About This Presentation
Title:

Bypassing the Android Permission Model

Description:

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Demo Explained When it is called it sends an SMS Caller can set the number ... – PowerPoint PPT presentation

Slides: 41
Provided by: isacadenv5

Transcript and Presenter's Notes

Title: Bypassing the Android Permission Model


1
  • Bypassing the Android Permission Model
  • Georgia Weidman
  • Founder and CEO, Bulb Security LLC

2
  • Is the permission model working? Are users making good decisions?

3
Most Popular Android App
4
Demo
  • App abusing permissions

5
Demo explained
  • Permissions
  • Read IMEI
  • Read Contacts
  • Send SMS
  • We exploited every one of these

6
Rooting Android
7
Rooting Android for Evil (DroidDream)
8
DroidDream Permissions
  • INTERNET
  • READ_PHONE_STATE
  • CHANGE_WIFI_STATE
  • ACCESS_WIFI_STATE

9
DroidDream
10
DroidDream
11
DroidDream Rooting
  • Exploid
  • CVE-2010-Easy (RageAgainstTheCage)

12
Rooting Android
13
DroidDream Root Payload
  • Permission model no longer applies
  • Installed packages
  • All personal data
  • Send to CC (command-and-control server)

14
Rooting Android for Evil (DroidDream)
15
Rooting Android
16
Mitigation
  • Users update their phones
  • That means they need the updates pushed out
  • That means you, third-party platforms!!

17
(No Transcript)
18
(No Transcript)
19
Android Storage
  • Sdcard
    • VFAT
  • With apps
    • Only visible to app (default)
    • World readable

20
Demo
  • Exploiting bad storage practices

21
Demo Explained
  • Stores sensitive data on the sdcard
  • Sdcard is VFAT
  • Everything is world readable

22
Demo Explained
  • Discovers how the data is stored
  • Accesses it
  • Sends it to an attacker

23
Code Examples
  • Vulnerable Code
  • Malicious Code

24
BadSaveFile
25
BadSendFile
26
Wait? How do we get source code?
  • Winzip/7zip etc.
  • dex2jar
  • jd-gui
  • Whitepaper with more info: http://cdn01.exploit-db.com/wp-content/themes/exploit/docs/17717.pdf

27
(No Transcript)
28
(No Transcript)
29
(No Transcript)
30
Nonsensical Code
  • while (true)
  • if (i < 0)
  • String str
  • while (true)
  • return
  • try

31
Mitigation
  • Store information securely
  • Not on sdcard
  • Not in source code
  • Not world readable

32
Android Interfaces
  • Call other programs
  • Don't reinvent the wheel
  • Take a picture
  • Twitter from photo app

33
Demo
  • Exploiting an open interface with SMS functionality

34
Demo Explained
  • When it is called it sends an SMS
  • Caller can set the number and message
  • Sadly this is considered useful!

35
Demo Explained
  • Calls the SMSBroadcastr
  • Sends number and message
  • Sends an SMS

36
Code Examples
  • Vulnerable Code
  • Malicious Code

37
SMSBroadcastr
38
SMSIntent
39
Mitigations
  • Don't have dangerous functionality available in interfaces
  • Require user interaction (click ok)
  • Require-permission tag in manifest for interface

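The three mitigations on this slide applied to a receiver like the SMSBroadcastr demo, as an added example that is not the presentation's code; class, action and extra names are assumed:

```java
// Added example, not the presentation's SMSBroadcastr/SMSIntent code.
// Class, action and extra names are assumed for illustration.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.telephony.SmsManager;

// --- SmsReceiver.java: the weak pattern the demo describes -------------------
// Exported receiver with no permission: any app on the device can broadcast
// the action and this app sends an SMS to a caller-chosen number with a
// caller-chosen body, using its own SEND_SMS permission, with no prompt.
public class SmsReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        String number = intent.getStringExtra("number");   // assumed extra name
        String message = intent.getStringExtra("message"); // assumed extra name
        SmsManager.getDefault().sendTextMessage(number, null, message, null, null);
    }
}

// --- SafeSmsReceiver.java: the three mitigations from the slide --------------
// 1. Manifest: the sender must itself hold SEND_SMS, so a caller cannot borrow
//    this app's permission (the user sees SEND_SMS on the caller at install):
//      <receiver android:name=".SafeSmsReceiver" android:exported="true"
//                android:permission="android.permission.SEND_SMS">
//        <intent-filter>
//          <action android:name="com.example.action.SEND_SMS" />
//        </intent-filter>
//      </receiver>
//    (or android:exported="false" if only this app needs the interface).
// 2. Input from the caller is validated rather than trusted.
// 3. Nothing is sent silently: the request goes to the user's messaging app,
//    which shows number and text and waits for the user to press Send.
public class SafeSmsReceiver extends BroadcastReceiver {
    private static final String PHONE_NUMBER = "\\+?[0-9]{3,15}"; // digits, optional leading +
    @Override
    public void onReceive(Context context, Intent intent) {
        String number = intent.getStringExtra("number");
        String message = intent.getStringExtra("message");
        if (number == null || message == null || !number.matches(PHONE_NUMBER)) {
            return; // reject malformed requests instead of sending anything
        }
        Intent compose = new Intent(Intent.ACTION_SENDTO, Uri.parse("smsto:" + number));
        compose.putExtra("sms_body", message); // honoured by common messaging apps
        compose.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); // required when starting from a receiver
        context.startActivity(compose);
    }
}
```

The manifest attribute does not make the interface safe by itself; a caller that already holds SEND_SMS can still reach it, which is why the hardened receiver also puts a human between the request and the outgoing message.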
40
Contact
  • Georgia Weidman
  • georgiaweidman.com / bulbsecurity.com
  • georgia@bulbsecurity.com
  • @georgiaweidman