Authenticator Leakage Through Backup Channels on Android
Guangdong Bai
National University of Singapore
Web services are increasingly delivered through mobile apps…
[Figure: app icons for social networking, online banking and email services]
Can't we simply use mobile browsers?
Native apps vs. mobile browsers:
• Apps
  ✓ Full use of device/APIs
  ✓ Less programming limitation
  ✓ Running faster
• Browsers
  ✓ Cross platforms
  ✓ Reusable browser functionality (JS engine, …)
  ✓ Developed faster
Can't we simply use mobile browsers?
"…the (mobile) browser has become a single application swimming in a sea of apps." -- Flurry Insights
Therefore, mobile apps play the same role as web browsers
[Figure: a web server and an app, with two concerns: ① communication protocols, ② content rendering. The exchange shown in the figure:]
  GET HTTP/1.1

  HTTP/1.1 200
  Set-Cookie: cookie1=87654321; domain=.idp.com
  ----------------------------------------
  <body onload=foo()>
  <script>
  var domain = "http://www.sp.com/login";
  var authToken = "3fa09d24a3ce";
  var uEmail = "[email protected]";
  var idpSign = "2oOs5u29erIas…";
  function foo() {
    var message = uEmail + "&" + authToken + "&" + idpSign;
    window.postMessage(domain, message);
  }
  </script>
  </body>
However, this is a non-trivial task…
[Figure: web server and app, again with ① communication protocols and ② content rendering as the two concerns]
• Code injection attacks
  – Have been extensively studied [CCS'13, CCS'14, ESORICS'15]
• Security of communication protocols
  – Novel attack surface
  – Novel Trusted Computing Base (TCB)

Focus of this talk: web authentication protocols on Android
• Implementation of web authentication schemes on Android
  – Authentication process
  – How authentication credentials (authenticators) are managed
• Backup channel: a new attack surface against web authentication on the Android platform
  – Why backup is a dangerous functionality on Android
  – How to abuse backup channels
• Case studies and mitigations
Section 1. Web Authentication on Android

Web authentication: safeguard to web accounts
• Web Authentication
  – A process by which the server confirms whether an entity (client) is who it declares to be
  – One of the most widely used web functionalities
How do Android apps implement web authentication?
• Our investigation
  – Goal: to learn the approaches contemporary apps use to implement their authentication schemes
  – Focus: how authenticators are managed
  – Methodology: we have manually analyzed the top-ranked 100 apps on Google Play (by reverse engineering and traffic analysis)
Result summary
(Figure source: http://geektechreviews.com/wp-content/uploads/2015/07/Top-10-Free-Android-Apps-Must-Have.jpg)
• TOP 100
  – 66 with authentication schemes
    • Basic authentication (40)
    • Single Sign-on (40)
    • Android AccountManager (16)
  – 34 without authentication schemes
    • Standalone apps, e.g., news browsers, maps and video players
Web authentication scheme #1: Basic authentication
• Basic authentication stands for traditional authentication schemes on the basis of
  – Knowledge (e.g., a password and security questions)
    • 34 out of 40 apps use password-based schemes
  – Ownership (e.g., a hardware token and a mobile phone)
    • 6 out of 40 apps use SMS-based one-time password schemes
  – Inherence (e.g., fingerprint and retinal pattern)
    • None is found
    • Fingerprint confidentiality: see the talk at Black Hat US 2015 by Dr. Wei Tao
General process of basic authentication on desktop browsers
[Figure: the web browser sends UID/PWD to the web server and receives an authenticator in return]
• Authenticator
  – An authentication credential indicating the client's login session
  – E.g., cookies, session ID, OAuth Token and OAuth Code
• Protections provided by the web browser
  ✓ Same origin policy (SOP)
  ✓ Content security policy (CSP)
  ✓ Cookie protection
  ✓ …
General process of basic authentication on Android apps
[Figure: the Android app sends UID/PWD to the web server's REST API; the returned authenticator is held in a Webview, a ContentProvider or a SharedPreference, all under the app's internal storage /data/data/appname]
Web authentication scheme #2: Single Sign-on
• Single Sign-On (SSO)
  – A Kerberos-like single-credential authentication scheme
  – BrowserID (Mozilla)
  – Facebook Connect
    • 250+ million users, 2,000,000 websites
  – OpenID
    • one billion users, 50,000 websites
  – …
Three parties in SSO
[Figure: the three parties, User, Identity Provider (IDP) and Relying Party (RP), with a token passed between them]
SSO in Android
• Relying Party (RP)
  – Application
• Identity provider (IDP)
  – SSO service is released in the form of an SDK
  – E.g., Facebook Connect, Twitter ID
A concrete process: Facebook Connect
[Figure: the RP app embeds the Facebook SDK (under /app/app/RP) and talks to the Facebook Server; when the IDP app is installed (/app/app/IDP), the SDK goes through it instead. Legend: secret cookies, OAuth access token]
Web authentication scheme #3: Android AccountManager
(Reference: http://blog.udinic.com/2013/04/24/write-your-own-android-authenticator/)
• AccountManager
  – An Android service which provides a delegated authentication service and centralized account/authenticator control
  – Pros
    • Simplifies the process for the developer
      – By implementing some interfaces
    • Can handle multiple token types for a single account
    • Automatic background update (SyncAdapters)
Briefing: how AccountManager works
• Developer needs only to…
  – Create an AccountAuthenticator
    • Add accounts, account types, auth token
  – Create an Activity
    • Through which users enter credentials
• AccountManager will…
  – Manage authenticators
    • Located in account.db in /data/system/users/0
  – Update authenticators in the background
Security of authentication schemes
• Security of protocols in three layers
  – Design-level security: design and logic flaws
    • A notorious example: flaws in the Needham-Schroeder protocol
    • Protocol verification: theorem proving (ProVerif), model checking (PAT)
  – Implementation-level security
    • Implementation errors/bugs in the code
    • E.g., Google ID flaw: not all messages are covered in the signature (IEEE S&P'12); guessable authenticators (NDSS'13)
  – Infrastructure-level security
    • Exploits in the software stack (e.g., OS, file system) that the protocols rely upon
    • A previous study: password leakage through compromised ADB (Claud Xiao at HITCON'14)
Let's look at infrastructure-level security of web authentication on Android
[Figure: the three schemes and where their authenticators live:
  – Basic Authentication: Webview / ContentProvider / SharedPreference in the app's internal storage, /data/data/appname
  – Single Sign-on: secret cookies and OAuth access token held by the Facebook SDK inside the RP app (/app/app/RP) and the IDP app (/app/app/IDP)
  – AccountManager: the system directory /data/system/users/0
  i.e., either the owner app's proprietary directory (/app/app/appname) or the system directory]
Isolation Mechanism in Android
[Figure: each app runs in its own sandbox over /data/data/appname; the owner app can read its uname/password (✓) while another app cannot (✗)]
What if the sandbox is bypassed?
Backup functionality has to violate the sandbox mechanism
[Figure: a backup app reaches into other apps' sandboxes (✓ ✗ ✓)]
Section 2. Backup on Android

Two ways to implement backup on Android
• Root-based backup
  – Root the device and grant root privilege to the backup apps
• ADB-based backup
[Figure: the backup app reading both sandboxes (✓ ✓)]
Note: we consider only backing up an app's data located in its proprietary folder, not the user's data that can be accessed through APIs such as contacts and SMS messages
ADB-based backup
• ADB (Android Debug Bridge)
  – ADB is a versatile command line tool that lets users communicate with an emulator instance or a connected Android-powered device.
  – Running at system (or signature) level privilege
    • Root > system > user
• How does ADB-based backup work? (do we need "adb backup" every time?)
[Figure: the backup app (user level) starts a proxy at system level via 1. adb shell, 2. app_process proxy]
How does an ADB proxy conduct backup?
  backup:   bu 1 backup appname > backupdata.ab
  restore:  bu 0 restore < backupdata.ab
• Backup file format (reference: http://nelenkov.blogspot.sg/2012/06/unpacking-android-backups.html)
  ANDROID BACKUP     (magic)
  1                  (format version)
  1                  (compression flag)
  none or AES-256    (encryption algorithm)
  data               (compressed using the deflate algorithm)
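As an added example (not code from the talk), the following Python parses the four-line header described above and inflates an unencrypted payload so the archive's entries can be listed; the sample backup is constructed inline, and for AES-256 files the parser only reports the encryption and does not touch the key-material lines that follow the header.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_ab_header(blob: bytes) -> dict:
    """Split off the four header lines: magic, version, compression, encryption.

    For AES-256 backups the real file continues with salt/IV/key-material lines;
    they are left inside 'payload' untouched, since this parser never decrypts.
    """
    parts = blob.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file (bad magic)")
    encryption = parts[3].decode("ascii")
    if encryption not in ("none", "AES-256"):
        raise ValueError("unknown encryption algorithm: %r" % encryption)
    return {"version": int(parts[1]), "compressed": parts[2] == b"1",
            "encryption": encryption, "payload": parts[4]}

def list_backup_entries(blob: bytes) -> list:
    """Return the tar member names of an unencrypted backup; refuse encrypted ones."""
    hdr = parse_ab_header(blob)
    if hdr["encryption"] != "none":
        raise ValueError("backup is AES-256 encrypted; payload is not readable as-is")
    data = zlib.decompress(hdr["payload"]) if hdr["compressed"] else hdr["payload"]
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]

def make_sample_backup(encryption: bytes = b"none") -> bytes:
    """Constructed test input: a one-file tar (a fake SharedPreference XML holding
    a placeholder token) deflated behind a version-1 header. Not a real backup."""
    body = b'<map><string name="access_token">SAMPLE_TOKEN</string></map>'
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        info = tarfile.TarInfo("apps/com.example.victim/sp/prefs.xml")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    header = b"\n".join([MAGIC, b"1", b"1", encryption]) + b"\n"
    return header + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    sample = make_sample_backup()
    print(parse_ab_header(sample)["encryption"], list_backup_entries(sample))
```

Run against a real .ab file, the encryption field tells you immediately whether a backup left on shared storage exposes the app's authenticators in the clear.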
How can backup be a threat to authentication?
[Figure: the backup app's ADB proxy reaches into the victim app; backup output lands in globally readable storage, where a malicious app can read it]
• Channel #1: Backup data leakage
• Channel #2: Backup capability leakage
A summary of leakage through the existing backup apps
Category   | App             | Installs              | Publicly accessible? | Backup data encrypted? | Compromised interfaces? | Leakage possible?
Root-based | MyBackup        | 1,000,000-5,000,000   | SD card              | ✗                      | --                      | ✓
Root-based | Ultimate Backup | 500,000-1,000,000     | SD card              | ✗                      | --                      | ✓
Root-based | Ease Backup     | 100,000-500,000       | SD card              | ✗                      | --                      | ✓
Root-based | Titanium Backup | 10,000,000-50,000,000 | SD card              | ✗                      | --                      | ✓
ADB-based  | Helium          | 1,000,000-5,000,000   | SD card              | ✗                      | ✓                       | ✓
Analyzing an ADB-based Backup App
• Helium
  – One of the best apps in 2013 (www.gizmap.com/best-android-apps-2013/30238)
  – Developer: ClockworkMod
    • Developer of the CyanogenMod Android OS
    • Has released 19 apps on Google Play, 15 million installs
• Our analysis of the ADB-based app is inspired by ScreenMilker [NDSS'14]
Internals of Helium (obtained by reverse engineering)
[Figure: inside /data/data/helium, a ShellRunner launches the ShellProxyService via am startservice (①); the service runs a Local Socket Server (②, ③) and keeps state in settings.db. The Main Activity drives LocalBackup, which writes to the SD Card (⑴–⑷), and WebBackup, which exposes an HTTP Server (Asyn, steps (i)–(iv)). Legend: control flow, data flow]
Access Control Protocol in the ADB Proxy
[Figure: the ADB Proxy's Local Socket Server and the Helium main app exchange a one-time password; shown are the code of the ADB proxy and the code of broadcastPassword()]
A logic flaw
How does handleSocket() work?
  handleSocket() {
      try {
          while (true) {
              r = getRequest();
              if (checkOTP(r))
                  serve(r);
              else
                  throw exception;   // a wrong OTP only breaks out of the loop
          }
      } catch {
          // not terminate: the proxy process stays alive after the failure
      }
  }
Attack #1: Exploit the logic flaw
[Figure: attack sequence involving ShellRunner, ShellProxyService, AuthSniffer, the user and the attacker: monitor uninstall events → Helium uninstalled → trick user to install mHelium → monitor install events → mHelium installed and started → wrong token]
• Disadvantage of the attacker
  – Helium needs to be uninstalled
  – Attacker needs to install a malware with the same name as Helium
• Advantage of the attacker
  – Once obtaining the OTP, the attacker is able to back up the victim app at any time (active attack)
  – Once obtaining the OTP, the attacker is able to conduct other high-privileged actions (see http://developer.android.com/tools/help/adb.html)
Attack #2: Invoke the Web interface
• HTTP Server on port 5000
  URL                            | Method | HTTP Body                  | Description
  http://IP:5000/api/package     | GET    | NULL                       | Fetch the list of installed apps
  http://IP:5000/api/backup.zip  | POST   | Name of the app to backup  | Backup
  http://IP:5000/api/restore.zip | POST   | Backup data                | Restore
• Disadvantage of the attacker
  – The HTTP server is closed by default and only open when web backup is used (semi-active attack)
  – Needs INTERNET permission
• Advantage of the attacker
  – Can back up the target victim
  – Easier to implement than Attack #1
Attack #3: Access backup data on external storage
• Disadvantage of the attacker
  – Cannot choose the target victim (passive attack)
• Advantage of the attacker
  – Easy to implement
Section 3. Impact and Case studies

Extent of the ADB backup
• The apps won't be backed up by the ADB proxy when
  – Using Android AccountManager for authentication
  – android:allowBackup is false
    • If a developer does not specify it in AndroidManifest.xml, it is true by default!!
    – Our study reveals that only ~10% of apps specify it as false.
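As an added example (not from the talk), the check below reads android:allowBackup from a decoded AndroidManifest.xml and treats a missing attribute as true, which is the default the slide warns about; the three manifests are constructed and the package names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP_ATTR = "{%s}allowBackup" % ANDROID_NS

def allow_backup_status(manifest_xml: str) -> dict:
    """Report whether the app's private data can be pulled by 'adb backup'.

    Absence of android:allowBackup means TRUE on Android; an explicit
    value wins and only the literal "true" enables backup.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    raw = app.get(ALLOW_BACKUP_ATTR)
    if raw is None:
        return {"allow_backup": True, "explicit": False,
                "reason": "attribute absent; Android defaults to true"}
    return {"allow_backup": raw.strip().lower() == "true", "explicit": True,
            "reason": 'android:allowBackup="%s"' % raw}

def find_backup_exposed(manifests: dict) -> list:
    """From a {package: manifest} map, the packages an ADB proxy could back up."""
    return sorted(pkg for pkg, xml in manifests.items()
                  if allow_backup_status(xml)["allow_backup"])

# Constructed manifests (placeholder packages): one silent on the attribute,
# one that explicitly opts out, one that explicitly opts in.
MANIFEST_SILENT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:label="Silent"/>
</manifest>"""
MANIFEST_OPT_OUT = MANIFEST_SILENT.replace(
    'android:label="Silent"', 'android:label="Out" android:allowBackup="false"')
MANIFEST_OPT_IN = MANIFEST_SILENT.replace(
    'android:label="Silent"', 'android:label="In" android:allowBackup="true"')
SAMPLES = {"com.example.silent": MANIFEST_SILENT,
           "com.example.optout": MANIFEST_OPT_OUT,
           "com.example.optin": MANIFEST_OPT_IN}

if __name__ == "__main__":
    for pkg, xml in SAMPLES.items():
        print(pkg, allow_backup_status(xml))
    print("exposed:", find_backup_exposed(SAMPLES))
```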
How many apps are subject to these attacks?
• Data Set I
  – Top-ranked 100 apps
• Data Set II
  – Randomly chosen 10 categories of apps from Google Play
  – Top 10 apps from each category
[Figure: experiment setup: Helium on Device 1, the Victim App on Device 2, the attacker PC driving the proxy (steps ①–⑥), and the web server]
How many apps are subject to these attacks?
[Chart: W/O Authentication, 83; Infected, 80; Not infected, 37 (AccountManager, 23; W/O Backup, 14)]
Case study #1: Facebook App
  POST https://b-api.facebook.com/method/auth.login HTTP/1.1
  ...
  User-Agent: [FBAN/FB4A;FBAV/9.0.0.26.28;FBBV/2403143;FBDM/
  email=alice.tester%40gmail.com&password=pwd&sig=452aca050cdce967a699e969076962f0&...

  HTTP/1.1 200 OK
  ...
  Content-Type: application/json
  {"session_key":"5.71T...411696",
   "access_token":"CAAAAUaZA...XW8ZD",
   "session_cookies":[
     {"name":"c_user","value":"100003708411696","expires":"Thu, 28 May 2015 10:11:48 GMT","domain":".facebook.com"},
     {"name":"xs","value":"201:71TTJlPmwZwjXQ:2:1401271908:10025","expires":"Thu, 28 May 2015 10:11:48 GMT","domain":".facebook.com"},
     ...]
   ...}

Identifying authenticators
  access_token   Credentials in subsequent requests, e.g., posting a new post
  c_user, xs     Credentials indicating the user's login state
  Stored in prefs_db under /data/data/com.facebook.katana
Case study #2: Facebook Single Sign-on
[Figure, steps ①–④: the Facebook SDK inside the rpApp sends the user id/pwd to the Facebook Server, which verifies them and returns c_user, xs (authentication); the SDK then obtains an OAuth token, and user_info together with the OAuth token reaches the rpApp (authorization)]
• Authorization: the user can control what information can be accessed by the rpApp.
Authenticators belonging to two origins?
[Figure: inside the RP app (/app/app/RP), the Facebook SDK holds c_user and xs, which belong to facebook.com, alongside the OAuth token, which belongs to rp.com]
• Facebook completely delegates the secrecy of its credentials to the RP app?!
• With c_user and xs, one can log in to the user's account and completely violate authorization…
Facebook's opinion
Facebook Security:
"But couldn't a malicious application with a WebView also steal usernames and passwords as they're submitted? Once the user is entering their credentials outside of a trusted browser, there's very little that we can do from our end to protect them. That's why it's so important that marketplaces like Google Play and Apple's App Store take steps to protect users from malicious applications."
Section 4. Mitigation

Suggestions to backup app developers
• Build secure ADB-based Backup
  – Prevent backup privilege from exposure
    • Verified access control of the ADB proxy
    • Secrecy of backup data
  – Follow the principle of least privilege
    • Expose only backup/restore functionality
  – Manage the lifecycle of the ADB proxy
    • ADB proxy never outlives the main app
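As an added illustration (not Helium's code, which is Java and not on the slides), the Python below simulates the handleSocket() loop from the talk next to a version that applies the three suggestions above; requests are (token, command) pairs standing in for the local socket, and owner_installed is a hypothetical package-presence check.

```python
import hmac
import secrets

class VulnerableProxy:
    """Mirrors handleSocket() as sketched in the talk: a wrong token raises, the
    exception is swallowed, and the privileged proxy keeps running with the same OTP."""

    def __init__(self, otp: str):
        self.otp, self.alive, self.served = otp, True, []

    def handle_socket(self, requests):
        try:
            for otp, cmd in requests:
                if otp == self.otp:
                    self.served.append(cmd)      # serve(r): any command at all
                else:
                    raise PermissionError("wrong token")
        except PermissionError:
            pass                                 # "not terminate"
        return self.served

class HardenedProxy:
    """Verified access control (constant-time compare, first failure is fatal),
    least privilege (backup/restore only) and a lifecycle bound to the owner app."""

    ALLOWED = {"backup", "restore"}

    def __init__(self, otp: str, owner_installed):
        self.otp, self.alive, self.served = otp, True, []
        self.owner_installed = owner_installed   # hypothetical: is the main app still there?

    def handle_socket(self, requests):
        for otp, cmd in requests:
            ok = (self.owner_installed()
                  and hmac.compare_digest(otp, self.otp)
                  and cmd in self.ALLOWED)
            if not ok:
                self.shutdown()                  # never outlive the main app; one strike
                break
            self.served.append(cmd)
        return self.served

    def shutdown(self):
        self.alive = False
        self.otp = secrets.token_hex(16)         # the old token cannot be replayed
```

In the vulnerable model a second connection with the right token after a failed one is still served; the hardened model refuses everything once the owner app is gone or a check fails.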
Suggestions to web app developers
• Protect authenticators
  – Disable android:allowBackup if not necessary
  – Avoid storing the password
  – Shorten authenticator lifetime
• Avoid implementing your own authenticator management
  – Use Android AccountManager
Summary and Take-away
• The dilemma
  – Backup functionality vs. Confidentiality
  – Push the boundary or break the sandbox?
    • ScreenMilker [NDSS'14]
• Authentication
  – Awareness of infrastructure-level attacks
References
• [CCS'13] Wang, Rui, et al. "Unauthorized origin crossing on mobile platforms: Threats and mitigation."
• [CCS'14] Jin, Xing, et al. "Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation."
• [ESORICS'15] Hassanshahi, Behnaz, et al. "Web-to-Application Injection Attacks on Android: Characterization and Detection."
• [IEEE S&P'12] Wang, Rui, et al. "Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services."
• [NDSS'13] Bai, Guangdong, et al. "AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations."
• [NDSS'14] Lin, Chia-Chi, et al. "Screenmilker: How to milk your android screen for secrets."