Watch you lookin’ at? Good • Permissions model well implemented • App removal • Logging •...

Labs.mwrinfosecurity.com | © MWR Labs 1

Labs.mwrinfosecurity.com | © MWR Labs

Watch you lookin’ at?

27 Feb 2015

A look at the security of Android Wear


Who are we?

Jahmel Harris

Owen Evans

Security Researchers and Consultants – MWR InfoSecurity


Part one:

- Brief overview of wear security / minor findings

- Application deployment & execution

- Notification fun

Part two:

- Overview of Android wear internals

- Future research


Let’s begin…

The Good

• Permissions model well implemented

• App removal

• Logging

• Same as regular android… mostly

The Bad…

• No lock screen

• BTLE – broken [1]

• No message level encryption

• Easy to crash the device

• Undermine company policies

(BYOD / MDM)

[1] Mike Ryan, iSecPartners, BlackHat 2013:

https://www.isecpartners.com/media/105670/bluetooth_smart_good_bad_ugly_fix-mikeryan-blackhat_2013.pdf


Application deployment

Packaging

• No ‘wear appstore’

• Wear applications have mobile

counterpart

• Wear applications packaged within

mobile applications

• No user notifications! – Silent

deployment

Android_app.apk - AndroidManifest.xml - Classes.dex - /META-INF/ - /res/ - Resources.arsc

android_wear_micro_apk.apk - AndroidManifest.xml - Classes.dex - /META-INF/ - /res/ - Resources.arsc


Improving on silent deployment

Hiding the app from the menu

• Remove the following from AndroidManifest.xml:

– <category android:name="android.intent.category.LAUNCHER" />

Executing some code

• Since Android 3.1 – Apps installed in ‘stopped’ state.

• Auto-starting code – Historically, code started by registering broadcast receivers

• We’ve been working on a way to bypass this… but


Quick Recap

So…

Bring it together:

• Smuggled a wearable application onto a users device inside a normal .apk

• (Without them knowing!)

• Hidden the application by removing the manifest entry

• Automatic code execution

• Demo?


Using wear to facilitate attacks

Notifications

Some other stuff

• Notifications are a primary function of android wear

• Written in basically the same way as normal

• What does a wear notification look like?


Spoofing a notification

What does wear have to offer?

• Images

• Interactivity / additional layer of trust

• Demands / Actions

What can we do to spoof?

• Set Title / message to look the same

• Icons can be obtained from legitimate applications .apk


Building our spoofed notification

The Intent:

The Notification: // build notification object Notification notification = new NotificationCompat.Builder(this) .setSmallIcon(R.drawable.some.icon) .setContentTitle(someTitle) .setContentText(someBody) .addAction(R.drawable.some.other.icon, "Update Payment Details", demandPendingIntent) .build();

Intent demandIntent = new Intent(Intent.ACTION_VIEW); demandIntent.setData(Uri.parse(someURL)); PendingIntent demandPendingIntent = PendingIntent.getActivity(this, 0, demandIntent, 0);


So lets compare our notifications…

Real: Fake:


Quick recap

So…

Bring it together:

• (Having silently deployed an .apk, hidden it and started code execution…)

• Build a notification, using icons retrieved from legitimate app, setting text to

something convincing

• Add a demand / action screen for the wearable notification

• Link the action to something interesting (URI.parse intent)

• Open our malicious link in the browser on the phone

• Demo?


Brief Summary

We’ve looked at:

• Brief overview of android wear – quick security points

• How applications are installed (silently)

• Launching code

• Using wear for phishing attacks

And now over to Jahmel…


Android Wear internals


WearableListenerService


GoogleAPI

GoogleAPI

/path

/path


ClockworkHomeGoogle

Settings Media Controls Incoming Calls


WearableService


Exploring Wear


Our goal:

Send a message to ANY app on the

wearable.


• Bind to WearableListenerService

• Bind to WearableService

• Send data over Bluetooth


MusicWearListenerService


OnPeerDisconnected()

Event: Peer Disconnected



onMessageReceived

onPeerConnected

onDataChanged

onPeerDisconnected

class MusicWearListenerService extends WearableDataListenerService

class WearableDataListenerService extends WearableListenerService


Malware Google Play Service


BindToService()

{

Intent intent = new Intent();

intent.setClassName("com.google.android.music","com.g

oogle.android.music.MusicWearListenerService");

this.bindService(intent,connection,Context.BIND_AUTO_

CREATE);

}


private ServiceConnection connection = new

ServiceConnection()

{

public void onServiceConnected(ComponentName

className, Binder service )

{

Log.d(TAG, "onServiceConnected:

"+className.getClassName);

}


…..


public final IBinder onBind(Intent paramIntent)

{

if

("com.google.android.gms.wearable.BIND_LISTENER".equals(paramInt

ent.getAction()))

return this.Qv;

return null;

}

WearableListenerService.java


BindToService()

{





CREATE);

}


BindToService()

{




intent.setAction("com.google.android.gms.wearable.BIN

D_LISTENER");


CREATE);

}


BindToService()

{


intent.setClassName("com.google.android.music","com.go

ogle.android.music.MusicWearListenerService");

intent.setAction("com.google.android.gms.wearable.BIND

_LISTENER");

this.bindService(intent,connection,Context.BIND_AUTO_C

REATE);

}


???


public final IBinder onBind(Intent paramIntent)

{

if

("com.google.android.gms.wearable.BIND_LISTENER".equals(paramInt

ent.getAction()))

return this.Qv;

return null;

}

private IBinder Qv;

this.Qv = new a(null);

WearableListenerService.java

private class a extends ae.a

{

public void a(final ai paramai){}

public void a(final al paramal){}

public void aa(final DataHolder

paramDataHolder){}

public void b(final al paramal){}

}


public void a(final ai paramai) {

if (Log.isLoggable("WearableLS", 3))

Log.d("WearableLS", "onMessageReceived: " + paramah);

…

}

public void a(final al paramal) {


Log.d("WearableLS", "onPeerConnected: “

…

}


public void aa(final DataHolder paramDataHolder) {


Log.d("WearableLS", "onDataItemChanged: "

…

}

public void b(final al paramal) {


Log.d("WearableLS", "onPeerDisconnected: "

…

}



onMessageReceived

onPeerConnected

onDataChanged

onPeerDisconnected



a(final ai paramai)

a(final al paramal)

aa(final DataHolder paramDataHolder)

b(final al paramal)


public void onServiceConnected(ComponentName className, Binder

service )

{

Log.d(TAG, "onServiceConnected: "+className.getClassName);

ae my_ae = ae.a.bY(service);

my_ae.aa(null);

}

IWearableListenerService.Stub.asInterface(service);


W/Binder ( 962): Caught a RuntimeException from the

binder stub implementation.

W/Binder ( 962): java.lang.SecurityException: Caller is not

GooglePlayServices


private void rl()

throws SecurityException

{

int i = Binder.getCallingUid();

if (i == this.Pj)

return;

if ((GooglePlayServicesUtil.b(getPackageManager(), "com.google.android.gms")) && (bh(i)))

{

this.Pj = i;

return;

}

throw new SecurityException("Caller is not GooglePlayServices");

}


.method static synthetic b(Lcom/google/android/gms/wearable/WearableListenerService;)V

.locals 0

.annotation system Ldalvik/annotation/Throws;

value = {

Ljava/lang/SecurityException;

}

.end annotation

invoke-direct {p0}, Lcom/google/android/gms/wearable/WearableListenerService;->rl()V

return-void

.end method


public void aa(final DataHolder paramDataHolder) {


Log.d("WearableLS", "onDataItemChanged: " +

WearableListenerService.a(WearableListenerService.this) + ": " +

paramDataHolder);

WearableListenerService.b(WearableListenerService.this);

…

}


MusicWearListenerService

WearableService

WearableService Google API


WearableService


my_jt.e(my_js,1,"com.google.android.music");


W/AppOps ( 1077): Bad call: specified package

com.google.android.music under uid 10203 but it is really 10082

E/AndroidRuntime(13094): FATAL EXCEPTION: main

E/AndroidRuntime(13094): Process:

com.example.harrisj.servicetest, PID: 13094

E/AndroidRuntime(13094): java.lang.SecurityException: Unknown

calling package name 'com.google.android.music'.


WearableService


BluetoothSocket

OutputStream

BluetoothSocket

InputStream


[package name] wear://nodeid/path data

[signature_of_package]


INTRODUCING…

…….


Data

Modified

Data


com.app.app1

/path

aa:bb:cc:dd

com.app.app1

/path

aa:bb:cc:dd

com.zzz.app2

/path

11:22:33:44


com.app.app1 wear://nodeid/path data aa:bb:cc:dd


com.app.app1

/path

aa:bb:cc:dd

com.app.app1

/path

aa:bb:cc:dd

com.zzz.app2

/path

11:22:33:44


com.zzz.app2 wear://nodeid/path data aa:bb:cc:dd


W/WearableService( 629): ensureBindStarted: app does

not match record's app key:

AppKey[com.app.app1,aabbccdd] !=

AppKey[com.zzz.app2,11223344]


com.app.app1

/path

aa:bb:cc:dd

com.app.app1

/path

aa:bb:cc:dd

com.zzz.app2

/path

11:22:33:44


com.zzz.app2 wear://nodeid/path data 11:22:33:44


com.app.app1

/path

aa:bb:cc:dd

com.app.app1

/path

aa:bb:cc:dd

com.zzz.app2

/path

11:22:33:44


Demo


Still more research to do. On other wearables, on other

attack vectors.

Need root access to use this tool. Can be good for

assessing wearable applications.

We can’t trust data being sent to/from device.

Watch you lookin’ at? Good • Permissions model well implemented • App removal • Logging •...

Documents

Transcript of Watch you lookin’ at? Good • Permissions model well implemented • App removal • Logging •...