Bust a Cap in an Android App

Transcription

1 Bust a Cap in an Android App ToorCon 13 October 7th, 2011 Max Veytsman & Subu Ramanathan

2 Us Security Consultants from Toronto Specialize in application security Especially Slide 2

3 You Security analysts, developers or QA testers Fairly familiar with web application pentesting Intrigued by mobile applications Have attempted to root an Android Some knowledge of programming Slide 3

4 This Workshop Introducing ExploitMe Mobile Mobile threat model What you need to know about Android Intercepting traffic Filesystem access Static analysis Runtime analysis (Bonus!) Mobile cryptography pitfalls (Bonus!) Slide 4

5 Demo INTRODUCING EXPLOITME MOBILE Slide 5

6 ExploitMe Mobile Android Labs Server iphone Labs also available Slide 6

7 MOBILE THREAT MODEL Slide 7

8 What can the developers get wrong? Backend implementation Client behavior Client-server communication Slide 8

9 Backend Mobile backend implementations are all susceptible to Authentication/Authorization issues Privilege escalation Input validation errors Injection Threat model is the same as a web app Slide 9

10 Client Insecure data storage Poor cryptography Overzealous Logging Eg. Old Android browser Memory leakage Input validation Eg. Skype XSS bug Threat includes lost/stolen phone and mobile malware Slide 10

11 Client-Server Communication Insecure communication Not using SSL/TLS Leaking sensitive data GPS, identifying phone information, etc Threat includes Man-in-the-Middle attacks Malicious wifi hotspots GSM base station Slide 11

12 Demo (Also available at BYPASSING ANDROID PASSWORD Slide 12

13 Side topic: How easy to root? how easy is it to root a found device? If lockscreen isn t enabled we can enable USB debugging to provide ADB access (yes big if) ADB server is created on a uid=shell user which is not a privileged user in the android world. Slide 13

14 Side topic: How easy to root? Quick example Rage against the cage (Android local root exploit) Slide 14

15 Side topic: How easy to root? AGer restarhng adb, you ll be connected as root Exploited shell to perform root achons on device Install shell, busybox, pull data, apks Slide 15

16 What you need to know ANDROID SECURITY MODEL Slide 16

17 The architecture Multiuser OS running Dalvik VM. (root being highest user) Dalvik runs compiled.dex files, similar to.class files in JAVA, optimized for low powered devices Slide 17

18 Key design points Each app runs as its own user and group Each app runs its own Dalvik VM Breaking out of Dalvik is useless Dalvik does not manage security User permissions do this Apps interact using permission agreed upon on installation Slide 18

19 Android Application Packaging Image : Slide 19

20 Permissions Unique UID / GID for each applicahon Slide 20

21 Permissions Applications must request permissions on install u u u u u Phone calls SMS Location services Calendar access Etc. Unfortunately, you can t deny specifics u Install or no install imgsource: techpp.com Slide 21

22 Permissions Permissions are configured in the APK packaging in AndroidManifest.xml If the permissions change, user will be requested to manually reaccept <permission android:description="string resource" android:icon="drawable resource" android:label="string resource" android:name="string" android:permissiongroup="string" android:protectionlevel=["normal" "dangerous" "signature" "signatureorsystem"] /> Slide 22

23 Android Security Model Summary Android runs.dex files on DalvikVM, each app runs own instance of Dalvik Apps run under their own user and group IDs for segregation of user processes Security is managed through users & file permissions App permissions set in AndroidManifest.xml on install Slide 23

24 INTERCEPTING TRAFFIC Slide 24

25 Android proxying Intercept with proxy Internet Slide 25

26 Proxy using what? We will discuss two Android proxy scenarios for an assessor The Android emulator A rooted Android device Slide 26

27 Quick requirements: The Android SDK u hsp://developer.android.com/sdk/index.html u u Android Debugging Bridge (adb) Enable USB debugging (careful!) The Bouncy Castle Java Library u hsp://bouncycastle.org/latest_releases.html u u Place in $JAVA_HOME/lib/ext Used for inserhon of cerhficate into Android keystore Slide 27

28 Intercepting Traffic PROXYING THE ANDROID EMULATOR Slide 28

29 Proxying the Android Emulator Start up and configure an emulator using Android SDK./emulator -avd <name> -partition-size 128 Slide 29

30 A note on SSL Small issue: invalid SSL cert = dropped connection Proxying SSL will give invalid SSL certificate Slide 30

31 A note on SSL trusted certificate for our proxy Solution: modify the Android certificate store to trust our proxy certificate Slide 31

32 Adding a Trusted Certificate to Android adb pull /system/etc/security/cacerts.bks cacerts.bks Pull trusted cerhficate store from device cacerts.bks Slide 32

33 Adding a Trusted Certificate to Android keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.bouncycastleprovider -storepass changeit -importcert -trustcacerts -alias <##CERT ALIAS HERE##> -file <##YOUR PROXY.CRT HERE##> Insert our cerhficate into keystore using keytool (Standard with JAVA JRE) Slide 33

34 Adding a Trusted Certificate to Android adb remount Mount remote Android file system read & write Slide 34

35 Adding a Trusted Certificate to Android adb push cacerts.bks /system/etc/security/ 4) Push modified CA keystore (May have to change permissions to overwrite) Slide 35

36 Save this system image Why? upon bootup, the keystores for the emulator reset To avoid hassle, you can save this version of system parhhon Slide 36

37 Save this system image >adb push /path/to/mkfs.yaffs2.arm /system/xbin/mkfs.yaffs2 1) Upload YAFFS2 mkfs binary Here: Slide 37

38 Save this system image >adb shell # mkfs.yaffs2 /system /sdcard/system.img mkfs.yaffs2: Android YAFFS2 Tool,Build by PowerGUI at Building... Build Ok. # 2) build system image on emulator Slide 38

39 Save this system image adb pull /sdcard/system.img 3) Pull system image from emulator Slide 39

40 Restart emulator using proxy flag./emulator -avd myavd -partition-size 128 -system /path/to/system.img -http-proxy :8888 Here, we specify the hsp- proxy flag and the system parhhon that we created Slide 40

41 A note about http-proxy flag -http-proxy :8888 Flag has problems. Browser traffic will proxy, however applicahon traffic is very hit or miss. u If issues, try debug- proxy flag Used rooted Android device for true app assessments u other tests can be done on the emulator Slide 41

42 Android emulator proxy complete! Slide 42

43 Tsocks for app traffic on emulator tsocks will be our soluhon to the inability to proxy app traffic in the emulator u u u u Encapsulates network traffic transparently into a SOCKS proxy Install tsocks and modify semngs in /etc/ tsocks.conf Run tsocks emulator Charles and Slide 43

44 Intercepting Traffic PROXYING AN ANDROID DEVICE Slide 44

45 Proxy real device Android does not include built in proxy support Network proxy is for browser, not apps There are workarounds we ll show you best way to proxy apps is using a device! Note: You ll need to be root and have a ROM that supports iptables such as CyanogenMod hsp:// Slide 45

46 Proxy real device To proxy a Android device we ll go through three steps: 1. Have rooted ROM with iptables (Cyanogen) 2. Install Superuser (if not already part of ROM) 3. Install a proxy tool such as Autoproxy Slide 46

47 Proxy real device Connect device to computer with USB Enable USB Debugging Semngs > Manage ApplicaHons > Development Slide 47

48 If you need SSL, same steps: adb pull /system/etc/security/cacerts.bks cacerts.bks keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.bouncycastlepr ovider -storepass changeit -importcert - trustcacerts -alias <##CERT ALIAS HERE##> - file <##YOUR PROXY.CRT HERE##> adb remount adb push cacerts.bks /system/etc/security/ Slide 48

49 Install tools 1) Enable Unknown sources Slide 49

50 adb install superuser.apk 2) Install Superuser (reboot) Slide 50

51 adb install transproxy.apk 3) Install TransProxy or AutoProxy Slide 51

52 Configure proxy app Slide 52

53 Device proxy complete! Why do we need such tools? As discussed, by default Android has no proxy mechanism for applicahon traffic these tools act as a front end to iptables If you are elite, then you can use iptables command line in Cyanogen Slide 53

54 One last thing tcpdump Emulator supports - tcpdump <file> flag Captures network traffic to file Great for debugging or understanding network side of emulator Use for quick traffic analysis for apps.. Doesn t need proxy Slide 54

55 TCPDump open with wireshark emulator -avd LabAVD tcpdump dump.cap Slide 55

56 Demo PARAMETER MANIPULATION Slide 56

57 FILESYSTEM ACCESS Slide 57

58 Android Filesystem Access We want to analyze files within the device, so how do we do this? ADB (windows, linux, mac) Slide 58

59 Android Filesystem Access Android Debug Bridge (adb) command Access a shell Pull/push files Many more Slide 59

60 ADB Slide 60

61 Example of ADB Slide 61

62 Quick look at some apps We re going to use Android s default mail client (Note this is for a rooted device) Navigate to the shared_prefs directory of the applicahon Slide 62

63 Quick look at some apps cat (read) the file Slide 63

64 Quick look at some apps aw1hcctzc2wroi8vc2ntb2jpbgvhchb0zxn0jtqwz21hawwuy29tomfi Y0RFRjEyM0BpbWFwLmdtYWlsLmNvbTo5OTM= Base 64 decode imap+ssl+://scmobileapptest SCMOBILETESTAPP:abcDEF123 Slide 64

65 Other ADB Commands Pull: Push: Slide 65

66 Advanced Shell (BusyBox) AlternaHve shells exist such as Busybox. These include features not in ADB Grep, find, vi, etc. Slide 66

67 Filesystem Access COMMON FILES Slide 67

68 SQLite Single file relahonal database Supported by Android to store applicahon semngs/data Often favored by developers for key/value storage Slide 68

69 SQLite LisHng tables:.tables Select statements for queries, SQL syntax Slide 69

70 XML Used by Android to store many things (shared prefs, manifest, etc.) OGen contains data stored by apps such as usernames or passwords Slide 70

71 Demo EXTRACTING CREDENTIALS Slide 71

72 LOGGING Slide 72

73 Logging ApplicaHons may leak data through gratuitous logging In older versions of Android, the browser would log URLs visited This also logged session IDs for websites that put it in the GET request Slide 73

74 Viewing Android Logs Use adb logcat Slide 74

75 Demo INSECURE LOGGING Slide 75

76 CLIENT ANALYSIS Slide 76

77 Android Application Layout Apps are packaged in an APK file (zip archive) What s in it? Dalvik class files (dex) Assets and Resources AndroidManifest.xml (packed in a binary format) APKs stored at /data/app on a device Can extract this Slide 77

78 Android Application Layout Android JAVA Original.java.java Compiled.dex.class Optimized.odex n/a Packaging.apk.jar Modification Apktool, baksmali Jad, java decompiler Slide 78

79 Android Application Layout Image : Slide 79

80 AndroidManifest.xml Enumerates permissions We are most interested in permissions and metadata Slide 80

81 Analyzing an APK The files inside an APK aren t directly useful Need to unpack the XML, disassemble the dex class files Apktool does this!! hsp://code.google.com/p/android- apktool/ Slide 81

82 Apktool Uses APK APK (reengineered) Slide 82

83 Disassembly to Smali Smali is the Dalvik assembly Unlike JVM, register based Fairly readable.class public LHelloWorld;.super Ljava/lang/Object;.method public stahc main([ljava/lang/string;)v.registers 2 sget- object v0, Ljava/lang/System;- >out:ljava/io/printstream; const- string v1, "Hello World! invoke- virtual {v0, v1}, Ljava/io/PrintStream;- >println(ljava/lang/string;)v return- void.end method Slide 83

84 Decompilation Looking at decompiled java is easier than reading Smali You may be familiar with jad or jdgui Use dex2jar to get a (JVM) jar from an apk Perform source review on decompiled app Doesnt work for all apks Slide 84

85 Decompilation Slide 85

86 Demo CLIENT ANALYSIS Slide 86

87 Tips Approach like traditional application reverse engineering Be aware of attack vectors buffer overflow type bugs not always fruitful Lot s of apps have poor key management Try to turn off rooting detection either through patching or application settings Slide 87

88 RUNTIME ANALYSIS Slide 88

89 Why Do Runtime Analysis Companion to stahc analysis Explore execuhon through a debugger Access stack values Extract code from encrypted binary (ios only) Possible asack vector Use a debugger to jump through a security check Slide 89

90 Why Do Runtime Analysis Many things that happen in an app lifecycle memory branch Slide 90

91 Debugging as an Attack Vector Jump over client- side business logic checks ipad app client- enforced restrichons Jump over the branch to access other areas of code Using a debugger to get confidential data in memory (lost or stolen phone) Slide 91

92 Debugging as an Attack Vector Locked banking app manually call Intents? Bypass screens by directly launching achvihes Slide 92

93 Android Debugging We use ddms (Dalvik Debug Monitor Server) available in the SDK Dump the applicahon's heap ASach a remote debugger Slide 93

94 Attach to process Slide 94

95 Dump the heap (hprof) Slide 95

96 A Note on HPROF HPROF is java s heap and cpu profiling file format This is used by developers to profile cpu and memory usage We use it to browse heap values at the Hme of the heap dump Slide 96

97 Convert HPROF file We need to convert the file from the Dalvik HPROF format to the format used by Java We can then use Java tools to analyze it hprof- conv com.android. .hprof com.android. .fixed.hprof Slide 97

98 Analyze Heap Slide 98

99 Memory Analyzer Dominator tree Group by List objects Slide 99

100 Finding Heap Values Slide 100

101 Finding Heap Values Slide 101

102 Demo (Android) DUMPING MEMORY Slide 102

103 MOBILE CRYPTOGRAPHY Slide 103

104 Mobile Cryptography We must treat the mobile device as hoshle Don t store sensihve data unencrypted! (Basic EncrypHon lab) Doing encryphon well is HARD (Advanced EncrypHon lab) Best prachce: don t store any sensihve data on device Slide 104

105 If You Must Encrypt Issues of cryptography are issues of implementahon This is ogen taken to mean Don t write your own AES library, but no. We mean key management We mean how the cipher is used Slide 105

106 Data in transit SSL/TLS is the golden standard here Easy to plug into mobile app, use HTTPS We find some mobile apps add a second layer of encryphon over SSL/TLS Make it harder to analyze app s traffic Extra security Slide 106

107 Data at rest Easier to get right than data in transit SHll hard to do right Your main concern is key management If the client can decrypt data on its own, an asacker can too (reverse engineering) We need to have a secret not stored on the client Slide 107

108 External Secret The user can type in the encryphon key Difficult to remember/type The backend can give the client the encryphon key ager user authenhcates Need secure authenhcahon framework OR we can have the user remember a password, and somehow derive a key from it Slide 108

109 Password Based Key Derivation In ExploitMe Mobile we had the user authenhcate with local password This was inihally used as a UI lock, in case the phone was lost/stolen We will use this password to generate a key The standard we use is PBKDF2 Slide 109

110 Password Based Key Derivation public SecretKey genkeypwkdf2(string password, byte[] salt, int iterations) throws { SecretKeyFactory f =SecretKeyFactory.getInstance ("PBKDF2WithHmacSHA1"); PBEKeySpec keyspec = new PBEKeySpec( password.tochararray(), salt, iterations, KEY_BITS); SecretKey generatedkey = f.generatesecret(keyspec); return generatedkey; } Slide 110

111 How Do We Use This? public int unlockapplication(string password) throws exceptions { if (checkpassword(password)) { mcryptokey=mcipher.genkeypwkdf2(password, getpbksalt(), CryptoTool.NUM_ITERATIONS).getEncoded(); cleartextserveruser = mcipher.decryptb64string( getrestusername(), mcryptokey, getrestusernameiv()); cleartextserverpass = mcipher.decryptb64string( getrestpassword(), mcryptokey, getrestpasswordiv()); int statuscode = performlogin( cleartextserveruser, cleartextserverpass); if (statuscode == RestClient.NULL_ERROR) { locked = false; return statuscode; } } return RestClient.NO_OP; } Slide 111

112 Checking the Password Note if (checkpassword(password)) We perform a password check against a hash If we stored hashed passwords on the device, an asacker could crack it We can also use PBKD as an authenhcahon mechanism Slide 112

113 Using PBE for authentication As before, use the password entered by the user to generate the key Now encrypt a known value with that key When the user enters a password, try to decrypt the known value with the derived key If it is successful, the user has the correct password, otherwise the user doesn t Slide 113

114 Other Considerations An asacker can build up a rainbow table, especially if they know an encrypted value we store Or they can pre- compute keys derived from common passwords Salt the password used for PBKDF Enforce strong local passwords Slide 114

115 Questions? Max Subu Slide 115