Bypassing the Android Permission Model - PowerPoint PPT Presentation

1 / 40
About This Presentation
Title:

Bypassing the Android Permission Model

Description:

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Demo Explained When it is called it sends an SMS Caller can set the number ... – PowerPoint PPT presentation

Number of Views:209
Avg rating:3.0/5.0
Slides: 41
Provided by: isacadenv5
Category:

less

Transcript and Presenter's Notes

Title: Bypassing the Android Permission Model


1
  • Bypassing the Android Permission Model
  • Georgia Weidman
  • Founder and CEO, Bulb Security LLC

2
  • Is the permission model working? Are users making
    good decisions?

3
Most Popular Android App
4
Demo
  • App abusing permissions

5
Demo explained
  • Permissions
  • Read IMEI
  • Read Contacts
  • Send SMS
  • We exploited every one of these

6
Rooting Android
7
Rooting Android for Evil(DroidDream)
8
DroidDream Permissions
  • INTERNET
  • READ_PHONE_STATE
  • CHANGE_WIFI_STATE
  • ACCESS_WIFI_STATE

9
DroidDream
10
DroidDream
11
DroidDream Rooting
  • Exploid
  • CVE-2010-Easy (RageAgainsttheCage)

12
Rooting Android
13
DroidDream Root Payload
  • Permission model no longer applies
  • installed packages
  • All personal data
  • Send to CC

14
Rooting Android for Evil(DroidDream)
15
Rooting Android
16
Mitigation
  • Users update their phones
  • That means they need the updates pushed out
  • That means you third party platforms!!

17
(No Transcript)
18
(No Transcript)
19
Android Storage
  • Sdcard
  • VFAT
  • With apps
  • Only visible to app (default)
  • World readable

20
Demo
  • Exploiting bad storage practices

21
Demo Explained
  • Stores sensitive data on the sdcard
  • Sdcard is VFAT
  • Everything is world readable

22
Demo Explained
  • Discovers how the data is stored
  • Accesses it
  • Sends it to an attacker

23
Code Examples
  • Vulnerable Code
  • Malicious Code

24
BadSaveFile
25
BadSendFile
26
Wait? How do we get source code?
  • Winzip/7zip etc.
  • dex2jar
  • jd-gui
  • Whitepaper with more info http//cdn01.exploit-db
    .com/wp-content/themes/exploit/docs/17717.pdf

27
(No Transcript)
28
(No Transcript)
29
(No Transcript)
30
Nonsensical Code
  • while (true)
  • if (i lt 0)
  • String str
  • while (true)
  • return
  • try

31
Mitigation
  • Store information securely
  • Not on sdcard
  • Not in source code
  • Not world readable

32
Android Interfaces
  • Call other programs
  • Don't reinvent the wheel
  • Take a picture
  • Twitter from photo app

33
Demo
  • Exploiting open interface with SMS functionality

34
Demo Explained
  • When it is called it sends an SMS
  • Caller can set the number and message
  • Sadly this is considered useful!

35
Demo Explained
  • Calls the SMSBroadcastr
  • Sends number and message
  • Sends an SMS

36
Code Examples
  • Vulnerable Code
  • Malicious Code

37
SMSBroadcastr
38
SMSIntent
39
Mitigations
  • Don't have dangerous functionality available in
    interfaces
  • Require user interaction (click ok)
  • Require-permission tag in manifest for interface

40
Contact
  • Georgia Weidman
  • georgiaweidman.com bulbsecurity.com
  • georgia_at_bulbsecurity.com
  • _at_georgiaweidman
Write a Comment
User Comments (0)
About PowerShow.com