SlideShare une entreprise Scribd logo
1  sur  37
Télécharger pour lire hors ligne
CNIT 128


Hacking Mobile Devices
8. Identifying and Exploiting 

Android Implementation Issues

Part 2 Updated 3-11-2020
Topics
• Part 1


• Reviewing Pre-installed Applications


• Exploiting Devices


• Start through "Explanation of Privilege
Levels" (up to p. 402)
Topics
• Part 2


• Exploiting Devices


• "Practical Physical Attacks" (p. 375)
through


• "Polaris Viewer Memory Corruption" (up to
p. 402)
Topics
• Part 3


• Exploiting Devices


• "Injecting Exploits for JavaScript
Interfaces" (p. 402) and following


• Infiltrating User Data
Practical Physical Attacks
Bypassing Lock Screen
• Getting ADB Shell
Access: Two Ways


• USB Debugging


• Unlocked
Bootloaders
USB Debugging
• adb shell


• Usually turned off by
default


• Exposes data and
can be used to install
new packages


• User must approve it


• Not possible if
screen is locked
Bug
• In Android 4.2.2 up to 4.4.2


• Navigating to emergency dialer or lock screen
camera


• Shows the USB debugging authorization
prompt


• With the screen locked
Privilege Levels
• /default.prop file controls ADB privileges


• By default: ro.secure=1


• Adb runs as the shell user


• If ro.secure=0


• adbd runs as root
ALLOW_ADBD_ROOT
• From Android 4.3 onwards


• ADB won't run as root unless it's compiled with
the ALLOW_ADBD_ROOT flag


• Even if ro.secure=0


• To get root, compile a custom version of adbd
and overwrite the binary on the device
Unlocked Bootloaders
• First boot phone into Fastboot mode


• Hold down power and volume keys while
turning on the phone


• or adb reboot bootloader


• Then flash or boot a custom image


• Not possible with Genymotion, Nox, or
Bluestacks


• They have no recovery partition
Unlock Bootloader
• Forces factory
reset


• Wipes all user
data


• To stop thieves
Unlocked Bootloader
• If user unlocked the bootloader and left it
unlocked


• Boot into ClockworkMod Recovery ROM
(not updated since 2014)


• Get a root ADB shell
Bypassing Lock Screens
• Using the DISABLE_KEYGUARD Permission


• Allows an app to remove the lock screen


• App code:


KeyguardManager kgm =
((KeyguardManager)getSystemService("keyguard"));
 

KeyGuardManager.KeyguardLock kgl =
kgm.newKeyguardLock("mahh");
 

kgl.disableKeyguard(); Even though the
KeyguardManager.KeyguardLock
Custom Drozer Agent
drozer agent build --permission
android.permission.DISABLE_KEYGUAR
D

• Install agent with adb, launch it, and bypass
screen lock


• Works on Nox (Android 5.1.1)


• Fails on Genymotion (Android 9.0)
Removing Key Files
• Pattern lock screen uses data from


• /data/system/gesture.key


• PIN or password lock uses data from


• /data/system/password.key


• Removing these files disables lock screen
entirely
Removing Key Files
• But that requires running as system or root


• Privilege escalation
Abusing Android
Application Issues
• On Android 4.3 and earlier, this intent unlocks
the phone from an adb shell in any context:


shell@android:/ $ am start -n 

com.android.settings/
com.android.settings.ChooseLockGeneric 

--ez confirm_credentials false 

--ei lockscreen.password_type 0 --activity-clear-task
 

Starting: Intent { flg=0x8000
cmp=com.android.settings/.ChooseLockGeneric (has
extras)
}
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)
Using Logic Flaws that
Don't Require Shell Access
• Some actions are allowed when a phone is
locked


• Make emergency phone calls


• Receive phone calls


• Allow third-party apps to temporarily disable
the lock screen


• Or place an activity in front of it
Motorola Droid
• Phone the locked device


• Answer the call


• Press Back button


• Escape the lock screen
Viber
• Messaging and calling app


• Place a Viber call


• Answer it


• Press the back button multiple times


• Escape the lock screen
Using Legitimate Lock
Screen Reset Functionality
• You can bypass a
lock screen if you
have the use's
Google credentials


• Entering the PIN
five times incorrectly


• Connects to a linked
Google account


• But only for Android
4 and earlier
Android Device Manager
• Allows lock
screen to be
bypassed from a
Google account


• Not active by
default--user
must enable it


• And it erases all
your data (link
Ch 8b)
Practical Remote Attacks
Remote Exploits
• Launched over the Internet


• Three modes of exploitation:


• Loading a drozer JAR that loads a limited
agent


• Installing and starting a rogue drozer agent
by abusing INSTALL_PACKAGES


• Loading a drozer JAR that is passed
Context
Browser Memory
Corruption
• The most technical method


• Reverse shells via buffer overflow, etc.


• Becoming rarer as the browser becomes more
secure
Polaris Viewer


Memory Corruption
• Office and PDF file viewer


• Pre-installed on some devices


• Exploited in 2012 with a crafted DOCX file


• Using a stack-based buffer overflow


• App also had INSTALL_PACKAGES
permission
Android Browser JavaScript
Interface
• All WebViews using JavaScriptInterface


• And targeting API before 17


• Are vulnerable to code execution flaws


• Includes all stock Android browsers on Android
4.1.1 and below


• Can get Context and use full permissions of
browser
Use Metasploit
• Link Ch 8c
CNIT 128 8. Android Implementation Issues (Part 2)
Privilege Escalation
• Exynos driver exploit on some devices


• Drozer has a exploit.mmap_abuse module


• Tries to get root by abusing the map device
operation


• Similar to the exynos exploit


• Dangerous: may cause a kernel panic and
reboot the device
Maintaining Access
• Must install a special su binary bundled with
Drozer, called "minimal su"


• Allows every app to escalate to root


• Without alerting the user
Man-in-the-Middle Exploits
• Getting in the middie


• Host a wireless network


• ARP Poisoning


• Use Burp
Man-in-the-Middle Exploits
• Intercepting SSL requires the ability to get a
root CA certificate


• Only nation-states or very rich attackers


• But many apps ignore this defense and allow
MITM attacks anyway
CNIT 128 8. Android Implementation Issues (Part 2)

Contenu connexe

Tendances

CNIT 128: 7. Attacking Android Applications (Part 1 of 3)
CNIT 128: 7. Attacking Android Applications (Part 1 of 3)CNIT 128: 7. Attacking Android Applications (Part 1 of 3)
CNIT 128: 7. Attacking Android Applications (Part 1 of 3)Sam Bowne
 
CNIT 128 7. Attacking Android Applications (Part 1)
CNIT 128 7. Attacking Android Applications (Part 1)CNIT 128 7. Attacking Android Applications (Part 1)
CNIT 128 7. Attacking Android Applications (Part 1)Sam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)Sam Bowne
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)Sam Bowne
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsSam Bowne
 
Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingTom Keetch
 
CNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgCNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgSam Bowne
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration TestingOWASP
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3Sam Bowne
 
CNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware BehaviorCNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware BehaviorSam Bowne
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...Vincent Giersch
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCanSecWest
 

Tendances (20)

CNIT 128: 7. Attacking Android Applications (Part 1 of 3)
CNIT 128: 7. Attacking Android Applications (Part 1 of 3)CNIT 128: 7. Attacking Android Applications (Part 1 of 3)
CNIT 128: 7. Attacking Android Applications (Part 1 of 3)
 
CNIT 128 7. Attacking Android Applications (Part 1)
CNIT 128 7. Attacking Android Applications (Part 1)CNIT 128 7. Attacking Android Applications (Part 1)
CNIT 128 7. Attacking Android Applications (Part 1)
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)
 
CNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android ApplicationsCNIT 128 9. Writing Secure Android Applications
CNIT 128 9. Writing Secure Android Applications
 
Hack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical SandboxingHack In Paris 2011 - Practical Sandboxing
Hack In Paris 2011 - Practical Sandboxing
 
CNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbgCNIT 126 Ch 9: OllyDbg
CNIT 126 Ch 9: OllyDbg
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
 
CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3CNIT 126: Ch 2 & 3
CNIT 126: Ch 2 & 3
 
CNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware BehaviorCNIT 126 Ch 11: Malware Behavior
CNIT 126 Ch 11: Malware Behavior
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware Behavior
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End Components
 
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
UKC - Feb 2013 - Analyzing the security of Windows 7 and Linux for cloud comp...
 
CSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on androidCSW2017 Geshev+Miller logic bug hunting in chrome on android
CSW2017 Geshev+Miller logic bug hunting in chrome on android
 

Similaire à CNIT 128 8. Android Implementation Issues (Part 2)

CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)Sam Bowne
 
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)Sam Bowne
 
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)Sam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 3)
CNIT 128 6. Analyzing Android Applications (Part 3)CNIT 128 6. Analyzing Android Applications (Part 3)
CNIT 128 6. Analyzing Android Applications (Part 3)Sam Bowne
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Mohammed Adam
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)Sam Bowne
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android ApplicationsSam Bowne
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesLumension
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSEC-Council
 
Whats different in android L, M, N and O
Whats different in android L, M, N and OWhats different in android L, M, N and O
Whats different in android L, M, N and OPietro F. Maggi
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsJerod Brennen
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidSam Bowne
 
Android Security, From the Ground Up
Android Security, From the Ground UpAndroid Security, From the Ground Up
Android Security, From the Ground UpOpersys inc.
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration TestingSurabaya Blackhat
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012 hakersinfo
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS ConsolidatedKarter Rohrer
 

Similaire à CNIT 128 8. Android Implementation Issues (Part 2) (20)

CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 3)
 
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
 
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
CNIT 128 8. Identifying and Exploiting Android Implementation Issues (Part 1)
 
CNIT 128 6. Analyzing Android Applications (Part 3)
CNIT 128 6. Analyzing Android Applications (Part 3)CNIT 128 6. Analyzing Android Applications (Part 3)
CNIT 128 6. Analyzing Android Applications (Part 3)
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
Java Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant VulnerabilitiesJava Insecurity: How to Deal with the Constant Vulnerabilities
Java Insecurity: How to Deal with the Constant Vulnerabilities
 
Hacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OSHacker Halted 2014 - Reverse Engineering the Android OS
Hacker Halted 2014 - Reverse Engineering the Android OS
 
Whats different in android L, M, N and O
Whats different in android L, M, N and OWhats different in android L, M, N and O
Whats different in android L, M, N and O
 
Mobile security
Mobile securityMobile security
Mobile security
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
 
Attacking and Defending Mobile Applications
Attacking and Defending Mobile ApplicationsAttacking and Defending Mobile Applications
Attacking and Defending Mobile Applications
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
 
128-ch4.pptx
128-ch4.pptx128-ch4.pptx
128-ch4.pptx
 
Android Security, From the Ground Up
Android Security, From the Ground UpAndroid Security, From the Ground Up
Android Security, From the Ground Up
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
 
Forensics WS Consolidated
Forensics WS ConsolidatedForensics WS Consolidated
Forensics WS Consolidated
 

Plus de Sam Bowne

3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-HellmanSam Bowne
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1Sam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard ProblemsSam Bowne
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis MethodologySam Bowne
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated EncryptionSam Bowne
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)Sam Bowne
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)Sam Bowne
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream CiphersSam Bowne
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data CollectionSam Bowne
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers Sam Bowne
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)Sam Bowne
 

Plus de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 
4. Block Ciphers
4. Block Ciphers 4. Block Ciphers
4. Block Ciphers
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)
 

Dernier

CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...Nguyen Thanh Tu Collection
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?TechSoup
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...CaraSkikne1
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfTechSoup
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphNetziValdelomar1
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.EnglishCEIPdeSigeiro
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17Celine George
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...raviapr7
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17Celine George
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesMohammad Hassany
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17Celine George
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptxSandy Millin
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxAditiChauhan701637
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice documentXsasf Sfdfasd
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17Celine George
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationMJDuyan
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptxmary850239
 
Diploma in Nursing Admission Test Question Solution 2023.pdf
Diploma in Nursing Admission Test Question Solution 2023.pdfDiploma in Nursing Admission Test Question Solution 2023.pdf
Diploma in Nursing Admission Test Question Solution 2023.pdfMohonDas
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxraviapr7
 

Dernier (20)

CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
CHUYÊN ĐỀ DẠY THÊM TIẾNG ANH LỚP 11 - GLOBAL SUCCESS - NĂM HỌC 2023-2024 - HK...
 
What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?What is the Future of QuickBooks DeskTop?
What is the Future of QuickBooks DeskTop?
 
5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...5 charts on South Africa as a source country for international student recrui...
5 charts on South Africa as a source country for international student recrui...
 
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdfMaximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
Maximizing Impact_ Nonprofit Website Planning, Budgeting, and Design.pdf
 
Presentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a ParagraphPresentation on the Basics of Writing. Writing a Paragraph
Presentation on the Basics of Writing. Writing a Paragraph
 
Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.Easter in the USA presentation by Chloe.
Easter in the USA presentation by Chloe.
 
How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17How to Add Existing Field in One2Many Tree View in Odoo 17
How to Add Existing Field in One2Many Tree View in Odoo 17
 
Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...Patient Counselling. Definition of patient counseling; steps involved in pati...
Patient Counselling. Definition of patient counseling; steps involved in pati...
 
How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17How to Add a New Field in Existing Kanban View in Odoo 17
How to Add a New Field in Existing Kanban View in Odoo 17
 
Human-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming ClassesHuman-AI Co-Creation of Worked Examples for Programming Classes
Human-AI Co-Creation of Worked Examples for Programming Classes
 
How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17How to Add a many2many Relational Field in Odoo 17
How to Add a many2many Relational Field in Odoo 17
 
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
2024.03.23 What do successful readers do - Sandy Millin for PARK.pptx
 
In - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptxIn - Vivo and In - Vitro Correlation.pptx
In - Vivo and In - Vitro Correlation.pptx
 
The Singapore Teaching Practice document
The Singapore Teaching Practice documentThe Singapore Teaching Practice document
The Singapore Teaching Practice document
 
How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17How to Make a Field read-only in Odoo 17
How to Make a Field read-only in Odoo 17
 
UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024UKCGE Parental Leave Discussion March 2024
UKCGE Parental Leave Discussion March 2024
 
Benefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive EducationBenefits & Challenges of Inclusive Education
Benefits & Challenges of Inclusive Education
 
3.21.24 The Origins of Black Power.pptx
3.21.24  The Origins of Black Power.pptx3.21.24  The Origins of Black Power.pptx
3.21.24 The Origins of Black Power.pptx
 
Diploma in Nursing Admission Test Question Solution 2023.pdf
Diploma in Nursing Admission Test Question Solution 2023.pdfDiploma in Nursing Admission Test Question Solution 2023.pdf
Diploma in Nursing Admission Test Question Solution 2023.pdf
 
Prescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptxPrescribed medication order and communication skills.pptx
Prescribed medication order and communication skills.pptx
 

CNIT 128 8. Android Implementation Issues (Part 2)

  • 1. CNIT 128 Hacking Mobile Devices 8. Identifying and Exploiting 
 Android Implementation Issues Part 2 Updated 3-11-2020
  • 2. Topics • Part 1 • Reviewing Pre-installed Applications • Exploiting Devices • Start through "Explanation of Privilege Levels" (up to p. 402)
  • 3. Topics • Part 2 • Exploiting Devices • "Practical Physical Attacks" (p. 375) through • "Polaris Viewer Memory Corruption" (up to p. 402)
  • 4. Topics • Part 3 • Exploiting Devices • "Injecting Exploits for JavaScript Interfaces" (p. 402) and following • Infiltrating User Data
  • 6. Bypassing Lock Screen • Getting ADB Shell Access: Two Ways • USB Debugging • Unlocked Bootloaders
  • 7. USB Debugging • adb shell • Usually turned off by default • Exposes data and can be used to install new packages • User must approve it • Not possible if screen is locked
  • 8. Bug • In Android 4.2.2 up to 4.4.2 • Navigating to emergency dialer or lock screen camera • Shows the USB debugging authorization prompt • With the screen locked
  • 9. Privilege Levels • /default.prop file controls ADB privileges • By default: ro.secure=1 • Adb runs as the shell user • If ro.secure=0 • adbd runs as root
  • 10. ALLOW_ADBD_ROOT • From Android 4.3 onwards • ADB won't run as root unless it's compiled with the ALLOW_ADBD_ROOT flag • Even if ro.secure=0 • To get root, compile a custom version of adbd and overwrite the binary on the device
  • 11. Unlocked Bootloaders • First boot phone into Fastboot mode • Hold down power and volume keys while turning on the phone • or adb reboot bootloader • Then flash or boot a custom image • Not possible with Genymotion, Nox, or Bluestacks • They have no recovery partition
  • 12. Unlock Bootloader • Forces factory reset • Wipes all user data • To stop thieves
  • 13. Unlocked Bootloader • If user unlocked the bootloader and left it unlocked • Boot into ClockworkMod Recovery ROM (not updated since 2014) • Get a root ADB shell
  • 14. Bypassing Lock Screens • Using the DISABLE_KEYGUARD Permission • Allows an app to remove the lock screen • App code: KeyguardManager kgm = ((KeyguardManager)getSystemService("keyguard")); KeyGuardManager.KeyguardLock kgl = kgm.newKeyguardLock("mahh"); kgl.disableKeyguard(); Even though the KeyguardManager.KeyguardLock
  • 15. Custom Drozer Agent drozer agent build --permission android.permission.DISABLE_KEYGUAR D • Install agent with adb, launch it, and bypass screen lock • Works on Nox (Android 5.1.1) • Fails on Genymotion (Android 9.0)
  • 16. Removing Key Files • Pattern lock screen uses data from • /data/system/gesture.key • PIN or password lock uses data from • /data/system/password.key • Removing these files disables lock screen entirely
  • 17. Removing Key Files • But that requires running as system or root • Privilege escalation
  • 18. Abusing Android Application Issues • On Android 4.3 and earlier, this intent unlocks the phone from an adb shell in any context: shell@android:/ $ am start -n 
 com.android.settings/ com.android.settings.ChooseLockGeneric 
 --ez confirm_credentials false 
 --ei lockscreen.password_type 0 --activity-clear-task Starting: Intent { flg=0x8000 cmp=com.android.settings/.ChooseLockGeneric (has extras) }
  • 21. Using Logic Flaws that Don't Require Shell Access • Some actions are allowed when a phone is locked • Make emergency phone calls • Receive phone calls • Allow third-party apps to temporarily disable the lock screen • Or place an activity in front of it
  • 22. Motorola Droid • Phone the locked device • Answer the call • Press Back button • Escape the lock screen
  • 23. Viber • Messaging and calling app • Place a Viber call • Answer it • Press the back button multiple times • Escape the lock screen
  • 24. Using Legitimate Lock Screen Reset Functionality • You can bypass a lock screen if you have the use's Google credentials • Entering the PIN five times incorrectly • Connects to a linked Google account • But only for Android 4 and earlier
  • 25. Android Device Manager • Allows lock screen to be bypassed from a Google account • Not active by default--user must enable it • And it erases all your data (link Ch 8b)
  • 27. Remote Exploits • Launched over the Internet • Three modes of exploitation: • Loading a drozer JAR that loads a limited agent • Installing and starting a rogue drozer agent by abusing INSTALL_PACKAGES • Loading a drozer JAR that is passed Context
  • 28. Browser Memory Corruption • The most technical method • Reverse shells via buffer overflow, etc. • Becoming rarer as the browser becomes more secure
  • 29. Polaris Viewer Memory Corruption • Office and PDF file viewer • Pre-installed on some devices • Exploited in 2012 with a crafted DOCX file • Using a stack-based buffer overflow • App also had INSTALL_PACKAGES permission
  • 30. Android Browser JavaScript Interface • All WebViews using JavaScriptInterface • And targeting API before 17 • Are vulnerable to code execution flaws • Includes all stock Android browsers on Android 4.1.1 and below • Can get Context and use full permissions of browser
  • 33. Privilege Escalation • Exynos driver exploit on some devices • Drozer has a exploit.mmap_abuse module • Tries to get root by abusing the map device operation • Similar to the exynos exploit • Dangerous: may cause a kernel panic and reboot the device
  • 34. Maintaining Access • Must install a special su binary bundled with Drozer, called "minimal su" • Allows every app to escalate to root • Without alerting the user
  • 35. Man-in-the-Middle Exploits • Getting in the middie • Host a wireless network • ARP Poisoning • Use Burp
  • 36. Man-in-the-Middle Exploits • Intercepting SSL requires the ability to get a root CA certificate • Only nation-states or very rich attackers • But many apps ignore this defense and allow MITM attacks anyway