CNIT 128 Hacking Mobile Devices - samsclass.info · Hacking Mobile Devices 6. Analyzing Android...
CNIT 128 Hacking Mobile Devices
6. Analyzing Android Applications, Part 2
Topics
• Part 1
• Creating Your First Android Environment
• Understanding Android Applications
• Part 2
• Understanding the Security Model: p 205-222
• Part 3
• Understanding the Security Model: p 222ff
• Reverse-Engineering Applications
Topics in Part 2
• Code Signing
• Understanding Permissions
• Application Sandbox
• Filesystem Encryption
The Security Model
• No app should be able to access another app's data without authorization
• Open and extensible environment
• Android must know who created an app
• At least to know whether Google made it or not
Code Signing
Digital Certificates
• Public-key cryptography
• Private key held only by app developer
• Generate key with keytool
• Sign app with jarsigner
• Signature in META-INF directory
Unpacking the Bank of America App
The Certificate in META-INF
MD5 Collisions
• Link Ch 6a
Collision Attack Unlikely
• Link Ch 6d
Certificate Validation
• Android does not verify the certificate in any way
• Certificates don't need to come from a trusted Certificate Authority
• Most are self-signed
• Certificate checked only when app is installed
Certificate Validity Period
• Google recommends a valid period of 25 years or longer
• So you can update your app
Signing Vulnerabilities
• Master Key
• "Extra" Field Length
• "Name" Field Length
Master Key
• Found in 2013 by BlueBox Security
• If two files are in the APK archive with the same filenames
• Only the first file's hash is checked
• But the second file is actually deployed to the device
• Arbitrary code execution possible
"Extra" Field Length
• Length field is a 16-bit value
• Java treats it as signed
• Can overflow and become negative
• Allows injection of altered files that pass signature verification
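The three signing slides above (the per-entry digests in META-INF, the Master Key duplicate-name bug, and the signed 16-bit "extra" length) can all be checked from one pass over the APK's zip structure. The block below is an added example written for this page, not code from the course or its textbook; the APK, its entries and its MANIFEST.MF are constructed in memory, and the manifest format is reduced to the Name/SHA1-Digest pairs that matter here.

```python
# Added example: verify each entry's SHA1-Digest against META-INF/MANIFEST.MF
# while walking *every* zip entry, so a second entry with a duplicated name
# ("Master Key") or an "extra" field whose length has the high bit set
# (negative as a signed 16-bit value) is reported instead of silently trusted.
import base64, hashlib, io, warnings, zipfile

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def make_manifest(entries):
    """Minimal JAR-style MANIFEST.MF: one SHA1-Digest line per entry (constructed)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries:
        lines += ["Name: " + name, "SHA1-Digest: " + sha1_b64(data), ""]
    return "\r\n".join(lines).encode()

def parse_manifest(raw):
    """Return {entry name: SHA1-Digest}; long-line folding is not handled here."""
    digests, name = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:]
    return digests

def make_apk(entries, manifest_entries=None):
    """Constructed sample APK; manifest_entries lets the manifest cover a different set."""
    buf = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(buf, "w") as zf:
        warnings.simplefilter("ignore")  # zipfile only warns about duplicate names
        zf.writestr("META-INF/MANIFEST.MF", make_manifest(manifest_entries or entries))
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()

def check_apk(apk):
    """Return a list of findings; an empty list means every entry matched its digest."""
    zf = zipfile.ZipFile(io.BytesIO(apk))
    digests = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
    findings, seen = [], set()
    for info in zf.infolist():  # every entry; zf.read(name) would see only one per name
        name = info.filename
        if name in seen:
            findings.append("duplicate entry name: " + name)
        seen.add(name)
        if len(info.extra) >= 0x8000:  # central-directory copy; local headers need the same check
            findings.append(f"extra field length {len(info.extra)} is negative as int16: " + name)
        if name.startswith("META-INF/"):
            continue
        if digests.get(name) != sha1_b64(zf.open(info).read()):  # open(info) reads this exact entry
            findings.append("digest mismatch or unlisted entry: " + name)
    return findings
```

With a manifest that only lists the first of two same-named `classes.dex` entries, a verifier that stops at the first match passes the package, while this walk reports both the duplicate name and the second entry's digest mismatch.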
"Name" Field Length
• Length not checked by the Java verification code
• Allows code injection into the filename
• While passing signature validation
Understanding Permissions
The Android Permission Model
• Permissions shown at install time
AndroidManifest.xml
Permission Protection Levels
• An app can define a new permission
• When it does, a protection level is assigned to it
• Skype defines this permission
<permission android:name="com.skype.raider.permission.C2D_MESSAGE" android:protectionLevel="signature"/>
Permission Protection Levels
• system
• Part of the Android system image
• Or app installed in some folders on the /system partition
• development
• Permissions applied at runtime
• Uncommon, poorly documented
"Signature" Protection
• Recommended for apps that don't intend to share data or functionality with apps from other developers
• No other apps can access your app's components
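The protection-level slides above can be turned into a manifest audit: read each custom `<permission>` and its `android:protectionLevel`, then list exported components that are not behind a signature-level permission. This is an added example for this page, not course or textbook code; the manifest is constructed (the Skype permission line is the one quoted on the slide, the other names are made up), and the hypothetical `.Push` receiver shows the older behaviour where a component with an intent filter is exported even without an explicit `android:exported`.

```python
# Added example: audit a decoded AndroidManifest.xml for custom permission
# protection levels and for exported components that any app can reach.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <permission android:name="com.skype.raider.permission.C2D_MESSAGE" android:protectionLevel="signature"/>
  <permission android:name="com.example.demo.permission.OPEN" android:protectionLevel="normal"/>
  <application>
    <activity android:name=".Main" android:exported="true"/>
    <service android:name=".Sync" android:exported="true"
             android:permission="com.skype.raider.permission.C2D_MESSAGE"/>
    <receiver android:name=".Push" android:permission="com.example.demo.permission.OPEN">
      <intent-filter><action android:name="com.example.demo.PUSH"/></intent-filter>
    </receiver>
    <provider android:name=".Data" android:authorities="com.example.demo" android:exported="false"/>
  </application>
</manifest>
"""

def is_exported(comp):
    """Explicit android:exported wins; otherwise (pre-Android 12 default) an
    intent-filter makes the component exported."""
    flag = comp.get(A + "exported")
    if flag is not None:
        return flag == "true"
    return comp.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return ({permission: protectionLevel}, [(tag, component, issue), ...])."""
    root = ET.fromstring(xml_text)
    # A <permission> without protectionLevel defaults to "normal"
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal") for p in root.iter("permission")}
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            if not is_exported(comp):
                continue
            name, perm = comp.get(A + "name"), comp.get(A + "permission")
            if perm is None:
                findings.append((tag, name, "exported with no permission"))
            elif perm not in levels:
                findings.append((tag, name, f"guarded by {perm}, defined outside this manifest"))
            elif "signature" not in levels[perm]:
                # normal is granted automatically, dangerous after a user prompt;
                # only signature-level keeps other developers' apps out
                findings.append((tag, name, f"guarded by {levels[perm]} permission {perm}"))
    return levels, findings
```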
Malicious Apps
• Can just ask for permissions and hope the user allows it (social engineering)
• Or include a kernel exploit to gain root, such as Gingerbreak
Application Sandbox
Data Folder Permissions
• Each app runs as its own user
• Unless it requests to run as sharedUserId and has the same signature as another app
• Some apps allow world-execute, like Schwab
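The per-app UID boundary on the slide is only as strong as the mode bits on each app's data directory, so a quick audit is to parse an `ls -l /data/data` listing and report every entry whose "other" bits are set, separating world-execute (traversal into the directory) from world-read (listing it). This is an added example for this page, not course or textbook code; the listing is constructed in toybox `ls -l` layout with made-up package names, and a real one would come from an adb shell.

```python
# Added example: flag app data directories (and files) that grant anything to
# "other" users, which is what lets one app's UID reach another app's sandbox.
import re

SAMPLE_LISTING = """\
drwxr-x--x u0_a101 u0_a101 4096 2017-03-01 10:00 com.example.broker
drwx------ u0_a102 u0_a102 4096 2017-03-01 10:01 com.example.locked
drwxrwxrwx u0_a103 u0_a103 4096 2017-03-01 10:02 com.example.wideopen
-rw-rw-rw- u0_a102 u0_a102  512 2017-03-01 10:03 notes.txt
"""
# type, 9 mode chars, owner, group, size, date, time, name
ENTRY = re.compile(r"^([d-])([rwxst-]{9})\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$")

def audit_listing(listing):
    """Return [(name, mode, what other users can do)] for entries with any 'other' bits set."""
    findings = []
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        kind, mode, owner, group, name = m.groups()
        other = mode[6:]
        if other == "---":
            continue
        effects = []
        if kind == "d":
            if "x" in other:  # world-execute: enter the directory and open files whose names are known
                effects.append("traverse (reach files whose names are known)")
            if "r" in other:  # world-read: enumerate what is inside
                effects.append("list contents")
            if "w" in other:
                effects.append("create or delete entries")
        else:
            effects += [{"r": "read", "w": "write", "x": "execute"}[c] for c in other if c != "-"]
        findings.append((name, mode, ", ".join(effects)))
    return findings
```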
Sandbox Limitations
• Not a separate virtual machine for each app
• Only Linux user and group permissions
Filesystem Encryption
"Full Disk Encryption"
• Prevents data theft from a stolen device
• Available since Android v. 3.0
• Not enabled by default in versions prior to 5.0
• Encrypts with AES-CBC, a strong algorithm
• FDE is going away, replaced by file-based encryption (link Ch 6
Android Versions
• Elcomsoft estimated that 13% of Android devices were encrypted in 2017
• Links Ch 6f, 6g
Encryption Limitations
• SD card not encrypted
• Only protects data at rest
• If attacker can execute code on the device, encryption does nothing