
Deep Dive into Android Static Analysis and Exploitation

Presented by Gaurang Bhatnagar at Optiv SourceZeroCon 2021.


Gaurang Bhatnagar

July 18, 2021

Transcript

  1. DEEP DIVE INTO ANDROID STATIC ANALYSIS AND EXPLOITATION Gaurang Bhatnagar

  2. ABOUT THE RESEARCH

    • Case studies from popular applications, mainly focused on custom URI schemes and WebView exploitation
    • Performed code review on 100+ popular applications; found interesting scenarios and misconfigurations
  3. PROJECT - INSECURESHOP

  4. PROJECT - INSECURESHOP

    • Vulnerable Android app built in Kotlin
    • Real-world vulnerabilities
    • Based on my research on URI scheme and WebView exploitation
    • Replicates vulnerabilities disclosed by well-known mobile researchers
  5. DEEPLINKS

  6. WHAT ARE DEEPLINKS?

    • Deeplinks are specific URIs that send users directly to a specific point in the app rather than opening an external website
    • They help users navigate between web and mobile apps
  7. DEEPLINK COMPONENTS

  8. TRIGGERING DEEPLINKS IN ANDROID

  9. TRIGGERING DEEPLINKS IN IOS

  10. FINDING SCHEMES AND AUTHORITY AndroidManifest.xml

  11. FINDING PATHS AND QUERY PARAMETERS: defined paths within a specific class
  12. FINDING PATHS AND QUERY PARAMETERS: defined paths within a specific class
  13. JOINING THE PIECES TOGETHER

  14. LOADING ARBITRARY URLS IN WEBVIEW

  15. DEEPLINK ABUSE IMPACT

    • XSS: possible if setJavaScriptEnabled(true) is set on the WebView.
    • Theft of auth tokens: may result in account takeover if authentication tokens are passed to websites that are opened in the WebView.
    • Phishing: possible if you can load any arbitrary URL in the WebView.
    • Loading local files in the WebView: possible if setAllowFileAccess(true) is set on the WebView (the default for apps targeting API 29 and below).
    • DoS: possible if a malformed deeplink can be used to crash the application.
  16. THEFT OF AUTH TOKENS

  17. INSECURE HOST VALIDATION

  18. INSECURE HOST VALIDATION

  19. CVE-2017-13274

    • There was a problem in the android.net.Uri and java.net.URI parsers: they don't recognize backslashes as delimiters in the authority part, while Chromium (and therefore WebView) treats a backslash like a forward slash. The host the app validates and the host WebView actually loads can therefore differ.
    • Payload: http://attacker.com\@legitimate.com/smth (written "http://attacker.com\\@legitimate.com/smth" as a Java string literal). Uri.getHost() returns legitimate.com, so the check passes, but WebView loads attacker.com.
    • CVE-2017-13274 was fixed for API level 28 and above.
  20. INSECURE SCHEME VALIDATION

  21. OAUTH ATTACK VECTOR – REDIRECT URI

    • Developers often fail to validate the redirect URI parameter, allowing attackers to steal access tokens. A lack of scheme validation may also leak access tokens.
    • Redirect URLs are a critical part of the OAuth flow. After a user successfully authorizes an application, the authorization server redirects the user back to the application with either an authorization code or an access token in the URL.
  22. CREATING AN APP WITH A CUSTOM SCHEME AndroidManifest.xml MainActivity.java

  23. SYMLINK ATTACK

  24. REMOTE THEFT OF SESSION COOKIES

    Prerequisites:
    • You can load any arbitrary URL in the WebView
    • setJavaScriptEnabled(true) is set on the WebView [disabled by default]
    • setAllowFileAccess(true) is set on the WebView [enabled by default for apps targeting API 29 and below; disabled by default from API 30]
  25. REMOTE THEFT OF SESSION COOKIES

    The malicious app sends an intent with a URL that loads an attacker-provided HTML file in the WebView: http://attackerdomain.com/symlink/set_cookies.html
  26. Base64-decoded set_cookies.html: a JavaScript payload that sends the current document contents to an attacker-controlled domain.
  27. The attacker domain and the cookie get stored in the database file ‘app_webview/Cookies’.
  28. The malicious app creates a symlink with an .html extension (symlink.html) to force the WebView to parse the database file as an HTML file:

    ln -s /data/data/com.target/app_webview/Cookies /data/data/com.hack/symlink.html
  29. When symlink.html is loaded in the WebView, the JavaScript payload stored in the cookie is triggered and sends the data to the attacker domain.
  31. REMOTE THEFT OF ALL FILES

    Prerequisites:
    • You can load any arbitrary URL in the WebView
    • The target app can read data from external storage: <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    • setAllowUniversalAccessFromFileURLs(true) is set on the WebView [disabled by default]
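Added example (not code from the deck or from InsecureShop): a deeplink-handling activity that loads a URL into a WebView, with the vulnerable configuration that slides 15, 19, 24 and 31 describe left in as comments beside a hardened version. The package com.example.shop, the `url` query parameter and the allowlisted hosts are assumptions.

```java
package com.example.shop;   // hypothetical package

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Handles e.g. shop://open?url=https://shop.example.com/cart (hypothetical deeplink). */
public class DeepLinkActivity extends Activity {

    // Exact host allowlist. A substring check such as contains("example.com") is the bug.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("shop.example.com", "www.example.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        Uri deepLink = getIntent().getData();
        String target = deepLink == null ? null : deepLink.getQueryParameter("url");

        // VULNERABLE (the pattern the deck's case studies describe):
        //   WebSettings s = webView.getSettings();
        //   s.setJavaScriptEnabled(true);                 // XSS; lets the cookie-theft payload run
        //   s.setAllowFileAccess(true);                   // file:// loads (default true before API 30)
        //   s.setAllowUniversalAccessFromFileURLs(true);  // a file:// page may read any origin
        //   if (target != null && target.contains("example.com")) {
        //       webView.loadUrl(target);   // http://attacker.com\@shop.example.com/ gets through
        //   }

        // HARDENED:
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);              // turn on only if the page really needs it
        s.setAllowFileAccess(false);                // do not rely on the target-SDK default
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Re-check every navigation, not just the first load; returning true blocks it.
                return !isAllowed(request.getUrl());
            }
        });

        if (target != null && isAllowed(Uri.parse(target))) {
            webView.loadUrl(target);
        } else {
            finish();   // fail closed; never fall back to a URL built from the input
        }
    }

    /** Exact scheme + host check that also rejects the CVE-2017-13274 class of bypass. */
    static boolean isAllowed(Uri uri) {
        if (uri == null || uri.isOpaque()) return false;
        // android.net.Uri does not treat '\' as a delimiter but Chromium does, so
        // getHost() and the origin WebView actually loads can disagree. Reject outright.
        if (uri.toString().indexOf('\\') >= 0) return false;
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return false; // no http/file/content/javascript
        if (uri.getUserInfo() != null) return false;       // no user@host tricks in the authority
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

The `isAllowed` check is the part that matters: an exact scheme and host comparison, no user-info in the authority, and a flat refusal of any backslash, because android.net.Uri.getHost() and Chromium split `http://attacker.com\@shop.example.com/` differently. The WebSettings lines matter too: setAllowFileAccess() defaults to true only for apps targeting API 29 or below, and setAllowUniversalAccessFromFileURLs() has defaulted to false since API 16, so set both explicitly instead of relying on the target SDK.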
  34. EXPLOITING IPC COMPONENTS

  35. ACCESS TO PROTECTED COMPONENTS

    • As researched by Oversecured, more than 80% of apps were found to contain this vulnerability.
    • Developers often create proxy components (activities, broadcast receivers and services) that take an embedded Intent and pass it to dangerous methods like startActivity(...), sendBroadcast(...), etc.
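Added example (not from the deck or from the Oversecured write-up it cites): the proxy-activity pattern from the slide above, first forwarding the embedded Intent unchecked and then with the checks a fix needs. Package, class and extra names are assumptions.

```java
package com.example.shop;   // hypothetical package

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.util.Log;

/** Declared with android:exported="true" in the manifest (hypothetical). */
public class ProxyActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent inner = getIntent().getParcelableExtra("next");   // "next" is a hypothetical extra name
        if (inner == null) { finish(); return; }

        // VULNERABLE: forwards whatever the caller embedded. A third-party app thereby
        // reaches our non-exported activities with our identity, and with any URI
        // permission grants our content providers hand out (grantUriPermissions, FileProvider).
        //   startActivity(inner);

        // HARDENED:
        if (isSafeToForward(inner)) {
            startActivity(inner);
        } else {
            Log.w("ProxyActivity", "refusing to forward embedded intent: " + inner);
        }
        finish();
    }

    /** True only if the embedded Intent cannot reach anything the caller could not start itself. */
    boolean isSafeToForward(Intent inner) {
        // Never let the caller piggy-back on our content-provider grants.
        inner.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);

        ComponentName target = inner.resolveActivity(getPackageManager());
        if (target == null) return false;                   // nothing would handle it
        if (!target.getPackageName().equals(getPackageName())) {
            return true;                                     // leaves our app: the caller could send this directly
        }
        try {
            ActivityInfo info = getPackageManager().getActivityInfo(target, 0);
            return info.exported;                            // our own component: only if it is exported anyway
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}

// What a malicious app on the same device sends against the vulnerable version
// (slide 39), with hypothetical names:
//   Intent inner = new Intent();
//   inner.setClassName("com.example.shop", "com.example.shop.PrivateActivity"); // not exported
//   Intent outer = new Intent();
//   outer.setClassName("com.example.shop", "com.example.shop.ProxyActivity");   // exported
//   outer.putExtra("next", inner);
//   startActivity(outer);
```

The two checks are independent and both are needed: stripping the grant flags stops the embedded Intent from carrying our provider permissions to the destination, and the exported check stops it from landing on a component that the manifest deliberately keeps internal. Resolving the component with `resolveActivity()` covers implicit inner intents as well as explicit ones.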
  37. EXPORTED ACTIVITY

  38. VULNERABLE CODE

  39. CODE IN A MALICIOUS APP

  40. EXPLOITING IMPLICIT INTENTS

  41. EXPLICIT VS IMPLICIT INTENT

    Explicit: specifies the name of the component to be invoked; we use explicit intents to start a component in our own app.
    Implicit: does not specify the name of the component to start. Instead, it declares an action to perform and allows a component from another app to handle it.
  42. IMPLICIT INTENT: an implicit intent used to send a broadcast, and an implicit intent used to launch an activity
  43. INTENT INTERCEPTION (BROADCAST) AndroidManifest.xml

  44. INTENT INTERCEPTION (BROADCAST) EvilReceiver.java

  45. INTENT INTERCEPTION (BROADCAST)

    • Since Android Oreo (API 26), an app targeting API 26 or higher no longer receives most implicit broadcasts through receivers declared in AndroidManifest.xml (only a short list of system broadcasts is exempt).
    • To receive implicit broadcasts, you must register the receiver at runtime from code using registerReceiver().
  46. INTENT INTERCEPTION (BROADCAST) – OREO AND ABOVE MainActivity.java
  47. INTENT INTERCEPTION (BROADCAST) – OREO AND ABOVE EvilReceiver.java
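Added example (not the deck's MainActivity.java or EvilReceiver.java): a sender that leaks a token in an implicit broadcast, the runtime-registered receiver that catches it on Oreo and later, and the sender fixed by making the broadcast explicit to its own package. The action and extra names are assumptions.

```java
package com.example.demo;   // hypothetical package

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.util.Log;

public class BroadcastDemo {

    // Hypothetical action; in a real assessment you read it out of the target's code.
    static final String ACTION_LOGIN_DONE = "com.example.shop.LOGIN_DONE";

    /** Victim side (the deck's MainActivity.java): the token goes to every app on the device. */
    static void notifyLoginVulnerable(Context ctx, String sessionToken) {
        Intent i = new Intent(ACTION_LOGIN_DONE);
        i.putExtra("token", sessionToken);
        ctx.sendBroadcast(i);               // implicit: any app with a matching filter receives it
    }

    /** Victim side, fixed: the same broadcast, but addressed to our own package only.
     *  Because it now names a package, manifest-declared receivers in that package still
     *  get it on Oreo and later; the Oreo restriction only applies to implicit broadcasts. */
    static void notifyLoginFixed(Context ctx, String sessionToken) {
        Intent i = new Intent(ACTION_LOGIN_DONE);
        i.putExtra("token", sessionToken);
        i.setPackage(ctx.getPackageName());  // alternatives: setClass(...) or a permission-protected broadcast
        ctx.sendBroadcast(i);
    }

    /** Attacker side (the deck's EvilReceiver.java). A <receiver> in the manifest is not
     *  delivered this broadcast on API 26+, so the receiver is registered from running code. */
    public static class EvilReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            Log.i("EvilReceiver", "intercepted " + intent.getAction()
                    + " token=" + intent.getStringExtra("token"));
        }
    }

    /** Call from the attacker's Activity/Service; keep the returned receiver to unregister later. */
    static BroadcastReceiver listen(Context attackerCtx) {
        EvilReceiver r = new EvilReceiver();
        IntentFilter f = new IntentFilter(ACTION_LOGIN_DONE);
        // Apps targeting API 34+ must pass Context.RECEIVER_EXPORTED as a third argument here.
        attackerCtx.registerReceiver(r, f);
        return r;
    }
}
```

Runtime registration is what makes the attack still work after Oreo: the receiver lives as long as the attacker's process does, which is why the malicious app keeps a foreground activity or service alive while it listens. On the defending side, `setPackage()` is the smallest change; where only components within one process need the event, an in-process event bus avoids the Binder round-trip entirely.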
  48. DEMO TIME

  49. SUMMARIZING DEMO

    • Exploited broadcast receiver
    • Loaded untrusted URL in WebView
    • Access to content provider with android:grantUriPermissions="true"
  50. SUMMARIZING DEMO (CONTINUED…)

    • Insecure use of file paths in FileProvider
    • Code execution by overwriting a native library
    • Ability to read and overwrite internal app files
    • Yet to implement in InsecureShop…
  51. SUMMARIZING DEMO (CONTINUED…)

    • Placed a malicious HTML file on the sdcard
    • Malicious HTML file is called via the file:// scheme
    • WebView used setAllowUniversalAccessFromFileURLs(true)
    • Data exfiltrated to a remote domain
  52. MITM FLAWS

  53. LACK OF SSL VALIDATION

    Android apps are often coded so that they ignore any kind of SSL/TLS certificate error and proceed with an attacker-provided certificate. This makes the app vulnerable to MITM attacks.
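Added example (not from the deck): the two places Android apps usually disable certificate validation, the WebViewClient.onReceivedSslError override the takeaways mention and a trust-all X509TrustManager for HttpsURLConnection, each beside the fixed form.

```java
package com.example.demo;   // hypothetical package

import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationDemo {

    /** Pattern 1, WebView. This override is the "unsafe implementation of
     *  onReceivedSslError" from the deck's takeaways. */
    static class InsecureClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();   // accepts any certificate, including one minted by an interception proxy
        }
    }

    /** Pattern 1, fixed. Equivalent to not overriding the method at all: the load fails closed. */
    static class SecureClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();
        }
    }

    /** Pattern 2, HttpsURLConnection with a trust-all manager and a hostname verifier
     *  that always says yes. Both are needed to silence validation, and both show up
     *  verbatim in decompiled apps. */
    static void disableValidationInsecure() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }   // never throws
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
    }

    // Pattern 2, fixed: delete disableValidationInsecure(). The platform default
    // validates the chain and hostname, and for apps targeting API 24+ a CA the user
    // installed (for example an intercepting proxy's) is not trusted unless the app
    // opts in through its network security configuration.
}
```

When reviewing a decompiled app, grep for `proceed()` inside an `onReceivedSslError` override, for `checkServerTrusted` bodies that are empty, and for `HostnameVerifier` implementations that return a constant; any of the three means the invisible-proxy setup in the following slides will capture the app's traffic once the attacker-controlled certificate is presented.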

  55. COMMON QUESTIONS

    • How are you going to exploit this in a real scenario?
    • How are you going to issue an attacker-provided certificate to the Android user and capture the traffic originating from their device?
  56. USING BURP’S INVISIBLE PROXY

  57. USING IPTABLES TO FORWARD TRAFFIC TO BURP

  58. HARDCODED API KEYS AND SECRET

  59. HARDCODED API KEYS AND SECRETS

    KeyHacks shows ways in which particular API keys found on a bug bounty program can be used, to check whether they are valid.
  60. NUCLEI TEMPLATES

  61. NUCLEI TEMPLATES

    Releasing 40+ nuclei templates to aid mobile security assessments.
  62. TAKEAWAYS

  63. TAKEAWAYS

    • Most of the time developers don't add scheme and host validation checks, or they don't implement them correctly.
    • Loading an arbitrary URL in a WebView may give you authentication tokens. Also try to exfiltrate data from the local sandbox to a remote domain (depending on which WebView properties are enabled).
    • Note: Google has fixed the symlink attack as part of a system WebView update, so the symlink attack won't work on the latest Android devices or on devices with the updated system WebView.
    • IPC components can introduce many vulnerabilities if not properly configured.
  64. TAKEAWAYS

    • Expand your attack surface to non-exported components.
    • Developers often pass sensitive data via implicit intents, which can be intercepted by other apps on the device.
    • MITM vulnerabilities are too common in Android apps. Developers often override SSL errors, which makes the app vulnerable to MITM attacks (e.g. an unsafe implementation of onReceivedSslError).
    • Hardcoding API keys and secrets in a mobile app is common. You must understand the purpose of each hardcoded key: check the API docs to see whether the key is supposed to be public or private.
  65. OPTIV RESOURCES

    • InsecureShop App: https://github.com/optiv/Insecureshop
    • Nuclei Templates: https://github.com/optiv/mobile-nuclei-templates
    • Optiv Source Zero Blog: https://www.optiv.com/insights/source-zero
  66. ADDITIONAL RESOURCES

    • https://github.com/streaak/keyhacks
    • https://hackerone.com/reports/431002
    • https://blog.oversecured.com/Interception-of-Android-implicit-intents
    • https://blog.oversecured.com/Evernote-Universal-XSS-theft-of-all-cookies-from-all-sites-and-more
    • https://blog.mzfr.me/posts/2020-11-07-exported-activities/
    • https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105