Why this matters • New, different platform • PlayBook targets enterprises • Designed to separate “personal” apps/data from “corporate” apps/data 3 ...and we can steal that corporate data
authman & permissions • authman service - maps app permissions to system resources • Filesystem permissions + POSIX ACLs, PF rules • Shell script and Python glue to bind it all together 12
System updates • Signed packages (SHA1, SHA256, SHA512) • Three stage process: • Poll available update bundles (HTTPS) • Request download info for a specific bundle (HTTPS) • Download and install individual packages (HTTP) 27
System updates: So what? • Control the version of software running on a device • Extract TabletOS file system • Reverse engineer system stuff • Diff changes between versions 29
System updates: MITM • x.509 checks were not originally enforced • 1.0.1 • 1.0.3 • Downgrades probably not possible • Control version of out-of-the-box devices • Cannot be fixed in a software update 30
Native Code • Native applications request permissions, too • Our first PoC native app requested *zero* permissions, read device PIN, sent it to a remote listener • (This should have required "access_internet" and "read_device_identifying _information") 49
Native Code • Currently nothing stops native code from doing even nastier things (sans permissions) • We promised you a shell, Nico -- hopefully this will do for now :) 50
BlackBerry Bridge • Bridge allows you to “connect your BlackBerry® PlayBook™ tablet to your smartphone to access email, calendars... other data directly from your tablet.” • Read: where the Good Stuff’s at. 51
BlackBerry Bridge • Bridge apps authenticate to SapphireProxy, receive token • If BB handset has password set, user must enter this • Once auth token is set, apps send as both cookie and HTTP header 53
“Bridging” The Gap • Once user has paired and “unlocked” Bridge, session token is available to anyone • Malicious app can steal via special PPS file, re-use /pps/system/sapphire/.all 54
“Bridging” The Gap • Sapphire Proxy (on http://127.0.0.1:187) also serves as an open HTTP proxy • Proxied traffic goes over Bluetooth link, and out of BlackBerry handset’s interface (WiFi or cell radio) • Possible access to corporate net or BES 56
App World • Purchase / download functionality (duh) • PlayBook and BBOS share a common interface • Asynchronous app purchase and download components 57
Oh... • Sequential file names • No session management • A local cache of App World can be yours (be sure to bring along external storage)!* * assuming there’s anything that you want 59
App World • Evidently hosts all versions of all BBOS and PlayBook applications • Applications can be side-loaded • No centralized license management • Not unique to PlayBook, but significant • RIM response 61
Bridge: More to consider • Bridge “Files” accesses BB handset storage...via WebDAV • Internal storage, SD card, camera images, etc. • Currently world readable/writable 70
Things to keep an eye on • System scripts • Python / shell • “cleanup” stuff • File permissions • Logs • Support apps (Desktop Manager, Device Manager) 72
quine
usaito
gpeyre
kazaneya
naok615
masatoto
tosseto
yumakoizumi
forest1988
javiergs
nttcom
reisato12345
seiichiinoue
speakerdeck
nonsquared
chriscoyier
garrettdimon
danielanewman
tmm1
shlominoach
reverentgeek
brad_frost
morganepeng
michaelherold
sferik