26. Wait? How do we get source code?
Winzip/7zip etc.
dex2jar
jd-gui
Whitepaper with more info: http://cdn01.exploit-db.com/wp-
content/themes/exploit/docs/17717.pdf
39. Mitigations
Don't have dangerous functionality available in
interfaces
Require user interaction (click ok)
Require-permission tag in manifest for interface
Song lyrics Android permission model- how does it work. Explicitly ask for permissions Users must accept or deny
Edit and Read SMS, send SMS, receive SMS Modify/delete USB storage contents Prevent phone from sleeping, write sync settings GPS data Services that cost you money Act as account authenticator, manage accounts Read and write to your personal information including contact data Phone calls, read phone state and identity Full network access
Now that I am doing a lot of development I know why this happens. I used to rag on developers for doing this, but after having my app crash over and over and me spending hours on google and rewriting code and putting debugging statements in, unable to come up with a good reason why a very simple instruction is crashing my app, and then realizing its because I forgot to ask for the permission, I see why developers would just ask for every permission imaginable right off the bat
So naturally I wrote an app to demo how ridiculously easy it is to abuse users acceptance of dangerous permissions
Anyone used a tool like this to root your Android phone? They use known exploits to give you root so you can load custom firmwares etc.
Trojaned Android apps on the official android market. Antivirus finds it now, doesn't find my app. Pretends to be a normal app, runs exploits and steals your data in the background
That's all. It actually does abuse the IMEI one right off the bat before it even roots your phone.
Pretended to be different apps, games, ads, dirty apps
Droiddream takes all the code from the regular apps and calls the it so to the user it looks like the app is running normally but it runs evil code in the background
Tried two different known root exploits for Android Both were patched in Android 2.2.1 which was released before the droiddream story broke Not necessarily patched when droiddream was written
These are the same sorts of roots that tools like these use In fact from reading the source of both I have reason to believe that the ragegainstthecage payload in droiddream was actually copied from z4root
So after it runs the root exploits if it is successful then it installs a system service. Only firmware apps should be system. System services have access to additional permissions and the permission model breaks down around system services. System app steals your data and sends it to a C&C
The moral of the story is Droiddream was an evil app masquerading as a beneign one
What's to stop these guys from doing the same?
For a while Android had the best updating mechanism out there for a smartphone Iphone you had to plug it in blackberry you had to plug it in Android pushes over the air, so do the others now Problem with Android is third party. Google releases new versions and Google phones get it. Others have to port it. There have been instances of new versions taking 6 months to push out to everyone. Older phones don't update. G1 still runs Android 1.6. That phone I rooted for Mom's fried
So far we've looked at apps that were meant to be evil by their developers. Now we are going to look at what I consider to be next generation flaws.
Benign apps that have flaws that allow bad code to take advantage of it. I'm not talking about traditional attack vectors like buffer overflows. Those are old and uninteresting. What I'm interested in here is getting permissions we shouldn't by piggybacking on poorly coded apps.