Investigating unauthorized screenshots of my activity (Nov 09, 2018)
Android Security Auditing
Investigating unauthorized screenshots of my activity
by Michael Altfield
https://www.michaelaltfield.net
Context
● IamA Power User
● Nexus 5X (bullhead)
● ROM = Lineage OS 15.1 (8.1.0 Oreo)
● No Gapps
● Rooted
● IANA Android Dev
Discovery
DiskDigger (Actual Image Files)
Discovery
Encrypted Conversations
Discovery
Media Consumption
Discovery
Seemingly Useless
Discovery
Many Corrupt
Approach #1: SELinux
● Since 2013, 4.3 (Jelly Bean) [1][2]
● Irony
Approach #1: SELinux (cont)
Google + /sepolicy
9.7. Security Features
…
[C-0-3] MUST NOT make SELinux or any other security features implemented below the Android framework configurable to the user or app developer.
Source: Android 9 Compatibility Definition
No `auditctl`
Intentional?
Approach #1: SELinux (cont)
Hacking /sepolicy
Sepolicy-inject [1][2][3][4]
- >2 years old
- 100G
- compile errors galore
Abandon!
Approach #2: Files & Metadata
Top bar
Blacked-out
Keyboard area
Bottom bar
Approach #2: Files & Metadata
● JPG (not PNG)
● exif
michael@amy:/tmp$ exiftool 8064090112.jpg
…
Profile Copyright: Google Inc. 2016
Approach #2: Files & Metadata
bullhead:/ $ find / -name '*.jpg' \
    1>/sdcard/findJpgs.txt
Approach #2: Files & Metadata
bullhead:/ # tail /sdcard/findJpgs.txt
...
/data/system_ce/0/snapshots/3419_reduced.jpg
/data/system_ce/0/snapshots/3419.jpg
bullhead:/ #
Approach #2: Files & Metadata
/data/system_ce/0/snapshots
Root Cause Identified!
Google “/data/system_ce/0/snapshots/”
TaskSnapshotPersister [1]
Recents Screen = Overview Screen
= Recent Task List = Recent Apps
aka “App Switcher” in iOS
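Added example (not from the original slides): correlating the snapshot files found above with the Recents list, to see which app each persisted image belongs to. It assumes the numeric file name is the task id and that `dumpsys activity recents` prints Oreo-style `TaskRecord{… #<id> A=<affinity> …}` lines; both sample inputs and the package names are constructed.

```shell
#!/bin/sh
# On a rooted device the two inputs would come from:
#   find /data/system_ce/0/snapshots -name '*.jpg'
#   dumpsys activity recents
# The samples below are constructed for illustration.

SNAPSHOT_FILES='/data/system_ce/0/snapshots/3419_reduced.jpg
/data/system_ce/0/snapshots/3419.jpg
/data/system_ce/0/snapshots/3402.jpg
/data/system_ce/0/snapshots/3388.jpg'

# Assumed TaskRecord line format; package names are made up.
RECENTS_DUMP='  * Recent #0: TaskRecord{1a2b3c4 #3419 A=org.example.messenger U=0 StackId=1 sz=1}
  * Recent #1: TaskRecord{5d6e7f8 #3402 A=org.example.videoplayer U=0 StackId=2 sz=1}'

# snapshot_ids: unique task ids from a list of snapshot paths
# (<id>.jpg and <id>_reduced.jpg collapse to one id).
snapshot_ids() {
    printf '%s\n' "$1" |
        sed -n 's|.*/\([0-9][0-9]*\)\(_reduced\)\{0,1\}\.jpg$|\1|p' |
        sort -un
}

# package_for_task: task affinity (normally the package name) for a task id;
# prints nothing when the id is not in the dump.
package_for_task() {
    printf '%s\n' "$2" |
        sed -n "s|.*TaskRecord{[^ ]* #$1 A=\([^ ]*\) .*|\1|p" |
        head -n 1
}

# audit_snapshots: one "<task id> <package>" line per snapshot on disk.
audit_snapshots() {
    for id in $(snapshot_ids "$1"); do
        pkg=$(package_for_task "$id" "$2")
        printf '%s %s\n' "$id" "${pkg:-not-in-recents}"
    done
}

audit_snapshots "$SNAPSHOT_FILES" "$RECENTS_DUMP"
```
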
Take-away
● Don’t be too paranoid [1][2][3][4]
● Google makes Android Sec Audit hard
● Devs: use FLAG_SECURE [1]