Download as PDF, PPTX
Uploaded bySam Bowne
8 Android Implementation Issues (Part 1)
This document discusses exploiting vulnerabilities in Android devices. It covers identifying pre-installed apps that could provide access, techniques for remotely or locally exploiting devices, and the different privilege levels an attacker may obtain including non-system app access, installed package access, ADB shell access, system user access, and root user access. Specific exploitation techniques mentioned include exploiting update mechanisms, remote code loading, webviews, listening services, and messaging apps. Tools discussed include Drozer, Ettercap, and Burp.
More Related Content
Similar to 8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
- 1. CNIT 128 Hacking MobileDevices 8. Identifying and Exploiting Android Implementation Issues Part 1 Updated 10-24-22
- 2. Topics • Part 1 •Reviewing Pre-installed Applications • Exploiting Devices • Start through "Explanation of Privilege Levels" (up to p. 375)
- 3. Topics • Part 2 •Exploiting Devices • "Practical Physical Attacks" (p. 376) through • "Man-in-the-Middle Exploits" (up to p. 401)
- 4. Topics • Part 3 •Exploiting Devices • "Injecting Exploits for JavaScript Interfaces" (p. 401) and following • Infiltrating User Data
- 5.
- 6. Root Access • Eachinstalled app has its own attack surface • But when you exploit an app, you get access with the privileges of that app • Not root access • But you can often exfiltrate user data without root access
- 7.
- 8. INSTALL PACKAGES • Exploitingan app with this permission allows an attacker to install a Trojan app • Permission level signature|system • Defined by the android package
- 9. Drozer on anEmulator • Real devices have many more apps with this dangerous permission
- 10. Apps Running asSystem • On an emulator • Many more on a real device (66 in book)
- 11.
- 12. Techniques • Trick userinto installing a malicious app • Server-side: exploit a listening port • Client-side: open a malicious document
- 13. Browsers and Document Readers •Frequently vulnerable • Complex parsers written in native code • Fuzzers can fund vulnerabilities • Samsung has Polaris Viewer for PDFs by default • No PDF reader on my emulator
- 14. BROWSEABLE Activities • Allowsusers to open content inside an installed app rather than the browser • App stores installed on the device use this functionality • To open links that point to apps
- 15. Example • Manifest froma rogue Drozer agent • Opening a link starting with pwn:// will open this activity • But can't be used in an iframe anymore <activity android:name="com.mwr.dz.PwnActivity"> <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="pwn" /> </intent-filter> </activity>
- 16. Two Methods • Viapwn:// URI or "web intent" <a href="pwn://me">Start drozer<a> <a href="intent://me/#Intent;scheme=pwn;end"> Start Drozer</a>
- 17. Many apps use BROWSABLE filterson my emulator
- 18. Custom Update Mechanisms • Appsoften write their own update mechanisms • Rather than using the Play Store • This requires the INSTALL_PACKAGES permission • Code may be vulnerable • May check for a new file over HTTP or broken HTTPS
- 19. Remote Loading ofCode • Link Ch 8b
- 20. Remote Loading ofCode • Apps can load new code at runtime • Using the Java Reflection API • With the DexClassLoader class • May load code over the network, or from a local location that can be overwritten by other applications • May cause code injection vulnerabilities
- 21. WebViews • Recipe fordisaster • Using a WebView • Defining a JavaScript interface • Loading from a cleartext source or having SSL bypass code • Targeting API versions prior to 17 or using an Android version earlier than 4.2 • May allow JavaScript code injection
- 23.
- 24. Listening Services • Androidis unlikely to have listening ports • My Genymotion has a few
- 25. Messaging Applications • Examples,may be vulnerable • Short Message Service (SMS) • Multimedia Messaging Service (MMS) • Commercial Mobile Alert System (CMAS) • Email clients • Chat clients
- 26. Finding Local Vulnerabilities •Manual process • Download all installed apps • Convert them to readable source code • Use grep to search for vulnerabilities • Or use Drozer's scanner modules
- 27. Drozer's SQLi Scanner •Doesn't find the Sieve SQL injection
- 28.
- 29. Remote and LocalExploits • Remote exploit • Gives attacker a foothold on the device • Such as software exploits, MITM attacks, or malware • Local exploit • Requires a foothold on the device already • Local privilege escalation
- 30.
- 31. • Performs ARPpoisoning, DNS spoofing, etc. • We're using local proxy settings • You need ettercap to perform real MITM attacks on a LAN Ettercap
- 32. Burp • Can inspectand modify traffic • Sends fake TLS certificates • Burp can be added as a "trusted CA"
- 34. Drozer • Infrastructure Mode •Runs a Drozer server, as a C&C server • Make "rogue agents" which are like malware • Custom-built to phone home to the Drozer server • Much like Metasploit
- 35.
- 36. Non-System App without Context •Ex: a shell from a Web browser • Attacker has privileges of the compromised app • Can navigate filesystem under the app's user account • Cannot use Java libraries • Cannot install packages, or read SMS, etc.
- 37. Non-System App with Context •Attacker takes over app's execution flow and can load arbitrary classes • Attacker can retrieve app Context • Can do anything the app can do
- 38. Installed Package • Canrequest arbitrary permissions • Can be granted them, depending on protection level
- 39. ADB Shell Access •Can install apps • Can interact with apps as a developer
- 40. System User Access •Running as system user, can • Install apps • Change device configuration • Access data from any app's private directory
- 41. Root User Access •Ultimate power, can • Install apps • Read and write RAM • Manipulate any aspect of the device