Authenticator Leakage Through Backup Channels on Android

Guangdong Bai, National University of Singapore

Transcript of "Authenticator Leakage Through Backup Channels on Android"

Web services are increasingly delivered through mobile apps…

Examples: social networking, online banking, email services.

Can't we simply use mobile browsers?

Native apps vs. mobile browsers

Native apps
  ✓ Full use of the device and its APIs
  ✓ Fewer programming limitations
  ✓ Run faster

Mobile browsers
  ✓ Cross-platform
  ✓ Reusable browser functionality (JS engine, …)
  ✓ Faster to develop

"…the (mobile) browser has become a single application swimming in a sea of apps." -- Flurry Insights

Therefore, mobile apps play the same role as web browsers.

[Figure: Web Server <-> App. The app has to get two things right: ① the communication protocols (the HTTP exchange below) and ② content rendering.]

    GET HTTP/1.1

    HTTP/1.1 200
    Set-Cookie: cookie1=87654321; domain=.idp.com
    ----------------------------------------
    <body onload=foo()>
    <script>
      var domain = "http://www.sp.com/login";
      var authToken = "3fa09d24a3ce";
      var uEmail = "[email protected]";
      var idpSign = "2oOs5u29erIas…";
      function foo() {
        var message = uEmail + "&" + authToken + "&" + idpSign;
        // postMessage takes (message, targetOrigin); the slide had the two arguments swapped
        window.postMessage(message, domain);
      }
    </script>
    </body>

However, this is a non-trivial task…

[Figure: Web Server <-> App, ① communication protocols, ② content rendering.]

• Code injection attacks
  – Have been extensively studied [CCS'13, CCS'14, ESORICS'15]
• Security of communication protocols
  – Novel attack surface
  – Novel Trusted Computing Base (TCB)

Focus of this talk: web authentication protocols on Android

• Implementation of web authentication schemes on Android
  – Authentication process
  – How authentication credentials (authenticators) are managed
• Backup channel: a new attack surface against web authentication on the Android platform
  – Why backup is a dangerous functionality on Android
  – How to abuse backup channels
• Case studies and mitigations

Section 1. Web Authentication on Android

Web authentication: safeguard to web accounts

• Web authentication
  – A process by which a server confirms whether an entity (client) is who it declares to be
  – One of the most widely used web functionalities

How do Android apps implement web authentication?

• Our investigation
  – Goal: to learn the approaches contemporary apps use to implement their authentication schemes
  – Focus: how authenticators are managed
  – Methodology: we manually analyzed the top-ranked 100 apps on Google Play (by reverse engineering and traffic analysis)

Result summary

[Figure source: http://geektechreviews.com/wp-content/uploads/2015/07/Top-10-Free-Android-Apps-Must-Have.jpg]

TOP 100 apps on Google Play:
• 66 with authentication schemes
  – Basic authentication (40)
  – Single Sign-on (40)
  – Android AccountManager (16)
  (the three counts overlap, since an app can support more than one scheme)
• 34 without authentication schemes
  – Standalone apps, e.g., news browsers, maps and video players

Web authentication scheme #1: Basic authentication

• Basic authentication stands for traditional authentication schemes on the basis of
  – Knowledge (e.g., a password and security questions)
    • 34 out of 40 apps use password-based schemes
  – Ownership (e.g., a hardware token and a mobile phone)
    • 6 out of 40 apps use SMS-based one-time password schemes
  – Inherence (e.g., fingerprint and retinal pattern)
    • None found
    • See the talk on fingerprint confidentiality at Black Hat US 2015 by Dr. Wei Tao

General process of basic authentication on desktop browsers

[Figure: the Web Browser sends UID/PWD to the Web Server, which returns an authenticator.]

• Authenticator
  – An authentication credential indicating the client's login session
  – E.g., cookies, session ID, OAuth token and OAuth code
• Browser-side protections for authenticators
  ✓ Same-origin policy (SOP)
  ✓ Content security policy (CSP)
  ✓ Cookie protection
  ✓ …

General process of basic authentication on Android apps

[Figure: the Android app sends UID/PWD to the Web Server through a REST API or a WebView; the app itself, not a browser, keeps the returned authenticators in app-private locations: ContentProvider, SharedPreferences, Internal Storage (/data/data/appname).]

Web authentication scheme #2: Single Sign-on

• Single Sign-On (SSO)
  – A Kerberos-like single-credential authentication scheme
  – BrowserID (Mozilla)
  – Facebook Connect
    • 250+ million users, 2,000,000 websites
  – OpenID
    • One billion users, 50,000 websites
  – …

Three parties in SSO

[Figure: User, Identity Provider (IDP), Relying Party (RP); the IDP issues a token that the user presents to the RP.]

SSO in Android

• Relying Party (RP)
  – Application
• Identity provider (IDP)
  – The SSO service is released in the form of an SDK
  – E.g., Facebook Connect, Twitter ID

A concrete process: Facebook Connect

[Figure: Facebook Server; on the Android device the RP app embeds the Facebook SDK (/app/app/RP) and may talk to the Facebook IDP app (/app/app/IDP). Legend: secret cookies; OAuth access token.]

Web authentication scheme #3: Android AccountManager

Reference: http://blog.udinic.com/2013/04/24/write-your-own-android-authenticator/

• AccountManager
  – An Android service which provides a delegated authentication service and centralized account/authenticator control
  – Pros
    • Simplifies the process for the developer
      – By implementing some interfaces
    • Can handle multiple token types for a single account
    • Automatic background update (SyncAdapters)

Briefing: how AccountManager works

• The developer needs only to…
  – Create an AccountAuthenticator
    • Adds accounts, account types and auth tokens
  – Create an Activity
    • Through which users enter credentials
• AccountManager will…
  – Manage authenticators
    • Located in accounts.db in /data/system/users/0
  – Update authenticators in the background

Security of authentication schemes

• Security of protocols in three layers
  – Design-level security: design and logic flaws
    • A notorious example: flaws in the Needham-Schroeder protocol
    • Protocol verification: theorem proving (ProVerif), model checking (PAT)
  – Implementation-level security
    • Implementation errors/bugs in the code
    • E.g., Google ID flaw: not all messages are covered by the signature (IEEE S&P'12); guessable authenticators (NDSS'13)
  – Infrastructure-level security
    • Exploits in the software stack (e.g., OS, file system) that the protocols rely upon
    • A previous study: password leakage through a compromised ADB (Claud Xiao at HITCON'14)

Let's look at infrastructure-level security of web authentication on Android

[Figure: where each scheme keeps its authenticators.]

• Basic authentication: UID/PWD sent via REST API or WebView; authenticators stored in ContentProvider / SharedPreferences / Internal Storage under /data/data/appname
• Single Sign-on (Facebook Connect): secret cookies and the OAuth access token held by the RP app with the Facebook SDK (/app/app/RP) and by the IDP app (/app/app/IDP)
• Summary
  – Basic authentication and SSO: /app/app/appname, the owner app's proprietary directory
  – AccountManager: system directory /data/system/users/0

Isolation mechanism in Android

[Figure: each app runs in its own sandbox; /data/data/appname (holding, e.g., username/password) is readable by its owner ✓ and not by other apps ✗.]

What if the sandbox is bypassed?

Backup functionality has to violate the sandbox mechanism

[Figure: a backup app reaches into other apps' sandboxes ✓, which the sandbox would otherwise forbid ✗.]

Section 2. Backup on Android

Two ways to implement backup on Android

• Root-based backup
  – Root the device and grant root privilege to the backup apps
• ADB-based backup

[Figure: a backup app with access into every sandbox ✓✓.]

Scope: we consider only backing up an app's data located in its proprietary folder, not the user's data that can be accessed through APIs such as contacts and SMS messages.

ADB-based backup

• ADB (Android Debug Bridge)
  – ADB is a versatile command line tool that lets users communicate with an emulator instance or a connected Android-powered device.
  – Runs at system (or signature) level privilege: Root > system > user
    (more precisely, adbd and `adb shell` run as the dedicated shell uid rather than system; the point stands that it sits far above a normal app and is allowed to run `bu`)
• How does ADB-based backup work? (do we need `adb backup` every time?)

[Figure: from the PC, `adb shell` (system level) launches a proxy with app_process; the proxy stays resident, and the user-level backup app talks to it, so `adb backup` is not needed for every backup.]

How does an ADB proxy conduct backup?

    backup:   bu 1 backup appname > backupdata.ab
    restore:  bu 0 restore < backupdata.ab

(the first argument of `bu` is the file descriptor it writes to or reads from: 1 = stdout for backup, 0 = stdin for restore)

Format of backupdata.ab (reference: http://nelenkov.blogspot.sg/2012/06/unpacking-android-backups.html):

    ANDROID BACKUP      magic
    1                   format version
    1                   compression flag
    none or AES-256     encryption algorithm
    <data>              a tar archive, compressed using the deflate algorithm
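As a worked example of the format above and of what an attacker does with a backup file on Channel #1 (an unencrypted .ab lying on the SD card), the following Python is added here; it is not code from the talk. It parses the four header lines, inflates the payload, opens the tar and scans the backed-up SharedPreferences for credential-like entries. The sample backup, the package name `com.example.victim` and the token value are constructed in memory; the list of credential-like names is an assumption.

```python
"""Parse an unencrypted Android backup (.ab) and pull authenticators out of
the backed-up SharedPreferences. Added example; sample data constructed."""
import io
import re
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"
# Preference names that usually hold an authenticator (assumption, not from the talk).
AUTH_NAME = re.compile(r"token|session|cookie|auth|^xs$|^c_user$", re.I)


def parse_ab_header(data: bytes) -> dict:
    """Split the .ab blob into its header fields and the raw payload.

    The header is four newline-terminated lines: magic, format version,
    compression flag (1 = deflate) and encryption algorithm ('none' or
    'AES-256'); everything after the fourth newline is the payload."""
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    return {
        "version": int(parts[1]),
        "compressed": parts[2] == b"1",
        "encryption": parts[3].decode("ascii"),
        "payload": parts[4],
    }


def extract_tar(data: bytes) -> tarfile.TarFile:
    """Inflate the payload and open it as the tar archive that `bu` produced."""
    header = parse_ab_header(data)
    if header["encryption"] != "none":
        # AES-256 backups carry extra key-derivation lines and need the user's
        # password; the backups in the talk's table are not encrypted.
        raise ValueError("encrypted backup (%s): password required" % header["encryption"])
    payload = header["payload"]
    if header["compressed"]:
        payload = zlib.decompress(payload)
    return tarfile.open(fileobj=io.BytesIO(payload), mode="r:")


def find_authenticators(tar: tarfile.TarFile) -> dict:
    """Scan apps/<pkg>/sp/*.xml for <string> entries with credential-like names."""
    found = {}
    for member in tar.getmembers():
        if not (member.isfile() and "/sp/" in member.name and member.name.endswith(".xml")):
            continue
        text = tar.extractfile(member).read().decode("utf-8")
        for name, value in re.findall(r'<string name="([^"]+)">([^<]*)</string>', text):
            if AUTH_NAME.search(name):
                found["%s:%s" % (member.name, name)] = value
    return found


def build_sample_ab(pkg: str = "com.example.victim") -> bytes:
    """Construct a backup laid out the way `bu 1 backup <pkg>` writes it:
    apps/<pkg>/sp/<file>.xml inside a tar, deflated, no encryption.
    Package name and token are made up for this example."""
    prefs = (
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
        '    <string name="access_token">CAAAAU.constructed.example.token</string>\n'
        '    <string name="theme">dark</string>\n'
        '</map>\n'
    ).encode("utf-8")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        info = tarfile.TarInfo("apps/%s/sp/session.xml" % pkg)
        info.size = len(prefs)
        tar.addfile(info, io.BytesIO(prefs))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    for key, value in find_authenticators(extract_tar(build_sample_ab())).items():
        print(key, "=", value)
```

Running it against a real file is a matter of replacing `build_sample_ab()` with the bytes of the .ab; an encrypted backup is rejected rather than silently yielding nothing, which is the check you want when auditing what a backup app actually leaves on external storage.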

How can backup be a threat to authentication?

[Figure: the Backup App reads the Victim App's data through the ADB Proxy and writes it to globally readable storage; a Malicious App can reach either.]

• Channel #1: backup data leakage (the backup file itself is readable by other apps)
• Channel #2: backup capability leakage (the ADB proxy's backup privilege can be invoked by other apps)

A summary of leakage through the existing backup apps

  Category    App              Installs               Publicly accessible?  Backup data encrypted?  Compromised interfaces?  Leakage possible?
  Root-based  MyBackup         1,000,000-5,000,000    SD card               ✗                       --                       ✓
  Root-based  Ultimate Backup  500,000-1,000,000      SD card               ✗                       --                       ✓
  Root-based  Ease Backup      100,000-500,000        SD card               ✗                       --                       ✓
  Root-based  Titanium Backup  10,000,000-50,000,000  SD card               ✗                       --                       ✓
  ADB-based   Helium           1,000,000-5,000,000    SD card               ✗                       ✓                        ✓

Analyzing an ADB-based backup app

• Helium
  – One of the best apps in 2013 (www.gizmap.com/best-android-apps-2013/30238)
  – Developer: ClockworkMod
    • Developer of the CyanogenMod Android OS
    • Has released 19 apps on Google Play, 15 million installs
• Our analysis of the ADB-based app is inspired by ScreenMilker [NDSS'14]

Internals of Helium (obtained by reverse engineering)

[Figure: Helium on Android. ① ShellRunner starts the ShellProxyService via `am startservice`; the proxy runs a Local Socket Server and uses settings.db under /data/data/helium. Local backup (steps ⑴-⑷): Main Activity -> LocalBackup -> proxy -> SD Card. Web backup (steps (i)-(iv)): HTTP Server -> Async -> WebBackup -> proxy. Legend: control flow, data flow.]

Access control protocol in the ADB proxy

[Figure: ADB Proxy (Local Socket Server) <-> Helium main app. The slides show the code of the ADB proxy and the code of broadcastPassword(), which hands the proxy's one-time password (OTP) to the main app; the main app must present that OTP on the local socket.]

A logic flaw: how handleSocket() works

    handleSocket() {
      try {
        while (true) {
          r = getRequest();
          if (checkOTP(r))
            serve(r);
          else
            throw exception;   // request with a wrong token
        }
      } catch (...) {
        // not terminate: the proxy keeps running, with its privilege, after a bad token
      }
    }

Attack #1: Exploit the logic flaw

[Figure: attack sequence. The attacker's AuthSniffer monitors uninstall and install events; after the user uninstalls Helium ("Helium uninstalled"), the resident ShellRunner/ShellProxyService keep running; the attacker tricks the user into installing mHelium, a package carrying Helium's name, which starts and talks to the proxy ("Wrong token").]

• Disadvantage of the attacker
  – Helium needs to be uninstalled
  – The attacker needs to install malware with the same name as Helium
• Advantage of the attacker
  – Once the OTP is obtained, the attacker is able to back up the victim app at any time (active attack)
  – Once the OTP is obtained, the attacker is able to conduct other high-privileged actions (see http://developer.android.com/tools/help/adb.html)
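To make the two design points behind the handleSocket() flaw and Attack #1 concrete, here is a small Python model of the proxy's access-control decision, added here and not Helium's code. Everything in it is an assumption for illustration: the package names, the signer fingerprints, the OTP value, and the `installed` dictionary that stands in for PackageManager. The vulnerable variant swallows a bad token and stays resident, and hands the OTP to whichever package currently carries the owner's name; the hardened variant binds the OTP to the owner's signing certificate and shuts itself down on a bad token or when the owner is gone (the "verified access control" and "never outlives the main app" points of the mitigation section).

```python
"""Model of an ADB proxy's access control: vulnerable vs. hardened.
Added example; names, signatures and the OTP are constructed."""
from dataclasses import dataclass, field


@dataclass
class App:
    package: str
    signer: str  # fingerprint of the APK signing certificate (constructed)


@dataclass
class Request:
    sender: App
    otp: str
    action: str


@dataclass
class AdbProxy:
    owner: App          # the app that spawned the proxy through app_process
    otp: str
    installed: dict     # package name -> App; stands in for PackageManager
    hardened: bool = False
    alive: bool = True
    served: list = field(default_factory=list)

    def broadcast_password(self):
        """Return the app that receives the OTP. The vulnerable proxy resolves
        only the owner's package name; the hardened one also requires the
        current holder of that name to carry the owner's signature."""
        target = self.installed.get(self.owner.package)
        if target is None:
            return None
        if self.hardened and target.signer != self.owner.signer:
            self.alive = False  # owner replaced by a look-alike: do not outlive it
            return None
        return target

    def handle_socket(self, requests) -> list:
        """The handleSocket() loop from the slide, with the fix switchable."""
        for r in requests:
            if not self.alive:
                break
            try:
                if r.otp != self.otp:
                    raise PermissionError("wrong token")
                if self.hardened and r.sender.signer != self.owner.signer:
                    raise PermissionError("caller is not the owner")
                self.served.append(r.action)
            except PermissionError:
                if self.hardened:
                    self.alive = False  # fail closed: give up the privilege
                # vulnerable: exception swallowed, proxy waits for the next request
        return list(self.served)


def make_proxy(hardened: bool) -> tuple:
    owner = App("com.example.backup", "sig:owner")
    installed = {owner.package: owner}
    return AdbProxy(owner, otp="7f3a9c", installed=installed, hardened=hardened), installed


def run_wrong_token(hardened: bool) -> dict:
    """Two wrong tokens from a stranger, then the real token from the owner."""
    proxy, _ = make_proxy(hardened)
    stranger = App("com.example.other", "sig:other")
    served = proxy.handle_socket([
        Request(stranger, "000000", "backup com.example.victim"),
        Request(stranger, "111111", "backup com.example.victim"),
        Request(proxy.owner, proxy.otp, "backup com.example.victim"),
    ])
    return {"served": served, "alive": proxy.alive}


def run_attack1(hardened: bool) -> dict:
    """Owner uninstalled, look-alike installed under the same package name."""
    proxy, installed = make_proxy(hardened)
    del installed[proxy.owner.package]
    look_alike = App(proxy.owner.package, "sig:attacker")
    installed[look_alike.package] = look_alike
    recipient = proxy.broadcast_password()
    leaked_otp = proxy.otp if recipient is look_alike else ""
    served = proxy.handle_socket([Request(look_alike, leaked_otp, "backup com.example.victim")])
    return {"otp_leaked": recipient is look_alike, "served": served, "alive": proxy.alive}


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened=%s" % hardened, run_wrong_token(hardened), run_attack1(hardened))
```

The vulnerable proxy serves the look-alike's backup request and survives any number of wrong tokens; the hardened one never hands out the OTP to a package whose signer differs from the owner's and is dead after the first bad token, so the attacker's only move is gone before they can guess.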

Attack #2: Invoke the Web interface

HTTP server on port 5000:

  URL                             Method  HTTP Body                   Description
  http://IP:5000/api/package      GET     NULL                        Fetch the list of installed apps
  http://IP:5000/api/backup.zip   POST    Name of the app to back up  Backup
  http://IP:5000/api/restore.zip  POST    Backup data                 Restore

• Disadvantage of the attacker
  – The HTTP server is closed by default and only open while web backup is in use (semi-active attack)
  – Needs the INTERNET permission
• Advantage of the attacker
  – Can back up a chosen victim
  – Easier to implement than Attack #1

Attack #3: Access backup data on external storage

• Disadvantage of the attacker
  – Cannot choose the target victim (passive attack)
• Advantage of the attacker
  – Easy to implement

Section 3. Impact and Case studies

Extent of the ADB backup

• The ADB proxy cannot reach an app's authenticators when
  – The app uses Android AccountManager for authentication (the authenticators live in /data/system, outside the app's directory)
  – android:allowBackup is false
    • If a developer does not specify it in AndroidManifest.xml, it is true by default!!
    • Our study reveals that only ~10% of apps specify it as false.

How many apps are subject to these attacks?

• Data Set I
  – Top-ranked 100 apps
• Data Set II
  – 10 randomly chosen categories of apps from Google Play
  – Top 10 apps from each category

[Figure: test setup with Device 1 (Helium, Victim App), Device 2, the Attacker PC running the Proxy, and the Web Server; steps ②-⑤.]

Results (200 apps):
• Without authentication: 83
• With authentication: 117
  – Infected: 80
  – Not infected: 37
    • AccountManager: 23
    • Without backup (allowBackup false): 14

Case study #1: Facebook App

Login request and response (captured traffic, abridged):

    POST https://b-api.facebook.com/method/auth.login HTTP/1.1
    ...
    User-Agent: [FBAN/FB4A;FBAV/9.0.0.26.28;FBBV/2403143;FBDM/...

    email=alice.tester%40gmail.com&password=pwd&sig=452aca050cdce967a699e969076962f0&...

    HTTP/1.1 200 OK
    ...
    Content-Type: application/json
    {"session_key":"5.71T...411696",
     "access_token":"CAAAAUaZA...XW8ZD",
     "session_cookies":[
       {"name":"c_user","value":"100003708411696","expires":"Thu, 28 May 2015 10:11:48 GMT","domain":".facebook.com"},
       {"name":"xs","value":"201:71TTJlPmwZwjXQ:2:1401271908:10025","expires":"Thu, 28 May 2015 10:11:48 GMT","domain":".facebook.com"},
       ...]
     ...}

Identifying authenticators

  access_token   credential in subsequent requests, e.g., posting a new post
  c_user, xs     credentials indicating the user's login state

All of them are stored in prefs_db under /data/data/com.facebook.katana.

Case study #2: Facebook Single Sign-on

[Figure: the user enters id/pwd in the rpApp through the Facebook SDK; the Facebook Server verifies them and returns c_user and xs (authentication), then an OAuth token and user_info for the rpApp (authorization).]

• Authorization: the user can control what information can be accessed by the rpApp.

Authenticators belonging to two origins?

[Figure: inside /app/app/RP, the RP app with the Facebook SDK holds c_user and xs (origin facebook.com) next to the OAuth token (origin rp.com).]

• Facebook completely delegates the secrecy of its credentials to the RP app?!
• Using c_user and xs to log in to the user's account completely bypasses the authorization the user granted…

Facebook's opinion

Facebook Security:

"But couldn't a malicious application with a WebView also steal usernames and passwords as they're submitted? Once the user is entering their credentials outside of a trusted browser, there's very little that we can do from our end to protect them. That's why it's so important that marketplaces like Google Play and Apple's App Store take steps to protect users from malicious applications."

Section 4. Mitigation

Suggestions to backup app developers

• Build secure ADB-based backup
  – Prevent the backup privilege from exposure
    • Verified access control of the ADB proxy
    • Secrecy of backup data
  – Follow the principle of least privilege
    • Expose only backup/restore functionality
  – Manage the lifecycle of the ADB proxy
    • The ADB proxy never outlives the main app

Suggestions to web app developers

• Protect authenticators
  – Disable android:allowBackup if not necessary
  – Avoid storing the password
  – Shorten authenticator lifetime
• Avoid implementing your own authenticator management
  – Use Android AccountManager
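The check a reviewer wants for both the "Extent of the ADB backup" finding (allowBackup is true when absent, and only ~10% of apps set it to false) and the "Disable android:allowBackup" suggestion above is a manifest audit. The Python below is added here, not part of the talk; it reports the effective android:allowBackup value of an AndroidManifest.xml, treating an absent attribute as true. It works on the decoded text manifest, so a manifest pulled from an APK must first be decoded (e.g. with apktool or aapt); the three sample manifests and the package name `com.example.victim` are constructed.

```python
"""Report the effective android:allowBackup of an AndroidManifest.xml.
Added example; sample manifests constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP_ATTR = "{%s}allowBackup" % ANDROID_NS


def allow_backup_effective(manifest_xml: str) -> bool:
    """True when the ADB proxy can back the app up: explicit "true", or absent."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get(ALLOW_BACKUP_ATTR)
    if value is None:
        return True  # the default the talk warns about
    return value.strip().lower() == "true"


def audit_manifest(manifest_xml: str) -> dict:
    """Package, the literal attribute value, the effective value and a finding."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    explicit = app.get(ALLOW_BACKUP_ATTR) if app is not None else None
    allowed = allow_backup_effective(manifest_xml)
    if allowed and explicit is None:
        finding = 'allowBackup not set: defaults to true; add android:allowBackup="false"'
    elif allowed:
        finding = "allowBackup explicitly true: private data exposed to adb backup"
    else:
        finding = "ok: allowBackup is false"
    return {"package": root.get("package"), "explicit": explicit,
            "allowBackup": allowed, "finding": finding}


# Constructed manifests for the three cases an auditor meets.
MANIFEST_DEFAULT = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.victim">
  <application android:label="Victim">
    <activity android:name=".Login"/>
  </application>
</manifest>"""

MANIFEST_OPT_OUT = MANIFEST_DEFAULT.replace(
    '<application android:label="Victim">',
    '<application android:label="Victim" android:allowBackup="false">')

MANIFEST_EXPLICIT_TRUE = MANIFEST_DEFAULT.replace(
    '<application android:label="Victim">',
    '<application android:label="Victim" android:allowBackup="true">')


if __name__ == "__main__":
    for manifest in (MANIFEST_DEFAULT, MANIFEST_OPT_OUT, MANIFEST_EXPLICIT_TRUE):
        print(audit_manifest(manifest))
```

This only covers the manifest flag; tokens held by AccountManager are out of the proxy's reach regardless, as the extent slide notes, so an app that opts out of backup and moves its tokens to AccountManager closes both channels discussed in this talk.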

Summary and take-away

• The dilemma
  – Backup functionality vs. confidentiality
  – Push the boundary or break the sandbox?
    • ScreenMilker [NDSS'14]
• Authentication
  – Awareness of infrastructure-level attacks

References

• [CCS'13] Wang, Rui, et al. "Unauthorized origin crossing on mobile platforms: Threats and mitigation."
• [CCS'14] Jin, Xing, et al. "Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation."
• [ESORICS'15] Hassanshahi, Behnaz, et al. "Web-to-Application Injection Attacks on Android: Characterization and Detection."
• [IEEE S&P'12] Wang, Rui, et al. "Signing me onto your accounts through Facebook and Google: A traffic-guided security study of commercially deployed single-sign-on web services."
• [NDSS'13] Bai, Guangdong, et al. "AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations."
• [NDSS'14] Lin, Chia-Chi, et al. "Screenmilker: How to milk your Android screen for secrets."

Thank you!

[email protected]