Authen'catorLeakageThroughBackupChannelsonAndroid

GuangdongBai

Na'onalUniversityofSingapore

Webservicesareincreasinglydeliveredthroughmobileapps…

2

SocialNetworking

OnlineBanking EmailService

Can’twesimplyusemobilebrowsers?

3

V.S.

ü  Fulluseofdevice/APIsü Lessprogramminglimita'onü Runningfaster

ü CrossplaQormsü Reusablebrowserfunc'onality(JSengine,…)ü Developedfaster

Can’twesimplyusemobilebrowsers?

4

…the(mobile)browserhasbecomeasingleapplica'onswimminginaseaofapps.--FlurryInsights

Therefore,mobileappsplaythesameroleaswebbrowsers

5

HTTP/1.1200Set-Cookie:cookie1=87654321;domain=.idp.com----------------------------------------<bodyonload=foo()><script>vardomain="hfp://www.sp.com/login";varauthToken="3fa09d24a3ce";varuEmail="alice@idp.com";varidpSign="2oOs5u29erIas…“;func'onfoo(){varmessage=uEmail+"&"+authToken+"&"+idpSign;window.postMessage(domain,message);}</script></body>

GETHTTP/1.1

WebServer App

②Contentrendering

①Communica'on

protocols

However,thisisanon-trivialtask…

6

WebServer App

②Contentrendering

①Communica'on

protocols

•  Codeinjec'onafacks–  Havebeenextensivelystudied[CCS’13,CCS’14,ESORICS’15]

•  Securityofcommunica'onprotocols–  Novelafacksurface–  NovelTrustedCompu'ngBase(TCB)

Focusofthistalk:webauthen'ca'onprotocolsonAndroid •  Implementa'onofwebauthen'ca'onschemesonAndroid

–  Authen'ca'onprocess–  Howauthen'ca'oncreden'als(authen'cators)aremanaged

•  Backupchannel:anewafacksurfaceagainstwebauthen'ca'ononAndroidplaQorm–  Whybackupisadangerousfunc'onalityonAndroid–  Howtoabusebackupchannels

•  Casestudiesandmi'ga'ons

7

Sec'on1.WebAuthen'ca'ononAndroid

Webauthen'ca'on:safeguardtowebaccounts

•  WebAuthen'ca'on–  Aprocessbyservertoconfirmwhetheranen'ty(client)iswhoitdeclared –  Oneofthemostlyusedwebfunc'onali'es

9

HowAndroidappsimplementwebauthen'ca'on?

•  Ourinves'ga'on–  Goal:tolearnapproachescontemporaryappsusetoimplementtheir

authen'ca'onschemes

–  Focus:howauthen'catorsaremanaged

–  Methodology:wehavemanuallyanalyzedtop-ranked100appsonGooglePlay(byreverseengineeringandtrafficanalysis)

10

Resultsummary

11Figuresource:hfp://geektechreviews.com/wp-content/uploads/2015/07/Top-10-Free-Android-Apps-Must-Have.jpg

TOP100

66withauthen'ca'on

schemes

34withoutauthen'ca'on

schemes

Standaloneappse.g.,newsbrowsers,mapsandvideoplayers

–  Basicauthen'ca'on(40)–  SingleSign-on(40)–  AndroidAccountManager(16)

Webauthen'ca'onscheme#1:Basicauthen'ca'on •  Basicauthen'ca'onstandsfortradi'onalauthen'ca'onschemes

onthebasisof–  Knowledge(e.g.,apasswordandsecurityques'ons)

•  34outof40appsusepassword-basedschemes

–  Ownership(e.g.,ahardwaretokenandamobilephone)•  6outof40appsuseSMS-basedone'mepasswordschemes

–  Inherence(e.g.,fingerprintandre'nalpafern)•  Noneisfound•  Fingerprintconfiden'alityatBlackHatUS2015byDr.WeiTao

12

Generalprocessofbasicauthen'ca'onondesktopbrowsers

13

WebServer

UID/PWD

•  Authen'cator–  Anauthen'ca'oncreden'alindica'ngclient’sloginsession–  E.g.,cookies,sessionID,OAuthTokenandOAuthCode

ü  Sameoriginpolicy(SOP)ü Contentsecuritypolicy(CSP)ü Cookieprotec'onü …

WebBrowser

Generalprocessofbasicauthen'ca'ononAndroidapps

14

WebServer

UID/PWD RestAPI

Webview

ContentProvider

SharedPreference

AndroidApp

InternalStorage /data/data/appname

Webauthen'ca'onscheme#2:SingleSign-on

•  SingleSign-On(SSO)–  Akerberos-likesinglecreden'al

authen'ca'onscheme

–  BrowserID(Mozilla)–  FacebookConnect

•  250+Millionusers,2,000,000websites–  OpenID

•  onebillionusers,50,000websites–  …

15

Threepar'esinSSO

16

User

Iden'tyProvider(IDP)

RelyingParty(RP)

e.g.,

e.g., Token

SSOinAndroid •  RelyingParty(RP)

–  Applica'on•  Iden'typrovider(IDP)

–  SSOServiceisreleasedinformofSDK–  E.g.,FacebookConnect,TwiferID

17

Aconcreteprocess:Facebookconnect

18

Legend Secretcookies

OAuthAccesstoken

FacebookServer

RPapp

FacebookSDK

Android

/app/app/RP

Android

IDPapp

RPapp

FacebookSDK

/app/app/IDP /app/app/RP

Webauthen'ca'onscheme#3:AndroidAccountManager

19hfp://blog.udinic.com/2013/04/24/write-your-own-android-authen'cator/

•  AccountManager–  AnAndroidservicewhichprovidesadelegated

authen'ca'onserviceandcentralizedaccount/authen'catorcontrol

–  Pros•  Simplifiestheprocessforthedeveloper

–  Byimplemen'ngsomeinterface

•  Canhandlemul'pletokentypesforasingleaccount

•  Automa'callybackgroundupdate(SyncAdapters)

BriefinghowAccountManagerworks •  Developerneedsonlyto…

–  TocreateanAccountAuthen)cator•  Addaccounts,accounttypes,authtoken

–  TocreateanAc'vity•  Throughwhichusersentercreden'als

•  Accountmanagerwill…–  Manageauthen'cators

•  Locatedinaccount.dbin/data/system/users/0

–  Updateauthen'catorsonbackground

20

Securityofauthen'ca'onschemes •  Securityofprotocolsinthreelayers

–  Design-levelsecurity:designandlogicflaws•  Anotoriousexample:flawsinNeedham-Schroederprotocol•  Protocolverifica'on:theoremproving(Proverif),modelchecking(PAT)

–  Implementa'on-levelsecurity•  Implementa'onerrors/bugsinthecode•  E.g.,GooglelDflaw:notallmessagesarecoveredinsignature(IEEES&P’12)Guessableauthen'cators(NDSS’13)

–  Infrastructure-levelsecurity•  Exploitsintheso|warestack(e.g.,OS,filesystem)thattheprotocolsrelyupon•  Apreviousstudy:passwordleakagethroughcompromisedADB(ClaudXiaoonHITCON’14)

21

Let’slookatinfrastructure-levelsecurityofwebauthen'ca'ononAndroid

22

UID/PWD RestAPI

Webview

ContentProvider

SharedPreference

AndroidApp

InternalStorage /data/data/appname

BasicAuthen'ca'on

Let’slookatinfrastructure-levelsecurityofwebauthen'ca'ononAndroid

23

SingleSign-on

Legend Secretcookies

OAuthAccesstoken

FacebookServer

RPapp

FacebookSDK

Android

/app/app/RP

Android

IDPapp

RPapp

FacebookSDK

/app/app/IDP /app/app/RP

Let’slookatinfrastructure-levelsecurityofwebauthen'ca'ononAndroid

24

SingleSign-on

BasicAuthen'ca'on

AccountManager

/app/app/appname

Theownerapp’sproprietarydirectory

Systemdirectory /data/system/users/0

Isola'onMechanisminAndroid

25

Sandbox Sandbox

/data/data/appname

✓✗

Uname/password

Whatifthesandboxisbypassed?

Backupfunc'onalityhastoviolatesandboxmechanism

26

Backupapp

Sandbox Sandbox

✓✗✓

Sec'on2.BackuponAndroid

TwowaystoimplementbackuponAndroid •  Root-basedbackup

–  Rootthedeviceandgrantrootprivilegetothebackupapps

•  ADB-basedbackup

28

Backupapp

Sandbox Sandbox

✓✓

Weconsideronlytobackupanapp’sdatalocatedinitsproprietaryfolder,insteadoftheuser’sdatacanbeaccessedthroughAPIslikecontactsandSMSmessages

ADB-basedbackup •  ADB(AndroidDebugBridge)

–  ADBisaversa'lecommandlinetoolthatletsuserscommunicatewithanemulatorinstanceorconnectedAndroid-powereddevice.

–  Runningonsystem(orsignature)levelprivilege•  Root>system>user

•  HowdoesADB-basedbackupwork?(doweneed“addbackup”every'me?)

29

System level Android

proxy

1.  adbshell2.  app_processproxy User level

Backup app

HowdoesanADBproxyconductbackup?

30

bu1backupappname>backupdata.ab

bu0restore<backupdata.ab

backup

restore

ANDROIDBACKUP11noneorAES-256

Reference:hfp://nelenkov.blogspot.sg/2012/06/unpacking-android-backups.html

magicformatversion

compressionflag

encryp'onalgo

compressedusingdeflatealgorithm

data

Howbackupcanbeathreattoauthen'ca'on?

31

BackupAppVic'mApp

Globallyreadablestorage

ADBProxy

MaliciousApp

Channel#1:BackupdataLeakage

Channel#2:BackupcapabilityLeakage

Asummaryofleakagethroughtheexis'ngbackupapps

Category Apps Installs Publiclyaccessible?

Backupdataencrypted?

Compromisedinterfaces?

Leakagepossible?

Root-based

MyBackup 1,000,000-5,000,000 SDcard ✗ -- ✓

Ul'mateBackup

500,000-1,000,000 SDcard ✗ -- ✓

EaseBackup 100,000-500,000 SDcard ✗ -- ✓

TitaniumBackup

10,000,000-50,000,000 SDcard ✗ -- ✓

ADB-based Helium 1,000,000-5,000,000 SDcard ✗ ✓ ✓

32

AnalyzinganADB-basedBackupApp •  Helium

–  Oneofthebestappsin2013(www.gizmap.com/best-android-apps-2013/30238)–  Developer:ClockworkMod

•  DeveloperofCyanogenModAndroidOS•  Hasreleased19appsonGooglePlay,15millioninstalls

•  OuranalysisontheADB-basedappisenlightenedbyScreenMilker[NDSS’14]

33

InternalsofHelium(obtainedbyreverseengineering)

34

ShellRunner ShellProxyService am startservice ①

③

/data/data/helium Local Socket Server

②

Android Helium

Legend control

flow

flow data

settings.db

InternalsofHelium(obtainedbyreverseengineering)

35

ShellRunner ShellProxyService am startservice ①

③

/data/data/helium Local Socket Server

②

LocalBackup Main

Activity ⑴

⑵ ⑶ ⑷

SD Card

Android Helium

Legend control

flow

flow data

settings.db

InternalsofHelium(obtainedbyreverseengineering)

36

ShellRunner ShellProxyService am startservice ①

③

/data/data/helium Local Socket Server

②

WebBackup

LocalBackup Main

HTTPServer

Activity

Asyn

⑴

⑵ ⑶ ⑷

SD Card

(i) (ii) (iii)

(iv)

Android Helium

Legend control

flow

flow data

settings.db

AccessControlProtocolintheADBProxy

37

ADBProxy

LocalSocketServer HeliumMainapp

CodeofADBproxy

CodeofbroadcastPassword()

Alogicflaw

38

ADBProxy

LocalSocketServer HeliumMainapp

CodeofADBproxy

CodeofbroadcastPassword()

HowhandleSocket()works?

39

handleSocket(){try{

while(true){r=getRequest();if(checkOTP(r)) serve(r);else throwexcep'on;}

catch{ //notterminate}}

Alogicflaw

40

ADBProxy

LocalSocketServer HeliumMainapp

CodeofADBproxy

CodeofbroadcastPassword()

Afack#1:Exploitthelogicflaw

41

ShellRunner ShellProxyService

AuthSniffer User

uninstall start

mHelium

Monitor uninstall events Attacker

Monitor install events Trick user to install mHelium

install

start

Helium uninstalled

Wrong token

•  Disadvantageoftheafacker–  Heliumneedstobeuninstalled–  Afackerneedstoinstallan

malwarewiththesamenameasHelium

•  Advantageoftheafacker–  OnceobtainingtheOTP,the

afackerisabletobackupthevic'mappatany'me(ac'veafack)

–  OnceobtainingtheOTP,theafackerisabletoconductotherhigh-privilegedac'ons(seehfp://developer.android.com/tools/help/adb.html)

Afack#2:InvoketheWebinterface

42

HTTPServeronport5000

URL Method HTTPBody DescripKon

hfp://IP:5000/api/package GET NULL Fetchthelistofinstalledapps

hfp://IP:5000/api/backup.zip POST Nameoftheapptobackup

Backup

hfp://IP:5000/api/restore.zip

POST Backupdata Restore

Afack#2:InvoketheWebinterface

43

HTTPServeronport5000

•  Disadvantageoftheafacker–  TheHTTPserverisclosedbydefaultandonlyopenwhenweb

backupisused(semi-ac'veafack)–  NeedsINTERNETpermission

•  Advantageoftheafacker–  Canbackuptargetvic'm–  EasiertoimplementthanAfack#1

Afack#3:Accessbackupdataonexternalstorage

44

•  Disadvantageoftheafacker–  Cannotchosetargetvic'm(passiveafack)

•  Advantageoftheafacker–  Easytoimplement

Sec'on3.ImpactandCasestudies

ExtentoftheADBbackup •  Theappswon’tbebackupbyADBproxywhen

–  UsingAndroidAccountManagerforauthen'ca'on–  Android:allowBackupisfalse

•  IfadeveloperdoesnotspecifyitinAndroidManifest.xml,itistruebydefault!!–  Ourstudyrevealsthatonly~10%appsspecifyitfalse.

46

Howmanyappsaresubjecttotheseafacks? •  DataSetI

–  Topranked100apps•  DataSetII

–  Randomlychosen10CategoriesofappsfromGoolgePlay–  Top10appsfromeachcategory

47Helium

Device 1 Device 2 Web Server

?

Attacker PC

①

Proxy ②

③ ④ ⑤

⑥

Victim App

Howmanyappsaresubjecttotheseafacks?

48

W/OAuthen'ca'on,

83

Infected,80 AccountManager,23

W/OBackup,14

Notinfected,

37

Casestudy#1:FacebookApp

49

POSThfps://b-api.facebook.com/method/auth.loginHTTP/1.1...User-Agent:[FBAN/FB4A;FBAV/9.0.0.26.28;FBBV/2403143;FBDM/email=alice.tester%40gmail.com&password=pwd&sig=452aca050cdce967a699e969076962f0&...

HTTP/1.1200OK...Content-Type:applica'on/json{"session_key":"5.71T...411696","access_token":"CAAAAUaZA...XW8ZD","session_cookies":[{"name":"c_user","value":“100003708411696","expires":"Thu,28May201510:11:48GMT","domain":".facebook.com"},{“name":"xs","value":"201:71TTJlPmwZwjXQ:2:1401271908:10025","expires":"Thu,28May201510:11:48GMT","domain":".facebook.com"},...]...}

Iden'fyingauthen'cators

50

access_token Creden'alsinsubsequentrequests,e.g.,pos'nganewpost

c_user Creden'alsindica'ngtheuser’sloginstate xs

prefs_db

/data/data/com.facebook.katana

Casestudy#2:FacebookSingleSign-on

51

user id/pwd

rpApp Facebook Server

c_user, xs verification

OAuth token

Facebook SDK

? user_info&OAuth token user_info

①

②

③

④

c_user, xs OAuth token

Authen'ca'on

Authoriza'on

• Authoriza'on:theusercancontrolwhatinforma'oncanbeaccessedbytherpApp.

Authen'catorsbelongingtotwoorigins?

52

FacebookServer

RPapp

FacebookSDK

Android

/app/app/RP

c_user

xs

OAuthtoken

facebook.com

rp.com

• Facebookcompletelydelegatesthesecrecyofitscreden'alstoRPapp?!

Usingc_userandxstologintouser’saccountandcompletelyviolateauthoriza'on…

53

Facebook’sopinion

54

FacebookSecurity

Butcouldn'tamaliciousapplica)onwithaWebViewalsostealusernamesandpasswordsasthey'resubmiKed?Oncetheuserisenteringtheircreden)alsoutsideofatrustedbrowser,there'sveryliKlethatwecandofromourendtoprotectthem.That'swhyit'ssoimportantthatmarketplaceslikeGooglePlayandApple'sAppStoretakestepstoprotectusersfrommaliciousapplica)ons.

Sec'on4.Mi'ga'on

Sugges'onstobackupappdevelopers •  BuildsecureADB-basedBackup

–  Preventbackupprivilegefromexposure•  VerifiedAccesscontroloftheADBproxy•  Secrecyofbackupdata

–  Followtheprincipleofleastprivilege•  Exposeonlybackup/restorefunc'onality

–  ManagelifecycleofADBproxy•  ADBproxyneveroutlivesthemainapp

56

Sugges'onstowebappdevelopers •  Protectauthen'cators

–  Disableandroid:allowBackupifnotnecessary–  Avoidstoringpassword–  Shortenauthen'catorlife'me

•  Avoidimplementa'onownauthen'catormanagement–  UseAndroidAccountManager

57

SummaryandTake-away •  Thedilemma

–  Backupfunc'onalityv.s.Confiden'ality–  Pushtheboundaryorbreakthesandbox?

•  ScreenMilker[NDSS’14]

•  Authen'ca'on–  Awarenessofinfrastructure-levelafacks

58

References •  [CCS’13]Wang,Rui,etal."UnauthorizedorigincrossingonmobileplaQorms:Threatsand

mi'ga'on."•  [CCS’14]Jin,Xing,etal."Codeinjec'onafacksonHTML5-basedmobileapps:Characteriza'on,

detec'onandmi'ga'on."•  [ESORICS’15]Hassanshahi,Behnaz,etal."Web-to-Applica'onInjec'onAfacksonAndroid:

Characteriza'onandDetec'on."•  [IEEES&P’12]Wang,Rui,etal."Signingmeontoyouraccountsthroughfacebookandgoogle:A

traffic-guidedsecuritystudyofcommerciallydeployedsingle-sign-onwebservices.“•  [NDSS’13]Bai,Guangdong,etal.“AUTHSCAN:Automa'cExtrac'onofWebAuthen'ca'on

ProtocolsfromImplementa'ons.”•  [NDSS’14]Lin,Chia-Chi,etal."Screenmilker:Howtomilkyourandroidscreenforsecrets."

59

60

Thankyou!

BaiGuangdongbaiguangdong@gmail.com