
Security in Android Applications

Alvaro
April 26, 2016


Transcript

  1. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
    Smartphones have invaded us, and now what?
    Security in Android Applications
    Alvaro Muñoz | Software Security Consultant | @pwntester
    HP Enterprise Security Products

  2. Familiar Model

  3. Can’t We All Get Along?
    Your app
    - Formal communication
      - Inter-application
      - Intra-application
      - With the OS
    - A new trust boundary

  4. Android Talk
    (diagram: the OS, App 1, App 2, App 3, Service 1 and Service 2 talking to each other through the four Android component types: Activity, Service, Content Provider, Broadcast Receiver)

  5. Google Android Vulnerabilities
    1. Intent Hijacking
    2. Intent Spoofing
    3. Sticky Broadcast Tampering
    4. Insecure Storage
    5. Insecure Network Communication
    6. SQL Injection
    7. Promiscuous Privileges

  6. Google Android Vulnerabilities: Intent Hijacking
    Description: A malicious app intercepts an intent bound for another app, to read its data or alter behavior.
    Cause: Implicit intents (any app can register a component to receive them; no strong permission is required to receive)
    Fix: Explicit intents and receiver permissions

  7. Google Android Vulnerabilities: Intent Hijacking (example)
    (diagram: inside the IMDb app, the Showtime Search component sends an implicit intent with action willUpdateShowtimes to the Results UI, which handles the actions willUpdateShowtimes and showtimesNoLocationError)

  8. Google Android Vulnerabilities

  9. Google Android Vulnerabilities: Intent Hijacking (attack)
    (diagram: an eavesdropping app registers a malicious receiver that handles the same actions, willUpdateShowtimes and showtimesNoLocationError; because IMDb's Showtime Search sends willUpdateShowtimes as an implicit intent, the malicious receiver can receive it alongside the legitimate Results UI)
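The sender-side check a reviewer would want for slides 6 and 9, as an added example that is not part of the deck: a small line-oriented scanner over Java source that flags intents handed to the system while still implicit (hijackable) and broadcasts sent without a receiver permission. The Java fragment it scans is constructed here and modelled on the IMDb example; the package, action and permission names (`com.example.imdb...`) are assumptions, not identifiers from the deck.

```python
import re

# Constructed Java fragment (not from the deck) modelled on slide 9's IMDb
# example: the first method broadcasts the search result with an implicit
# intent, the second pins the target package and demands a permission from
# receivers, the third starts an activity by explicit component.
SAMPLE_JAVA = """\
public class ShowtimeSearch extends Activity {
    void notifyVulnerable(Bundle results) {
        Intent update = new Intent("com.example.imdb.action.willUpdateShowtimes");
        update.putExtras(results);
        sendBroadcast(update);  // any app with a matching filter receives this
    }

    void notifyHardened(Bundle results) {
        Intent update = new Intent("com.example.imdb.action.willUpdateShowtimes");
        update.setPackage(getPackageName());  // explicit: stays inside this app
        update.putExtras(results);
        sendBroadcast(update, "com.example.imdb.permission.SHOWTIMES");
    }

    void openResults() {
        Intent view = new Intent(this, ShowtimeResults.class);  // explicit component
        startActivity(view);
    }
}
"""

# A declaration such as `Intent x = new Intent(...)`; the constructor arguments
# decide whether the intent starts out explicit (a Context + .class pair).
NEW_INTENT = re.compile(r"Intent\s+(\w+)\s*=\s*new\s+Intent\s*\(([^;]*)\)\s*;")
# Calls that turn an implicit intent into an explicit one after construction.
MAKES_EXPLICIT = re.compile(r"\b(\w+)\.(setPackage|setClass|setClassName|setComponent)\s*\(")
# Calls that hand the intent to the system; the third group records whether a
# further argument (for broadcasts, the receiver permission) follows.
SENDS = re.compile(
    r"\b(sendBroadcast|sendOrderedBroadcast|startActivity|startService|bindService)"
    r"\s*\(\s*(\w+)\s*([,)])"
)
BROADCASTS = {"sendBroadcast", "sendOrderedBroadcast"}


def find_hijackable_intents(java_source):
    """Return (line, variable, problem) for every intent sent while still
    implicit, and for every broadcast sent without a receiver permission.

    Line-oriented heuristic: variables are tracked in source order and reset
    whenever they are assigned a fresh Intent. That is enough for the
    straight-line code a reviewer usually meets; it is not a data-flow analysis.
    """
    explicit = {}  # variable name -> True once its target is pinned
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), 1):
        m = NEW_INTENT.search(line)
        if m:
            explicit[m.group(1)] = ".class" in m.group(2)
            continue
        m = MAKES_EXPLICIT.search(line)
        if m and m.group(1) in explicit:
            explicit[m.group(1)] = True
            continue
        m = SENDS.search(line)
        if not m or m.group(2) not in explicit:
            continue
        call, var, after = m.groups()
        if not explicit[var]:
            findings.append((lineno, var,
                             f"{call}: implicit intent, any app with a matching filter can receive it"))
        if call in BROADCASTS and after == ")":
            findings.append((lineno, var,
                             f"{call}: broadcast sent without a receiver permission"))
    return findings


if __name__ == "__main__":
    for lineno, var, problem in find_hijackable_intents(SAMPLE_JAVA):
        print(f"line {lineno}: {var}: {problem}")
```

On the constructed sample only line 5 is reported, twice: once because `update` was never pinned to a package or component, and once because `sendBroadcast` was called without the permission argument. The hardened method passes both checks, and the explicit `new Intent(this, ShowtimeResults.class)` constructor is recognised as already explicit.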

  10. Google Android Vulnerabilities: Intent Spoofing
    Description: A malicious app spoofs a legitimate intent to inject data or alter behavior.
    Cause: Public components (necessary to receive implicit intents)
    Fix: Explicit intents and receiver permissions; keep sensitive operations in private components

  11. Google Android Vulnerabilities: Intent Spoofing (attack)
    (diagram: a spoofing app's malicious component sends an intent with action showtimesNoLocationError straight to IMDb's Showtime Search Results UI, which is public because it handles the actions willUpdateShowtimes and showtimesNoLocationError)

  12. Google Android Vulnerabilities

  13. Google Android Vulnerabilities: Sticky Broadcast Tampering
    Description: Persistent (sticky) intents can be read and removed by malicious apps.
    Cause: The BROADCAST_STICKY permission grants full access to any sticky broadcast
    Fix: Explicit, non-sticky broadcasts and receiver permissions

  14. Google Android Vulnerabilities: Sticky Broadcast Tampering (attack)
    (diagram: a malicious app that requests the BROADCAST_STICKY permission gets at the sticky broadcasts SB1, SB2 and SB3; the victim app's receiver expects SB2 but can no longer be sure what it receives)
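A manifest audit covering slides 10 and 13 together, as an added example that is not part of the deck: it applies Android's export rules to every component, reports exported components that no permission guards (the public components intent spoofing needs) and reports a request for BROADCAST_STICKY (whose sticky broadcasts any other holder of that permission can read, replace or remove). The manifest it reads is constructed here for a hypothetical `com.example.imdb` app; its component, authority and permission names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest (not from the deck) for a hypothetical IMDb-like app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.imdb">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="15"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BROADCAST_STICKY"/>
  <permission android:name="com.example.imdb.permission.SHOWTIMES"
              android:protectionLevel="signature"/>
  <application android:label="Showtimes">
    <!-- exported by virtue of its intent-filter and unprotected: spoofable -->
    <receiver android:name=".ShowtimeResultsReceiver">
      <intent-filter>
        <action android:name="com.example.imdb.action.willUpdateShowtimes"/>
        <action android:name="com.example.imdb.action.showtimesNoLocationError"/>
      </intent-filter>
    </receiver>
    <!-- also exported, but senders must hold a signature-level permission -->
    <receiver android:name=".ShowtimeUpdateReceiver"
              android:permission="com.example.imdb.permission.SHOWTIMES">
      <intent-filter>
        <action android:name="com.example.imdb.action.willUpdateShowtimes"/>
      </intent-filter>
    </receiver>
    <!-- private: reachable only by explicit intent from this package -->
    <service android:name=".SyncService" android:exported="false"/>
    <!-- no android:exported and targetSdkVersion below 17: exported by default -->
    <provider android:name=".ShowtimeProvider"
              android:authorities="com.example.imdb.showtimes"/>
  </application>
</manifest>
"""


def is_exported(component, target_sdk):
    """Android's rules: an explicit android:exported wins; otherwise an
    activity, service or receiver is exported iff it declares an
    intent-filter, and a provider is exported by default below API 17."""
    declared = component.get(ANDROID + "exported")
    if declared is not None:
        return declared == "true"
    if component.tag == "provider":
        return target_sdk < 17
    return component.find("intent-filter") is not None


def guarding_permissions(component):
    """Permissions a caller must hold to reach the component."""
    attrs = ("permission", "readPermission", "writePermission")
    return [component.get(ANDROID + a) for a in attrs if component.get(ANDROID + a)]


def audit_manifest(manifest_xml):
    """Return (subject, problem) pairs for the two manifest-visible issues:
    exported components any app can send intents to (intent spoofing) and
    use of BROADCAST_STICKY (sticky broadcast tampering)."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(uses_sdk.get(ANDROID + "targetSdkVersion", "1")) if uses_sdk is not None else 1
    findings = []
    for perm in root.findall("uses-permission"):
        if perm.get(ANDROID + "name") == "android.permission.BROADCAST_STICKY":
            findings.append(("uses-permission",
                             "requests BROADCAST_STICKY: sticky broadcasts it sends can be read, "
                             "replaced or removed by any other app holding this permission; "
                             "prefer non-sticky broadcasts gated by a receiver permission"))
    application = root.find("application")
    components = list(application) if application is not None else []
    for component in components:
        if component.tag not in COMPONENT_TAGS:
            continue
        if is_exported(component, target_sdk) and not guarding_permissions(component):
            findings.append((component.get(ANDROID + "name"),
                             f"exported {component.tag} without a permission: any app can send it "
                             "intents (intent spoofing); make it private or require a permission"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit_manifest(SAMPLE_MANIFEST):
        print(f"{subject}: {problem}")
```

Three findings come back for the constructed manifest: the BROADCAST_STICKY request, the unprotected `.ShowtimeResultsReceiver`, and `.ShowtimeProvider`, which is exported only because the manifest targets an SDK below 17. The permission-guarded receiver and the `android:exported="false"` service are silent, which is the shape the "private components and receiver permissions" fix leaves behind.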

  15. Empirical Results: DEFCON ‘11
    Vulnerability Type               % of Apps
    1. Intent Hijacking              50%
    2. Intent Spoofing               40%
    3. Sticky Broadcast Tampering     6%
    4. Insecure Storage              28%
    5. Insecure Communication        N/A
    6. SQL Injection                 17%
    7. Promiscuous Privileges        31%

  16. Bonus: OWASP iGoat
    iGoat 1.0 documents 5 vulnerabilities
    We find 15+
    iGoat 1.2 documents 7 vulnerabilities
    We find 20+

  17. Thank you
    Alvaro Muñoz | Software Security Consultant | @pwntester
    HP Enterprise Security Products