Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Csw2016 chaykin having_funwithsecuremessengers_and_androidwear

1.531 Aufrufe

Veröffentlicht am

CanSecWest2016

Veröffentlicht in: Internet
  • Als Erste(r) kommentieren

Csw2016 chaykin having_funwithsecuremessengers_and_androidwear

  1. 1. Having fun with secure messengers and Android Wear (and Android Auto) Artem Chaykin Positive Technologies CanSecWest’16
  2. 2. Who I am? •  Russian hacker / Putin’s agent •  Mobile application security team lead •  SCADA Strangelove Team •  RDot.Org team member
  3. 3. Android IPC basics •  Private memory for each process •  Data is passed through kernel module – Binder •  Intent-based
  4. 4. Intents •  Intent is an object •  App1 can send intents to exported components of App2 Intent Package name Component name Ac0on Data
  5. 5. Android IPC basics Binder App 1 App N App 2
  6. 6. Android IPC basics App1 Binder IAc/vityManager
  7. 7. Android IPC basics App1 Binder IAc/vityManager App2
  8. 8. Example 0x1: MobiDM
  9. 9. Example 0x1: MobiDM
  10. 10. Example 0x1: MobiDM
  11. 11. PendingIntent Intent Iden/ty Permissions •  getActivity() •  getService() •  getBroadcast()
  12. 12. PendingIntent App1
  13. 13. PendingIntent App1 App2 pIntent
  14. 14. PendingIntent App1 App2 pIntent
  15. 15. PendingIntent App1 App2 pIntent
  16. 16. PendingIntent •  AlarmManager •  NotificationManager •  Identity confirmation
  17. 17. Example 0x2 – PendingIntent hijacking •  3rd party push services •  Identity confirmation Victims:
  18. 18. Example 0x2 – Victim:
  19. 19. Example 0x2 – Victim: •  Exploit:
  20. 20. Android Wear & Android Auto •  Remote Input class is based on PendingIntent
  21. 21. Android Wear & Android Auto •  Remote Input class is based on PendingIntent
  22. 22. Android Wear & Android Auto
  23. 23. Android Wear & Android Auto
  24. 24. Android Wear & Android Auto Voice reply
  25. 25. Example 0x3: Spam Victim: •  Bug:
  26. 26. Example 0x3: Spam Victim: •  Bug:
  27. 27. Example 0x3: Spam Victim: •  Exploit:
  28. 28. Example 0x3: Spam Victim: •  Result:
  29. 29. Example 0x3: Spam •  Victims:
  30. 30. Example 0x3: Intercepting Victim: •  Bug:
  31. 31. Example 0x3: Intercepting Victim: •  Exploit:
  32. 32. Example 0x3: Intercepting •  Android Auto victims: •  Android Wear victims:
  33. 33. Detecting with Xposed module
  34. 34. Fixes Still no thanks •  Signal – emailed Moxie – fixed same day – got “thanks” •  Telegram – emailed security@ - partial fix after ~ 45 days -
  35. 35. Microsoft
  36. 36. Microsoft
  37. 37. Fin! Questions?

×