Upload File

bypassing the android permission model georgia weidman founder and ceo, bulb security llc

  • Home
  • Documents
  • Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC
40
Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Upload: amy-bridges

Post on 24-Dec-2015

217 views

Category:

Documents


0 download

Report

Tags:

TRANSCRIPT

Page 1: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Bypassing the Android Permission Model

Georgia WeidmanFounder and CEO, Bulb Security LLC

Page 2: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Is the permission model working? Are users making good decisions?

Page 3: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Most Popular Android App

Page 4: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Demo

App abusing permissions

Page 5: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Demo explained

Permissions: Read IMEI Read Contacts Send SMS

We exploited every one of these

Page 6: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Rooting Android

Page 7: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Rooting Android for Evil(DroidDream)

Page 8: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

DroidDream Permissions

INTERNET

READ_PHONE_STATE

CHANGE_WIFI_STATE

ACCESS_WIFI_STATE

Page 9: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

DroidDream

Page 10: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

DroidDream

Page 11: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

DroidDream Rooting

Exploid

CVE-2010-Easy (RageAgainsttheCage)

Page 12: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Rooting Android

Page 13: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

DroidDream Root Payload

Permission model no longer applies installed packages All personal data Send to C&C

Page 14: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Rooting Android for Evil(DroidDream)

Page 15: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Rooting Android

Page 16: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Mitigation

Users update their phones That means they need the updates pushed out

That means you third party platforms!!

Page 17: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC
Page 18: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC
Page 19: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Android Storage

Sdcard VFAT

With apps Only visible to app (default) World readable

Page 20: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Demo

Exploiting bad storage practices

Page 21: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Demo Explained

Stores sensitive data on the sdcard Sdcard is VFAT Everything is world readable

Page 22: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Demo Explained

Discovers how the data is stored Accesses it Sends it to an attacker

Page 23: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Code Examples

Vulnerable Code

Malicious Code

Page 24: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

BadSaveFile

Page 25: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

BadSendFile

Page 26: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Wait? How do we get source code?

Winzip/7zip etc.

dex2jar

jd-gui

Whitepaper with more info: http://cdn01.exploit-db.com/wp-content/themes/exploit/docs/17717.pdf

Page 27: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC
Page 28: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC
Page 29: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC
Page 30: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Nonsensical Code

while (true)

{

if (i < 0);

String str;

while (true)

{

return;

try

{

Page 31: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Mitigation

Store information securely Not on sdcard

Not in source code

Not world readable

Page 32: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Android Interfaces

Call other programs

Don't reinvent the wheel

Take a picture

Twitter from photo app

Page 33: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Demo

Exploiting open interface with SMS functionality

Page 34: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Demo Explained

When it is called it sends an SMS Caller can set the number and message Sadly this is considered useful!

Page 35: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Demo Explained

Calls the SMSBroadcastr Sends number and message Sends an SMS

Page 36: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Code Examples

Vulnerable Code

Malicious Code

Page 37: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

SMSBroadcastr

Page 38: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

SMSIntent

Page 39: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Mitigations

Don't have dangerous functionality available in interfaces

Require user interaction (click ok)

Require-permission tag in manifest for interface

Page 40: Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC

Contact

Georgia Weidman

georgiaweidman.com bulbsecurity.com

[email protected]

@georgiaweidman


Bypassing firewalls

CODE2040 - Laura Weidman Powers, Co-Founder & CEO @OpenAccessPHL September 2014

Bypassing Intrusion Detection Systems

Dan Weidman BP- Bitumen BU December 7, 2006

Bypassing Virtual Machin...Orkstation Unibia

Bypassing McAfee‘s Application Whitelisting for …...• Application Whitelisting • Overview - McAfee Application Control • Bypassing Application Whitelisting • Basic Code

Technical Bulletin 118-Bypassing De-aeration Program on ... Bypassing De-Aeration... · TB -118 Technical Bulletin 118-Bypassing De-aeration Program on Rinnai Boilers The purpose

Libre internet bypassing internet censorship

Calibration and Bypassing Hardware

Bypassing Network Access Control Systems

Conceptualizing Socialization of Graduate Students of ...weidman/2016-ConceptSocGradStudColor.pdf · Conceptualizing Socialization of Graduate Students of Color: Revisiting the Weidman-Twale-Stein

Bypassing the Will 2005

Bypassing the Roadblocks

Bypassing the Android Permission Model - Hack In The Box ... - Ge… · Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC. Is the permission

Bypassing Web App Firewalls

Bypassing the Conscious Mind

Introducing the Smartphone Pentesting Framework Georgia Weidman Bulb Security LLC Approved for Public Release, Distribution Unlimited

Bypassing Waf

Curriculum Vitae JOHN C. WEIDMAN Emeritus …weidman/CV-Weidman-Current.pdfCurriculum Vitae JOHN C. WEIDMAN Emeritus Professor of Higher and International Development Education University

Weidman, Carla Sue; Weidman, John C. The Woman Professor

Bypassing Web Application Firewalls - DeepSec · Bypassing Web Application Firewalls ... BYPASSING A WAF –WHY? •Number of deployed Web Application Firewalls (WAFs) is increasing

Bypassing the Android Permission Model

Free Will Skepticism and Bypassing

What is Spiritual Bypassing

Digital Learning in Afterschool Carly Weidman, PBS Learning Media

Waf Bypassing by Rafaybaloch

Bypassing Av

Aldrich Kugelrohr – “Bulb-to-Bulb” Vacuum Distillation

Wp Bypassing Captchas

Bypassing NAC v2.0 - Black Hat

Bypassing Web Application Firewalls

Web Application Firewall Bypassing - OWASP · BYPASSING METHODS AND TECHNIQUES (II) BYPASSING PARAMETER VERIFICATION •PHP removes whitespaces from parameter names or transforms

Recycling and bypassing operation

Sonet 130 by William Shakespeare Evan Miller and Jake Weidman

Gowdiak Bypassing Firewalls