Why this matters
• New, different platform
• PlayBook targets enterprises
• Designed to separate “personal” apps/data from “corporate” apps/data
• ...and we can steal that corporate data

Dingleberry
• PlayBook jailbreak / root privilege escalation released in Dec. 2011
• Discovered by @xpvqs and @neuralic, packaged by @cmwdotme
• Issue (tl;dr): backups aren’t signed; the jailbreak creates a custom backup and restores it, overwriting smb.conf; Samba then executes scripts as root
• Now irrelevant

authman & permissions
• authman service maps app permissions to system resources
• Enforced with filesystem permissions, POSIX ACLs and PF (packet filter) rules
• Shell script and Python glue binds it all together

System updates
• Signed packages (SHA1, SHA256, SHA512 digests)
• Three-stage process:
  • Poll available update bundles (HTTPS)
  • Request download info for a specific bundle (HTTPS)
  • Download and install individual packages (HTTP)

System updates: So what?
• Control the version of software running on a device
• Extract the TabletOS file system
• Reverse engineer system components
• Diff changes between versions

System updates: MITM
• X.509 certificate checks were not originally enforced
  • 1.0.1
  • 1.0.3
• Downgrades probably not possible
• Control the version of out-of-the-box devices
• Cannot be fixed in a software update: a device still running the shipped updater can be intercepted before it ever patches
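The three-stage update flow above stands or falls on stage 2: per-package digests only protect stage 3 if the manifest that carries them was itself fetched over a verified TLS connection. The following is an added example, not code from the talk or from RIM’s updater; the package names, manifest layout and digest values are constructed, and `tls_context(enforce_x509=False)` simply models the “X.509 checks not enforced” behaviour described for early firmware.

```python
"""Added example (not from the PlayBook talk): what a three-stage update
client has to get right. Package names, manifest layout and digest values
are constructed here; real TabletOS bundle formats differ."""
import hashlib
import hmac
import ssl
from typing import Dict

DIGEST_ALGOS = ("sha1", "sha256", "sha512")  # the algorithms the talk lists

# Stage 3 payloads, constructed so the example runs offline.
PACKAGES: Dict[str, bytes] = {
    "kernel.bar": b"constructed kernel package bytes",
    "samba.bar": b"constructed samba package bytes",
}


def make_manifest(packages: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Stage 2 answer: per-package digests for every listed algorithm."""
    return {
        name: {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_ALGOS}
        for name, data in packages.items()
    }


MANIFEST = make_manifest(PACKAGES)  # what a legitimate server would return


def tls_context(enforce_x509: bool = True) -> ssl.SSLContext:
    """Context for stages 1 and 2. enforce_x509=False mirrors the early
    firmware behaviour: chain and hostname are ignored, so anyone on the
    path can answer stage 2 with a manifest of their own."""
    ctx = ssl.create_default_context()
    if not enforce_x509:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def x509_enforced(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def verify_package(entry: Dict[str, str], data: bytes) -> bool:
    """Every digest in the manifest entry must match. An unknown or empty
    algorithm list is a failure, not a skip, so a tampered manifest cannot
    downgrade verification to 'none'."""
    if not entry:
        return False
    for algo, expected in entry.items():
        if algo not in DIGEST_ALGOS:
            return False
        actual = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True


def mitm_manifest(evil: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """What an on-path attacker returns at stage 2 when X.509 is not
    enforced: digests of the attacker's packages. Stage 3 is plain HTTP, so
    the matching bodies are substituted just as easily, and verify_package
    accepts them because the digests 'match'."""
    return make_manifest(evil)
```

The last function is the point of the slide: `verify_package` is correct, yet it accepts an attacker’s package whenever the manifest came over an unverified channel. Digest checks on stage 3 add nothing unless stage 2 is authenticated.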
Native Code
• Native applications request permissions, too
• Our first PoC native app requested *zero* permissions, read the device PIN and sent it to a remote listener
• (This should have required "access_internet" and "read_device_identifying_information")

BlackBerry Bridge
• Bridge “allows you to connect your BlackBerry® PlayBook™ tablet to your smartphone to access email, calendars... other data directly from your tablet.”
• Read: where the Good Stuff’s at.

BlackBerry Bridge
• Bridge apps authenticate to SapphireProxy and receive a token
• If the BB handset has a password set, the user must enter it
• Once the auth token is set, apps send it as both a cookie and an HTTP header

“Bridging” The Gap
• Once the user has paired and “unlocked” Bridge, the session token is available to anyone
• A malicious app can steal it via a special PPS file (/pps/system/sapphire/.all) and re-use it

“Bridging” The Gap
• Sapphire Proxy (on http://127.0.0.1:187) also serves as an open HTTP proxy
• Proxied traffic goes over the Bluetooth link and out of the BlackBerry handset’s interface (WiFi or cell radio)
• Possible access to the corporate network or BES
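The two “Bridging The Gap” slides hinge on a PPS object that any app can read. PPS is QNX’s plain-text publish/subscribe format: a `.all` read returns every object in the directory, each introduced by an `@name` line followed by `attribute:encoding:value` lines. The following is an added example, not code from the talk: a parser for that format and the permission check a reviewer would apply to the object. The object and attribute names in the sample (`session`, `token`, `handset`, `pin`) and the token value are constructed; the page does not give the real Sapphire attribute names.

```python
"""Added example (not from the PlayBook talk): parse a QNX PPS '.all' read
and check whether the object is readable by any app. Object and attribute
names below are constructed placeholders, not Sapphire's real schema."""
import stat
from typing import Dict

# Constructed sample of a PPS ".all" read. Encodings seen in PPS are
# n (number), s (string), b (boolean) and json; a leading '-' deletes.
SAMPLE_ALL = """@session
token:s:c0ffee-constructed-token
unlocked:b:true
@handset
pin:s:2A1B3C4D
name:s:Bold 9900
"""


def parse_pps(text: str) -> Dict[str, Dict[str, str]]:
    """Return {object_name: {attribute: value}} for a PPS text blob."""
    objects: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # new object header
            current = line[1:]
            objects.setdefault(current, {})
            continue
        if current is None:                 # attribute before any header
            continue
        if line.startswith("-"):            # "-attr" removes an attribute
            objects[current].pop(line[1:], None)
            continue
        parts = line.split(":", 2)          # the value may itself contain ':'
        if len(parts) != 3:
            continue
        name, _encoding, value = parts
        objects[current][name] = value
    return objects


def find_attr(objects: Dict[str, Dict[str, str]], attr: str = "token") -> Dict[str, str]:
    """Which objects expose the named attribute (hypothetical name 'token')."""
    return {obj: attrs[attr] for obj, attrs in objects.items() if attr in attrs}


def readable_by_other_apps(st_mode: int) -> bool:
    """The check to run against the PPS object's st_mode: 'other' read means
    any app on the tablet can read it, which is the leak the talk describes.
    Necessary but not sufficient: TabletOS also uses POSIX ACLs, so an ACL
    can widen access even when the mode bits look tight."""
    return bool(st_mode & stat.S_IROTH)
```

On a device you would feed `parse_pps` the bytes read from `/pps/system/sapphire/.all` and `readable_by_other_apps` the `st_mode` from `os.stat` on that path; the sample here stands in for both so the block runs offline.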
App World
• Purchase / download functionality (duh)
• PlayBook and BBOS share a common interface
• Asynchronous app purchase and download components

Oh...
• Sequential file names
• No session management
• A local cache of App World can be yours (be sure to bring along external storage)!*
* assuming there’s anything that you want

App World
• Evidently hosts all versions of all BBOS and PlayBook applications
• Applications can be side-loaded
• No centralized license management
• Not unique to PlayBook, but significant
• RIM response

Bridge: More to consider
• Bridge “Files” accesses BB handset storage via WebDAV
• Internal storage, SD card, camera images, etc.
• FS perms controlled through group membership (1000_shared, which maps to the access_shared app permission)

Things to keep an eye on
• System scripts
  • Python / shell
  • “cleanup” stuff
• Android support (a lot of potentially kludgy glue)
• File permissions
• Logs
• Support apps (Desktop Manager, Device Manager)