Bypassing Android Password Manager Apps Without Root (DEF CON 25 presentations)

Post on 23-May-2020


Bypassing Android Password Manager Apps Without Root

Stephan Huber, Siegfried Rasthofer, Steven Arzt

Fraunhofer SIT

Stephan

• Mobile Security Researcher at Fraunhofer SIT

• Enjoys teaching students in Android (app) hacking

• Twitter: @teamsik

Siegfried

• Head of Secure Software Engineering at Fraunhofer SIT

• Founder of CodeInspect

• Web: www.rasthofer.info

• Twitter: @teamsik

Acknowledgements

• Benedikt Hiemenz
• Daniel Hitzel
• Daniel Magin
• Joseph Varghese
• Julien Hachenberger
• Max Kolhagen
• Michael Tröger
• Philipp Roskosch
• Wittmann Andreas

Wish

aim=e1Ioci Ohyoh>wae0 kei7Gae$si bei3coo<Li ooB,iu9AhN Phei0IeHa' uhu;j5ohTiPhi,Phu3di Moo0ooz"oh we(u,t0Zas quucoo<d2I Pae?gh<ie3 loh;Bah4ei Wa[el~oh9iooh!ee7Aik AX1aeSh>ai eGah+K5iuM yae$V4leex ohjiu_Hei6 fee'Cho5Oo jahK3Ad+aioH)eewaec0 KiG&ee4ahy ujohj%ie1J wae,Gei6mu uSh=i2ahng ainai]Le2i Ieb~o5fohFohN\ah1gae Dooch\ei7i ich]a're1U aiToh5cee= eiZ2thaip; ni"W3oom?i oi(Sh7vie)gu}i8Tohco il@ah@ve9U cie"tae8Eo Au&S3aigae eir0ieHo)c ohch/ah6Ii Bie*t9xie"ukieTh6fu[ ie*vieZai9 ohwu(v0eeY ua&ghi7aeR em?ohG?oi3 phu$L^ah4p ieX&i2sheiaiZie%l7Oo ood8Pe<emo faiGh[ie0i OPho9sie>n phie9Ib(ie beiMei[r7a Nagh(aid0UAhTee:tah5 oY"a5pheib ohthe1Na.e eria9Ahn>u eid8Ohso!o Uv4ia6Gu`o Aeli1li$i&Toth^ai8ph Euso6eu$ja vie8Ieh?ai leec4aeZ/o Eele+ph2na yai=b!a5Oo Wefoh&m4ohVo-oX9ka0v ei9eenuN<a Eit}ae4ohF heRie.J6Bo OoZ-ue9mai zait8coo]N yoh9Oopoh$xoh%C:ahk6 Zi]opu4eiB eGh>ih2oPh noo7Ish'ie Uaz6she|Zu oo0aiP*ee2 coh=Puo1Veroo9Kee-th ra@c3Ce7sh mabi6Malo[ auw1Eu\kie eiVoo,Kuu5 aiW\oo5phu Oos_abir7U

Reality

Note

Password-Manager

Password-Recycling

Browser Password-Manager

App / Google Play downloads:

Keeper            10 – 50 m
Keepsafe          10 – 50 m
1Password          1 – 5 m
Dashlane           1 – 5 m
LastPass           1 – 5 m
Avast            0.5 – 1 m
MyPasswords      0.5 – 1 m
F-Secure         100 – 500 k
Password Manager  50 – 100 k

Security Requirements

Confidentiality

Availability

Integrity

• Premium features for free
• Resetting master password with ease
• Breaking C.I.A.
• Lost device scenario
• MitM attacks
• Via third-party app

Internet

App

AccountManager (master password)

File (master password)

PW-Manager App

user1:pw1
user2:pw2
...

Database

PC

“No-root scenario“

Premium upgrade for free!

Get Pro for Free

    public abstract class BasePreferenceActivity extends AppCompatPreferenceActivity {

        // premium flag, set from an intent extra
        protected static boolean a = false;

        protected void onCreate(Bundle bundle) {
            boolean z = false;
            super.onCreate(bundle);
            …
            if (getIntent().getIntExtra("com.xy.mo.apps.pwmgr.EXTRA_SUFCXNUQVRF", 0) == 2) {
                z = true;
            }
            a = z;
        }
    }

Premium Flag

    adb shell am start -n com.xy.mo.apps.pwmgr/.settings.DatabaseSettings --ei com.xy.mo.apps.pwmgr.EXTRA_SUFCXNUQVRF 2

check Intent value

Before and After Intent

Before Intent: / After Intent:

Logic Flaw

Logic Design Flaw

USER: Forgot Password -> Verification Code -> Correct? -> YES -> Security Question -> Correct? -> YES -> Reset Master Password

Attacker has (physical) device access.

read emails on device?

Logic Design Flaw

• Manifest:

    <activity android:theme="@*android:style/Theme.NoDisplay"
              android:label="@afk/app_name"
              android:name="com.xyz.android_apps.noname.DeepLinkActivity">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data android:scheme="https" android:host="xyz.com" android:pathPattern="/.*st.*" />
        </intent-filter>
    </activity>

• Start Activity:

    adb shell am start -n com.xyz.android_apps.noname/.DeepLinkActivity

Logic Design Flaw

• “Forget Password“ function

Logic Design Flaw

• Fire intent, start DeepLinkActivity

Logic Design Flaw

• Settings -> “RESET SECURITY QUESTION“

Attacker Flow

ATTACKER: Attacker has (physical) device access

Start Settings -> Change Security Question

Forgot Password -> Verification Code -> Enter Verification Code (get code from emails on device) -> YES -> Answer Sec. Question -> Reset Master Password

Side Effects

• Change security question without authentication
• Insert new data into the database -> synchronization (no code)
• Turn off auto-destroy function -> brute forcing

Get Master Secret

Master Secret

Extraction process (1)

• ADB backup
• MitM attack
• Browser file access
• Residue attack

Decryption process (2)

• Plaintext
• Custom crypto
• Hardcoded symmetric keys
• Custom obfuscation

Master Secret

Extraction process (1)

• MitM attack

Decryption process (2)

• Custom crypto

User Authentication

username:password

success

HTTP + Custom Crypto

Authentication Process

HTTP POST request

Client:
    seed = time[ms]
    key = random(seed)
    enc_data = AES(key, auth_data)

Server:
    seed = time[ms]
    key = random(seed)
    dec_data = AES(key, auth_data)

Header:
Body: enc_data (encrypted payload)

?

Authentication Process

HTTP POST

Client:
    seed = time[ms]
    key = random(seed)
    enc_data = AES(key, auth_data)

Server:
    seed = time[ms]
    key = random(seed)
    dec_data = AES(key, auth_data)

Attacker:
    seed = time[ms] – x[ms]
    key = random(seed)
    dec_data = AES(key, auth_data)
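The scheme on the slides derives the AES key from the millisecond clock, so the key is a function of a value both endpoints, and any observer with a roughly synchronised clock, already know. The following Java program is an added illustration (not the presenters' code or any app's code) that models that derivation with java.util.Random and shows that the effective key space is the clock skew, not the 128-bit key; the window size and the use of a 16-byte key are assumptions. The contrast function draws the key from SecureRandom, which is what a correct design would do if it needed an app-level key at all (the slides' actual recommendation is to rely on properly configured TLS instead of home-made crypto).

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

// Added example modelling the slide's key = random(seed = time[ms]) scheme.
public class TimeSeededKey {

    // The flawed derivation: a 16-byte AES key drawn from java.util.Random
    // seeded with the millisecond clock (key length is an assumption).
    static byte[] weakKey(long seedMillis) {
        byte[] key = new byte[16];
        new Random(seedMillis).nextBytes(key);
        return key;
    }

    // The key is deterministic in the seed, so anyone who knows the send time to
    // within windowMillis re-derives it; the secret is a few bits of clock skew.
    static boolean rederivable(byte[] observedKey, long approxMillis, int windowMillis) {
        for (long s = approxMillis - windowMillis; s <= approxMillis + windowMillis; s++) {
            if (Arrays.equals(weakKey(s), observedKey)) {
                return true;
            }
        }
        return false;
    }

    // Contrast: a key from a CSPRNG has no relation to the clock at all.
    static byte[] strongKey() {
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);
        return key;
    }

    public static void main(String[] args) {
        long sendTime = System.currentTimeMillis();
        byte[] k = weakKey(sendTime);
        // An observer whose clock is off by 1234 ms still lands on the key inside a
        // +/- 2 s window: at most ~4000 candidates instead of 2^128.
        System.out.println("time-seeded key re-derived from clock: "
                + rederivable(k, sendTime + 1234, 2000));
        System.out.println("CSPRNG key re-derived from clock:      "
                + rederivable(strongKey(), sendTime, 2000));
    }
}
```

Run as a plain JDK program; the first line prints true and the second false. The loop count is the entire cost of recovering the key, which is why a key derived from a timestamp protects nothing regardless of the cipher used afterwards.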

Best Practices: Secure Communication

• Android, correct SSL*
• Stronger: SSL (pinning)
• Android 7 supports pinning (security configuration file)
• Use a library with pinning support, e.g. the OkHttp library (take care of the version)

    URL url = new URL("https://example.org");
    URLConnection urlConnection = url.openConnection();
    InputStream in = urlConnection.getInputStream();
    …

* https://developer.android.com/training/articles/security-ssl.html
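As an added example of the "use a library with pinning support" recommendation (this is not code from the talk or from any of the reviewed apps), the following Java client pins OkHttp 3 to the SHA-256 hash of the server's public key. The host name and the pin value are placeholders: the all-zero pin must be replaced with the base64 SHA-256 of your own server's SubjectPublicKeyInfo, and a backup pin for the next key should normally be added alongside it so a key rotation does not lock users out.

```java
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Added example: certificate pinning with OkHttp 3 (dependency com.squareup.okhttp3:okhttp).
public class PinnedClient {

    // Placeholder host and pin; the pin below is NOT a real key hash. Replace it with
    // "sha256/<base64 of SHA-256(SubjectPublicKeyInfo)>" of the server you operate.
    static final String HOST = "example.org";
    static final String PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

    // A client that refuses any TLS chain whose leaf or intermediate key does not
    // match the configured pin, on top of the normal platform trust-store check.
    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PIN)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    public static void main(String[] args) throws IOException {
        Request req = new Request.Builder()
                .url("https://" + HOST + "/")
                .build();
        // With a wrong pin this throws javax.net.ssl.SSLPeerUnverifiedException;
        // the exception message lists the pins actually seen in the chain.
        try (Response resp = build().newCall(req).execute()) {
            System.out.println("HTTP " + resp.code());
        }
    }
}
```

On Android 7 and later the same effect can be declared without a library in res/xml/network_security_config.xml using a <pin-set> for the domain, which is the "security configuration file" mentioned on the slide; the OkHttp route has the advantage of also working on older API levels, provided the library version in use is current.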

Master Secret

Extraction process (1)

• Browser file access

md5(“pinCodeValue“)

base64(encr(key, PASS))

file:///data/data/package.name/shared_prefs/passwd_pref.xml

Master Secret

Extraction process (1)

• Residue attack

THE ACCOUNTMANAGER

THE WHAT ?

Android AccountManager

• „This class provides access to a centralized registry for the user‘s online accounts …“
• SQLite database for storing tokens or temporary credentials
• API provides access for applications

    /data/system/users/0 # ls -l accounts.db
    -rw-rw---- system system 241664 2017-04-03 10:58 accounts.db

“With this in mind, you shouldn't pass the user's actual password to AccountManager.addAccountExplicitly(). Instead, you should store a cryptographically secure token that would be of limited use to an attacker.

If your user credentials are protecting something valuable, you should carefully consider doing something similar.”

https://developer.android.com/training/id-auth/custom_auth.html

Quote: Google developer documentation (AccountManager)

DEMO TIME !


AccountManager

accounts.db: ID | email | type | token

AccountManager

Target App (account type com.account) registers: com.account | email@mail.com | secret

accounts.db: ID | email | type | token

AccountManager

Target App (account type com.account), installation, UID=123

accounts.db:
ID | email          | type        | token
1  | email@mail.com | com.account | secret

AccountManager

Attacker App (account type com.account), installation, UID=456, registers: com.account | mail1@ma1.com | stuff

accounts.db:
ID | email          | type        | token
1  | email@mail.com | com.account | secret

AccountManager

accounts.db:
1 | email@mail.com | com.account | secret

UID=456

COLLISION!

UID:123 ≠ UID:456

AccountManager

accounts.db:
1 | email@mail.com | com.account | secret

UID=456

COLLISION!

UID:123 ≠ UID:456

uninstall target app com.account

AccountManager

accounts.db:
1 | email@mail.com | com.account | secret

Not removed, there is an app with matching account type: com.account

AccountManager

accounts.db:
1 | email@mail.com | com.account | secret

Attacker app can now access the secret! (com.account)

Master Secret

Decryption process (2)

• Hardcoded symmetric keys
• Custom obfuscation

Crypto – Do it right

“A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”*

* Journal des sciences militaires, janvier 1883, La cryptographie militaire.

Kerckhoffs's principle

Correct encryption

master secret (password) -> key derivation function (e.g. PBKDF2) -> AES encryption or decryption -> cipher-text

Lsdh3jia32er4oer3owe2daerw23

Bad Crypto

master secret (password = mp) -> AES encryption/decryption (enc(mp, d)) of data d -> cipher-text Lsdh3jia32er4oer3owe2daerw23

static key = s -> AES -> store enc(s, mp)

mp = mp

cipher-text [0…0] padding

Hard-coded keys

    String = staticinvoke f.b("ydPCPFnpqfPuuBYPzhfGXD38gtUPN2yj", $String);

AES-Key = ydPCPFnpqfPuuBYPzhfGXD38gtUPN2yj

    public abstract class LPCommon {
        // first part of the key
        protected static String aA = "ldT52Fjsnjdn4390";
        // second part of the key
        protected static String aB = "89y23489h989fFFF";
        …
    }

AES-Key = ldT52Fjsnjdn4390 89y23489h989fFFF

Broken Key Obfuscation

master secret (password = mp)

self-implemented random -> random key kr, sizeof(kr) = 9

AES encryption: enc(kr, mp)

obfuscator: obf(kr)

955

Broken Key Obfuscation

obf(kr) = Abc2Abc2Abc2   (obfuscated key)
kr                        (random encryption key)

obf(kr) parts   kr parts
Abc             kr[0]+kr[1]
2               kr[2]
Abc             kr[3]+kr[4]
2               kr[5]
Abc             kr[6]+kr[7]
2               kr[8]

sizeof(kr) = 9, sizeof(obf(kr)) = 12

Scheme:

kr[0]+kr[1] = kr[3]+kr[4] = kr[6]+kr[7]

and: kr[2] = kr[5] = kr[8]

Broken Key Obfuscation

obf(kr) parts   kr parts
Abc             kr[0]+kr[1]
2               kr[2]
Abc             kr[3]+kr[4]
2               kr[5]
Abc             kr[6]+kr[7]
2               kr[8]

„Brute forcing“

- simple „rainbow“ tables
- 3-character mapping
- 1-character mapping

obf(kr) parts   Key kr[n]+kr[n+1]
ISF             !!
ISN             !#
QUF             AA
…               …
Abc             kl
…               …
enp             zz

obf(kr) = Abc2Abc2Abc2
kr = kl$kl$kl$

Recommendations (1/2)

• Use Android KeyStore
• Key derivation (e.g. PBKDF2 (API), Conceal (open source), bcrypt, …)
• No static keys
• Use AES/CBC or AES/GCM

Recommendations (2/2)

• Disable backup flag (apps support backend synchronization -> implicit backup)
• If there is a master-password storage function, do not store it in plaintext
• Do not store the master password in the local app folder, this is not a protected area

Findings per app (apps tested: Keeper, LastPass, 1Password, MyPasswords, Avast, F-Secure, Keepsafe, PwMgr, Mirsoft, Dashlane; the per-app X marks lost their column alignment in extraction, the counts are preserved):

Master/PIN          8 apps
Hardcoded key       4 apps
Sandbox bypass      5 apps
Side channel        5 apps
Subdomain           6 apps
Data leakage        3 apps
Partial encryption  1 app
Broken sync.        1 app

www.sit4.me/pw-manager

THIS IS THE END, MY FRIEND

Stephan Huber
Email: stephan.huber@sit.fraunhofer.de

Siegfried Rasthofer
Email: siegfried.rasthofer@sit.fraunhofer.de

Twitter: @teamsik
Website: www.team-sik.org