Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack

© 2014 IBM Corporation
IBM Security Systems
1
Pinpointing Vulnerabilities in Android
Applications: Like Finding a Needle
in a Haystack
Roee Hay, roeeh@il.ibm.com
IBM Application Security Research
Group Lead

2
Please note
IBM’s statements regarding its plans, directions, and intent are subject to change
or withdrawal without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general
product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a
commitment, promise, or legal obligation to deliver any material, code or
functionality. Information about potential future products may not be incorporated
into any contract. The development, release, and timing of any future features or
functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM
benchmarks in a controlled environment. The actual throughput or performance
that any user will experience will vary depending upon many factors, including
considerations such as the amount of multiprogramming in the user’s job stream,
the I/O configuration, the storage configuration, and the workload processed.
Therefore, no assurance can be given that an individual user will achieve results
similar to those stated here.

3
Agenda
 Mobile Vulnerabilities Primer
 Malicious Apps and the Android Security Model
 Mobile DAST Research Project: The Mobile Analyzer
 Case Study. The NY Times Cross-Application Scripting (XAS)

4
Mobile Vulnerabilities Primer

5
A Typical Mobile App
Client Back-end
App

6
The Mobile Vulnerabilities Space
New
Client-side
vulnerabilities:
?
Classic
Back-end
vulnerabilities:
SQL Injection
Code Execution
etc

7
Attack Vectors for Client-Side Vulnerabilities
Client Back-end
App

8
(1) Taking Over the Backend
Client Back-end
App
Attacker

9
(2) Man-in-the Middle (MiTM)
Client Back-end
App Attacker

10
(3) Malicious Apps
Client Back-end
Attacker
App

11
Malicious Apps

12
The Android Threat Model
 Apps in Android are sandboxed from each other:
 Each app package runs with a different Linux user-id so
by default resources created by one app cannot be
accessed by another app
 Apps are constrained:
 A-Very-Cool-Game cannot just send SMSs.
 Some constraints can be relaxed at deployment time by
using permissions.
 These features protect the integrity and confidentiality of:
 The Installed Apps.
 The Android system.
Browser Mail
SMSPhone
Contacts Search

13
Two Types of Malicious Apps
 (1) Attack the System
 Abuse system services for its own profit e.g.
 Premium SMSs and MMS
 GPS access
 System log access
 No vulnerability is required.
 Suspicious use of permissions!
Source: http://www.threattracksecurity.com/it-
blog/russian-language-facebook-android-app-
premium-sms-is-out-daily-service-fees-are-in/

14
Two Types of Malicious Apps
 (2) Attack other Apps
 Try to subvert the integrity and/or confidentiality of other applications
 Target applications must be vulnerable.
 No suspicious use of permissions!

15
Inter-Process-Communication in Android
 Apps want to be able to talk to each other:
 For feature reuse.
 This is achieved by Inter-Process Mechanisms, controlled
by special objects called Intents.
 Intents carry both the destination information and the
payload data.
 When an application component is willing to receive Intents
from external apps, it becomes exported and opens a hole
in the Android Sandbox!
Browser
Google
Play
Store
Phone

16
A Typical Attack by a Malicious App
 For a vulnerable app to be exploited, it must accept
external Intents, i.e. open the IPC channel in its manifest
file.
 The Malicious App initiates a malicious intent targeting the
vulnerable app.
 The Intent’s payload is specific to the vulnerability found in
the App
 e.g. an SQL Injection payload.
Vulnerable
App
Malicious
App
Malicious
Intent

17
The Mobile Analyzer

18
The Mobile Analyzer: Modus Operandi
 (1) Explore. Discover of the elements of the application that should be tested
 In Classic Web: This is done by crawling.
 Mobile Analyzer: We analyze the Android manifest file and dynamically learn of Intent
parameters.
 (2) Attack. Trigger the vulnerabilities
 In Classic Web : Done by sending HTTP requests with malicious data.
 Mobile Analyzer : We send Intents with malicious payloads using our security
knowledge.
 (3) Validate.
 In Classic Web: Done by looking at the HTTP responses (Black-box / DAST) or by
placing hooks on the target app (Glass-box / IAST).
 Mobile Analyzer: We mainly do it by placing hooks on the target mobile app (IAST).

19
The Mobile Analyzer: In Front of the Scenes
Uploads an APK
Our
Client

20
The Mobile Analyzer: In Front of the Scenes
Receives a Security Report
Our
Client

21
Debug Flag
enablement
Insecure
Pending
Intent
Memory
Corruptions
Client-side
SQL
Injection
UI Spoofing
Client-side
Denial-of-
Service
It Detects Many Issue Types!
Cross-
Application
Scripting
(XAS)
Android
Fragment
Injection
Insecure
File
Rights
Insecure
Class
Loading
Activity &
Service
Hijacking
Cross-Site
Scripting
via
Man-in-the-
Middle
Weak
Random
Number
Generators

22
Demo

23
Structure of the DoNothing App
Intent(data)
Log
(Native
code)
SQLite
DB
data
data
Exported activity Exported activity

24
The Developer’s Mistake
Intent(data)
data
data
Exported activity Exported activity
Log
(Native
code)
SQLite
DB

25
Case Study:
NYTimes
Cross-Application Scripting

26
Cross-Application Scripting (XAS)
 The Vulnerable app contains an embedded browser
(WebView)
 Due to bad input validation, The URL of the embedded
browser can be controlled by a malicious app with
problematic URI schemes, such as ‘javascript://’ or ‘file://’:
 WebView.loadURL(url)
 Injecting these schemes enables the attacker to execute JS
code in the context of the vulnerable app
 Subverts the Android’s sandboxing as it allows the attacker
to steal information pertaining to the vulnerable app
Vulnerable App
Malicious
App
Intent:
javascript://…

27
The NYTimes Vulnerability
protected void onCreate(Bundle bundle)
{
…
g.getSettings().setJavaScriptEnabled(true);
g.getSettings().setCacheMode(2);
g.getSettings().setSavePassword(false);
…
cookiemanager.removeAllCookie();
…
s = getIntent().getStringExtra("url");
if(TextUtils.isEmpty(s))
s = h.l().f();
if(getIntent().getBooleanExtra("hideTitle", false))
setTitle("");
g.loadUrl(s);
}
* Issue was fixed in August 2013 as per our responsible disclosure

28
Stealing the Session-ID
Client Back-end
NYT
NYTimes Session-ID

29
Client Back-end
NYT
NYTimes Session-ID
Attacker
Steals
Client
Session-ID

30
Client Back-end
NYT
Attacker
NYTimes Session-ID
Stolen
Client Session-ID

31
Goal & Impact
 The Attacker would like to leak some sensitive NYTimes files:
 The session identifier is found under NYTIMES_PREFS.xml.
 Impact: User impersonation.
root@android:/data/data/com.nytimes.android/shared_prefs # ls
NYTIMES_BLOGCATS.xml
NYTIMES_ENT.xml
NYTIMES_PREFS.xml
cSPrefs.xml
com.nytimes.android_preferences.xml
ny_times_widget.xml
uptAdsQueue.xml
uptEventsQueue.xml
root@android:/data/data/com.nytimes.android/shared_prefs # cat NYTIMES_PREFS.xml
...
<string name="NYT-S">
18CBbkG2ru6usGm4bmrmZvSlDZeHDEfrlQxsnMdUmY896gFXg1szP13uvJJp.6isWKzDs7ugEhp41N4bsEDh836YV.Ynx4rkFI
</string>
...

32
Exploitation: Abusing file:// URI schemes
 The javascript:// URI scheme cannot access files.
 We cause the embedded browser of NYTimes to load a globally readable file via the
file:// URI scheme.
 This file contains JS code that leaks NYTIMES_PREFS.xml
NYTimesMalicious app
AJAX
file://data/…/nyt/
NYTIMES_PREFS.xml
Malicious.html
<string name="NYT-S">
18CBbkG2ru6usGm4bmrmZvSlD
ZeHDEfrlQxsnMdUmY896gFXg1
szP13uvJJp.6isWKzDs7ugEhp
41N4bsEDh836YV.Ynx4rkFI
</string>
NYTIMES_PREFS.xml
Intent:
file://data/malicious/Malicious.html

33
Demo

34
Questions

35 © 2014 IBM Corporation
35
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack

Ähnlich wie Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack (20)

Mehr von IBM Security

Mehr von IBM Security (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack

Hinweis der Redaktion