Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

CNIT 128 7. Attacking Android Applications (Part 1)

90 vues

Publié le

For a college class: Hacking Mobile Devices at CCSF

Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml

Publié dans : Formation
  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

CNIT 128 7. Attacking Android Applications (Part 1)

  1. 1. CNIT 128 Hacking Mobile Devices 5. Attacking Android Applications Part 1
  2. 2. Topics • Part 1 • Exposing Security Model Quirks • Attacking Application Components 
 (to p. 271) • Part 2 • Attacking Application Components (finishes)
  3. 3. Topics • Part 3 • Accessing Storage and Logging • Misusing Insecure Communications • Exploiting Other Vectors • Additional Testing Techniques
  4. 4. Three Main Components
  5. 5. Application Container • Ways to defeat application sandbox • Gain access to app data • Malicious app on a device • Physical access to device • Other vulnerabilities in the app
  6. 6. Communications • ARP poisoning • Hosting a malicious wireless network • Compromising upstream providers • Intercept and modify traffic
  7. 7. Internet Server • Server may have vulnerabilities • Compromised server exposes all information flowing to and from mobile apps
  8. 8. Exposing Security Model Quirks
  9. 9. Interacting with App Components
  10. 10. targetSdkVersion • Determines default publishing of components • Other values: compileSdkVersion and minSdkVersion (link Ch 7a)
  11. 11. Android Distribution Dashboard • Link Ch 7b
  12. 12. Explicitly Exported Components • Explicitly 
 exported • Unspecified; will be exported implicitly if targetSdkVersion < 17
  13. 13. Implicitly Exported • Any component using an <intent-filter> is exported by default • Like this activity
  14. 14. Finding Exported Components • Examine Manifest • Drozer's attacksurface module shows exported components
  15. 15. app.<component>.info • Broadcast receivers exposed by the Android browser
  16. 16. Intent Filters • -i switch
  17. 17. Supreme User Contexts • root and system users can interact with application components • Even when they are not exported • Components that are not exported in the manifest are private • Limited to internal use by the app • Only attackers with root privileges can attack them
  18. 18. Permission Protection Levels • Best protection is a custom permission with protection level signature • Only apps with the same signature can have that permission
  19. 19. Protection Level Downgrade Attack • The first app that sets a permission's protection level wins • Later apps can't change it • A malicious app that defines a permission first can downgrade its permission level, for example to normal • Fixed in Android 5.0 • Links Ch 7e, 7f
  20. 20. Attacking Application Components (to p. 271)
  21. 21. Intents • Intent is a data object that defines a task to be performed • To start an activity, call startActivity(Intent) • sendBroadcast(Intent) sends to a broadcast receiver • startService(Intent) sends to a service • Intent is generic, does not specify tye type of component receiving it
  22. 22. Example • Link Ch 7g
  23. 23. Explicit Intents • State the component that must receive it • Using setComponent() or setClass() • Bypasses the intent resolution process in the OS • Directly delivers the intent to the specified component
  24. 24. Implicit Intent • Does not specify the component to be used • Relies on the OS to determine the best candidate to deliver it to • Ex: "Play this MP3" • Using whatever player is available • A box may pop up asking the user which app to use
  25. 25. Example • This intent tells the Android system to display a webpage • All installed Web browsers should be registered to via an intent filter
  26. 26. Intent Filters • Defined by installed apps • Filters can match • Action • Data • Category • Action is mandatory
  27. 27. Example Intent Filters
  28. 28. Example Intent Filters
  29. 29. am: Activity Manager • Part of Android • Lets you send intents to app components • Link Ch 7h
  30. 30. • Sieve: vulnerable password manager
  31. 31. Attack Surface
  32. 32. Activity Info • No Permissions on them: they are unprotected • Any app or user can launch them
  33. 33. PIN Bypass • Reveals usernames
  34. 34. Auditing Content Providers • Only /Keys requires permissions
  35. 35. Finding URIs • /Passwords requires no permissions
  36. 36. Password Exposure • It's not in plaintext yet
  37. 37. SQL Injection • SQL error indicates vulnerability • Enumerate table names
  38. 38. Reveal Plaintext Password
  39. 39. Real-World Examples
  40. 40. Lock Screen Bypass • adb shell am start -n com.android.settings/ com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task •
  41. 41. Tapjacking • Malicious app overlays a false UI on top of buttons • So taps activate something unexpected • Using toasts --small graphic elements
  42. 42. Recently-Used App Screenshots • May contain sensitive info • Stored in RAM • Only available to privileged users
  43. 43. Fragment Injection • On Android 4.3 and earlier • Using a "fragment", could change PIN without knowing old PIN
  44. 44. Opens this screen directly

×