exploratory android surgery
play

Exploratory Android Surgery Digging into droids. Jesse Burns Black - PowerPoint PPT Presentation

May 22, 2023 •243 likes •725 views

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. https://www.isecpartners.com Agenda Android Security Model

  1. Exploratory Android™ Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. https://www.isecpartners.com

  2. Agenda  Android Security Model  Android’s new toys  Isolation basics  Device information sources  Exploring Droids  Tracking down a Secret Code with Manifest Explorer  Exploring what’s available with Package Play  Exploring what’s going on with Intent sniffing  Quick look at Intent Fuzzing  Conclusion  Hidden Packages, Root & proprietary bits  Common Problems 2

  3. Android Security Model Android’s new toys Isolation Basics Device Information Sources

  4. Android Security Model  Linux + Android’s Permission s  Application isolation – note editor can’t read email  Distinct UIDs and GIDs assigned on install 4

  5. Android Security Model  Rights expressed as Permission s & Linux groups! 5

  6. Android’s New User Mode Toys  Activities – Screens that do something, like the dialer  Services – background features, like the IM service  Broadcast Receivers – actionable notifications (startup!)  Content Providers – shared relational data  Instrumentations – rare, useful for testing All secured with Android Permissions like: “ android.permission.READ_CONTACTS ” or “ android.permission.BRICK ” See Manifest.permissions and AndroidManifests near you 6

  7. Android’s New Toys: Intents • Like hash tables, but with a little type / routing data • Routes via an Action String and a Data URI • Makes platform component replacement easy • Either implicitly or explicitly routed / targeted Intent { action=android.intent.action.MAIN categories={android.intent.category.LAUNCHER} flags=0x10200000 comp={au.com.phil/au.com.phil.Intro} } 7

  8. Android’s Attack Surfaces • Isolated applications is like having multi-user system • Single UI / Device  Secure sharing of UI & IO • Principal maps to code, not user (like browsers) • Appeals to user for all security decisions i.e. Dialer • Phishing style attack risks. • Linux, not Java, sandbox. Native code not a barrier. • Any java app can exec a shell, load JNI libraries, write and exec programs – without finding a bug. 8

  9. Android’s Attack Surfaces • System Services – Not a subclass of Service • Privileged: some native “ servicemanager ” • Some written in Java, run in the system_server • SystemManager.listServices() and getService() • Exposed to all, secured at the Binder interfaces 44 on a Annalee’s Cupcake1.5r3 T-Mobile G1: activity, activity.broadcasts, activity.providers, activity.senders, activity.services, alarm, appwidget, audio, battery, batteryinfo, bluetooth, bluetooth_a2dp, checkin, clipboard, connectivity, content, cpuinfo, devicestoragemonitor, hardware, input_method, iphonesubinfo, isms, location, media.audio_flinger, media.camera, media.player, meminfo, mount, netstat, notification, package, permission, phone, power, search, sensor, simphonebook, statusbar, SurfaceFlinger, telephony.registry, usagestats, wallpaper, wifi, window 9

  10. System Service Attack Surface  Some are trivial IClipboard.aidl – ClipboardService Or “clipboard” to getService()  CharSequence getClipboardText();  setClipboardText(CharSequence text);  boolean hasClipboardText(); 10

  11. System Service Attack Surface Some system services are complex, even with source: SurfaceFlinger Native Code (C++) no AIDL defining it or simple Stubs to call it with. WindowManagerService. performEnableScreen () 11

  12. Android’s New Kernel Mode Toys • Binder - /dev/binder • AIDL: Object Oriented, Fast IPC, C / C++ / Java • Atomic IPC – ids parties, moves Data, FDs & Binders • Similar to UNIX domain sockets • Ashmem – Anonymous shared memory • Shared memory that can be reclaimed (purged) by the system under low memory conditions. • Java support: android.os.MemoryFile 12

  13. New Android Toys 18 Android devices by 8 or 9 manufacturers in 2009? Images from High End Mobile Graphix blog. http://highendmobilegrafix.blogspot.com/ Bottom right image from Gizmodo http://www.gizmodo.com 13

  14. Understanding New Devices  What software is installed on my new phone?  Anything new, cool, or dangerous added by the manufacturer or new features for my apps to use?  How will updates work? Do they have something for deleting that copy of 1984(*) from my library.  Is the boot loader friendly?  Will I have root? What about someone else?  Which apps are system and which are data. * Even if Amazon or Ahmadinejad intend to update you, it shouldn’t be a surprise 14

  15. Exploratory Tools  Logcat or DDMS or the “READ_LOGS” permission!  Android SystemProperties - property_service  Linux  /proc  /sys (global device tree)  /sys/class/leds/lcd-backlight/brightness  dmesg i.e. calls to syslog / klogctl  syscall interface  File system o+r or groups we can join  APKs in /system/app 15

  16. Exploratory Tools  /data/system/packages.xml  Details of everything installed, who shares signatures, definitions of UIDs, and the location of the install APKs for you to pull off and examine.  /proc/binder – the binder transaction log, state, and stats  /proc/binder/proc/  File for each process using binder, and details of every binder in use – read binder.c  /dev/socket – like zygote and property_service  /system/etc/permissions/platform.xml 16

  17. Exploratory Tools  DUMP permission – adb shell or granted  dumpsys – dumps every system service ServiceManager.listServices() Example from “ activity.provider ” dump: Provider android.server.checkin … package=android process=system… uid=1000 clients=[ProcessRecord{4344fad0 1281:com.android.vending/10025}, ProcessRecord{433fd800 30419:com.google.process.gapps/10011}, ProcessRecord{43176210 100:com.android.phone/1001}, ProcessRecord{43474c68 31952:com.android.calendar/10006}, ProcessRecord{433e2398 30430:android.process.acore/10008}] 17

  18. Exploratory Tools  Android Manifest aka AndroidManifest.xml  Not only does the system have one, but every app  Defines exported attack surface including:  Activities, Services, Content Providers, Broadcast Receivers, and Instrumentations  SystemServices / those privileged System APIs  Primarily what my tools use  Package Manager - “package” service  Activity Manager – “activity”  Some non-services like Settings 18

  19. Looking at “Secret Codes” android.provider.Telephony (private @hide code) caught my eye with this: Grep also noticed SECRET_CODE_ACTION in: /packages/apps/Contacts - SpecialCharSequenceMgr.java /packages/app/VoiceDialer -VoiceDialerReceiver.java 19

  20. Looking at “Secret Codes” SpecialCharSequenceMgr.java (From contacts) 20

  21. Looking at “Secret Codes” VoiceDialer’s use of Secret Code – start at the Manifest: 21

  22. Exploring Droids Tracking down a Secret Code with Manifest Explorer Exploring what’s available with Package Play Exploring with Intent Sniffing Quick look at Intent Fuzzing

  23. Manifests and Manifest Explorer  Applications and System code has AndroidManifest  Defines permissions, and their use for the system  Defines attack surface  Critical starting point for understanding security  Stored in compressed XML (mobile  small) in .apk 23

  24. Manifests and Manifest Explorer 24

  25. Manifests and Manifest Explorer Start of Browser’s Manifest ( com.android.browser) 25

  26. Manifests and Manifest Explorer Manifest Explorer on Browser com.android.browser 26

  27. Manifests and Manifest Explorer “Contacts and myFaves storage” com.tmobile.myfaves 27

  28. What does this “secret code” do? Got some weird WAPPUSH SMS / PDU Selective logcat for ~ six seconds around entering the code: 03.792: INFO/MyFaves(26963): starting service with intent: Intent { comp={com.tmobile.myfaves/com.tmobile.myfaves.MyFavesService} (has extras) } 03.802: INFO/MyFaves(26963): handleMessage(4) 04.372: INFO/MyFaves(26963): sending msg: 16358279015013420001000000000000000000000000000000000000 000000000000000000000000 to 453 06.732: INFO/MyFaves(26963): SMSStatusReceiver.onReceive(extras: Bundle[{id=100}]; resultCode: - 1); action: sent 06.762: INFO/MyFaves(26963): starting service with intent: Intent { comp={com.tmobile.myfaves/com.tmobile.myfaves.MyFavesService} (has extras) } 06.762: INFO/MyFaves(26963): handleMessage(0) 06.832: INFO/ActivityManager(54): Stopping service: com.tmobile.myfaves/.MyFavesService 09.122: INFO/MyFaves(26963): queueInboundSMSMesssage: 05 09.152: INFO/MyFaves(26963): starting service with intent: Intent { comp={com.tmobile.myfaves/com.tmobile.myfaves.MyFavesService} (has extras) } 09.162: INFO/MyFaves(26963): handleMessage(6) 28

  29. Package Play  Shows you installed packages:  Easy way to start exported Activities  Shows defined and used permissions  Shows activities, services, receivers, providers and instrumentation, their export and permission status  Switches to Manifest Explorer or the Setting’s applications view of the application. 29

  30. Package Play 30

  31. Playing with “ FieldTest ” Lots of field tests in this FieldTest 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
Minimally Invasive Surgery Small incision Low risk of infection Short recovery time

Minimally Invasive Surgery Small incision Low risk of infection Short recovery time

Elec 331 - Minimally Invasive Surgery Minimally Invasive Surgery Small incision Low risk of infection Short recovery time CO 2 Injected by needle Integrated into instrument Uses Exploratory surgery

446 views • 9 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="net.cserna.bence.colorguess

201 views • 3 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android which gives us the liberty to perform heavy tasks in the background and keep the UI thread light thus making the application more responsive. Basic

240 views • 5 slides
Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview Installation Building Blocks Application Development Development Tools Source walk through Introduction to Android Open software

978 views • 49 slides
CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

1.49k views • 70 slides
CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

583 views • 31 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle Emmanuel Agu Android UI Design Example GeoQuiz App Reference: Android Nerd Ranch, pgs 1 32 App presents questions to test users knowledge

1k views • 96 slides
Lichfield Street Surgery Sycamore House Surgery The Limes Surgery Saddlers Surgery . Relocation

Lichfield Street Surgery Sycamore House Surgery The Limes Surgery Saddlers Surgery . Relocation

Lichfield Street Surgery Sycamore House Surgery The Limes Surgery Saddlers Surgery . Relocation Engagement December 2017-January 2018 From and To Proposed site Our Present Sites Lichfield Street Surgery Sycamore House Surgery The Limes Surgery

899 views • 15 slides
An Exploratory Study of How Developers Exploratory Study Seek, Relate, and Collect Relevant

An Exploratory Study of How Developers Exploratory Study Seek, Relate, and Collect Relevant

Code Investigation Z ephyrin Soh Context and Paper An Exploratory Study of How Developers Exploratory Study Seek, Relate, and Collect Relevant Results Activities Information during Software Strategy Search Relate Maintenance Tasks

397 views • 23 slides
Services Android Services A Service is an application component that runs in the background, not

Services Android Services A Service is an application component that runs in the background, not

Lesson 22 Lesson 22 Android Android Services Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work

692 views • 26 slides
Android Pre-requisites 1 Android To Dos Make sure you have working

Android Pre-requisites 1 Android To Dos Make sure you have working

Android Pre-requisites 1 Android To Dos Make sure you have working install of Android Studio Make sure it works by running Hello, world App On emulator

666 views • 24 slides
Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES

Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES

Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES USING SELENIUM Outline 1. Modern Engineering Principles 2. Monitoring Approaches 3. Statistical Models 4. Selenium 5. Exploratory Principles 6.

618 views • 26 slides
CS3157: Advanced Programming Lecture #11 Apr 10 Shlomo Hershkop shlomo@cs.columbia.edu

CS3157: Advanced Programming Lecture #11 Apr 10 Shlomo Hershkop shlomo@cs.columbia.edu

CS3157: Advanced Programming Lecture #11 Apr 10 Shlomo Hershkop shlomo@cs.columbia.edu Outline CPP continued Language basics: identifiers, data types, operators, type conversions, branching and looping, program structure

357 views • 21 slides
What's new with Apache Tika? What's new with Apache Tika? What's New with Apache Tika? What's

What's new with Apache Tika? What's new with Apache Tika? What's New with Apache Tika? What's

What's new with Apache Tika? What's new with Apache Tika? What's New with Apache Tika? What's New with Apache Tika? Nick Burch @Gagravarr @Gagravarr Nick Burch @Gagravarr Nick Burch @Gagravarr Nick Burch CTO,

941 views • 65 slides
Agenda: Bob Burke of Natural Products Consulting Don Buder of Naturally Bay Area 3:05 pm How to

Agenda: Bob Burke of Natural Products Consulting Don Buder of Naturally Bay Area 3:05 pm How to

Todays Agenda 3:00 pm Welcome & Introduction Agenda: Bob Burke of Natural Products Consulting Don Buder of Naturally Bay Area 3:05 pm How to Not Run Out of Cash (40 min) Featuring: Gary Hirshberg of Hirshberg Entrepreneurship Institute

692 views • 67 slides
Web-scale Data Integra0on: You can only afford to Pay As

Web-scale Data Integra0on: You can only afford to Pay As

Web-scale Data Integra0on: You can only afford to Pay As You Go ---- Jayant Madhavan, Shawn R. Jeffery, Shirley Cohen, Xin

899 views • 73 slides
8 WAYS TO STAY CALM IN A CRISIS! www.bulletproofactor.com www.actonthis.tv #CORONAVIRUS THERE

8 WAYS TO STAY CALM IN A CRISIS! www.bulletproofactor.com www.actonthis.tv #CORONAVIRUS THERE

8 WAYS TO STAY CALM IN A CRISIS! www.bulletproofactor.com www.actonthis.tv #CORONAVIRUS THERE IS A LOT OF FEAR AND UNCERTAINTY IN SOCIETY RIGHT NOW - AND RIGHTLY SO. THE SPREAD OF COVID-19 HAS TAKEN US ALL DOWN A PATH WE NEVER COULD

316 views • 19 slides
Messages from last night - Developing good habits for team work, no woman is an island - Writing

Messages from last night - Developing good habits for team work, no woman is an island - Writing

Messages from last night - Developing good habits for team work, no woman is an island - Writing readable code with proper style - Javas popularity, Hazelcasts success relies on easy re-usability - A lot of practice (i.e. doing bonus

418 views • 16 slides
GASB Update Prepared by: Debbie Harper Brandon Young Ryan Domino June 30, 2019 Fiscal Year

GASB Update Prepared by: Debbie Harper Brandon Young Ryan Domino June 30, 2019 Fiscal Year

GASB Update Prepared by: Debbie Harper Brandon Young Ryan Domino June 30, 2019 Fiscal Year GASB 83: Certain Asset Retirement Obligations GASB 88: Certain Disclosures Related to Debt, including Direct Borrowings and Direct

761 views • 65 slides
CSI 201 - Introduction to double interest_rate = .059; Types such as double , char , bool ,

CSI 201 - Introduction to double interest_rate = .059; Types such as double , char , bool ,

Introduction Up to now, we've known a variable to be a named reference to a place in memory that stores one type of data value. CSI 201 - Introduction to double interest_rate = .059; Types such as double , char , bool , int , etc. are

408 views • 14 slides

More recommend