Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack

Roee Hay, [email protected], IBM Application Security Research Group Lead

Posted 14-Sep-2014, category: Technology

Description

Enterprise use of mobile devices is exploding and devices are increasingly employee-owned. These vulnerabilities are like finding a needle in a haystack, and represent an increasing threat to your security, given the dramatic increase of personal and organizational data being stored on mobile devices. In this webinar, IBM will showcase a live demo of vulnerabilities found in native mobile code and provide a deep-dive into specific Android vulnerabilities and attack vectors. Utilizing IBM’s mobile dynamic application security testing (DAST) technology, we’ll demonstrate real-world techniques to address how you can pinpoint critical mobile vulnerabilities and enhance mobile security protection. View the full on-demand webcast: https://www2.gotomeeting.com/register/800908666

Transcript of Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack

Page 1: Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack

© 2014 IBM Corporation

IBM Security Systems


Pinpointing Vulnerabilities in Android Applications: Like Finding a Needle in a Haystack

Roee Hay, [email protected], IBM Application Security Research Group Lead

Page 2

Please note: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.

Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.

Page 3

Agenda

Mobile Vulnerabilities Primer

Malicious Apps and the Android Security Model

Mobile DAST Research Project: The Mobile Analyzer

Case Study: The NY Times Cross-Application Scripting (XAS)

Page 4

Mobile Vulnerabilities Primer

Page 5

A Typical Mobile App

(Diagram: the client App talks to the Back-end)

Page 6

The Mobile Vulnerabilities Space

New client-side vulnerabilities: ?

Classic back-end vulnerabilities: SQL Injection, Code Execution, etc.

Page 7

Attack Vectors for Client-Side Vulnerabilities

(Diagram: the client App and the Back-end; the three vectors follow)

Page 8

(1) Taking Over the Back-end

(Diagram: the Attacker controls the Back-end that the client App talks to)

Page 9

(2) Man-in-the-Middle (MiTM)

(Diagram: the Attacker sits between the client App and the Back-end)

Page 10

(3) Malicious Apps

(Diagram: the Attacker’s malicious app runs on the client, next to the target App)

Page 11

Malicious Apps

Page 12

The Android Threat Model

Apps in Android are sandboxed from each other:

- Each app package runs with a different Linux user-id, so by default resources created by one app cannot be accessed by another app.
- Apps are constrained: A-Very-Cool-Game cannot just send SMSs. Some constraints can be relaxed at deployment time by using permissions.

These features protect the integrity and confidentiality of the installed apps and of the Android system.

(Diagram: sandboxed apps such as Browser, Mail, SMS, Phone, Contacts and Search)

Page 13

Two Types of Malicious Apps: (1) Attack the System

Abuse system services for their own profit, e.g.:

- Premium SMSs and MMS
- GPS access
- System log access

No vulnerability is required. Suspicious use of permissions!

Source: http://www.threattracksecurity.com/it-blog/russian-language-facebook-android-app-premium-sms-is-out-daily-service-fees-are-in/

Page 14

Two Types of Malicious Apps: (2) Attack Other Apps

Try to subvert the integrity and/or confidentiality of other applications. Target applications must be vulnerable. No suspicious use of permissions!

Page 15

Inter-Process Communication in Android

Apps want to be able to talk to each other, for feature reuse.

This is achieved by inter-process mechanisms, controlled by special objects called Intents. Intents carry both the destination information and the payload data.

When an application component is willing to receive Intents from external apps, it becomes exported and opens a hole in the Android sandbox!

(Diagram: Browser, Google Play Store and Phone exchanging Intents)

Page 16

A Typical Attack by a Malicious App

For a vulnerable app to be exploited, it must accept external Intents, i.e. open the IPC channel in its manifest file.

The malicious app initiates a malicious Intent targeting the vulnerable app. The Intent’s payload is specific to the vulnerability found in the app, e.g. an SQL Injection payload.

(Diagram: the Malicious App sends a malicious Intent to the Vulnerable App)

Page 17

The Mobile Analyzer

Page 18

The Mobile Analyzer: Modus Operandi

(1) Explore. Discover the elements of the application that should be tested.
In classic web: this is done by crawling.
Mobile Analyzer: we analyze the Android manifest file and dynamically learn the Intent parameters.

(2) Attack. Trigger the vulnerabilities.
In classic web: done by sending HTTP requests with malicious data.
Mobile Analyzer: we send Intents with malicious payloads using our security knowledge.

(3) Validate.
In classic web: done by looking at the HTTP responses (black-box / DAST) or by placing hooks on the target app (glass-box / IAST).
Mobile Analyzer: we mainly do it by placing hooks on the target mobile app (IAST).

Page 19

The Mobile Analyzer: In Front of the Scenes

(Diagram: our client uploads an APK)

Page 20

The Mobile Analyzer: In Front of the Scenes

(Diagram: our client receives a security report)

Page 21

It Detects Many Issue Types!

- Debug flag enablement
- Insecure Pending Intent
- Memory corruptions
- Client-side SQL Injection
- UI spoofing
- Client-side Denial-of-Service
- Cross-Application Scripting (XAS)
- Android Fragment Injection
- Insecure file rights
- Insecure class loading
- Activity & Service hijacking
- Cross-Site Scripting via Man-in-the-Middle
- Weak random number generators

Page 22

Demo

Page 23

Structure of the DoNothing App

(Diagram: an Intent carrying data reaches two exported activities; one passes the data to the Log (native code), the other to the SQLite DB)

Page 24

The Developer’s Mistake

(Diagram: the same structure, with the Intent data flowing unchecked from the exported activities into the Log (native code) and the SQLite DB)

Page 25

Case Study: NYTimes Cross-Application Scripting

Page 26

Cross-Application Scripting (XAS)

The vulnerable app contains an embedded browser (WebView).

Due to bad input validation, the URL of the embedded browser can be controlled by a malicious app with problematic URI schemes, such as ‘javascript://’ or ‘file://’:

    WebView.loadUrl(url)

Injecting these schemes enables the attacker to execute JS code in the context of the vulnerable app.

This subverts Android’s sandboxing, as it allows the attacker to steal information pertaining to the vulnerable app.

(Diagram: the Malicious App sends an Intent carrying javascript://… to the Vulnerable App)

Page 27

The NYTimes Vulnerability

    // Decompiled from the app; class and field names are obfuscated (g is the WebView)
    protected void onCreate(Bundle bundle) {
        …
        g.getSettings().setJavaScriptEnabled(true);   // JS runs inside the embedded browser
        g.getSettings().setCacheMode(2);
        g.getSettings().setSavePassword(false);
        …
        cookiemanager.removeAllCookie();
        …
        // The URL is taken straight from the incoming Intent's "url" extra;
        // only emptiness is checked, never the scheme or the host
        s = getIntent().getStringExtra("url");
        if (TextUtils.isEmpty(s))
            s = h.l().f();
        if (getIntent().getBooleanExtra("hideTitle", false))
            setTitle("");
        g.loadUrl(s);
    }

* Issue was fixed in August 2013 as per our responsible disclosure
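As an added example (neither the NYTimes app’s code nor IBM’s), the input validation that the onCreate() above lacks, written in Python rather than Java so it runs stand-alone: an allow-list on scheme and host, which excludes ‘javascript:’ and ‘file:’ by construction instead of trying to enumerate bad schemes. The allowed host list is an assumption for illustration.

```python
from urllib.parse import urlsplit

# Only ordinary web URLs may reach WebView.loadUrl(); javascript: and file:
# are excluded by construction, not by a reject-list that can be bypassed.
ALLOWED_SCHEMES = {"http", "https"}
# Assumed allow-list of hosts the app legitimately renders (example values).
ALLOWED_HOSTS = {"www.nytimes.com", "nytimes.com"}


def safe_webview_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return the URL if it may be loaded into the embedded browser, else None."""
    if not url:
        return None
    cleaned = url.strip()
    # Control characters and inner whitespace are handled differently by
    # different URL parsers; refuse them rather than guess what WebView does.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in cleaned):
        return None
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None   # javascript:, file:, data:, and scheme-less input all stop here
    host = (parts.hostname or "").lower()   # hostname drops any user@ prefix
    if host not in allowed_hosts:
        return None   # https://www.nytimes.com@evil.example/ and look-alike hosts stop here
    return cleaned


def choose_url(intent_url, default_url):
    """Corrected form of the onCreate() logic: use the Intent's "url" extra only
    when it validates, otherwise fall back to the app's own default URL."""
    return safe_webview_url(intent_url) or default_url
```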

Page 28

Stealing the Session-ID

(Diagram: the client holds the NYTimes Session-ID issued by the NYT Back-end)

Page 29

Stealing the Session-ID

(Diagram: the Attacker steals the client’s NYTimes Session-ID)

Page 30

Stealing the Session-ID

(Diagram: the Attacker presents the stolen client Session-ID to the NYT Back-end)

Page 31

Goal & Impact

The attacker would like to leak some sensitive NYTimes files: the session identifier is found under NYTIMES_PREFS.xml.

Impact: user impersonation.

    root@android:/data/data/com.nytimes.android/shared_prefs # ls
    NYTIMES_BLOGCATS.xml
    NYTIMES_ENT.xml
    NYTIMES_PREFS.xml
    cSPrefs.xml
    com.nytimes.android_preferences.xml
    ny_times_widget.xml
    uptAdsQueue.xml
    uptEventsQueue.xml

    root@android:/data/data/com.nytimes.android/shared_prefs # cat NYTIMES_PREFS.xml
    ...
    <string name="NYT-S">18CBbkG2ru6usGm4bmrmZvSlDZeHDEfrlQxsnMdUmY896gFXg1szP13uvJJp.6isWKzDs7ugEhp41N4bsEDh836YV.Ynx4rkFI</string>
    ...

Page 32

Exploitation: Abusing file:// URI Schemes

The javascript:// URI scheme cannot access files. We cause the embedded browser of NYTimes to load a globally readable file via the file:// URI scheme. This file contains JS code that leaks NYTIMES_PREFS.xml.

(Diagram: the malicious app sends an Intent carrying file://data/malicious/Malicious.html to NYTimes; Malicious.html then reads file://data/…/nyt/NYTIMES_PREFS.xml via AJAX and obtains the <string name="NYT-S">…</string> value)

Page 33

Demo

Page 34

Questions

Page 35

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.