8 Android Implementation Issues (Part 1)
0 likes41 views
This document discusses exploiting vulnerabilities in Android devices. It covers identifying pre-installed apps that could provide access, techniques for remotely or locally exploiting devices, and the different privilege levels an attacker may obtain including non-system app access, installed package access, ADB shell access, system user access, and root user access. Specific exploitation techniques mentioned include exploiting update mechanisms, remote code loading, webviews, listening services, and messaging apps. Tools discussed include Drozer, Ettercap, and Burp.
8 Android Implementation Issues (Part 1)
- 1. CNIT 128 Hacking Mobile Devices 8. Identifying and Exploiting Android Implementation Issues Part 1 Updated 10-24-22
- 2. Topics • Part 1 • Reviewing Pre-installed Applications • Exploiting Devices • Start through "Explanation of Privilege Levels" (up to p. 375)
- 3. Topics • Part 2 • Exploiting Devices • "Practical Physical Attacks" (p. 376) through • "Man-in-the-Middle Exploits" (up to p. 401)
- 4. Topics • Part 3 • Exploiting Devices • "Injecting Exploits for JavaScript Interfaces" (p. 401) and following • Infiltrating User Data
- 6. Root Access • Each installed app has its own attack surface • But when you exploit an app, you get access with the privileges of that app • Not root access • But you can often exfiltrate user data without root access
- 8. INSTALL PACKAGES • Exploiting an app with this permission allows an attacker to install a Trojan app • Permission level signature|system • Defined by the android package
- 9. Drozer on an Emulator • Real devices have many more apps with this dangerous permission
- 10. Apps Running as System • On an emulator • Many more on a real device (66 in book)
- 12. Techniques • Trick user into installing a malicious app • Server-side: exploit a listening port • Client-side: open a malicious document
- 13. Browsers and Document Readers • Frequently vulnerable • Complex parsers written in native code • Fuzzers can fund vulnerabilities • Samsung has Polaris Viewer for PDFs by default • No PDF reader on my emulator
- 14. BROWSEABLE Activities • Allows users to open content inside an installed app rather than the browser • App stores installed on the device use this functionality • To open links that point to apps
- 15. Example • Manifest from a rogue Drozer agent • Opening a link starting with pwn:// will open this activity • But can't be used in an iframe anymore <activity android:name="com.mwr.dz.PwnActivity"> <intent-filter> <action android:name="android.intent.action.VIEW" /> <category android:name="android.intent.category.DEFAULT" /> <category android:name="android.intent.category.BROWSABLE" /> <data android:scheme="pwn" /> </intent-filter> </activity>
- 16. Two Methods • Via pwn:// URI or "web intent" <a href="pwn://me">Start drozer<a> <a href="intent://me/#Intent;scheme=pwn;end"> Start Drozer</a>
- 17. Many apps use BROWSABLE filters on my emulator
- 18. Custom Update Mechanisms • Apps often write their own update mechanisms • Rather than using the Play Store • This requires the INSTALL_PACKAGES permission • Code may be vulnerable • May check for a new file over HTTP or broken HTTPS
- 19. Remote Loading of Code • Link Ch 8b
- 20. Remote Loading of Code • Apps can load new code at runtime • Using the Java Reflection API • With the DexClassLoader class • May load code over the network, or from a local location that can be overwritten by other applications • May cause code injection vulnerabilities
- 21. WebViews • Recipe for disaster • Using a WebView • Defining a JavaScript interface • Loading from a cleartext source or having SSL bypass code • Targeting API versions prior to 17 or using an Android version earlier than 4.2 • May allow JavaScript code injection
- 24. Listening Services • Android is unlikely to have listening ports • My Genymotion has a few
- 25. Messaging Applications • Examples, may be vulnerable • Short Message Service (SMS) • Multimedia Messaging Service (MMS) • Commercial Mobile Alert System (CMAS) • Email clients • Chat clients
- 26. Finding Local Vulnerabilities • Manual process • Download all installed apps • Convert them to readable source code • Use grep to search for vulnerabilities • Or use Drozer's scanner modules
- 27. Drozer's SQLi Scanner • Doesn't find the Sieve SQL injection
- 29. Remote and Local Exploits • Remote exploit • Gives attacker a foothold on the device • Such as software exploits, MITM attacks, or malware • Local exploit • Requires a foothold on the device already • Local privilege escalation
- 31. • Performs ARP poisoning, DNS spoofing, etc. • We're using local proxy settings • You need ettercap to perform real MITM attacks on a LAN Ettercap
- 32. Burp • Can inspect and modify traffic • Sends fake TLS certificates • Burp can be added as a "trusted CA"
- 34. Drozer • Infrastructure Mode • Runs a Drozer server, as a C&C server • Make "rogue agents" which are like malware • Custom-built to phone home to the Drozer server • Much like Metasploit
- 35. Privilege Levels
- 36. Non-System App without Context • Ex: a shell from a Web browser • Attacker has privileges of the compromised app • Can navigate filesystem under the app's user account • Cannot use Java libraries • Cannot install packages, or read SMS, etc.
- 37. Non-System App with Context • Attacker takes over app's execution flow and can load arbitrary classes • Attacker can retrieve app Context • Can do anything the app can do
- 38. Installed Package • Can request arbitrary permissions • Can be granted them, depending on protection level
- 39. ADB Shell Access • Can install apps • Can interact with apps as a developer
- 40. System User Access • Running as system user, can • Install apps • Change device configuration • Access data from any app's private directory
- 41. Root User Access • Ultimate power, can • Install apps • Read and write RAM • Manipulate any aspect of the device