password managers
play

Password Managers Stephan Huber, Siegfried Rasthofer, Steven Arzt - PowerPoint PPT Presentation

Sep 19, 2023 •272 likes •785 views

Extracting All Your Secrets: Vulnerabilities in Android Password Managers Stephan Huber, Siegfried Rasthofer, Steven Arzt Fraunhofer SIT Stephan Siegfried Mobile Security Researcher at Malware and Vulnerability Fraunhofer SIT

  1. Extracting All Your Secrets: Vulnerabilities in Android Password Managers Stephan Huber, Siegfried Rasthofer, Steven Arzt Fraunhofer SIT

  2. Stephan Siegfried • • Mobile Security Researcher at Malware and Vulnerability Fraunhofer SIT Researcher at Fraunhofer SIT • Founder of CodeInspect • Enjoys teaching students in • Web: www.rasthofer.info Android (app) hacking • Twitter: @teamsik • Twitter: @teamsik 2

  3. Acknowledgements • Benedikt Hiemenz • Daniel Hitzel • Daniel Magin • Joseph Varghese • Julien Hachenberger • Max Kolhagen • Michael Tröger • Philipp Roskosch • Wittmann Andreas 3

  4. 90 Accounts * *https://thycotic.com

  5. Public Key Crypto Biometric Pictures ... Notebook Password Manager

  6. Password Manager Source: https://www.getkeepsafe.com/about.html

  7. 7

  8. App GooglePlay Downloads Keeper 10 – 50 m Keepsafe 10 – 50 m 1Password 1 – 5 m Dashlane 1 – 5 m Lastpass 1 – 5 m Avast 0.5 – 1 m MyPasswords 0.5 – 1 m F-Secure 100 – 500 k PasswordManger 50 – 100 k 8

  9. Secure Synchronization Confidential Password Storage Autofill Password Manager Comfort Feature (PIN login) Custom Browser 9

  10. Internet App PW-Manager App PC user1:pw1 File user2:pw2 ... (master password) Database Account Manager (master password) 10

  11. “ No-root scenario “ Internet App PW-Manager App PC user1:pw1 File user2:pw2 ... (master password) Database Account Manager (master password) 11

  12. Internet App PW-Manager App PC user1:pw1 File user2:pw2 ... (master password) Database Account Manager (master password) 12

  13. Manual Filling Automatically Filling 13

  14. Manual Filling Password Manager http://twitter.com/login user **** user1 **** Clipboard user2 **** user3 **** 14

  15. Manual Filling - Attack Receiver Apps user:pass Password Manager user:pass clipboard „sniffer“ - app (no permissions required) 15

  16. Automatically Filling Password Manager user user1 **** ? user1 **** **** user2 **** user3 **** 16

  17. Accessibility Services “An accessibility service is an application that provides user interface enhancements to assist users with disabilities, or who may temporarily be unable to fully interact with a device. For example, users who are driving, taking care of a young child or attending a very loud party might need additional or alternative interface feedback.“ Source: https://developer.android.com 17

  18. Automatically Filling Password Manager ? user **** Twitter-App user1 **** (com.twitter.android) user2 **** user3 **** 18

  19. Automatically Filling Password Manager Twitter-App (com.twitter.android) 19

  20. Automatically Filling - Attack com.twitter .twitterleak reverse prefix com.twitter matches find field textPassword inject credentials 20

  21. DEMO TIME ! DEMO 21

  22. PW-Manager App PC user1:pw1 File user2:pw2 ... (master password) Database 22

  23. Use Backup Function backup com.fsecure.key adb adb * tar – xvf mybackup.tar cat KeyStorage.xml <string name="master_password"> secretpass </string> * https://github.com/nelenkov/android-backup-extractor 23

  24. PW-Manager App user1:pw1 File user2:pw2 ... (master password) Database 24

  25. API accessing browser elements PW Manager credentials 25

  26. API accessing browser elements Pw Manager credentials 26

  27. Password Manager Custom Browser http://twitter.com/login user **** autofill user1 user1 **** **** user2 **** user3 **** 27

  28. Password Manager Custom Browser http://twitter.com/login local app folder 28

  29. Details about the Browser • Browser is part of the app • Running in the same process , part of the sandbox • Based on WebView API • Supports file:// URI * *until Android 6 29

  30. NOT A COOKIE,CREDENTIALS ! 30

  31. fi file:/// ///data/d /data/p /package.name/shared_p _prefs/p /passwor ords_pref.xml md5 („ pincodeValue “) * base64(encr(key, PIN)) *obfuscated attribute values (for this example) 31

  32. 32

  33. Let‘s Look into the App Code public abstract class LPCommon { //first part of the key protected static String aA = "ldT52Fjsnjdn4390"; //second part of the key protected static String aB = "89y23489h989fFFF"; AES-Key: ldT52Fjsnjdn439089y23489h989fFFF 33

  34. PW-Manager App user1:pw1 File user2:pw2 ... (master password) Database Account Manager (master password) 34

  35. Android AccountManger • „This class provides access to a centralized registry for the user‘s online accounts …“ • SQLITE Database for storing tokens or temporary Credentials • API provides access for Application /data/system/users/0 # ls -l accounts.db -rw-rw---- system system 241664 2017-04-03 10:58 accounts.db 35

  36. “ With this in mind, you shouldn't pass the user's actual password to AccountManager.addAccountExplicitly(). Instead, you should store a cryptographically secure token that would be of limited use to an attacker. If your user credentials are protecting something valuable, you should carefully consider doing something similar.” Quote google developer (AccountManager) https://developer.android.com/training/id-auth/custom_auth.html 36

  37. DEMO TIME ! 37

  38. System AccountManager accounts.db 38

  39. Target App com.dashlane email:passwd System account type AccountManager accounts.db 39

  40. Target App com.dashlane email:passwd System account type AccountManager UID:123 accounts.db email:passwd 40

  41. Attacker App Target App * com.dashlane com.dashlane email:passwd mail1:pass1 System account type account type AccountManager UID:123 accounts.db email:passwd *https://thenounproject.com/term/grab/121228/ 41

  42. Attacker App Target App com.dashlane com.dashlane email:passwd mail1:pass1 System account type account type AccountManager COLLISION! UID:123 UID:456 accounts.db email:passwd 42

  43. Attacker App com.dashlane mail1:pass1 System account type AccountManager accounts.db email:passwd 43

  44. Attacker App Read Account Data com.dashlane email:passwd System account type AccountManager UID:456 accounts.db email:passwd 44

  45. Writing into AccountManager try { Account account = new Account ("teamsiksm3@gmx.de ", " com.dashlane "); AccountManager acmanager = AccountManager.get(getApplicationContext()); //requires permission android.permission.AUTHENTICATE_ACCOUNTS acmanager. addAccountExplicitly (account, „DUMMY", null); catch collision } catch ( Exception e) { Log.e(TAG, "Acc Exception " + e.getMessage()); } Reading form AccountManager try { AccountManager acmgr = AccountManager.get(getApplicationContext()); Account[] accounts = acmgr. getAccountsByType (" com.dashlane "); for (Account a : accounts) { String password = AccountManager.get(getApplicationContext()). getPassword ( a ); … } catch (Exception e) { e.printStackTrace(); } 45

  46. Further Fails • Custom crypto-algorithm • AES in ECB mode for database encryption • Delivered browser do not consider subdomains in form fields • Data leakage in browser • Custom transport security 46

  47. Improvements • Use Android KeyStore (since Android 6 AES key support) • Use key derivation function (e.g. API PBKDF2, FB conceal ) • NO hardcoded keys • Use AES/CBC or AES/GCM • Do not abuse AccountManager 47

  48. Keeper Lastp 1Pass MyPass Avast F-Sec Keeps. PwMgr MyPass Dash Master/PIN X X X X X X X X Hardcoded X X X X Key Sandbox X X X X X Bypass Side channel X X X X X Subdomain X X X X X X Data leakage X X X Partial X encryption Broken sync. X www.sit4.me/pw-manager 48

  49. Summary • We showed several non root attacks on Android password managers • Convenience functions weaken or destroy security • All findings were reported and fixed 49

  50. Stephan Huber Email: stephan.huber@sit.fraunhofer.de Dr. Siegfried Rasthofer Email: siegfried.rasthofer@sit.fraunhofer.de Twitter: @teamsik Website: www.team-sik.org 50

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your Master Key When you forget a password, they send a reset link to your email. Anyone with access to your email has the power to reset your other

549 views • 31 slides
Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides
Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University

Password Managers A way to cope with dozens of online accounts Felix Morsbach Uppsala University Sweden CryptoParty #9 presentation of 23rd January 2020 What is the problem? How can one solve it? What actually (not) to do? Making it (more)

346 views • 13 slides
A Usability Study and Critique of Two Password Managers Robert Biddle Presenter: Chi-Tsong Su

A Usability Study and Critique of Two Password Managers Robert Biddle Presenter: Chi-Tsong Su

A Usability Study and Critique of Two Password Managers Robert Biddle Presenter: Chi-Tsong Su A Mysterious Letter A man got a kick out of turning simple things into mysteries when composing a letter, though he was not good at all at writing.

417 views • 19 slides
Studying the Impact of Managers on Password Strength and Reuse Authors: Sanam Ghorbani Lyastani

Studying the Impact of Managers on Password Strength and Reuse Authors: Sanam Ghorbani Lyastani

Studying the Impact of Managers on Password Strength and Reuse Authors: Sanam Ghorbani Lyastani , Michael Schilling, Sascha Fahl, Sven Bugiel , Michael Backes CISPA, Saarland University, Saarland University, Leibniz

535 views • 31 slides
Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com What is Team Password Manager - Password manager for groups and projects - Uses projects to group passwords - Secure, fine grained password sharing -

712 views • 9 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena, Maliheh Shirvanian (UA Birmingham)

750 views • 32 slides
Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked Can detect, reject bad passwords for an appropriate definition of bad Discriminate on per-user, per-site basis Needs to do

363 views • 21 slides
Day 3 If you are still using the default password that was assigned when your account was

Day 3 If you are still using the default password that was assigned when your account was

Day 3 If you are still using the default password that was assigned when your account was created, CHANGE IT NOW! (It can be the same as your email password.) Day 3 Steps in compiling: (Optional preprocessing) Lexical analysis

483 views • 17 slides
Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick

Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick Gage Kelley, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor,

1.88k views • 85 slides
Open source password manager for teams 80% of security incidents are due to poor password

Open source password manager for teams 80% of security incidents are due to poor password

Open source password manager for teams 80% of security incidents are due to poor password management policies. ~ Trustwave Each year, over 125 millions hours of productivity are lost due to passwords management problematics. ~

950 views • 25 slides
1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

11/17/09 1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm pretty sure it doesn't work. 3 3 11/17/09 - basic outline -problems with password usability and security -how various graphical

1.55k views • 86 slides
PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory

PASSWORD STRENGTH ANALYSIS COPING MECHANISMS IN PASSWORD SELECTION Brian Curnett and Teri Flory Masters Students The Center for Education and Research in Information Assurance and Security CURRENT STATUS Problem Statement Stringent

286 views • 15 slides
A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks

A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks

A Large-scale Analysis of the Mnemonic Password Advice Johannes Kiesel , Benno Stein, Stefan Lucks Bauhaus-Universitt Weimar www.webis.de NDSS 2017, February 27 th 2017 Mnemonic Password Creation Password: Show password Random

684 views • 17 slides
Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is

Authentication Kypros Ioannou Professor: Elias Athanasopoulos Passwords (1/3) A password is weak authentication mechanism. Use Brute Force to find the password. We are using Hashing and Salt to protect the password. Passwords: Two factors

559 views • 51 slides
Creating Value Through Effective Account Management: Identifying and Developing Talent to Meet

Creating Value Through Effective Account Management: Identifying and Developing Talent to Meet

Creating Value Through Effective Account Management: Identifying and Developing Talent to Meet Customer Needs May 17, 2016 Learning Resources Available Strategies for Effective Account Management Plus, a NEW Account Management Application Tool

717 views • 14 slides
Introduction This training covers the internal control policies and procedures that property

Introduction This training covers the internal control policies and procedures that property

Policies &amp; 2017 INTERNAL CONTROLS TRAINING FOR PROPERTY Procedures Training MANAGEMENT Introduction This training covers the internal control policies and procedures that property managers must follow starting January 1, 2017. The

843 views • 38 slides
3 Advantages of Operating in the Cloud Exploring the software essentials that push profits &amp;

3 Advantages of Operating in the Cloud Exploring the software essentials that push profits &amp;

3 Advantages of Operating in the Cloud Exploring the software essentials that push profits &amp; productivity Presented by Angela Bloomer Sponsored by Todays Presenter ANGELA BLOOMER Director of Product Management, Construction Division

670 views • 56 slides
Simplify and Optimize Your Enterprise Enterprise Systems History 2 3 Decades of the same:

Simplify and Optimize Your Enterprise Enterprise Systems History 2 3 Decades of the same:

4/11/2011 Simplify and Optimize Your Enterprise Enterprise Systems History 2 3 Decades of the same: code and wait. Disparate Systems and platforms. Islands of systems, information, results. Differing versions of the truth.

592 views • 10 slides
Google Privacy &amp; Security interfaces Dominic Battr Robert Brauer Google Confidential and

Google Privacy &amp; Security interfaces Dominic Battr Robert Brauer Google Confidential and

Google Privacy &amp; Security interfaces Dominic Battr Robert Brauer Google Confidential and Proprietary Google Privacy Principles 1. Use information to provide our users with valuable products and services. 2. Develop products that

541 views • 13 slides
Topics and Tasks Presenters: Lauri Begley Associate Account Specialist (IBAMS) Jeff Hamilton

Topics and Tasks Presenters: Lauri Begley Associate Account Specialist (IBAMS) Jeff Hamilton

The Administrator Journey: Unpacking Key Topics and Tasks Presenters: Lauri Begley Associate Account Specialist (IBAMS) Jeff Hamilton Account Specialist (IBAMS) October 15, 2020 CPG Administrator Webinar Series The Administrator Journey

876 views • 51 slides
Open Office Hours 10/31/2019 Agenda Users, Privileges, Roles, and Profiles: Comparison of

Open Office Hours 10/31/2019 Agenda Users, Privileges, Roles, and Profiles: Comparison of

Open Office Hours 10/31/2019 Agenda Users, Privileges, Roles, and Profiles: Comparison of Voyager to Alma Streamlining the process of Alma Role Assignment Documentation for later review Phase 2 preparation VOYAGER Staff Login

591 views • 29 slides
AND SEARCHING Shared Library Services Platform Project Logan Rath Welcome &amp; Getting Started

AND SEARCHING Shared Library Services Platform Project Logan Rath Welcome &amp; Getting Started

FULFILLMENT: INTRO TO ALMA, USER MANAGEMENT, ROLES, AND SEARCHING Shared Library Services Platform Project Logan Rath Welcome &amp; Getting Started Welcome &amp; Getting Started Alma Overview &amp; Basic Searching Roles &amp; User

542 views • 22 slides

More recommend