Deep Dive into Android Static Analysis and Exploitation

Presented by Gaurang Bhatnagar at Optiv SourceZeroCon 2021.

Gaurang Bhatnagar

July 18, 2021

Transcript

  1. DEEP DIVE INTO ANDROID STATIC
    ANALYSIS AND EXPLOITATION
    Gaurang Bhatnagar

  2. ABOUT THE RESEARCH
    • Case studies from popular applications
    • Mainly focused on custom URI schemes and WebView exploitation
    • Performed code review on popular applications (100+)
    • Found interesting scenarios and misconfigurations

  3. PROJECT - INSECURESHOP

  4. PROJECT - INSECURESHOP
    • Vulnerable Android app built in Kotlin
    • Real-World Vulnerabilities
    • Based on my research on URI Scheme
    and WebView Exploitation
    • Replicates Vulnerabilities disclosed
    by Well-Known Mobile Researchers

  5. WHAT ARE DEEPLINKS?
    • Deeplinks are specific URIs that send users directly to a specific point
    in the app, rather than opening an external website
    • They help users navigate between web and mobile apps

  6. DEEPLINK COMPONENTS

  7. TRIGGERING DEEPLINKS IN ANDROID

  8. TRIGGERING DEEPLINKS IN IOS

  9. FINDING SCHEMES AND AUTHORITY
    AndroidManifest.xml

  10. FINDING PATHS AND QUERY PARAMETERS
    Defined paths within a specific class

  11. FINDING PATHS AND QUERY PARAMETERS
    Defined paths within a specific class

  12. JOINING THE PIECES TOGETHER

  13. LOADING ARBITRARY URLS IN WEBVIEW

  14. DEEPLINK ABUSE IMPACT
    • XSS: possible if setJavaScriptEnabled(true) is set on the WebView.
    • Theft of auth tokens: may result in account takeover if authentication
    tokens are passed to websites opened in the WebView.
    • Phishing: possible if you can load any arbitrary URL in the WebView.
    • Loading local files in the WebView: possible if setAllowFileAccess(true)
    is set on the WebView.
    • DoS: possible if a malformed deeplink can be used to crash the
    application.

  15. THEFT OF AUTH TOKENS

  16. INSECURE HOST VALIDATION

  17. INSECURE HOST VALIDATION

  18. CVE-2017-13274
    • There was a problem in the android.net.Uri and java.net.URI parsers:
    they don't recognize backslashes in the authority part.
    Payload:
    http://attacker.com\\\\@legitimate.com/smth
    • CVE-2017-13274 - Fixed for API level 28 and above
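
As an added example (not part of this deck or of the InsecureShop project), the routine below applies the lessons of slides 16 to 20 to a deep-link URL before anything is loaded in a WebView: it refuses authorities containing the characters that the app-side parser and the WebView disagree about, requires https, and compares the host against an exact-match allowlist rather than with endsWith() or contains(). The ALLOWED_HOSTS values are assumptions; the same check serves for an OAuth redirect URI.

```kotlin
import android.net.Uri

// Added example, not InsecureShop code. Hosts below are assumed placeholders.
private val ALLOWED_HOSTS = setOf("legitimate.com", "www.legitimate.com")

/**
 * Returns a URL that is safe to hand to WebView.loadUrl(), or null when the
 * deep link must be rejected. Equally applicable to OAuth redirect URIs.
 */
fun validatedWebViewUrl(raw: String?): String? {
    if (raw.isNullOrBlank()) return null

    // Look at the raw authority first. On API < 28 android.net.Uri and
    // java.net.URI (CVE-2017-13274) do not end the authority at a backslash,
    // while browsers do, so "http://attacker.com\\@legitimate.com/x" reads as
    // host legitimate.com to the app and host attacker.com to the WebView.
    // Refusing '\' and '@' anywhere in the authority removes that ambiguity.
    val schemeEnd = raw.indexOf("://")
    if (schemeEnd <= 0) return null
    val authorityStart = schemeEnd + 3
    var authorityEnd = raw.indexOfAny(charArrayOf('/', '?', '#'), authorityStart)
    if (authorityEnd < 0) authorityEnd = raw.length
    val authority = raw.substring(authorityStart, authorityEnd)
    if (authority.isEmpty() || '\\' in authority || '@' in authority) return null

    val uri = Uri.parse(raw)

    // Scheme: only https. Checking the host alone is the "insecure scheme
    // validation" problem: an http:// URL to the right host is still
    // interceptable, and other schemes carry entirely different semantics.
    if (!"https".equals(uri.scheme, ignoreCase = true)) return null

    // Host: exact match against the allowlist. endsWith("legitimate.com")
    // also accepts "notlegitimate.com"; contains() also accepts
    // "legitimate.com.attacker.example".
    val host = uri.host?.lowercase() ?: return null
    if (host !in ALLOWED_HOSTS) return null

    return uri.toString()
}
```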

  19. INSECURE SCHEME VALIDATION

  20. OAUTH ATTACK VECTOR – REDIRECT URI
    Developers often fail to validate the Redirect URI parameter, thus
    allowing attackers to steal access tokens. A lack of scheme validation may
    also lead to leakage of access tokens.
    Redirect URLs are a critical part of the OAuth flow. After a user
    successfully authorizes an application, the authorization server will
    redirect the user back to the application with either an authorization
    code or an access token in the URL.

  21. CREATING AN APP WITH A CUSTOM SCHEME
    AndroidManifest.xml
    MainActivity.java

  22. SYMLINK ATTACK

  23. REMOTE THEFT OF SESSION COOKIES
    The following are prerequisites:
    • You can load any arbitrary URL in the WebView
    • setJavaScriptEnabled(true) is set on the WebView [disabled by default]
    • setAllowFileAccess(true) is set on the WebView [enabled by default]

  24. REMOTE THEFT OF SESSION COOKIES
    The malicious app sends an intent with a URL which loads an
    attacker-provided HTML file in the WebView.
    http://attackerdomain.com/symlink/set_cookies.html

  25. set_cookies.html (Base64 decoded)
    JavaScript payload which sends the current document contents to an
    attacker-controlled domain

  26. The attacker domain and cookie get stored in the database file
    'app_webview/Cookies'.

  27. The malicious app creates a symlink with an .html extension (symlink.html)
    to force the WebView to parse the database file as an HTML file.
    ln -s /data/data/com.target/app_webview/Cookies /data/data/com.hack/symlink.html

  28. When the symlink.html file is loaded in the WebView, the JavaScript
    payload is triggered, which sends data to the attacker domain.

  29. REMOTE THEFT OF ALL FILES
    The following are prerequisites:
    • You can load any arbitrary URL in the WebView
    • The target app can read data from external storage
    • setAllowUniversalAccessFromFileURLs(true) is set on the WebView [disabled by default]
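
Added example (not from this deck or the InsecureShop project): a WebView configured so that none of the preconditions listed on slides 14, 23 and 29 hold, with every navigation re-validated rather than only the first load. The activity name, the ALLOWED_HOST value and the "url" query parameter are assumptions.

```kotlin
import android.net.Uri
import android.os.Bundle
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity

// Added example, not InsecureShop code. Host value is an assumed placeholder.
private const val ALLOWED_HOST = "legitimate.com"

private fun isAllowedUrl(url: String): Boolean {
    val uri = Uri.parse(url)
    return uri.scheme == "https" && uri.host == ALLOWED_HOST
}

class HardenedWebViewActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        setContentView(webView)

        with(webView.settings) {
            // Precondition for XSS; leave off unless the page needs it.
            javaScriptEnabled = false
            // Precondition for loading local files, including the symlink.html
            // trick that renders app_webview/Cookies as HTML.
            allowFileAccess = false
            // Preconditions for "remote theft of all files": a file:// page may
            // not read other file:// URLs or reach http(s) origins.
            allowFileAccessFromFileURLs = false
            allowUniversalAccessFromFileURLs = false
            // No content:// loads from arbitrary providers either.
            allowContentAccess = false
        }

        webView.webViewClient = object : WebViewClient() {
            // Re-check every navigation: a redirect from an allowed page would
            // otherwise leave the allowlist. Returning true blocks the load.
            override fun shouldOverrideUrlLoading(
                view: WebView, request: WebResourceRequest
            ): Boolean = !isAllowedUrl(request.url.toString())
        }

        // Only the deep link's "url" parameter decides what is loaded, and only
        // after validation; a rejected link simply closes the screen.
        val target = intent?.data?.getQueryParameter("url")
        if (target != null && isAllowedUrl(target)) webView.loadUrl(target) else finish()
    }
}
```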

  30. EXPLOITING IPC COMPONENTS

  31. ACCESS TO PROTECTED COMPONENTS
    As researched by Oversecured, more than 80% of apps contain this
    vulnerability.
    Developers often create proxy components (activities, broadcast receivers
    and services) that take an embedded Intent and pass it to dangerous methods
    like startActivity(...), sendBroadcast(...), etc.
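
Added example (not InsecureShop code): a proxy Activity of the kind this slide describes, but one that inspects the embedded Intent before forwarding it, so a caller cannot use it to reach the app's non-exported components or to have the app grant access to its own content providers. The extra name "next_intent" and the class name are assumptions.

```kotlin
import android.content.Intent
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity

// Added example, not InsecureShop code. Extra name "next_intent" is assumed.
class ProxyActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val next: Intent? = intent.getParcelableExtra("next_intent")
        if (next != null && isSafeToForward(next)) {
            // Never forward the caller's URI grant flags: with them set it is
            // this app, not the caller, that grants access to its own content
            // providers (the android:grantUriPermissions="true" case).
            next.removeFlags(
                Intent.FLAG_GRANT_READ_URI_PERMISSION or
                    Intent.FLAG_GRANT_WRITE_URI_PERMISSION or
                    Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION or
                    Intent.FLAG_GRANT_PREFIX_URI_PERMISSION
            )
            startActivity(next)
        }
        finish()
    }

    /**
     * The embedded intent may only reach an activity in another app, or an
     * activity of this app that is exported anyway. Letting it reach a
     * non-exported component hands the caller access the manifest denies it.
     */
    private fun isSafeToForward(next: Intent): Boolean {
        val info = next.resolveActivityInfo(packageManager, 0) ?: return false
        return info.packageName != packageName || info.exported
    }
}
```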

  32. EXPORTED ACTIVITY

  33. VULNERABLE CODE

  34. CODE IN A MALICIOUS APP

  35. EXPLOITING IMPLICIT INTENTS

  36. EXPLICIT VS IMPLICIT INTENT
    Explicit: explicitly specifies the name of the component to be invoked;
    we use explicit intents to start a component in our own app.
    Implicit: does not specify the name of the component to start. Instead, it
    declares an action to perform and allows a component from another app to
    handle it.

  37. IMPLICIT INTENT
    Implicit intent used to send a broadcast
    Implicit intent used to launch an activity

  38. INTENT INTERCEPTION (BROADCAST)
    AndroidManifest.xml

  39. INTENT INTERCEPTION (BROADCAST)
    EvilReceiver.java

  40. INTENT INTERCEPTION (BROADCAST)
    • Since Android Oreo, implicit broadcast receivers won't work when
    registered in the AndroidManifest.xml.
    • To use implicit receivers in your application, you need to register them
    programmatically in your code, using registerReceiver().
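
Added example (not from this deck or the InsecureShop project) for slides 36 to 40: a broadcast carrying sensitive data sent so that only our own app can receive it, and a receiver registered at runtime without being exported. The action string, extra name and class names are assumptions; ContextCompat.registerReceiver comes from androidx.core.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import androidx.core.content.ContextCompat

// Added example, not InsecureShop code. Action and extra names are assumed.
const val ACTION_TOKEN_READY = "com.example.app.TOKEN_READY"
private const val EXTRA_TOKEN = "token"

// Sender side. setPackage() restricts delivery to this app, so a receiver in
// another app that declares the same action in its filter (the EvilReceiver
// pattern) is never offered the broadcast, even though an action is still set.
fun sendTokenBroadcast(context: Context, token: String) {
    val intent = Intent(ACTION_TOKEN_READY)
        .setPackage(context.packageName)
        .putExtra(EXTRA_TOKEN, token)
    context.sendBroadcast(intent)
}

// Receiver side. Registered in code (required for this kind of broadcast since
// Oreo, as the slide notes) and flagged RECEIVER_NOT_EXPORTED so that other
// apps cannot send it spoofed intents either. ContextCompat supplies an
// equivalent protection on devices older than API 33.
class TokenReceiver(private val onToken: (String) -> Unit) : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        if (intent.action != ACTION_TOKEN_READY) return
        intent.getStringExtra(EXTRA_TOKEN)?.let(onToken)
    }
}

// Call from onStart(); keep the returned receiver to unregister it in onStop().
fun registerTokenReceiver(context: Context, onToken: (String) -> Unit): TokenReceiver {
    val receiver = TokenReceiver(onToken)
    ContextCompat.registerReceiver(
        context, receiver, IntentFilter(ACTION_TOKEN_READY),
        ContextCompat.RECEIVER_NOT_EXPORTED
    )
    return receiver
}
```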

  41. INTENT INTERCEPTION (BROADCAST) – OREO AND ABOVE
    MainActivity.java

  42. INTENT INTERCEPTION (BROADCAST) – OREO AND ABOVE
    EvilReceiver.java

  43. SUMMARIZING DEMO
    Exploited broadcast receiver
    Loaded untrusted URL in WebView
    Access to content provider with android:grantUriPermissions="true"

  44. SUMMARIZING DEMO (CONTINUED…)
    Insecure use of file paths in FileProvider
    Code execution by overwriting a native library
    Ability to read and overwrite internal app files
    Yet to implement in InsecureShop…

  45. SUMMARIZING DEMO (CONTINUED…)
    Placed a malicious HTML file on the sdcard
    Data exfiltrated to a remote domain
    Malicious HTML file is called via the file:// scheme
    WebView used "setAllowUniversalAccessFromFileURLs=true"

  46. LACK OF SSL VALIDATION
    Android apps are often coded in such a way that they ignore any kind of SSL
    warning and proceed with an attacker-provided certificate. This makes the
    app vulnerable to MITM attacks.
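
Added example (not from this deck or the InsecureShop project): the WebViewClient pattern this slide and slide 55 describe, placed beside the version that keeps certificate validation intact, as a code-review reference. Class names are assumptions.

```kotlin
import android.net.http.SslError
import android.webkit.SslErrorHandler
import android.webkit.WebView
import android.webkit.WebViewClient

// Added example, not InsecureShop code.

// Vulnerable: every certificate error (untrusted issuer, hostname mismatch,
// expiry) is waved through, so a certificate issued by an interception proxy
// is accepted. In static analysis, handler.proceed() inside
// onReceivedSslError is the finding.
class InsecureClient : WebViewClient() {
    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
        handler.proceed()
    }
}

// Hardened: WebViewClient's default already cancels. If the callback is
// overridden at all (for example to log the failure), it must still cancel;
// the user gets no "continue anyway" choice on a failed TLS handshake.
class HardenedClient(private val onTlsFailure: (Int) -> Unit = {}) : WebViewClient() {
    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
        onTlsFailure(error.primaryError)  // e.g. SslError.SSL_UNTRUSTED, SSL_IDMISMATCH
        handler.cancel()
    }
}
```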

  47. COMMON QUESTIONS
    • How are you going to exploit this in a real scenario?
    • How are you going to issue an attacker-provided certificate to the
    Android user and capture the traffic originating from their device?

  48. USING BURP’S INVISIBLE PROXY

  49. USING IPTABLES TO FORWARD TRAFFIC TO BURP

  50. HARDCODED API KEYS AND SECRETS

  51. HARDCODED API KEYS AND SECRETS
    KeyHacks shows ways in which particular API keys found on a bug bounty
    program can be used to check if they are valid.

  52. NUCLEI TEMPLATES

  53. NUCLEI TEMPLATES
    Releasing 40+ nuclei templates to aid mobile security assessments.

  54. TAKEAWAYS
    Most of the time developers don't add scheme and host validation checks,
    or they don't implement them correctly.
    Loading an arbitrary URL in a WebView may give you authentication tokens.
    Also, try to exfiltrate data from the local sandbox to a remote domain
    (depending on the WebView properties enabled). Note that Google has fixed
    the symlink attack as part of the System WebView update, so the symlink
    attack won't work on the latest Android devices or on devices with the
    updated System WebView.
    IPC components can introduce many vulnerabilities if not properly
    configured.

  55. TAKEAWAYS
    Expand your attack surface to non-exported components. Developers often
    pass sensitive data via implicit intents, which can be intercepted by
    other apps on the device.
    MITM vulnerabilities are too common in Android apps. Developers often
    override SSL errors, which makes the app vulnerable to MITM attacks (e.g.
    an unsafe implementation of onReceivedSslError).
    Hardcoding API keys and secrets in mobile apps is common. You must
    understand the purpose of hardcoding these keys: check the API docs and
    see if the keys are supposed to be public or private.

  56. OPTIV RESOURCES
    • InsecureShop App (https://github.com/optiv/Insecureshop)
    • Nuclei Templates (https://github.com/optiv/mobile-nuclei-templates)
    • Optiv Source Zero Blog (https://www.optiv.com/insights/source-zero)

  57. ADDITIONAL RESOURCES
    • https://github.com/streaak/keyhacks
    • https://hackerone.com/reports/431002
    • https://blog.oversecured.com/Interception-of-Android-implicit-intents
    • https://blog.oversecured.com/Evernote-Universal-XSS-theft-of-all-cookies-from-all-sites-and-more
    • https://blog.mzfr.me/posts/2020-11-07-exported-activities/
    • https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105
