Pre-installed Android application poisoning #appsecapac2014

Transcript

1. Pre-installed Android application poisoning 2013/03/20 Yoshitaka Kato

2. Whoami • Yoshitaka Kato/Ճ౻ ٛొ • ೔ຊHP ΤϯλʔϓϥΠζαʔϏεຊ෦ɹγχΞηΩϡϦςΟίϯαϧλϯτ • Hewlett-packard

   Japan, Senior Security Consultant, Enterprise Security Services ! • APJ஍ҬͰͷΠϯγσϯτϨεϙϯεαʔϏε΍ϖωτϨʔγϣϯςεταʔϏε Λ୲౰ɻ • In charge of Incident Response services and penetration testing services in APJ region. ! • ϓϥΠϕʔτͰ͸εϚϑΥΞϓϦΛ͍͍ͬͯ͡·͢ɻ • Smartphone application geek in personal life ! • CTF΋޷͖Ͱ͢ɻ/ CTF Player Preinstalled Android Application Poisoning 2

3. Agenda • ֓ཁ / Overview • ংষ / Prologue •

   ৽͍͠ϋοΩϯάख๏ͷ঺հ /Introduction of new hacking practice • Pre-Installed application poisoning 3 Preinstalled Android Application Poisoning

4. Overview • AndroidΞϓϦέʔγϣϯͷ৽͍͠վ͟Μख๏ͷ঺հ • New manipulation technic for builded Android

   application. • ͦͷख๏Λར༻ͨ͠ΞϓϦղੳख๏ɺ߈ܸख๏ (Application poisoning)ͷ঺հ • New analysis and attack technics using this technic.(Application poisoning) 4 Preinstalled Android Application Poisoning

5. ংষ/Prologue
   AndroidΞϓϦέʔγϣϯղੳ/վ͟Μͷݱঢ়
   The present common analysis/manipulation technics for builded Android

   application 5 Preinstalled Android Application Poisoning Prologue

6. ͳͥϋοΧʔ͸AndroidΞϓϦΛվ͟Μ͢Δͷ͔ʁ
   Why do we analyze/manipulate builded Android application? • ηΩϡϦςΟௐࠪͷͨΊ

   / For security research. • ࢖͍উख޲্ͷͨΊ / For improvement of usability. • ߈ܸͷͨΊʢ΢ΠϧεΞϓϦͷ࡞੒ʣ / For attacks. (e.g. Trojan) • ͦͷଞ / Other 6 Preinstalled Android Application Poisoning Prologue

7. APKϑΝΠϧͷೖख Obtaining .apk file ͜ͷաఔͰ࢖༻͢Δπʔϧ/necessary tools in these steps -

   apktool(smali, baksmali) - AXMLparser - ddx - dex2jar - jad,jd - keytool/jarsigner : ݱঢ়ͷAndroidΞϓϦվ͟Μεςοϓ The present common manipulation steps 7 Preinstalled Android Application Poisoning Prologue APKϑΝΠϧͷల։ Extracting .apk file σίϯύΠϧ De-compile վ͟Μ Manipulation apkϑΝΠϧʹύοΫ Pack in .apk file APKϑΝΠϧʹॺ໊ Sign to .apk file ΞϯΠϯετʔϧɺ Πϯετʔϧ uninstall, install

8. ͳͥվ͟Μʹ͸͜Μͳʹଟ͘ͷεςοϓ͕ඞཁͳͷ͔ʁ
   Why do we need to do such a so

   many steps? -apkϑΝΠϧͷߏ଄͸ͪΐͬͱෳࡶ -apk file structure is a bit complicated ࣮ߦόΠφϦɻվ͟Μ͢ΔͨΊʹsmaliͰల։͕ඞཁ /binary, it needs to be extract by smali for manipulation ѹॖ͞Ε͍ͯΔ/compressed ॺ໊͞Ε͍ͯΔ/signed Τϯίʔυ͞Ε͍ͯΔ/encoded 8 Preinstalled Android Application Poisoning Prologue

9. dexϑΝΠϧͱ͸? dex file? .dex file.... Compiled Android application code file.

   Android programs are compiled into .dex (Dalvik Executable) files, which are in turn zipped into a single .apk file on the device. .dex files can be created by automatically translating compiled applications written in the Java programming language. http://developer.android.com/guide/appendix/glossary.html http://www.scriptol.com/programming/dalvik.php 9 Preinstalled Android Application Poisoning Prologue

10. • ͱʹ͔͘εςοϓ͕ଟͯ͘໘౗͍͘͞ɻπʔϧ΋େਿɻ • Troublesome. so many steps, so many tools.

    • baksmali(smaliܗ͔ࣜΒdexϑΝΠϧ΁ͷม׵)͕Αࣦ͘ഊ͢Δ • baksmali(convert smali format to dex file) often fails. • ϓϦΠϯετʔϧΞϓϦ͸ΞϯΠϯετʔϧͰ͖ͳ͍ͷͰɺஔ͖׵͑Ͱ͖ͳ͍ • Pre-install applications can’t be replaced to manipulated apps because it’s not uninstallable. • ࠶ॺ໊ʹΑΓɺॺ໊͕มߋ͞Εͯ͠·͏ɻ • Original signature would be changed by re-sign. ݱঢ়ͷAndroidΞϓϦվ͟Μख๏ͷ՝୊
    Problems for the present common manipulation technic 10 Preinstalled Android Application Poisoning Prologue

11. • Android Manifest.xmlͰఆٛͰ͖ΔηΩϡϦςΟϨϕϧ • Security model which can be defined

    in AndroidManifest.xml • ॺ໊ʹΑΔηΩϡϦςΟϞσϧʹΑΓɺΞϓϦؒͷΞΫηεʢ࿈ܞʣ੍ݶΛߦ͏͜ͱ ͕Մೳɻ • This security model can restrict access(combination) between applications. • ॺ໊͕มߋ͞Εͯ͠·͏ͱΞϓϦؒͷΞΫηγϏϦςΟΛࣦ͍ɺͦͷػೳ͕ར༻Ͱ͖ ͳ͍έʔε͕͋Γ • If a signature would be changed, an application may lose accessibility to another application. ॺ໊ʹΑΔηΩϡϦςΟϞσϧ Security model by signature 11 Preinstalled Android Application Poisoning Prologue

12. • ͱʹ͔͘εςοϓ͕ଟͯ͘໘౗͍͘͞ɻπʔϧ΋େਿɻ • Troublesome. so many steps, so many tools.

    • baksmali(smaliܗ͔ࣜΒdexϑΝΠϧ΁ͷม׵)͕Αࣦ͘ഊ͢Δ • baksmali(convert smali format to dex file) often fails. • ϓϦΠϯετʔϧΞϓϦ͸ΞϯΠϯετʔϧͰ͖ͳ͍ͷͰɺஔ͖׵͑Ͱ͖ͳ͍ • Pre-install applications can’t be replaced to manipulated apps because it’s not uninstallable. • ࠶ॺ໊ʹΑΓɺॺ໊͕มߋ͞Εͯ͠·͏ɻ • Original signature would be changed by re-sign. ݱঢ়ͷAndroidΞϓϦվ͟Μख๏ͷ՝୊
    Problems for the present common manipulation technic 12 Preinstalled Android Application Poisoning Prologue

13. ৽͍͠ϋοΩϯάख๏ͷ঺հ
    Introduction of new hacking practice 13 Preinstalled Android Application

    Poisoning

14. ֓ཁ/Overview • ৽͍͠ख๏ʢগͳ͘ͱ΋WebͰ͸ݟͳ͍ʣ • New approach, I’ve never seen on

    web at least. • rootԽඞਢʂʂͰ΋ϋοΧʔʹ͸Կͷ໰୊΋ͳ͍ɺΑͶʁ • root must be needed!! But it doesn’t matter for hackers, don’t it? • Android୺຤্ͷ࣮ߦόΠφϦͷΩϟογϡʢ.odexʣΛ௚઀վ͟Μ͢Δख๏ • The technic it to manipulate cached binary(.odex) on Android directly. 14 Preinstalled Android Application Poisoning Practice

15. Odex? In short, an odex file is an optimized version

    of a classes.dex file that has optimizations that are device specific. http://code.google.com/p/smali/wiki/DeodexInstructions 15 Preinstalled Android Application Poisoning Practice dex install odex odex odex

16. Where is Odexʁ • /system/app/ or /data/dalvik-cache/ • γεςϜΞϓϦ͸લऀ·ͨ͸ޙऀʹɺϢʔβʔΞϓϦ͸ޙऀʹ͋Δ •

    system applications including preinstalled applications exist both, user application exit latter • ࠓճͷλʔήοτ͸ޙऀ / In this presentation, The target is latter place. 16 Preinstalled Android Application Poisoning Practice

17. .dexͷߏ଄
    .dex file format http://source.android.com/devices/tech/dalvik/dex-format.html odex͸एׯҟͳΔ͕ɺυΩϡϝ ϯτԽ͞Ε͍ͯͳ͍ͬΆ͍ʢ୭ ͔஌Βͳ͍ʁʣ odex file

    format is a bit different to dex format, and It might be not documented. (Does anybody know it ?) 17 Preinstalled Android Application Poisoning Practice

18. odexϑΝΠϧͷվ͟Μख๏
    odex manipulation technic • ࢖༻͢Δπʔϧ - dexdump͚ͩʂʂ • tool

    - dexdump only. • dexdump͸Android SDKʹؚ·ΕΔπʔϧ • dexdump is included in Android SDK. • objdumpΈ͍ͨͳπʔϧ • it’s like a objdump. 18 Practice Preinstalled Android Application Poisoning

19. dexdump 19 Preinstalled Android Application Poisoning Practice

20. dalvik-opcode http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html 20 Preinstalled Android Application Poisoning Practice

21. վ͟Μͷεςοϓ
    manipulation steps 1.odexΛऔಘ 1.obtaining odex file 2.dexdumpʹͯվ͟Μ 2.manipulation by

    dexdump 2-1.վ͟Μ͢ΔՕॴΛಛఆ 2-1.Identify the place for manipulation 2-2.վ͟ΜʢόΠφϦύονϯάʣ 2-2.Manipulation.(binary patching) 2-3.νΣοΫαϜΛ࠶ܭࢉ (*optional) 2-3.Re-calculate checksum ! 3.Android ্ͷϑΝΠϧʹ্ॻ͖ίϐʔʢΠϯετʔϧͰ͸ͳ ͘ʣ 3.Overwrite copy to Android. 4.࠶ىಈ/reboot 21 Preinstalled Android Application Poisoning Practice

22. Checksum • dex΍odexϑΝΠϧͷϔομʔʹ͸νΣοΫαϜ͕͋Δʢ༻్ෆ໌ɺAdler-32ʣ • dex/odex file has its checksum in

    header.(usage unknown, Adler-32) ! ! ! ! • dexdump͕νΣοΫαϜΛ࠶ܭࢉͯ͘͠ΕΔͷͰɺͦͷ஋Λ্ॻ͖͢Ε͹OK • dexdump can calculate checksum after manipulation, it should be OK to overwrite it. 22 Preinstalled Android Application Poisoning Practice

23. Demonstration • ϙοϓΞοϓ͕දࣔ͞Εͯऴྃͯ͠͠·͏ΞϓϦέʔγϣϯ • The application which show a popup

    dialog and exit immediately. • վ͟Μͯ͠ɺϙοϓΞοϓ͕දࣔ͞Εͳ͍(ऴྃ͠ͳ͍)Α͏ʹ͢Δɻ • Avoid popup and exit by manipulation. 23 Preinstalled Android Application Poisoning Practice

24. վ͟Μͷεςοϓ(again)
    manipulation steps 1.odexΛऔಘ 1.obtaining odex file 2.dexdumpʹͯվ͟Μ 2.manipulation by

    dexdump 2-1.վ͟Μ͢ΔՕॴΛಛఆ 2-1.Identify the place for manipulation 2-2.վ͟ΜʢόΠφϦύονϯάʣ 2-2.Manipulation.(binary patching) 2-3.νΣοΫαϜΛ࠶ܭࢉ (*optional) 2-3.Re-calculate checksum ! 3.Android ্ͷϑΝΠϧʹ্ॻ͖ίϐʔʢΠϯετʔϧͰ͸ͳ ͘ʣ 3.Overwrite copy to Android. 4.࠶ىಈ/reboot 24 Preinstalled Android Application Poisoning Practice

25. ར఺/advantage • ؆୯!! / easier • ॺ໊͕มߋ͞Εͳ͍ • The signature

    is not changed. • dalvik-cache্ͷodexϑΝΠϧΛ࡟আ͢Δ͜ͱͰɺ؆ ୯ʹݩͷঢ়ଶʹ໭ͤΔɻʢodex͕࠶ੜ੒͞ΕΔʣ • Easily rollback by deleting odex file on dalvik- cache.(odex would be re-generate) 25 Preinstalled Android Application Poisoning Practice

26. ख๏ʹ໊લΛ͚ͭͨ / name this technic ... Installed application poisoning 26

    Preinstalled Android Application Poisoning Practice

27. Installed application poisoning
    practical use case 27 Preinstalled Android Application

    Poisoning

28. ͜ͷख๏Λ࢖ͬͨղੳํ๏ɹͦͷ̍
    practical use case part 1 • ΞϓϦέʔγϣϯΛಈతղੳ͢ΔࡍɺϩάΛ͸͔ͤΔͱղੳͷޮ཰্͕͕Δɻ • For

    a dynamic analysis of application, Log output would be effective. • ΞϓϦέʔγϣϯʹ͸σόοά༻ͷϩάΫϥε͕࢒͍ͬͯΔ͜ͱ͕ଟ͍ɻ • Logging functionality would be exist in a lot of released application. • ͦΕΛѱ༻͢Δɻ • Then, abuse it. 28 Preinstalled Android Application Poisoning Use case

29. Α͋͘Δϩάग़ྗΫϥε / Common Log class Debug FlagʹΑͬͯग़ྗΛίϯτϩʔϧ ͍ͯ͠Δ/ Log output

    is controlled by debug flag ̏ͭͷϩάग़ྗؔ਺/ Three log output functions 29 Preinstalled Android Application Poisoning Use case

30. Flag manipulation
    ϩάΫϥεͷdexdump / dexdump of log class 30 Use

    case Preinstalled Android Application Poisoning want to change it to 1

31. 31 Preinstalled Android Application Poisoning Use case Flag manipulation
    ϩάΫϥεͷdexdump

    / dexdump of log class

32. 32 Preinstalled Android Application Poisoning Use case Flag manipulation
    ϩάΫϥεͷdexdump

    / dexdump of log class

33. 33 Use case Practical use case 2 ࠶౓Α͋͘Δϩάग़ྗΫϥε / Common

    Log class again Error log͚ͩ͸Debug flagͱ ؔ܎ͳ͘ग़ྗ͞ΕΔ Error log would be outputted regardless of Debug flag Preinstalled Android Application Poisoning

34. 34 Preinstalled Android Application Poisoning Use case Function pointer manipulation
    

    ϩάؔ਺Λcall͢ΔΫϥεͷdexdump / dexdump of the class that call log functions Function pointer. it can be changed to arbitrary function

35. 35 Preinstalled Android Application Poisoning Use case Function pointer manipulation

    point to same function.(error log)

36. 36 Preinstalled Android Application Poisoning Use case Function pointer manipulation

    ErrorLog ErrorLog

37. 37 Preinstalled Android Application Poisoning Use case Practical use case

    3 Functionality manipulation some email application

38. 38 Preinstalled Android Application Poisoning Use case dexdump for try

    - exception flow normal case Return to invoker

39. 39 Preinstalled Android Application Poisoning Use case dexdump for try

    - exception flow exception case exception occurred exception occurred Return to invoker

40. 40 Preinstalled Android Application Poisoning Use case ͜͜Ͱͪΐͬͱߟ͑ͨ/Then I thought..

    • exception۟ͷதͷLogؔ਺Λ࢖ͬͯɺσʔλʢ͜ͷ৔߹ɺύεϫʔυͱIDʣΛϩ άग़ྗͰ͖ͳ͍ͩΖ͏͔ʁ • Can we output datas(in this case, ID and Password) using Log function in exception? - exception࣌ͷॲཧΛਖ਼ৗܥͰ΋ͤͯ͞ - The process for exception would be done in normal case, - Logؔ਺ͷҾ਺ʹσʔλΛ౉ͯ͠΍Ε͹ - Then, Give datas to arguments for Log function, ! • Ͱ͖Δ͔ʁɹCan we do this?

41. 41 Preinstalled Android Application Poisoning Use case Return to invoker

    dexdump for try - exception flow manipulation 1

42. 42 Preinstalled Android Application Poisoning Use case dexdump for try

    - exception flow manipulation 2

43. 43 Preinstalled Android Application Poisoning Use case dexdump for try

    - exception flow manipulation completed!!

44. Pre-installed application poisoning
    practical attack use case 44 Preinstalled Android

    Application Poisoning

45. • ΞϓϦ಺ͷจࣈྻΛվ͟Μ͢Δɻ • strings manipulation technic. • ΞϓϦ಺ͷจࣈྻʹ͸ΞϓϦ͕࢖༻͢ΔAPIͷURLؚ͕·Ε͍ͯΔ͜ͱ͕ଟ͍ • Many

    applications have URL strings which would be used for Web API. • URLͷจࣈྻΛվ͟Μ͠ɺຊདྷͱ͸ҟͳΔαʔόʹ઀ଓͤ͞Δ͜ͱͰ MITM(Man In The Middle)߈ܸΛ੒ཱͤ͞Δɻ • MITM(Man In The Middle) attack would be executed by be connected manipulated URL. 45 Preinstalled Android Application Poisoning Use case for attack Pre-installed application poisoning concept

46. https://www.facebook.com/ https://www.facebook.com/ poisoned normal 46 Preinstalled Android Application Poisoning Pre-installed

    application poisoning overview Use case for attack https://www.facebook.com/ facebook application poisoned URL Attacker’s server

47. • dex಺Ͱ͸จࣈྻ͕ιʔτ͞Εͨ഑ྻͱͯ͠อ࣋͞Εɺιʔτ่͕Εͯ͠·͏ͱΤ ϥʔͱͳͬͯ͠·͏ɻ • Strings have been hold with sorted

    in dex/odex, Then if sort would be corrupted, It would be error. ! ! • ͞Βʹؔ਺಺ͰจࣈྻΛ࢖༻͢Δࡍ͸ɺ഑ྻ൪߸Λࢦఆ͍ͯ͠ΔͨΊɺॻ͖׵͑ޙ࠶ ιʔτͯ͠͠·͏ͱશମ΁ͷมߋ͕ඞཁͱͳΔɻ • And also, A string is specified by sort number when function use it, so Re- sort after manipulation would not be a realistic approach 47 Preinstalled Android Application Poisoning Use case for attack Notice: Strings manipulation

48. • վ͟Μ༻ͷΞϓϦΛ࡞ͬͯΈ·ͨ͠ɻͦͷ໊΋ʮStrings poisonerʯ • I made an application for manipulation,

    “Strings poisoner”. • վ͟Μʹ͸ύιίϯ͕ඞཁͳ͍ɻ • No need pc poisoning. • ΢ΠϧεΞϓϦͷಈ͖Λ૝ఆ͍ͯ͠·͢ɻ • Assuming Virus attraction. 48 Use case for attack Preinstalled Android Application Poisoning Demonstration

49. 49 Use case for attack Preinstalled Android Application Poisoning Demonstration

    steps https://www.facebook.com/ https://www.facebooj.com/ poisoned normal https://www.facebook.com/ facebook application Attacker’s server, facebooj.com Strings Poisoner facebook facebooj ᶃ ᶄ ᶅ ᶆ ᶇ

50. • ߈ܸΞϓϦΛΞϯΠϯετʔϧͯ͠΋߈ܸ͕ଓ͘ • still under attack if malicious application would

    be uninstalled. • unrootͯ͠΋ଓ͘ • still under attack if Android devices would be unrooted • ϓϦΠϯετʔϧΞϓϦ͸म෮Ͱ͖ͳ͍ɻ޻৔ग़ՙ࣌ʹ໭͞ͳ͍ͱɻ • Pre-install application can not be fixed because it’s not uninstallable. 50 Preinstalled Android Application Poisoning Use case for attack Pre-installed application poisoning point

51. • ϑϥάͷվ͟Μ / Flag manipulation • ؔ਺ϙΠϯλͷվ͟Μ / Function pointer

    manipulation • ؔ਺ͷվ͟Μ / Functionality manipulation • จࣈྻͷվ͟Μ / Strings manipulation • จࣈྻͷϙΠϯλͷվ͟Μ΋Ͱ͖·͢ɻ/ Possibly Strings pointer manipulation 51 Preinstalled Android Application Poisoning Use case for attack Pre-installed application poisoning use case summary

52. Pre-installed Android application poisoning ๏pros – ࠓ·ͰΑΓ؆୯ͳख๏ / easier technic.

    – ࢖͍ํʹΑͬͯ͸ղੳ΍߈ܸʹ࢖͑ΔϋοΧʔͷख๏ /Hacker’s technic for analysis(white hacker) or attack(black hacker). ๏cons – େ͖ͳվ͟Μ͸޲͔ͳ͍ / not suitable for big manipulation. – odex͸σόΠε͝ͱʹҟͳΔͷͰɺվ͟ΜՕॴ΍ํ๏͕ҟͳΔɻ/ odex is device specific file. manipulation target and method would be changed each odex file. 52 Preinstalled Android Application Poisoning Conclusion

53. Thank you!! Question? [email protected] [email protected] 53 Preinstalled Android Application Poisoning