Slide 1

DEEP DIVE INTO ANDROID STATIC ANALYSIS AND EXPLOITATION

Gaurang Bhatnagar

Slide 2

ABOUT THE RESEARCH
• Case studies from popular applications
• Mainly focused on custom URI schemes and WebView exploitation
• Performed code review on popular applications (100+)
• Found interesting scenarios and misconfigurations

Slide 3

PROJECT - INSECURESHOP

Slide 4

PROJECT - INSECURESHOP
• Vulnerable Android app built in Kotlin
• Real-world vulnerabilities
• Based on my research on URI scheme and WebView exploitation
• Replicates vulnerabilities disclosed by well-known mobile researchers

Slide 5

DEEPLINKS

Slide 6

WHAT ARE DEEPLINKS?
• Deeplinks are specific URIs that send users directly to a specific point in the app, rather than opening an external website
• They help users navigate between web and mobile apps

Slide 7

DEEPLINK COMPONENTS

Slide 8

TRIGGERING DEEPLINKS IN ANDROID

Slide 9

TRIGGERING DEEPLINKS IN IOS

Slide 10

FINDING SCHEMES AND AUTHORITY
AndroidManifest.xml

Slide 11

FINDING PATHS AND QUERY PARAMETERS
Defined paths within a specific class

Slide 12

FINDING PATHS AND QUERY PARAMETERS
Defined paths within a specific class

Slide 13

JOINING THE PIECES TOGETHER

Slide 14

LOADING ARBITRARY URLS IN WEBVIEW

Slide 15

DEEPLINK ABUSE IMPACT
• XSS: possible if setJavaScriptEnabled(true) is set on the WebView.
• Theft of auth tokens: may result in account takeover if authentication tokens are passed to websites that are opened in the WebView.
• Phishing: possible if you can load any arbitrary URL in the WebView.
• Loading local files in the WebView: possible if setAllowFileAccess(true) is set on the WebView.
• DoS: possible if a malformed deeplink can be used to crash the application.

Slide 16

THEFT OF AUTH TOKENS

Slide 17

INSECURE HOST VALIDATION

Slide 18

INSECURE HOST VALIDATION

Slide 19

CVE-2017-13274
• There was a problem in the android.net.Uri and java.net.URI parsers: they don't recognize backslashes in the authority part.
  Payload: http://attacker.com\\\\@legitimate.com/smth
• CVE-2017-13274 was fixed for API level 28 and above.

Slide 20

INSECURE SCHEME VALIDATION

Slide 21

OAUTH ATTACK VECTOR – REDIRECT URI
Developers often fail to validate the redirect URI parameter, thus allowing attackers to steal access tokens. A lack of scheme validation may also lead to a leak of access tokens.
Redirect URLs are a critical part of the OAuth flow. After a user successfully authorizes an application, the authorization server redirects the user back to the application with either an authorization code or an access token in the URL.
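The host and scheme checks from slides 17 to 21 together with the WebView flags from slide 15, as an added Kotlin example that is not from the deck or from InsecureShop: a weak host check beside a strict one, and the WebView settings that remove the listed preconditions. The host names, the deeplink scheme and the function names are placeholders.

```kotlin
import android.net.Uri
import android.webkit.WebView

// Hosts this app is willing to render in its WebView (placeholder names, not InsecureShop's).
private val ALLOWED_HOSTS = setOf("www.insecureshop.example", "insecureshop.example")

// Host validation that fails: substring and suffix checks on the raw string.
// "https://attacker.example/?next=insecureshop.example" passes the first test,
// "https://insecureshop.example.attacker.example" passes the second.
fun isTrustedUrlWeak(url: String): Boolean =
    url.contains("insecureshop.example") ||
        Uri.parse(url).host?.endsWith("insecureshop.example") == true

// Hardened check: exact scheme, exact host from the allowlist, no userinfo, and no
// backslash before the path, so a pre-API-28 parser (CVE-2017-13274) cannot be made
// to report "legitimate.com" as the host of "http://attacker.com\@legitimate.com/smth".
fun isTrustedUrl(url: String): Boolean {
    val uri = Uri.parse(url)
    if (uri.scheme != "https") return false          // rejects http, javascript:, file:, intent:
    if (uri.userInfo != null) return false           // "anything@host" is never expected here
    val host = uri.host?.lowercase() ?: return false
    if (host !in ALLOWED_HOSTS) return false
    val rawAuthority = url.substringAfter("://").substringBefore('/')
    return !rawAuthority.contains('\\')              // checked on the raw string, not the parser's view
}

// WebView settings that remove the preconditions listed on the impact slide. Each
// flag is set explicitly because the defaults differ between API levels.
fun hardenWebView(webView: WebView) = with(webView.settings) {
    javaScriptEnabled = false                 // enable only for pages that really need it (XSS impact)
    allowFileAccess = false                   // no file:// loads (local file read / symlink path)
    allowFileAccessFromFileURLs = false       // no scripting between file:// documents
    allowUniversalAccessFromFileURLs = false  // removes the "theft of all files" prerequisite
}

// Entry point for a deeplink such as insecureshop://web?url=... (placeholder scheme).
// Returns false when the URL was refused, so the caller can fall back to a safe screen.
fun openDeeplinkUrl(webView: WebView, url: String?): Boolean {
    if (url == null || !isTrustedUrl(url)) return false
    hardenWebView(webView)
    webView.loadUrl(url)
    return true
}
```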

Slide 22

CREATING AN APP WITH A CUSTOM SCHEME
AndroidManifest.xml
MainActivity.java

Slide 23

SYMLINK ATTACK

Slide 24

REMOTE THEFT OF SESSION COOKIES
Pre-requisites:
• You can load any arbitrary URL in the WebView
• setJavaScriptEnabled(true) is set on the WebView [disabled by default]
• setAllowFileAccess(true) is set on the WebView [enabled by default]

Slide 25

REMOTE THEFT OF SESSION COOKIES
The malicious app sends an intent with a URL that loads an attacker-provided HTML file in the WebView:
http://attackerdomain.com/symlink/set_cookies.html

Slide 26

Base64-decoded set_cookies.html (JavaScript payload which sends the current document contents to the attacker-controlled domain)

Slide 27

The attacker domain and cookie get stored in the database file ‘app_webview/Cookies’.

Slide 28

The malicious app creates a symlink with an .html extension (symlink.html) to force the WebView to parse the database file as an HTML file:
ln -s /data/data/com.target/app_webview/Cookies /data/data/com.hack/symlink.html

Slide 29

When symlink.html is loaded in the WebView, the JavaScript payload is triggered, which sends the data to the attacker domain.

Slide 30

Slide 31

REMOTE THEFT OF ALL FILES
Pre-requisites:
• You can load any arbitrary URL in the WebView
• The target app can read data from external storage
• setAllowUniversalAccessFromFileURLs(true) is set on the WebView [disabled by default]

Slide 32

Slide 33

Slide 34

EXPLOITING IPC COMPONENTS

Slide 35

ACCESS TO PROTECTED COMPONENTS
As researched by Oversecured, more than 80% of apps were found to contain this vulnerability. Developers often create proxy components (activities, broadcast receivers and services) that take an embedded Intent and pass it to dangerous methods like startActivity(...), sendBroadcast(...), etc.
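An added Kotlin example, not InsecureShop's code, of the proxy pattern described above beside a hardened version that forwards only allowlisted explicit intents and strips URI permission grants; the package, class and extra names are placeholders.

```kotlin
import android.app.Activity
import android.content.ComponentName
import android.content.Intent
import android.os.Bundle

private const val EXTRA_EMBEDDED_INTENT = "extra_intent"   // placeholder extra name

// Proxy pattern from the slide: whatever Intent arrives in the extra is re-sent with this
// app's identity, so non-exported activities (and grantUriPermissions providers) of this
// app become reachable from any other app on the device.
class ProxyActivityVulnerable : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val embedded = intent.getParcelableExtra<Intent>(EXTRA_EMBEDDED_INTENT)
        if (embedded != null) startActivity(embedded)
        finish()
    }
}

// Hardened proxy: only explicit intents naming an allowlisted component are forwarded,
// and URI permission grants are removed so a caller cannot borrow this app's access.
class ProxyActivity : Activity() {
    private val allowedTargets = setOf(   // placeholder component names
        ComponentName("com.example.shop", "com.example.shop.ProductActivity"),
        ComponentName("com.example.shop", "com.example.shop.CartActivity"),
    )

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val embedded = intent.getParcelableExtra<Intent>(EXTRA_EMBEDDED_INTENT)
        if (embedded != null && isSafeToForward(embedded)) startActivity(embedded)
        finish()
    }

    // Returns true only for an explicit intent whose target is on the allowlist.
    private fun isSafeToForward(target: Intent): Boolean {
        val component = target.component ?: return false   // implicit intents are refused
        if (component !in allowedTargets) return false
        if (target.selector != null) return false           // no alternate resolution path
        val grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION or
            Intent.FLAG_GRANT_WRITE_URI_PERMISSION or
            Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION or
            Intent.FLAG_GRANT_PREFIX_URI_PERMISSION
        target.flags = target.flags and grantFlags.inv()
        return true
    }
}
```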

Slide 36

Slide 37

EXPORTED ACTIVITY

Slide 38

VULNERABLE CODE

Slide 39

CODE IN A MALICIOUS APP

Slide 40

EXPLOITING IMPLICIT INTENTS

Slide 41

EXPLICIT VS IMPLICIT INTENT
• Explicit: explicitly specifies the name of the component to be invoked; we use explicit intents to start a component in our own app.
• Implicit: does not specify the name of the component to start. Instead, it declares an action to perform and allows a component from another app to handle it.

Slide 42

IMPLICIT INTENT
• Implicit intent used to send a broadcast
• Implicit intent used to launch an activity

Slide 43

INTENT INTERCEPTION (BROADCAST)
AndroidManifest.xml

Slide 44

INTENT INTERCEPTION (BROADCAST)
EvilReceiver.java

Slide 45

INTENT INTERCEPTION (BROADCAST)
• Since Android Oreo, implicit broadcast receivers won't work when registered in the AndroidManifest.xml.
• To use implicit receivers in your application, you need to define them programmatically in your code, using registerReceiver().

Slide 46

INTENT INTERCEPTION (BROADCAST) – OREO AND ABOVE
MainActivity.java

Slide 47

INTENT INTERCEPTION (BROADCAST) – OREO AND ABOVE
EvilReceiver.java
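Added Kotlin example (not from the deck) of the sender-side and receiver-side fixes for the interception shown on slides 41 to 47: pinning the broadcast to the app's own package and registering the receiver so other apps cannot reach it. The action and permission names are placeholders.

```kotlin
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.os.Build

const val ACTION_LOGIN_DONE = "com.example.shop.LOGIN_DONE"                  // placeholder action
const val PERMISSION_INTERNAL = "com.example.shop.permission.INTERNAL"       // placeholder permission

// Vulnerable: an implicit broadcast. Every app with a matching <intent-filter>
// (or a runtime-registered receiver on Oreo and above) receives the session token.
fun announceLoginVulnerable(context: Context, token: String) {
    context.sendBroadcast(Intent(ACTION_LOGIN_DONE).putExtra("auth_token", token))
}

// Fixed: make the intent explicit by pinning it to our own package, so the system
// delivers it only to receivers declared or registered by this app.
fun announceLogin(context: Context, token: String) {
    val intent = Intent(ACTION_LOGIN_DONE)
        .setPackage(context.packageName)
        .putExtra("auth_token", token)
    context.sendBroadcast(intent)
}

// Receiver side: register at runtime (required on Oreo and above for implicit actions)
// and keep it unreachable from other apps, so nobody can inject a spoofed LOGIN_DONE.
fun registerLoginReceiver(context: Context, receiver: BroadcastReceiver) {
    val filter = IntentFilter(ACTION_LOGIN_DONE)
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
        // API 33+: runtime receivers must state whether they are exported.
        context.registerReceiver(receiver, filter, Context.RECEIVER_NOT_EXPORTED)
    } else {
        // Older releases have no export flag for runtime receivers, so require a
        // signature-level permission (declared in the manifest) from any sender.
        context.registerReceiver(receiver, filter, PERMISSION_INTERNAL, null)
    }
}
```

The app itself must declare PERMISSION_INTERNAL with protectionLevel "signature" and hold it via uses-permission, otherwise its own broadcasts are dropped on the pre-33 path.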

Slide 48

DEMO TIME

Slide 49

SUMMARIZING DEMO
• Exploited broadcast receiver
• Loaded untrusted URL in WebView
• Access to content provider with android:grantUriPermissions="true"

Slide 50

SUMMARIZING DEMO (CONTINUED…)
• Insecure use of file paths in FileProvider
• Code execution by overwriting a native library
• Ability to read and overwrite internal app files
• Yet to implement in InsecureShop…

Slide 51

SUMMARIZING DEMO (CONTINUED…)
• Placed a malicious HTML file on the sdcard
• Data exfiltrated to a remote domain
• Malicious HTML file is called via the file:// scheme
• WebView used setAllowUniversalAccessFromFileURLs=true

Slide 52

MITM FLAWS

Slide 53

LACK OF SSL VALIDATION
Android apps are often coded in such a way that they ignore any kind of SSL warning and proceed with an attacker-provided certificate. This makes an app vulnerable to MITM attacks.
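Added Kotlin example, not from the deck, of the lenient onReceivedSslError override that produces this flaw beside a client that keeps the platform's fail-closed behaviour and reports why the handshake failed; the class names and the callback parameter are placeholders.

```kotlin
import android.net.http.SslError
import android.webkit.SslErrorHandler
import android.webkit.WebView
import android.webkit.WebViewClient

// Pattern seen in many apps: every certificate error is waved through, so a proxy
// presenting its own certificate can read and modify all of the WebView's traffic.
class LenientWebViewClient : WebViewClient() {
    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
        handler.proceed()
    }
}

// Fixed: cancel the load (the platform default) and hand a readable reason to the
// caller, so genuine certificate problems get debugged instead of bypassed.
class StrictWebViewClient(private val onTlsFailure: (String) -> Unit) : WebViewClient() {
    override fun onReceivedSslError(view: WebView, handler: SslErrorHandler, error: SslError) {
        onTlsFailure(describeSslError(error))
        handler.cancel()
    }
}

// Maps the primary error code of an SslError to a short explanation.
fun describeSslError(error: SslError): String {
    val reason = when (error.primaryError) {
        SslError.SSL_UNTRUSTED -> "certificate authority is not trusted"
        SslError.SSL_IDMISMATCH -> "hostname does not match the certificate"
        SslError.SSL_EXPIRED -> "certificate has expired"
        SslError.SSL_NOTYETVALID -> "certificate is not yet valid"
        SslError.SSL_DATE_INVALID -> "certificate date is invalid"
        SslError.SSL_INVALID -> "generic certificate error"
        else -> "unknown certificate error (${error.primaryError})"
    }
    return "TLS failure for ${error.url}: $reason"
}
```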

Slide 54

Slide 55

COMMON QUESTIONS
• How are you going to exploit this in a real scenario?
• How are you going to issue an attacker-provided certificate to the Android user and capture the traffic originating from their device?

Slide 56

USING BURP’S INVISIBLE PROXY

Slide 57

USING IPTABLES TO FORWARD TRAFFIC TO BURP

Slide 58

HARDCODED API KEYS AND SECRETS

Slide 59

HARDCODED API KEYS AND SECRETS
KeyHacks shows ways in which particular API keys found on a bug bounty program can be used to check if they are valid.

Slide 60

NUCLEI TEMPLATES

Slide 61

NUCLEI TEMPLATES
Releasing 40+ nuclei templates to aid mobile security assessments.

Slide 62

TAKEAWAYS

Slide 63

TAKEAWAYS
• Most of the time developers don't add scheme and host validation checks, or they don't implement them correctly.
• Loading an arbitrary URL in the WebView may give you authentication tokens. Also, try to exfiltrate data from the local sandbox to a remote domain (depending on the WebView properties enabled).
• Note: Google has fixed the symlink attack as part of the system WebView update, so the symlink attack won't work on the latest Android devices or on devices with the updated system WebView.
• IPC components can introduce many vulnerabilities if not properly configured.

Slide 64

TAKEAWAYS
• Expand your attack surface to non-exported components.
• Developers often pass sensitive data via implicit intents, which can be intercepted by other apps on the device.
• MITM vulnerabilities are too common in Android apps. Developers often override SSL errors, which makes the app vulnerable to MITM attacks (e.g. an unsafe implementation of onReceivedSslError).
• Hardcoding API keys and secrets in mobile apps is common. You must understand the purpose of hardcoding these keys; check the API docs and see if the keys are supposed to be public or private.

Slide 65

OPTIV RESOURCES
• InsecureShop App (https://github.com/optiv/Insecureshop)
• Nuclei Templates (https://github.com/optiv/mobile-nuclei-templates)
• Optiv Source Zero Blog (https://www.optiv.com/insights/source-zero)

Slide 66

ADDITIONAL RESOURCES
• https://github.com/streaak/keyhacks
• https://hackerone.com/reports/431002
• https://blog.oversecured.com/Interception-of-Android-implicit-intents
• https://blog.oversecured.com/Evernote-Universal-XSS-theft-of-all-cookies-from-all-sites-and-more
• https://blog.mzfr.me/posts/2020-11-07-exported-activities/
• https://medium.com/@dPhoeniixx/tiktok-for-android-1-click-rce-240266e78105