Used to signal to the server that in-game goods were purchased
Obfuscated code
Who calls this "ah" constructor?
Obfuscated code
4 greps later...
c.f includes the key
c.f calls a.bs(key)
a.bs calls a.ah(key)
a.ah uses the key and locale variables for encryption
We know all the input data for the encryption routine
It's symmetric crypto
We can decrypt "it" (whatever it might be)
Testxxxxx.java
Yeah, let's copy/paste a test email!
Testxxxxx2.java
And credentials for the test server...
Some apps I looked at more closely
(it's getting worse)
App 1 - banking app
Who really wants banking on the mobile?
A lot of banking apps! Yay!
App 1
No obfuscation + can easily be recompiled
App simply shows the website
Hides the URL and SSL cert/lock from the user
Can only be used with mTAN
App 2
Server had self-signed SSL certificate
SSL MITM dump:
/username=B1436A13E85D20F2428D6E232C2B93FE....password=2C30F3866016E6C5952655C06400BCC6.imei=40523204606E450......
Wow, it's encrypted... Don't we need a key for that?
App 2
AES key
public byte[] cryptKey42 = {-31, -21, 4, 24, -21, 54, -63, -40, -38, 61, -47, -115, -95, -36, -142, 64, 53, 120, -85, -96, -69, 85, 81, 16, -36, 80, -102, 95, -20, 110, 36, -11};
App 3 - root detection
private boolean deviceRoot() {
    try {
        // succeeds only if an "su" binary is on the PATH
        Runtime.getRuntime().exec("su");
        return true;
    } catch (IOException localIOException) {
        return false;
    }
}
App 3 - Circumventing root detection
Not necessary
App 4 - Another root detection
public static boolean isDeviceRooted() {
    // checks one hardcoded path only
    File f = new File("/system/sbin/su");
    return f.exists();
}
App 4 - Removing root detection
me$ java -jar apktool.jar d app.apk source
[]
me$ sed -i "" 's/system\/sbin\/su/system\/sbin\/CEW1PFSLK/g' source/smali/net/example/checks.smali
me$ java -jar apktool.jar b source/ fake.apk
[]
me$ keytool -genkey -alias someone -validity 100000 -keystore someone.keystore
[]
me$ jarsigner -keystore someone.keystore fake.apk someone
me$ adb install fake.apk
App 4 - Was that a good method to remove the root detection?
Altering the app
No updates
We only want to fail that simple check
App 4 - Prevent root detection
me$ adb shell
$ su
# cd /system/bin/; mount -o remount,rw -o rootfs rootfs /; mount -o remount,rw -o yaffs2 /dev/block/mtdblock3 /system
# echo $PATH
/sbin:/system/sbin:/system/bin:/system/xbin
# mv /system/sbin/su /system/xbin/
root stays root!
A special secret key
443 apps use the same AES key
byte[] a = { 10, 33, -112, -47, -6, 7, 11, 73, -7, -121, 121, 69, 80, -61, 13, 3 };
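Both key slides above (the App 2 AES key and the key shared by 443 apps) come down to a byte[] literal sitting in decompiled source. The following is an added example, not code from the talk: a small Python scanner that pulls AES-sized byte[] literals out of decompiled Java and reports any key that shows up in more than one app. The sources and key values are constructed for the example, not the real apps' keys.

```python
import re

# Constructed decompiled-source snippets, modelled on the byte[] key
# literals on the slides; the values are made up, not real app keys.
APP_SOURCES = {
    "app_a.java": """
        public byte[] cryptKey42 = {-31, -21, 4, 24, -21, 54, -63, -40,
            -38, 61, -47, -115, -95, -36, -14, 64};
        int[] table = {1, 2, 3, 4};
    """,
    "app_b.java": """
        static final byte[] a = { 10, 33, -112, -47, -6, 7, 11, 73,
            -7, -121, 121, 69, 80, -61, 13, 3 };
    """,
    "app_c.java": """
        byte[] k = {10, 33, -112, -47, -6, 7, 11, 73, -7, -121,
            121, 69, 80, -61, 13, 3};
        byte[] bad = {1, 2, 3, 999, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
    """,
}

AES_KEY_SIZES = {16, 24, 32}  # AES-128/192/256 key lengths in bytes
ARRAY_RE = re.compile(r"byte\s*\[\s*\]\s*(\w+)\s*=\s*\{([^}]*)\}")

def find_hardcoded_keys(source):
    """Return (name, key_hex) for every byte[] literal in `source`
    that is a valid Java byte array of an AES key size."""
    findings = []
    for m in ARRAY_RE.finditer(source):
        name, body = m.group(1), m.group(2)
        try:
            values = [int(v) for v in body.split(",") if v.strip()]
        except ValueError:
            continue  # not a plain list of integer literals
        if len(values) not in AES_KEY_SIZES:
            continue
        if any(v < -128 or v > 127 for v in values):
            continue  # would not even compile as a Java byte[]
        key_hex = bytes(v & 0xFF for v in values).hex()
        findings.append((name, key_hex))
    return findings

def find_shared_keys(sources):
    """Map each key (hex) to the apps whose sources contain it, so a
    single key reused across many apps stands out."""
    by_key = {}
    for app, src in sources.items():
        for _name, key_hex in find_hardcoded_keys(src):
            apps = by_key.setdefault(key_hex, [])
            if app not in apps:
                apps.append(app)
    return by_key

if __name__ == "__main__":
    for key_hex, apps in find_shared_keys(APP_SOURCES).items():
        print(f"{key_hex}  used by {len(apps)} app(s): {', '.join(apps)}")
```

Run it over a directory of apktool/decompiler output for your own apps; any key listed under more than one app, or under any app at all, is a symmetric key an attacker can read as easily as you can.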
Google Ads
Encrypt last known location
All location providers (GPS, WiFi, ...)
Send via the "uule" JSON parameter
Notified Google on the 23rd of June
No response yet
To be honest I haven't seen the "uule" parameter in my network yet
Google Ads
Why didn't they use asymmetric crypto?
Countermeasures
Use asymmetric crypto instead of symmetric when transferring data to a server
Store hashes/session tokens instead of passwords
Good obfuscation is Security Through Obscurity
Pentest your apps
Know the limitations
root stays root
Thx!
Twitter: oyd_ch
http://oyd.ch