Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack
Posted 14-Sep-2014, category: Technology
Transcript of "Pinpointing Vulnerabilities in Android Applications like Finding a Needle in a Haystack"
© 2014 IBM Corporation
IBM Security Systems
Pinpointing Vulnerabilities in Android Applications: Like Finding a Needle in a Haystack
Roee Hay, [email protected], IBM Application Security Research Group Lead
Please note: IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.
Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Agenda
Mobile Vulnerabilities Primer
Malicious Apps and the Android Security Model
Mobile DAST Research Project: The Mobile Analyzer
Case Study: The NY Times Cross-Application Scripting (XAS)
Mobile Vulnerabilities Primer
A Typical Mobile App
(diagram: the App on the Client talks to the Back-end)
The Mobile Vulnerabilities Space
New client-side vulnerabilities: ?
Classic back-end vulnerabilities: SQL Injection, Code Execution, etc.
Attack Vectors for Client-Side Vulnerabilities
(diagram: the App on the Client and the Back-end; the three vectors follow)
(1) Taking Over the Backend
(diagram: the Attacker controls the Back-end that the App on the Client talks to)
(2) Man-in-the-Middle (MiTM)
(diagram: the Attacker sits on the network path between the App on the Client and the Back-end)
(3) Malicious Apps
(diagram: the Attacker is another App installed on the same Client device)
Malicious Apps
The Android Threat Model
Apps in Android are sandboxed from each other:
Each app package runs with a different Linux user-id, so by default resources created by one app cannot be accessed by another app.
Apps are constrained: A-Very-Cool-Game cannot just send SMSs. Some constraints can be relaxed at deployment time by using permissions.
These features protect the integrity and confidentiality of the installed apps and of the Android system.
(diagram: sandboxed apps such as Browser, Mail, SMS, Phone, Contacts, Search)
Two Types of Malicious Apps: (1) Attack the System
Abuse system services for the app's own profit, e.g. premium SMSs and MMS, GPS access, system log access.
No vulnerability is required. Suspicious use of permissions!
Source: http://www.threattracksecurity.com/it-blog/russian-language-facebook-android-app-premium-sms-is-out-daily-service-fees-are-in/
Two Types of Malicious Apps: (2) Attack Other Apps
Try to subvert the integrity and/or confidentiality of other applications. Target applications must be vulnerable. No suspicious use of permissions!
Inter-Process Communication in Android
Apps want to be able to talk to each other, for feature reuse.
This is achieved by inter-process mechanisms controlled by special objects called Intents.
Intents carry both the destination information and the payload data.
When an application component is willing to receive Intents from external apps, it becomes exported and opens a hole in the Android sandbox!
(diagram: Browser, Google Play Store, Phone exchanging Intents)
A Typical Attack by a Malicious App
For a vulnerable app to be exploited, it must accept external Intents, i.e. open the IPC channel in its manifest file.
The malicious app initiates a malicious Intent targeting the vulnerable app.
The Intent's payload is specific to the vulnerability found in the app, e.g. an SQL Injection payload.
(diagram: the Malicious App sends a Malicious Intent to the Vulnerable App)
The Mobile Analyzer
The Mobile Analyzer: Modus Operandi
(1) Explore. Discover the elements of the application that should be tested.
In classic web: this is done by crawling.
Mobile Analyzer: we analyze the Android manifest file and dynamically learn the Intent parameters.
(2) Attack. Trigger the vulnerabilities.
In classic web: done by sending HTTP requests with malicious data.
Mobile Analyzer: we send Intents with malicious payloads using our security knowledge.
(3) Validate.
In classic web: done by looking at the HTTP responses (black-box / DAST) or by placing hooks on the target app (glass-box / IAST).
Mobile Analyzer: we mainly do it by placing hooks on the target mobile app (IAST).
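The Explore step starts from the manifest: which components can another app reach with an Intent? The script below is an added example written for this transcript, not the Mobile Analyzer's code, and it applies Android's pre-Android-12 export defaults (an explicit android:exported wins; an activity, service or receiver with an intent-filter is exported by default; a provider is exported by default only when targetSdkVersion is below 17) to a constructed manifest. The package name, component names and permission string are invented for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.donothing">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="19"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".WebViewActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="donothing"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.donothing.permission.SYNC"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.donothing.notes"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute; None when the element or attribute is absent."""
    if elem is None:
        return None
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def target_sdk_version(root):
    """targetSdkVersion, falling back to minSdkVersion and then to 1 as Android does."""
    uses_sdk = root.find("uses-sdk")
    value = _attr(uses_sdk, "targetSdkVersion") or _attr(uses_sdk, "minSdkVersion")
    return int(value) if value else 1


def debuggable(manifest_xml):
    """True when the application is built with android:debuggable="true"."""
    root = ET.fromstring(manifest_xml)
    return (_attr(root.find("application"), "debuggable") or "false").lower() == "true"


def exported_components(manifest_xml):
    """Return one dict per component that other apps can target with an Intent."""
    root = ET.fromstring(manifest_xml)
    target_sdk = target_sdk_version(root)
    results = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        explicit = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if explicit is not None:
            exported = explicit.lower() == "true"
            reason = "android:exported=%s" % explicit
        elif comp.tag == "provider":
            exported = target_sdk < 17
            reason = "provider default for targetSdkVersion=%d" % target_sdk
        else:
            exported = has_filter
            reason = "has intent-filter" if has_filter else "no intent-filter"
        if not exported:
            continue
        results.append({
            "type": comp.tag,
            "name": _attr(comp, "name"),
            "reason": reason,
            # A permission on the component raises the bar for a malicious caller.
            "permission": _attr(comp, "permission"),
            "actions": [_attr(a, "name") for a in comp.iter("action")],
        })
    return results


if __name__ == "__main__":
    print("debuggable:", debuggable(SAMPLE_MANIFEST))
    for c in exported_components(SAMPLE_MANIFEST):
        guard = c["permission"] or "NO PERMISSION"
        print("%-8s %-18s %-40s guarded by %s" % (c["type"], c["name"], c["reason"], guard))
```

Unguarded exported components are the Attack step's targets; the actions listed for each tell the analyzer which Intents the component expects, and the extras it reads have to be learned dynamically, as the slide says.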
The Mobile Analyzer: In Front of the Scenes
(diagram: our client uploads an APK and receives a security report)
It Detects Many Issue Types!
Debug Flag enablement
Insecure Pending Intent
Memory Corruptions
Client-side SQL Injection
UI Spoofing
Client-side Denial-of-Service
Cross-Application Scripting (XAS)
Android Fragment Injection
Insecure File Rights
Insecure Class Loading
Activity & Service Hijacking
Cross-Site Scripting via Man-in-the-Middle
Weak Random Number Generators
Demo
Structure of the DoNothing App
(diagram: an Intent(data) reaches an exported activity; the data flows on to the Log (native code) and to a SQLite DB)
The Developer's Mistake
(diagram: the same flow, highlighting that the attacker-controlled Intent data reaches the Log (native code) and the SQLite DB)
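To make the developer's mistake concrete, here is an added Python example (the DoNothing app's source is not in the transcript; this is not it) that models the Intent-to-SQLite path with the sqlite3 module: a lookup that concatenates the Intent extra into the SQL text beside a parameterized one, both driven by a constructed malicious Intent whose extra carries a UNION-based payload. The table names, the component name and the token value are invented.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the app's SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE credentials (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO notes (title, body) VALUES ('shopping', 'milk, eggs');
        INSERT INTO credentials (token) VALUES ('session-token-CONSTRUCTED');
    """)
    return conn


def lookup_vulnerable(conn, title):
    """The developer's mistake: the Intent extra becomes part of the SQL text
    (the Android equivalent is db.rawQuery("... WHERE title = '" + title + "'", null))."""
    sql = "SELECT title, body FROM notes WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, title):
    """Bind the value as a parameter so it can never change the statement's structure."""
    return conn.execute("SELECT title, body FROM notes WHERE title = ?", (title,)).fetchall()


# Constructed malicious Intent: the attacker controls only the extra's value.
# Stacked statements are not an option here (sqlite3.execute, like Android's
# execSQL/rawQuery, runs a single statement), so the payload extends the SELECT
# with a UNION that pulls rows out of an unrelated table.
MALICIOUS_INTENT = {
    "component": "com.example.donothing/.NotesActivity",   # hypothetical exported activity
    "extras": {"title": "x' UNION SELECT 'leaked', token FROM credentials -- "},
}


def handle_intent(conn, intent, hardened):
    """What the exported activity does with the Intent it receives."""
    title = intent["extras"].get("title", "")
    return (lookup_fixed if hardened else lookup_vulnerable)(conn, title)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", handle_intent(conn, MALICIOUS_INTENT, hardened=False))
    print("hardened:  ", handle_intent(conn, MALICIOUS_INTENT, hardened=True))
```

The vulnerable path returns the credentials row to the caller, which is exactly the integrity/confidentiality loss the threat-model slides describe, and the malicious app needed no permission at all to get it.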
Case Study: NYTimes Cross-Application Scripting
Cross-Application Scripting (XAS)
The vulnerable app contains an embedded browser (WebView).
Due to bad input validation, the URL of the embedded browser can be controlled by a malicious app with problematic URI schemes, such as 'javascript://' or 'file://':
WebView.loadUrl(url)
Injecting these schemes enables the attacker to execute JS code in the context of the vulnerable app.
This subverts Android's sandboxing, as it allows the attacker to steal information pertaining to the vulnerable app.
(diagram: the Malicious App sends an Intent carrying javascript://… to the Vulnerable App)
The NYTimes Vulnerability
(decompiled; obfuscated names as found in the APK)
protected void onCreate(Bundle bundle) {
    ...
    g.getSettings().setJavaScriptEnabled(true);
    g.getSettings().setCacheMode(2);
    g.getSettings().setSavePassword(false);
    ...
    cookiemanager.removeAllCookie();
    ...
    s = getIntent().getStringExtra("url");   // attacker-controlled extra of an exported activity
    if (TextUtils.isEmpty(s))
        s = h.l().f();
    if (getIntent().getBooleanExtra("hideTitle", false))
        setTitle("");
    g.loadUrl(s);   // loaded without checking the scheme or host
}
* Issue was fixed in August 2013 as per our responsible disclosure
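The hardened counterpart of the onCreate() logic above, as an added Python example (not NYTimes code and not the vendor's actual fix, which the transcript does not show): an allowlist validator for WebView URLs that accepts only http(s) with a host, optionally restricted to a domain and its subdomains, and a resolver that falls back to the app's own default URL whenever the "url" extra fails the check. The host allowlist, the extras dict and the default URL are assumptions made for the example.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_webview_url(url, allowed_hosts=None):
    """True only for http(s) URLs with a host. javascript:, file:, content:,
    intent:, scheme-less and otherwise unparsable strings are all rejected.
    allowed_hosts (assumed, e.g. {"nytimes.com"}) also admits subdomains."""
    if not isinstance(url, str):
        return False
    # Drop ASCII tab/newline and surrounding whitespace before parsing, as
    # lenient URL parsers do, so "java\nscript:" is not judged on a bad split.
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip()
    try:
        parts = urlsplit(cleaned)
        host = parts.hostname          # already lower-cased by urlsplit
    except ValueError:                 # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if allowed_hosts is not None:
        if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
            return False
    return True


def resolve_webview_url(extras, default_url, allowed_hosts=None):
    """Hardened equivalent of the onCreate() flow: use the "url" extra only when
    it passes validation; otherwise load the app's own default (h.l().f() above)."""
    candidate = extras.get("url")
    if candidate and is_safe_webview_url(candidate, allowed_hosts):
        return candidate
    return default_url


if __name__ == "__main__":
    # Constructed Intent extras, including the two schemes the slides abuse.
    for extras in ({}, {"url": "javascript://alert(1)"},
                   {"url": "file://data/malicious/Malicious.html"},
                   {"url": "https://mobile.nytimes.com/section/world"}):
        print(extras, "->", resolve_webview_url(extras, "https://www.nytimes.com/", {"nytimes.com"}))
```

Validating in the app is necessary because the WebView itself will happily execute javascript: and load file: URLs; a scheme allowlist closes the XAS primitive, and the host allowlist additionally stops a malicious app from pointing the signed-in WebView at an arbitrary site.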
Stealing the Session-ID
(diagram, three steps: the Client holds a NYTimes Session-ID for the NYT Back-end; the Attacker steals the Client's Session-ID; the Attacker presents the stolen Session-ID to the NYT Back-end)
Goal & Impact
The attacker would like to leak some sensitive NYTimes files: the session identifier is found under NYTIMES_PREFS.xml.
Impact: user impersonation.
root@android:/data/data/com.nytimes.android/shared_prefs # ls
NYTIMES_BLOGCATS.xml
NYTIMES_ENT.xml
NYTIMES_PREFS.xml
cSPrefs.xml
com.nytimes.android_preferences.xml
ny_times_widget.xml
uptAdsQueue.xml
uptEventsQueue.xml
root@android:/data/data/com.nytimes.android/shared_prefs # cat NYTIMES_PREFS.xml
...
<string name="NYT-S">18CBbkG2ru6usGm4bmrmZvSlDZeHDEfrlQxsnMdUmY896gFXg1szP13uvJJp.6isWKzDs7ugEhp41N4bsEDh836YV.Ynx4rkFI</string>
...
Exploitation: Abusing file:// URI schemes
The javascript:// URI scheme cannot access files. We cause the embedded browser of NYTimes to load a globally readable file via the file:// URI scheme. This file contains JS code that leaks NYTIMES_PREFS.xml.
(diagram: the Malicious app sends Intent: file://data/malicious/Malicious.html to NYTimes; Malicious.html, now running inside the NYTimes WebView, reads file://data/…/nyt/NYTIMES_PREFS.xml via AJAX and obtains the <string name="NYT-S">…</string> session value shown above)
Demo
Questions
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.