
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear


CanSecWest2016

Published in: Internet

  1. Having fun with secure messengers and Android Wear (and Android Auto) Artem Chaykin, Positive Technologies, CanSecWest’16
  2. Who am I? • Russian hacker / Putin’s agent • Mobile application security team lead • SCADA Strangelove Team • RDot.Org team member
  3. Android IPC basics • Private memory for each process • Data is passed through kernel module – Binder • Intent-based
  4. Intents • Intent is an object • App1 can send intents to exported components of App2 [Diagram: Intent: Package name, Component name, Action, Data]
  5. Android IPC basics [Diagram: Binder, App 1, App 2, App N]
  6. Android IPC basics [Diagram: App1, Binder, IActivityManager]
  7. Android IPC basics [Diagram: App1, Binder, IActivityManager, App2]
  8. Example 0x1: MobiDM
  9. Example 0x1: MobiDM
  10. Example 0x1: MobiDM
  11. PendingIntent [Diagram: Intent, Identity, Permissions] • getActivity() • getService() • getBroadcast()
  12. PendingIntent [Diagram: App1]
  13. PendingIntent [Diagram: App1, App2, pIntent]
  14. PendingIntent [Diagram: App1, App2, pIntent]
  15. PendingIntent [Diagram: App1, App2, pIntent]
  16. PendingIntent • AlarmManager • NotificationManager • Identity confirmation
  17. Example 0x2 – PendingIntent hijacking • 3rd party push services • Identity confirmation • Victims:
  18. Example 0x2 – Victim:
  19. Example 0x2 – Victim: • Exploit:
  20. Android Wear & Android Auto • Remote Input class is based on PendingIntent
  21. Android Wear & Android Auto • Remote Input class is based on PendingIntent
  22. Android Wear & Android Auto
  23. Android Wear & Android Auto
  24. Android Wear & Android Auto: Voice reply
  25. Example 0x3: Spam. Victim: • Bug:
  26. Example 0x3: Spam. Victim: • Bug:
  27. Example 0x3: Spam. Victim: • Exploit:
  28. Example 0x3: Spam. Victim: • Result:
  29. Example 0x3: Spam • Victims:
  30. Example 0x3: Intercepting. Victim: • Bug:
  31. Example 0x3: Intercepting. Victim: • Exploit:
  32. Example 0x3: Intercepting • Android Auto victims: • Android Wear victims:
  33. Detecting with Xposed module
  34. Fixes • Signal – emailed Moxie – fixed same day – got “thanks” • Telegram – emailed security@ – partial fix after ~45 days – still no thanks
  35. Microsoft
  36. Microsoft
  37. Fin! Questions?
