DEFCON 19: This is REALLY not the droid you're looking for.

So the talk that you're in is "This is REALLY not the droid you're looking for," and I want to thank everybody for coming here during the dinner hour. I'm Nick and this is my co-presenter Sean, and we're going to walk you through a fun journey today. I'm personally really excited about this talk, and I know Sean is as well, so I'm going to jump in. A brief agenda to tell you what journey we're going to take you on this evening: I'm going to go through some introductions and talk about a little bit of primer history. I personally feel it's really important, because very often presentations jump into deep technical concepts from the get-go; we're going to build everybody up to the same level before we dive into the technical pieces. Then we really want to talk about some research motivations; before that we'll talk about some mobile user interface dos and don'ts, and some implications. We'll do a live demo, then Sean's going to jump into a deep dive on how our demo works. We're doing it a little differently in this talk: we're actually going to show you the demo first, before we do the deep dive, and you'll see why. Then we'll do a second demo, which will be a lot of fun as well, and we'll conclude.

So, introductions. I'm Nick Percoco, I'm the head of the SpiderLabs team at Trustwave. I started my InfoSec career in the mid to late 90s, and I really just started out as a pen tester. This is my fifth DEF CON talk, except I have one more this weekend with Paul Kehrer, who's sitting in the aisles over there; tomorrow I'm doing a mobile SSL talk called Getting SSLizzard. I'm also the primary author of the Trustwave Global Security Report. And here's Sean. I'm just a back-end developer for the SpiderLabs team, so this is the first time I've done anything like this; I'm not quite as experienced, but I hope you enjoy it anyway.

So what is this talk all about? This is part two of a talk that I was part of last year. Did anybody see that talk last year? OK, so a handful of folks. That one focused on a kernel-level rootkit. The whole idea was: what are the implications of a rootkit getting on a mobile device? We explored that and really raised awareness about the risk and implications of rootkits on mobile devices and what they're capable of, but we didn't touch on anything in userland at all. After the talk last year I was thinking I really would like to do another Android talk, and what are some things we can do? We'll talk a bit about how we actually came to start doing this research, but basically this year we focused 100% on userland; we just want to focus on the user interface. The whole idea is what tricks we can play using available APIs, nothing out of the ordinary, all APIs that are available in the Android SDK. Really, what did Google allow developers to do, and what bad things can we do with those APIs? In the process we discovered basically a layer 7 0-day, and we're going to talk about what that is.

Just to jump into the primer, we're not going to spend a lot of time here. I'm sure everybody knows what the Android OS is. How many people here have Android devices? OK, that's going to be fun, so basically everybody knows; almost the majority of you raised your hands. So I won't spend a lot of time here, but it's a software stack developed for mobile devices, the kernel is Linux, and that's basically all we need to talk about here. How has it evolved? Well, they release a new OS version a little more than once a year, and a few years ago is when it really started to get good with 2.1, Donut and Eclair. They introduced the slide-from-right animation that lets them make it seem like you're in the same task even if you're opening different apps, and that's pretty cool. Then Froyo came out; that one got pretty popular, it was fast and had Flash, which everybody knows is great. Since then it's been a little tougher to get updates. They've got Gingerbread, and not so many phones have that, and Honeycomb is tablet-only and closed source, so maybe they'll open that one up.

One thing to note here, just to keep in mind while we're talking: the percentages we have there are something that Sean pulled from Google's stats, and it's a couple of weeks out of date, so it might be a few percentage points off now, but that's the user population. Something to keep in mind as well when we're talking about updates: Google actually develops Android closed, inside Google. They don't let you look at the code during development, they don't let you submit patches, and then when they release the new version they publish the source, sometimes, and when they do open it there's a delay anyway. They give you stock Android only on a few devices, and usually there's HTC Sense or other OEM customizations that take a while for them to update. That's why people aren't getting onto Gingerbread, because it's been taking them a while to update that stuff for the newer versions. They're trying to fix that and work with the carriers to get them to update, but the carriers say they really have no incentive to. So we'll see if the updates get better, and they need to, because people come up with security updates that need to get pushed out.

So what is the Android Market? I'll just take a little bit of this. Basically it's the place where you buy apps; everybody in this room who has an Android phone or Android mobile device, tablet or whatever, that's where you get your apps from. And unlike some other app stores that check your apps and have to approve them to get in, which can take some time, the Android Market does not approve any apps. When you submit, they're available immediately, and they don't check that you're not doing anything malicious before they send it out. If they discover that you are, they can take it out of the market and remotely delete it from phones, but it's a less proactive approach to protecting the users. One thing to think about in the comparison of Android versus iOS and Apple devices: I was recently asked, if you were going to have to attack either of those devices, what method would you use? It was just sort of an interview conversation, and I basically said if I wanted to attack Android users I would use the Android Market; if I wanted to attack iOS users I'd use a jailbreak vulnerability to go after that user base. So that's a very different model from an attack vector standpoint.

When you're developing for Android, there are just a few basic building blocks that you really want to use to put your stuff together. The most basic unit of an Android app is the activity; that's just a screen that sits in front of the user. All the UI that you build is in an activity. You can bundle up some data in an intent and publish that intent, and other apps can register that they care about that type of intent. For example, if you open up your email client and you click a link, that link is put into an intent by the email client, and the Android system sees, "Oh, I know the app that handles that link," so it opens directly in the browser instead of requiring the email client to implement its own WebKit view or something. That's how they implement their goal of having a task-based UI using different apps. Then if you want to run anything in the background you have services. The app itself, once you hit the home button or something and leave your app, is not continuing to run unless it registers as a service, which doesn't have any UI in it, obviously, but can perform tasks and network I/O and play sounds, I think. When you want to get the user's attention from the background, your service can receive some information off the network and pop up a notification that shows up in the top bar. Those are pretty easy to deal with, and that's really the primary way that developers should be getting the user's attention when they're not in focus.

When you're making an app you want to be simple and consistent and get the user's attention, because you want them to use your app. They open up your app to do one thing at a time, and really one thing only, so each screen should be focused on one purpose and just do one thing, and it should be obvious what it does. Sometimes you're going to be reading a tweet or making a phone call or looking at sports scores. You should also be consistent: you don't want to have to reimplement someone else's functionality in your own app, because then it wouldn't work the same and it wouldn't look the same, so you use other apps to perform the stuff that people are going to be doing in yours, and they'll get back to you with the back button if you send them away. They're going to remember that and come back. You can see in those images a little task: I took a picture and wanted to tweet it, so that's how you do it, you select share and it lists off all the apps that can receive a picture and act on it, and you choose Twitter and then you can go tweet the image. The consistency piece is also extremely important from a security standpoint, because your users expect certain activity to be going on in their applications, and so there are security implications of that, and we're going to show you some of those. Those images, by the way, that was me tweeting an image of my iPad getting a kernel panic, so that's fun.

Google tells all developers not to override the back button; they want the back button to behave consistently across everything. So when you send an intent, or someone sends an intent to you, the user expects to hit the back button and go back to the place they came from, for this task-based model. But in some of Google's own apps they don't really do that very well. This example here is the Google Voice text messaging app. I received a text message from a friend of mine, responded to it, left, and then got another one and another one; we're having a text conversation. Then later I wanted to go back and text someone else, so I opened up the Google Voice app and it brought me back into this conversation. That's about what I would have expected, but then I hit the back button to go back to the list of conversations and select a new one, except it brought me back to the same conversation I was already in, and I had to hit the back button the same number of times as the number of text messages I'd received in that conversation. They probably should fix that. What's important in getting a user's attention is to use a notification and don't just jump in front of them. That's not really what you want to do, that's not what the user wants to see, and you just really shouldn't do that. But of course that's just a best practice, and you don't have to follow those practices on Android.

So let's think about research motivation: why did we do this research? This was initially a side effect of some other research that Paul Kehrer and I were doing for the Getting SSLizzard talk. We noticed a quirk in one of the apps we were starting to work with, and then we started talking to Sean about it. You'll see what we mean when we get further into this presentation, but basically a lot of research focuses on breaking things: you want to find some malicious input that's going to cause some bad result, so the input's malicious, the output's bad, and that's a lot of what happens in our industry. But we wanted to raise the question, and go down the path of asking, what can we do by using good building blocks, good tools, approved and valid APIs, and could the output be bad? That was really a big driver in the motivation. The other piece is that mobile often sacrifices security for screen size. We're going to show you when we show you the demo: when you're sitting at your desk and you have a 27-inch screen in front of you and something goes awry from a security standpoint, or some application is having a problem, you can see that and you can recognize it because you're sitting idle, you might be eating some Cheetos and surfing the web. But when you have a mobile device, you could be walking down the hall, you could be jumping on a bus, jumping in a cab, boarding a plane, and you glance at your device sometimes very quickly and respond to messages; it could be Twitter messages, you could be on Facebook, you could be any place. And when there's something that goes awry it may not be apparent. Sometimes it may not be apparent to security people; it's definitely not going to be apparent to your grandma. So that's another piece of the research motivation. And then we also want to see how far we can push the end user using valid APIs to do bad things.

Then some of the research implications. We're going to talk about one of them here, and we'll have some more at the end. Basically, consider the following scenario: an attacker builds an app using approved APIs. These are things that, even if Google was doing some filtering within their app submission process, they wouldn't be able to detect. They submit the app to a public app market; the app is approved, and in the Google Market example it's approved immediately and available for download. The user downloads the app, and the app is able to steal credentials from popular apps. The user expects nothing wrong with their device, and that's exactly what we're going to show you.

So Sean's going to do a demo in a few minutes. What we're going to do is play with an app called Bantha Poodoo. I think the original version of the app was a Magic 8-Ball, and since this is somewhat of a Star Wars themed talk, I told him that we need to call it something like Bantha or Bantha Poodoo. You'll see what we put within this app too, because it's maybe slightly offensive, but you'll see. Then we'll play with some popular apps and you can see credentials being stolen while we're actually playing with those apps and logging into them.

So right over here I have my server over in Russia where I'm trying to steal everyone's passwords, and here is just some user who went to the market and downloaded this cool app that everyone is talking about. You get a kick out of it, that's a lot of fun, then you're bored, so you have to get out of there. All right, I'm going to go log into Facebook now. And Facebook is telling me I have to log in; that's fine, usually when Facebook tells me to log in I'll just do that. So I hit the login button, and Facebook seems to be acting weird, so I'm just going to leave. Over here in Russia you see the device ID; on the emulator it's always zero, so if this were on an actual phone we'd get the real device ID that's unique across all devices. Then I know that somebody logged into Facebook, and here's the username and here's the password I typed in. I guess you're going to have to trust me that that's the one I typed in, because they kind of block that. It's really any app that has a login screen: if they can make it, you can make it too. So jump over here to the email, and the email client wants me to log in, and it's also acting weird. If you wanted to make this a real attack you'd probably not attack so aggressively, where as soon as they type in their password you ask them again; you could go away, but here it's just stuck in there. Then jump over to Google Voice, the same thing: if you want to get someone's Google password, this looks exactly like the Google Voice login screen, and there it is. So any app that wants to let you log in has to ask for your username and password, and if they can do it then someone else can do it. The problem is that once the user installs Bantha Poodoo or any other app that's trying to be malicious, it can run in the background, it can know what app is running in the foreground, and it doesn't have to use a notification to get your attention; it can just jump out in front.

So what we're actually going to do now is a deep dive. I'm going to run through what you have to do to actually do that; it's painfully not complicated, actually. The first thing is that you need to register the service you're going to run in the background. The point is to monitor what's happening on the phone, so you register your service and you call it org.android.ImportantSystemService, so if the user goes and looks at their running services they're going to think that's important and it's from Android, so "I'm not going to quit it." You see here it's using an intent filter that will let it respond to and send some intents. Here I've set up a receiver that receives the boot completed event, so every time the phone starts up I receive this and I start the important system service. That way (I showed you that I opened up Bantha Poodoo and played with it) you don't have to open it: if you install it and then go away and your phone restarts or whatever, Bantha Poodoo is just sitting in the background. You don't have to actually use it, but it starts up, it's running, and you don't ever even need to know that I'm attacking you.

Then you decide which apps you want to attack, and you just have to look at them and figure out how they built their screen. You take screenshots, you cut their images out; in the case of Facebook I decompiled their APK and took their assets, sorry. Then just set up a map of the package name of the app to the activity that you're using to attack it. This could be any application; we just chose these four for this proof of concept, but this could be an online banking application, this could be VPN credentials, it could be any type of application you want. And it doesn't necessarily just have to be credentials; it could be a data input field in a specific app that you know is always there on startup, and you can ask the user to enter the information that you want to gather from them.

Then in your service you set up a timer that's going to run every so often; this one is running every two seconds. It doesn't have to be that aggressive, but it's not an expensive task to check this out. You ask the system service, the actual Android system service, to give you the activity service, and that's going to let you monitor what activities are currently being run. So you loop over all the running activities, and here, importantly, you find the one that has importance foreground; that means it's running in front and that's what the user is currently looking at. As soon as you find that one, I build a new intent and I tell the intent that it's going to be an activity new task, so it knows it's going to pop up on your screen in a different application, in a new task, so it's not going to be in the same stack as their actual task. What that will do for me is that if they hit home and leave and then go back to the app through the app switcher, if I didn't do the new task here, they would come back to my app and that would be the one in the foreground. But if I do the new task, they'll go back to their app where they were before, where I can attack them again, but I won't be the one in front. And then I just start that activity.

One thing we didn't show in the demo, which would mostly be apparent to many users: you typically don't log in to, say, your Facebook app for the first time. So in the real-world scenario the person would actually launch Facebook, see their timeline on the screen for a fraction of a second, and the login screen would pop up. What he's saying is that in what you saw in the demo, I opened up Facebook, hit login, and it went away and there was another login screen and then another login screen on top of it; normally you're authenticated to Facebook, so there wouldn't be a stack of login screens waiting for you anyhow.

So when you're building these views, some of them leave the bar on at the top, some of them get rid of it, some of them customize the color, some of them just use their own image, so you just have to mimic that. You just ask Android the same way they do when they legitimately make their app: you say I want to use a custom title bar, or I don't want there to be a title bar at all, and if you're using a custom one you just pick which custom one that you built. It's activity-specific, so each one of my attacking screens looks just like it wants to, just like any other activity can. And this one is crucial: you override the back button, so that when they come to your login screen and they hit back, not only do we want to go back to the app they were in before, which would be the default behavior of the back button, we want to get rid of this task. This moveTaskToBack is kind of like a quit: it throws the task you were in, the new task we created with our intent, to the back of the activity stack. It changes behavior pretty starkly, and it's something that Google may actually want to do in their Google Voice app.

Once we have the credentials, once we get them to type their username and password in, we ship that off in another intent to our service that's running in the background, and when it receives that intent it fires up a new thread where it just uploads it to a server. That's what Google wants you to do: they don't want you doing network I/O on the UI thread, so you just spin it off on a background thread in the service, so it doesn't delay the user, and if your network is slow you're just going to continue and you're not going to worry that you have to wait to send me your password.

In order to do this stuff, Google does require you to have security permissions, and the thing is you just ask for them. People go to the market and they see this app needs to use the internet and view the phone's state; I mean, most apps need to do those things. And the boot completed event doesn't even show up in the market, like "I want to know that you started your phone," and Google doesn't think you really need to know that. So I have a picture here of what you see on the market website when you try to download an app with these exact permissions. It looks a little innocuous, and in some ways they want it to be, because apps need to use this stuff; they don't want to scare everyone away from downloading any app for any reason.

I just have a couple more tidbits for you. Sometimes you have to resize the elements on the screen when the keyboard pops up and some apps don't; sometimes the keyboard slides up in front of things. If they can do it, you can do it too. And no history is kind of a cool one: that way when they come to your app and then they leave it, normally if you hold down the home button it'll show you all the apps that you've recently run, but if we started up and we ran in the background and we're attacking you, and then they're switching apps with the app switcher and they see Bantha Poodoo in there, they're like, "I haven't played Bantha Poodoo for two weeks." We don't want them to see that, so we tell it no history, and it doesn't show up in the app switcher when it's not running. So it's kind of cool that you can do that too.

So we have a second demo here. What we want to do is modify Bantha Poodoo, remove its credential upload capabilities, because we don't actually want their passwords, and submit it to the Android Market. I guess we hope we have internet connectivity here from this laptop, and also hopefully they're not watching. Then you can download it and try it yourself, so you can play with it on your phone, but we guarantee you will be annoyed. You should uninstall it pretty quickly, especially if you use any of those apps that we're jumping in front of. So here I've got my credentials receiver; I don't have a lot of screen space, but you can see I am uploading here, and I'll just comment that line out so it doesn't actually upload. Now I'm going to build a package and export it. Like I said, the original version was Magic 8-Ball; I think that's why it's still called that. So I call it Bantha Poodoo. I mean, if they can make it, you can make it; there's nothing special about it. This was just packaged today, 9:27 p.m. Central Time, so if all goes well I think everybody in this audience can actually go and download this app. Oh, somebody took my name. I tried that one out a little while ago and it was free, so I guess that one got in there recently. It'll take me a little while to rejigger the package name; I have to change a bunch of things around in the code, and I need a little more space in this, but we will release it on the market later on. We wanted to let you download it right now, but it'll be this weekend or next week. And there is actually an earlier version of it on the DEF CON DVD, so you can play with it right now if you wanted to load it manually.

So let's go back to the presentation and basically some other thoughts on how to weaponize this. Obviously the functionality in the app that we released is not the greatest from an attacker's perspective; there are some quirks, some things that would be annoying to end users. But basically one of the concepts is being able to phone home to a server and have that server check that the authentication is valid, and then send a message back to the app to say stop popping in front of the Facebook application, we already know their username and password. A couple of other things: showing the login screen after they've been in the app for a while. Ours is set up at every two seconds; it doesn't need to be that aggressive, and even if it checks every two seconds it doesn't have to put itself in front every two seconds; it can wait ten minutes while you're using the app. If it's open that long, maybe the app wants you to authenticate again. That could be a legitimate thing; it happens actually pretty often in bank applications that for security reasons they want to make you re-authenticate so nobody just picks up your phone and uses it. So that exact security feature can be dangerous.

Then we also were thinking about this, and there are some other uses of this design flaw; it's not just stealing credentials. Unfortunately this may be coming to your phone very soon: app-targeted pop-up ads. Basically what that means is that if you download an app that has this functionality in it, they can decide that, hey, you're in Facebook, I'm going to throw ads in front of you while you're logged into your phone and using those applications. The other idea is hijacking competitors' apps. Someone wants to make a new social network or a new app, and they don't want Facebook to work quite as well for you, for example, so every time you open up Facebook some crap pops in front of you and then goes away after three seconds, or doesn't, and it just gets really annoying. You can just screw with other people's apps, and there's nothing they can really do to stop you from doing it. Another thing you can do is, say you're an Angry Birds competitor: you can embed a really crappy version of Angry Birds into your app, and every single time someone goes to play Angry Birds, your version pops up in front of them and they decide to uninstall Angry Birds. And then there are other ways that you can probably think of to be a jerk.

So some conclusions here that we can talk through. Approved APIs can be used to create malicious apps, and that's basically what we did here. This is specifically a design flaw where these APIs are not restricted in this type of use, and Google really has to change that, because not restricting developers from doing whatever they want is a disaster waiting to happen. iOS doesn't suffer from this, because you can't monitor what app is running, you can't put something in front of the user without their direct intervention, and they have different animations for switching between different apps versus switching between views in the same app. Those are the three key differences that allow this. And it's not just this that's the problem; it's the fact that developers can do whatever they want on the platform. So that's our talk. I guess we have a little bit of time; do we have any questions?