually
adb backup com.android.app -f backup.ab
http://developer.android.com/tools/help/adb.htm
SLIDE 59 Chris John Riley | 26.11.2013 | 60 Mobile Fail ::: Cracking open “secure” Android Containers
- adb restore
- Restore Android backup over adb
- Restore specific application data individually
- with or without application (apk)
adb restore backup.ab
ADB – Android Debug Bridge
http://developer.android.com/tools/help/adb.htm
SLIDE 60 Chris John Riley | 26.11.2013 | 61 Mobile Fail ::: Cracking open “secure” Android Containers
adb pull /sdcard/secret.txt secret.txt
ADB – Android Debug Bridge
- adb pull / push
- Copy data to / from device over adb
- Limited access for non-root users
- no access to application config without root
- Works on locked devices (PIN Protected)
http://developer.android.com/tools/help/adb.htm
SLIDE 61 Chris John Riley | 26.11.2013 | 62 Mobile Fail ::: Cracking open “secure” Android Containers
ADB – Android Debug Bridge
- adb shell
- Shell access on device
- Send keys / taps
- Limited for non-root users
- Works on locked devices (PIN Protected)
http://developer.android.com/tools/help/adb.htm
adb shell
SLIDE 62 Chris John Riley | 26.11.2013 | 63 Mobile Fail ::: Cracking open “secure” Android Containers
Supporting Tools
- openssl
- w/ zlib support
- star
- tar tool w/ added functionality we need
SLIDE 63 Chris John Riley | 26.11.2013 | 64 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 64 Chris John Riley | 26.11.2013 | 65 Mobile Fail ::: Cracking open “secure” Android Containers
Closer look
SLIDE 65 Chris John Riley | 26.11.2013 | 66 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 66 Chris John Riley | 26.11.2013 | 67 Mobile Fail ::: Cracking open “secure” Android Containers
lastpass
SLIDE 67
SLIDE 68 Chris John Riley | 26.11.2013 | 69 Mobile Fail ::: Cracking open “secure” Android Containers
lastpass
- Personal solution (w/ enterprise option)
- Uses online sync
- Can be secured with a PIN
- Can wipe data after 5 false logons
- Restricts screenshots
https://lastpass.com/android
SLIDE 69 Chris John Riley | 26.11.2013 | 70 Mobile Fail ::: Cracking open “secure” Android Containers
Can store lastpass.com password
- So users don't need to type it EVERY time
- Reduces security
- Makes it usable!
SLIDE 70 Chris John Riley | 26.11.2013 | 71 Mobile Fail ::: Cracking open “secure” Android Containers
Why store the PW?
SLIDE 71 Chris John Riley | 26.11.2013 | 72 Mobile Fail ::: Cracking open “secure” Android Containers
_mySecur3L@sTp@$$p@$$w0rd1sDAb0mb&&&:
- Easy to remember
- Impossible to type!
SLIDE 72 Chris John Riley | 26.11.2013 | 73 Mobile Fail ::: Cracking open “secure” Android Containers
It's though
OK
SLIDE 73 Chris John Riley | 26.11.2013 | 74 Mobile Fail ::: Cracking open “secure” Android Containers
You can enable a PIN!
SLIDE 74 Chris John Riley | 26.11.2013 | 75 Mobile Fail ::: Cracking open “secure” Android Containers
PIN Security
- Limited to 4 digits!
- “auto-Wipe” data
- after 5 false logons
SLIDE 75 Chris John Riley | 26.11.2013 | 76 Mobile Fail ::: Cracking open “secure” Android Containers
PIN == SECURE!
SLIDE 76
SLIDE 77 Chris John Riley | 26.11.2013 | 78 Mobile Fail ::: Cracking open “secure” Android Containers
AndroidManifest.xml
SLIDE 78 Chris John Riley | 26.11.2013 | 79 Mobile Fail ::: Cracking open “secure” Android Containers
<application android:allowBackup=“true”>
AndroidManifest.xml
SLIDE 79 Chris John Riley | 26.11.2013 | 80 Mobile Fail ::: Cracking open “secure” Android Containers
Default: true
SLIDE 80 Chris John Riley | 26.11.2013 | 81 Mobile Fail ::: Cracking open “secure” Android Containers
adb backup com.lastpass.lpandroid –f lp.ab
SLIDE 81 Chris John Riley | 26.11.2013 | 82 Mobile Fail ::: Cracking open “secure” Android Containers
What good is an .ab file?
SLIDE 82 Chris John Riley | 26.11.2013 | 83 Mobile Fail ::: Cracking open “secure” Android Containers
Android Backup (.ab)
- zlib compressed (kinda)
- skip header (24 bytes)
- pipe to openssl w/zlib support
dd if=dropbox.ab bs=24 skip=1 | openssl zlib -d > dropbox.tar
SLIDE 83
SLIDE 84 Chris John Riley | 26.11.2013 | 86 Mobile Fail ::: Cracking open “secure” Android Containers
LPandroid.xml
- lastpass.com username
- laspass.com password (encoded)
- PIN (encoded)
- Settings
- ...
SLIDE 85 Chris John Riley | 26.11.2013 | 87 Mobile Fail ::: Cracking open “secure” Android Containers
<string name="reprompt_tries"> </string>
SLIDE 86 Chris John Riley | 26.11.2013 | 88 Mobile Fail ::: Cracking open “secure” Android Containers
That looks interesting!
SLIDE 87 Chris John Riley | 26.11.2013 | 89 Mobile Fail ::: Cracking open “secure” Android Containers
( )
THEORY
SLIDE 88 Chris John Riley | 26.11.2013 | 90 Mobile Fail ::: Cracking open “secure” Android Containers
if reprompt_tries < 5: prompt_for_pin() else drop_the_DBass() end
SLIDE 89 Chris John Riley | 26.11.2013 | 91 Mobile Fail ::: Cracking open “secure” Android Containers
Theory
- reprompt_tries as iterator
- increases till it reaches 5
- Sounds reasonable
- edit the XML and restore it
- Let's set “reprompt_tries” to -9999 then ;)
SLIDE 90 Chris John Riley | 26.11.2013 | 92 Mobile Fail ::: Cracking open “secure” Android Containers
Proposed Attack
- Backup app data
- Edit XML
- set “reprompt_tries” to -9999
- Repackage
- Restore
SLIDE 91 Chris John Riley | 26.11.2013 | 93 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 92 Chris John Riley | 26.11.2013 | 94 Mobile Fail ::: Cracking open “secure” Android Containers
0 - adb backup com.lastpass.lpandroid -f lpass.ab 1 - dd if=lpass.ab bs=24 skip=1 | openssl zlib -d > lpass.tar 2 - tar -tf lpass.tar > lpass.list 3 - tar -xvf lpass.tar 4 - edit apps/com.lastpass.lpandroid/sp/LPandroid.xml 5 - star -c -v -f lpass_new.tar -no-dirslash list=lpass.list apps/ 6 - dd if=lpass.ab bs=24 count=1 of=lpass_new.ab 7 - openssl zlib -in lpass_new.tar >> lpass_new.ab 8 - adb restore lpass_new.ab
SLIDE 93 Chris John Riley | 26.11.2013 | 95 Mobile Fail ::: Cracking open “secure” Android Containers
Not the easiest process...
SLIDE 94 Chris John Riley | 26.11.2013 | 96 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 95 Chris John Riley | 26.11.2013 | 97 Mobile Fail ::: Cracking open “secure” Android Containers
counter++
SLIDE 96 Chris John Riley | 26.11.2013 | 98 Mobile Fail ::: Cracking open “secure” Android Containers
good news…
SLIDE 97 Chris John Riley | 26.11.2013 | 99 Mobile Fail ::: Cracking open “secure” Android Containers
We get tries
10,000
SLIDE 98 Chris John Riley | 26.11.2013 | 100 Mobile Fail ::: Cracking open “secure” Android Containers
bad news…
SLIDE 99 Chris John Riley | 26.11.2013 | 101 Mobile Fail ::: Cracking open “secure” Android Containers
We get tries
10,000
SLIDE 100 Chris John Riley | 26.11.2013 | 102 Mobile Fail ::: Cracking open “secure” Android Containers
Let’s make it easier
SLIDE 101 Chris John Riley | 26.11.2013 | 103 Mobile Fail ::: Cracking open “secure” Android Containers
No PIN > PIN
SLIDE 102 Chris John Riley | 26.11.2013 | 104 Mobile Fail ::: Cracking open “secure” Android Containers
<string name="passwordrepromptonactivate">0</string> <string name="pincodeforreprompt"></string> <string name="requirepin">0</string>
SLIDE 103 Chris John Riley | 26.11.2013 | 105 Mobile Fail ::: Cracking open “secure” Android Containers
PROFIT!
SLIDE 104 Chris John Riley | 26.11.2013 | 106 Mobile Fail ::: Cracking open “secure” Android Containers
Easier Attack
- Backup app data
- Edit XML
- remove PIN
- Repackage
- Restore
- WIN!
SLIDE 105 Chris John Riley | 26.11.2013 | 107 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 106 Chris John Riley | 26.11.2013 | 108 Mobile Fail ::: Cracking open “secure” Android Containers
for points...
SLIDE 107 Chris John Riley | 26.11.2013 | 109 Mobile Fail ::: Cracking open “secure” Android Containers
Persistence
SLIDE 108 Chris John Riley | 26.11.2013 | 110 Mobile Fail ::: Cracking open “secure” Android Containers
Persistence
- Backup LastPass from device A
- Edit backup to remove PIN
- Rebuild backup
- Restore backup to device B
- Close & restart to re-sync changes from device A
- Profit?
SLIDE 109 Chris John Riley | 26.11.2013 | 111 Mobile Fail ::: Cracking open “secure” Android Containers
...but I RESET my password!
SLIDE 110 Chris John Riley | 26.11.2013 | 112 Mobile Fail ::: Cracking open “secure” Android Containers
PROFIT
++
SLIDE 111 Chris John Riley | 26.11.2013 | 113 Mobile Fail ::: Cracking open “secure” Android Containers
...
SLIDE 112 Chris John Riley | 26.11.2013 | 114 Mobile Fail ::: Cracking open “secure” Android Containers
GOOD
for enterprise
SLIDE 113 Chris John Riley | 26.11.2013 | 115 Mobile Fail ::: Cracking open “secure” Android Containers
GOOD
- Enterprise email solution
- Email | Contacts | intranet Browser | …
- Secured with a PIN or password
- enterprise policy
- Wipes data/device after 10 false logons
https://www.good.com
SLIDE 114 Chris John Riley | 26.11.2013 | 116 Mobile Fail ::: Cracking open “secure” Android Containers
- Adv. security features
- Double encryption
- SSL Tunnel + Encrypted contents
- Full MDM solution
- Password Policies
- …
- r00t detection
- emulator detection
- advanced detection
https://www.good.com
SLIDE 115 Chris John Riley | 26.11.2013 | 117 Mobile Fail ::: Cracking open “secure” Android Containers
Lost device (BYOD)
- Can an attacker prevent secure wipe
- Can an attacker access cached data
SLIDE 116 Chris John Riley | 26.11.2013 | 118 Mobile Fail ::: Cracking open “secure” Android Containers
PROBLEM
SLIDE 117 Chris John Riley | 26.11.2013 | 119 Mobile Fail ::: Cracking open “secure” Android Containers
unlike LastPass
SLIDE 118 Chris John Riley | 26.11.2013 | 120 Mobile Fail ::: Cracking open “secure” Android Containers
preferences are
encrypted
SLIDE 119 Chris John Riley | 26.11.2013 | 121 Mobile Fail ::: Cracking open “secure” Android Containers
PROBLEM
SLIDE 120 Chris John Riley | 26.11.2013 | 122 Mobile Fail ::: Cracking open “secure” Android Containers
…after 10 false logons
auto-wipe
SLIDE 121 Chris John Riley | 26.11.2013 | 123 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 122 Chris John Riley | 26.11.2013 | 124 Mobile Fail ::: Cracking open “secure” Android Containers
Disable PIN
SLIDE 123 Chris John Riley | 26.11.2013 | 125 Mobile Fail ::: Cracking open “secure” Android Containers
auto-wipe counter
SLIDE 124 Chris John Riley | 26.11.2013 | 126 Mobile Fail ::: Cracking open “secure” Android Containers
brute-force
SLIDE 125 Chris John Riley | 26.11.2013 | 127 Mobile Fail ::: Cracking open “secure” Android Containers
but…
SLIDE 126 Chris John Riley | 26.11.2013 | 128 Mobile Fail ::: Cracking open “secure” Android Containers
<application android:allowBackup=“true”>
AndroidManifest.xml
SLIDE 127
SLIDE 128 Chris John Riley | 26.11.2013 | 130 Mobile Fail ::: Cracking open “secure” Android Containers
THEORY
SLIDE 129 Chris John Riley | 26.11.2013 | 131 Mobile Fail ::: Cracking open “secure” Android Containers
Theory
- Auto-wipe counter
- Stored IN app data somewhere
SLIDE 130 Chris John Riley | 26.11.2013 | 132 Mobile Fail ::: Cracking open “secure” Android Containers
THEORY
SLIDE 131 Chris John Riley | 26.11.2013 | 133 Mobile Fail ::: Cracking open “secure” Android Containers
adb restore
SLIDE 132 Chris John Riley | 26.11.2013 | 134 Mobile Fail ::: Cracking open “secure” Android Containers
auto-wipe
counter
SLIDE 133 Chris John Riley | 26.11.2013 | 135 Mobile Fail ::: Cracking open “secure” Android Containers
#facepalm
SLIDE 134 Chris John Riley | 26.11.2013 | 136 Mobile Fail ::: Cracking open “secure” Android Containers
brute-force
SLIDE 135 Chris John Riley | 26.11.2013 | 137 Mobile Fail ::: Cracking open “secure” Android Containers
Naïve Attack
- Backup app data
- until good.unlock?
- Try 9 PINS
- Restore app data
SLIDE 136 Chris John Riley | 26.11.2013 | 138 Mobile Fail ::: Cracking open “secure” Android Containers
PROBLEM
SLIDE 137 Chris John Riley | 26.11.2013 | 139 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 138 Chris John Riley | 26.11.2013 | 140 Mobile Fail ::: Cracking open “secure” Android Containers
Naïve Attack timing
* 18.75 ppm ~ 50% keyspace
- 4 digit PIN
- est. 4.5 hours*
- 6 digit PIN
- est. 18.5 days*
- 8 digit PIN
- est. 5 years*
SLIDE 139 Chris John Riley | 26.11.2013 | 141 Mobile Fail ::: Cracking open “secure” Android Containers
Naïve Attack timing
- 4 lower alphanum
- est. 31 days*
- 6 lower alphanum
- est. 3 years*
- 8 lower alphanum
- est. 110 years*
* 18.75 ppm ~ 50% keyspace
SLIDE 140 Chris John Riley | 26.11.2013 | 142 Mobile Fail ::: Cracking open “secure” Android Containers
Naïve Attack timing
- 4 mixed alphanum
- est. 1 year*
- 6 mixed alphanum
- est. 46.5 years*
- 8 mixed alphanum
- est. 2880 years*
* 18.75 ppm ~ 50% keyspace
SLIDE 141 Chris John Riley | 26.11.2013 | 143 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 142 Chris John Riley | 26.11.2013 | 144 Mobile Fail ::: Cracking open “secure” Android Containers
Device
CONTAINER
SLIDE 143 Chris John Riley | 26.11.2013 | 145 Mobile Fail ::: Cracking open “secure” Android Containers
Device
CONTAINER
SLIDE 144 Chris John Riley | 26.11.2013 | 146 Mobile Fail ::: Cracking open “secure” Android Containers
Device
CONTAINER
SLIDE 145 Chris John Riley | 26.11.2013 | 147 Mobile Fail ::: Cracking open “secure” Android Containers
#facepalm #facepalm
SLIDE 146 Chris John Riley | 26.11.2013 | 148 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 147
SLIDE 148
SLIDE 149 Chris John Riley | 26.11.2013 | 151 Mobile Fail ::: Cracking open “secure” Android Containers
- Adv. Attack
- Automate PIN + restore
- adb shell input text
- adb shell input keyevent
- adb shell input tap
SLIDE 150 Chris John Riley | 26.11.2013 | 152 Mobile Fail ::: Cracking open “secure” Android Containers
Minimize keyspace
- Password Rules
- No sequenced numbers (e.g. 4567)
- No duplicate numbers (e.g. 1111)
- Result
- Reduced keyspace
SLIDE 151 Chris John Riley | 26.11.2013 | 153 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 152 Chris John Riley | 26.11.2013 | 154 Mobile Fail ::: Cracking open “secure” Android Containers
PROFIT!
SLIDE 153 Chris John Riley | 26.11.2013 | 155 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 154 Chris John Riley | 26.11.2013 | 156 Mobile Fail ::: Cracking open “secure” Android Containers
Making it easy
SLIDE 155 Chris John Riley | 26.11.2013 | 157 Mobile Fail ::: Cracking open “secure” Android Containers
methodology
- Common methodology
- Backup (adb)
- Extract
- Examine
- Edit
- Repack
- Restore (adb)
← here be dragons ← bypass all the things
SLIDE 156 Chris John Riley | 26.11.2013 | 158 Mobile Fail ::: Cracking open “secure” Android Containers
remember this process?
SLIDE 157 Chris John Riley | 26.11.2013 | 159 Mobile Fail ::: Cracking open “secure” Android Containers
0 - adb backup com.lastpass.lpandroid -f lpass.ab 1 - dd if=lpass.ab bs=24 skip=1 | openssl zlib -d > lpass.tar 2 - tar -tf lpass.tar > lpass.list 3 - tar -xvf lpass.tar 4 - edit apps/com.lastpass.lpandroid/sp/LPandroid.xml 5 - star -c -v -f lpass_new.tar -no-dirslash list=lpass.list apps/ 6 - dd if=lpass.ab bs=24 count=1 of=lpass_new.ab 7 - openssl zlib -in lpass_new.tar >> lpass_new.ab 8 - adb restore lpass_new.ab
SLIDE 158 Chris John Riley | 26.11.2013 | 160 Mobile Fail ::: Cracking open “secure” Android Containers
Say that 10 times fast!
SLIDE 159
SLIDE 160 Chris John Riley | 26.11.2013 | 162 Mobile Fail ::: Cracking open “secure” Android Containers
automation
SLIDE 161 Chris John Riley | 26.11.2013 | 163 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 162 Chris John Riley | 26.11.2013 | 164 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 163 Chris John Riley | 26.11.2013 | 165 Mobile Fail ::: Cracking open “secure” Android Containers
ab_unpacker.py
https://github.com/ChrisJohnRiley/Random_Code
SLIDE 164 Chris John Riley | 26.11.2013 | 166 Mobile Fail ::: Cracking open “secure” Android Containers
ab_packer.py
https://github.com/ChrisJohnRiley/Random_Code
SLIDE 165 Chris John Riley | 26.11.2013 | 167 Mobile Fail ::: Cracking open “secure” Android Containers
Makes
0wning
things
SLIDE 166 Chris John Riley | 26.11.2013 | 168 Mobile Fail ::: Cracking open “secure” Android Containers
200 / quicker 1000 / funner
SLIDE 167 Chris John Riley | 26.11.2013 | 169 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 168
SLIDE 169
SLIDE 170 Chris John Riley | 26.11.2013 | 172 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 171 Chris John Riley | 26.11.2013 | 173 Mobile Fail ::: Cracking open “secure” Android Containers
RE
VIEW
SLIDE 172 Chris John Riley | 26.11.2013 | 174 Mobile Fail ::: Cracking open “secure” Android Containers
“secure”containers
!=
SECURE containers
SLIDE 173 Chris John Riley | 26.11.2013 | 175 Mobile Fail ::: Cracking open “secure” Android Containers
Physical access
SLIDE 174
SLIDE 175 Chris John Riley | 26.11.2013 | 177 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 176 Chris John Riley | 26.11.2013 | 178 Mobile Fail ::: Cracking open “secure” Android Containers
IT IT
SLIDE 177 Chris John Riley | 26.11.2013 | 179 Mobile Fail ::: Cracking open “secure” Android Containers
Developers
SLIDE 178 Chris John Riley | 26.11.2013 | 180 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 179 Chris John Riley | 26.11.2013 | 181 Mobile Fail ::: Cracking open “secure” Android Containers
android.allowBackup
http://developer.android.com/guide/topics/data/backup.html
SLIDE 180 Chris John Riley | 26.11.2013 | 182 Mobile Fail ::: Cracking open “secure” Android Containers
Some devs GET it!
SLIDE 181 Chris John Riley | 26.11.2013 | 183 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 182 Chris John Riley | 26.11.2013 | 184 Mobile Fail ::: Cracking open “secure” Android Containers
pref files
SLIDE 183 Chris John Riley | 26.11.2013 | 185 Mobile Fail ::: Cracking open “secure” Android Containers
Securing Apps
- Preference files are NOT secret
- Encrypt preference data
- ONLY store encrypted passwords
- No XOR / base64 please
- Don’t TRUST the config
- HMAC | Sign | Encrypt
SLIDE 184 Chris John Riley | 26.11.2013 | 186 Mobile Fail ::: Cracking open “secure” Android Containers
android backup
SLIDE 185 Chris John Riley | 26.11.2013 | 187 Mobile Fail ::: Cracking open “secure” Android Containers
Securing Apps
- Disallow Android Backup
- if you don’t absolutely need it!
<application android:allowBackup=“false”>
SLIDE 186 Chris John Riley | 26.11.2013 | 188 Mobile Fail ::: Cracking open “secure” Android Containers
extra security
SLIDE 187 Chris John Riley | 26.11.2013 | 189 Mobile Fail ::: Cracking open “secure” Android Containers
Extra Security
- USB Debugging
- Disable app when activated
- Root makes these hack easier still
- edit/read preference files on device itself
- ROOT detection is too basic
- easy to fool
SLIDE 188 Chris John Riley | 26.11.2013 | 190 Mobile Fail ::: Cracking open “secure” Android Containers
users
end
SLIDE 189 Chris John Riley | 26.11.2013 | 191 Mobile Fail ::: Cracking open “secure” Android Containers
Users
- Encrypt your device
- Encrypts ADB backups
- Need to enter same passcode on backup screen
- Disable USB Debugging
- protects against adb pull/push attacks
- Don’t loose your phone ;)
SLIDE 190 Chris John Riley | 26.11.2013 | 192 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 191 Chris John Riley | 26.11.2013 | 193 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 192 Chris John Riley | 26.11.2013 | 194 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 193 Chris John Riley | 26.11.2013 | 195 Mobile Fail ::: Cracking open “secure” Android Containers
Question time
SLIDE 194 Chris John Riley | 26.11.2013 | 196 Mobile Fail ::: Cracking open “secure” Android Containers
SLIDE 195 Chris John Riley | 26.11.2013 | 197 Mobile Fail ::: Cracking open “secure” Android Containers
Thank you for your attention! Vielen Dank für Ihre Aufmerksamkeit!
Raiffeisen Informatik GmbH Lilienbrunngasse 7-9 A-1020 Wien T +43 1/99 3 99 - 0 F +43 1/99 3 99 - 1100 E info@r-it.at www.raiffeiseninformatik.at
