3. ABOUT ME
Security Consultant in Diverto
Linux and FLOSS enthusiast
Open source developer
Have code in OpenVAS, Nmap, Metasploit, ...
Android "developer" since 2010
started counting from first Market app
mostly focused on NDK and ADK
https://github.com/kost
6. INTRODUCE ELEPHANT
Talk will cover
producing standalone binaries
executing standalone binaries
Talk is mostly about Nmap experience
Most Nmap frontends on the Play Store are using this port
in source or binary form
Talk will NOT cover
producing libraries or JNI
integrating with Android Studio
https://github.com/kost/nmap-android
https://github.com/kost/NetworkMapper
7. NATIVE CODE
NOT your Java code :)
It's mostly about
C/C++
Assembler
Not portable across platforms
For each platform, you need different binary
x86
arm
mips
8. WHY BOTHER WITH NATIVE CODE?
performance
legacy code
code reuse
you just need that tool
13. OPEN SOURCE / FREE
Crystax
drop-in replacement for Google's NDK
WCHAR, locales, full C++11 standard library...
Buildroot
Standard embedded cross compilation toolchain
ARM, x86, MIPS
Scratchbox
ARM, x86, MIPS (experimental)
Anyone remembers Maemo? :)
...
14. ANDROID NDK
Android official toolchain
Available for free from developer.android.com
Bionic
No full ANSI C support
locale
different threads
Patch as you grow
standalone binary support/bugs
stdout symbol bug
WCHAR support
standard library support
15. WHAT'S THE FUZZ?
Download NDK
Download tool you want to port
./configure --host=arm-linux-androideabi
make
make install
It works - go home!
16. IN CASE IT IS HELLO WORLD...
/* Hello World program */
#include <stdio.h>

int main(void)
{
    printf("Hello World\n");
    return 0;
}
It works pretty well indeed.
17. IN REAL WORLD
Code isn't perfect
Not portable
Endianness
Path Separators
Dependencies
Extensions
3rd party libraries
18. TWO WAYS TO INVOKE COMPILER
Calling with sysroot
export CC="$NDK/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86/bin/a
export CFLAGS="--sysroot=$SYSROOT"
$CC $CFLAGS -o hello hello.c
Producing directory for target
$NDK/build/tools/make-standalone-toolchain.sh --platform=android-3 --install-
/opt/ndk3/bin/arm-linux-androideabi-gcc -o hello hello.c
20. PROCESS OF CROSS COMPILING
Compile and fix as you go :)
sorry, no single recipe
Standard problems
stdout bug
old autoconf/automake support files
arm-linux-androideabi missing
In short
nothing that google/stackoverflow can't help :)
21. STATIC VS DYNAMIC LINKING
Dynamic
small size
run-time dependency
Static
large size
no dependencies
22. LIFE IS PERFECT
Static binaries working like a charm
“until resolv.conf disappeared :) ”
23. DNS PROBLEMS
#include <stdio.h>
#include <netdb.h>

int main(int argc, char *argv[]) {
    int i;
    struct hostent *hp;
    for ( i=1; i<argc; ++i ) {
        hp = gethostbyname(argv[i]);
        if ( !hp ) {
            /* on a static bionic binary this is where every name fails */
            fprintf(stderr, "%s: host '%s'\n", hstrerror(h_errno), argv[i]);
            continue;
        }
        printf("Host:\t%s\n", argv[i]);
        printf("\tResolves to:\t%s\n", hp->h_name);
    }
    return 0;
}
Original at gist
24. DNS AND RESOLV.CONF
#ifdef ANDROID_CHANGES /* READ FROM SYSTEM PROPERTIES */
dns_last_change_counter = _get_dns_change_count();
[..]
#else /* !ANDROID_CHANGES - IGNORE resolv.conf in Android */
#define MATCH(line, name)
[..]
Original at https://code.google.com/p/android-source-browsing
25. DYNAMIC VS STATIC
Type      Size      Dependency    DNS OOTB
Dynamic   smaller   yes           yes
Static    bigger    no            no
Mixed     medium    yes (basic)   yes
26. HERE COMES LOLIPOP
error: only position independent executables (PIE) are supported.
Position Independent Executable (PIE)
PIE support appeared in API level 16
Finally they implemented it :)
Too bad that existing (non-PIE) binaries do not work any more
27. WHAT'S PIE?
Position Independent Executable (PIE)
Security protection
better Address Space Layout Randomization (ASLR)
Exploitation mitigation technique
Harder return-to-libc exploitation
Requirements
PIE required for dynamic executables
PIE not required for static executables
28. PIE EXAMPLE
#include <stdio.h>

int global;

/* Prints addresses from every region: stack (parameter, local),
 * data (global) and text (the function itself). Run it twice:
 * with a PIE under ASLR all of them change between runs. */
void checkadr (int *bla)
{
    int local;
    printf("bla adr = %p\n", &bla);
    printf("global adr = %p\n", &global);
    printf("local adr = %p\n", &local);
}

int main (void) {
    int c;
    printf("c adr = %p\n", &c);
    printf("checkadr adr = %p\n", &checkadr);
    checkadr(&c);
    return 0;
}
30. PIE WORKAROUND
A way to run PIE executables on systems that do not support them
if the system supports PIE
just run the executable
if the system does not support PIE
use run_pie.c
run_pie your_proggy args
CFLAGS += -fvisibility=default -fPIE
LDFLAGS += -rdynamic -pie
https://gist.github.com/kost/5fd4628f45a4995bec28
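Before shipping a binary for Lollipop it pays to verify that the -fPIE/-pie flags actually took effect, because the loader decides purely from the ELF header: a PIE is linked as ET_DYN (like a shared object), a classic executable as ET_EXEC. The following checker is an added example, not code from the talk or from the run_pie gist; it parses only the 18 header bytes needed and handles both ELF32/ELF64 and both byte orders.

```c
/* Added example (not from the talk): report whether an ELF file is a
 * Position Independent Executable, i.e. whether Lollipop's loader will
 * accept it. A PIE has e_type == ET_DYN; a fixed executable ET_EXEC. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define ELF_ET_EXEC 2   /* fixed-address executable (rejected on API 21+) */
#define ELF_ET_DYN  3   /* shared object or PIE (accepted) */

/* Returns 1 for a PIE (ET_DYN) header, 0 for ET_EXEC, and -1 when the
 * buffer is not a recognisable ELF executable header. */
int elf_is_pie(const unsigned char *buf, size_t len)
{
    uint16_t e_type;

    /* e_type sits at offset 16 for both ELF32 and ELF64 */
    if (len < 18 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;
    /* byte 5 (EI_DATA): 1 = little-endian, 2 = big-endian */
    if (buf[5] == 1)
        e_type = (uint16_t)(buf[16] | (buf[17] << 8));
    else if (buf[5] == 2)
        e_type = (uint16_t)((buf[16] << 8) | buf[17]);
    else
        return -1;
    if (e_type == ELF_ET_DYN)  return 1;
    if (e_type == ELF_ET_EXEC) return 0;
    return -1;   /* relocatable object, core file, ... */
}

/* Same check on a file on disk, e.g. the binary you just cross-compiled. */
int elf_file_is_pie(const char *path)
{
    unsigned char hdr[64];
    size_t n;
    FILE *f = fopen(path, "rb");

    if (!f)
        return -1;
    n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_is_pie(hdr, n);
}

int main(int argc, char *argv[])
{
    int i;
    for (i = 1; i < argc; i++) {
        int r = elf_file_is_pie(argv[i]);
        printf("%s: %s\n", argv[i],
               r == 1 ? "PIE (ET_DYN), runs on Lollipop" :
               r == 0 ? "not PIE (ET_EXEC), refused on API 21+" :
                        "not an ELF executable");
    }
    return 0;
}
```

Usage: build it for the host, then run it on the cross-compiled output (`./elfpie hello`). The same information is what `readelf -h` prints as "Type", but a tiny checker like this can be dropped into a build script.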
31. CALLING NATIVE EXECUTABLES
Process p = Runtime.getRuntime().exec(command);
// waitFor() before draining stdout can block forever once the tool
// prints more than the pipe buffer holds
p.waitFor();
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
    output.append(line).append("\n");
}
32. BETTER WAY - USING PROCESSBUILDER
ProcessBuilder processBuilder = new ProcessBuilder(shellToRun);
processBuilder.redirectErrorStream(true);   // stderr goes into the same stream
scanProcess = processBuilder.start();
outputStream = new DataOutputStream(scanProcess.getOutputStream());
inputStream = new BufferedReader(new InputStreamReader(scanProcess.getInputStream()));
while ((pstdout = inputStream.readLine()) != null) {
    output.append(pstdout).append("\n");
}
33. RUNNING BINARIES AS ROOT
No new Android permission needs to be declared
Historic references to SUPERUSER permissions
Not much different than executing as a normal user
Have to run Runtime.getRuntime().exec("su")
Write commands to stdin of process
Loop the output
34. ROOT IMPLICATIONS
Killing runaway root processes
As hard as it gets, due to the blocking nature of the calls
UI does not have root access
Killing spawned root processes
parse ps output
spawn su shell
kill process
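The "parse ps output, spawn su shell, kill process" recipe needs a parser for the ps listing first. The one below is an added example, not code from the talk: it assumes the KitKat-era toolbox `ps` column layout (USER PID PPID VSIZE RSS WCHAN PC STATE NAME, with the header row not numbering the STATE column) and works on a constructed sample dump, returning the PIDs whose NAME matches a binary by full path or basename.

```c
/* Added example (not from the talk): collect PIDs from toolbox "ps"
 * output so the matching runaway root processes can be killed through
 * an "su" shell. Column layout is assumed from the KitKat-era toolbox;
 * SAMPLE_PS is constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TOKENS 16

/* "/data/data/x/bin/nmap" -> "nmap" */
static const char *base_name(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Parse one ps row into user/pid/name. Returns 1 on success and 0 for
 * the header row or anything that is not a process line. */
int parse_ps_line(const char *line, char *user, size_t ulen,
                  long *pid, char *name, size_t nlen)
{
    char copy[512];
    char *tok[MAX_TOKENS];
    char *s, *end;
    int n = 0;

    if (strlen(line) >= sizeof copy)
        return 0;
    strcpy(copy, line);
    for (s = strtok(copy, " \t\r\n"); s && n < MAX_TOKENS; s = strtok(NULL, " \t\r\n"))
        tok[n++] = s;
    if (n < 3)
        return 0;
    *pid = strtol(tok[1], &end, 10);
    if (*end != '\0' || *pid <= 0)
        return 0;                      /* header row: "PID" is not a number */
    snprintf(user, ulen, "%s", tok[0]);
    snprintf(name, nlen, "%s", tok[n - 1]);   /* NAME is always the last column */
    return 1;
}

/* Scan a whole ps dump; returns how many processes run `binary` (full
 * path or basename) and stores up to `max` of their PIDs in `out`. */
size_t find_pids_by_name(const char *ps_output, const char *binary,
                         long *out, size_t max)
{
    size_t found = 0;
    const char *p = ps_output;

    while (*p) {
        char line[512];
        char user[32], name[256];
        long pid;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_ps_line(line, user, sizeof user, &pid, name, sizeof name) &&
            (strcmp(name, binary) == 0 ||
             strcmp(base_name(name), base_name(binary)) == 0)) {
            if (found < max)
                out[found] = pid;
            found++;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return found;
}

/* Constructed sample of toolbox ps output (not captured from a device). */
const char *SAMPLE_PS =
    "USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME\n"
    "root      1     0     640    496   c00bd520 00019fb8 S /init\n"
    "root      1234  1233  14004  4100  ffffffff 00000000 R /data/data/com.heroic.app/bin/nmap\n"
    "u0_a51    1233  189   21000  9000  ffffffff 00000000 S com.heroic.app\n"
    "root      1250  1249  14004  4100  ffffffff 00000000 S /data/data/com.heroic.app/bin/nmap\n"
    "shell     1300  1     1200   500   ffffffff 00000000 S /system/bin/sh\n";

int main(void)
{
    long pids[16];
    size_t i, n = find_pids_by_name(SAMPLE_PS, "nmap", pids, 16);

    /* The slide's recipe: these lines go to the stdin of an "su" shell. */
    for (i = 0; i < n && i < 16; i++)
        printf("kill %ld\n", pids[i]);
    return 0;
}
```

Matching on the basename as well as the full path is deliberate: `ps` prints the NAME column as the path the binary was started with, which differs between `su -c /data/data/.../bin/nmap` and a relative invocation from the app's bin directory.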
36. SECURITY IMPLICATIONS - PERMISSIONS
Setting insecure permissions on executables/libraries
Very common when something does not work
Dangerous and heroic
Other apps can write to your bin or library
Exploitation
Find insecure .so library, inject your code
Find insecure binary, replace it with your version!
echo "#!/bin/sh" > /data/data/com.heroic.app/bin/mybinary
echo "echo '0wned!'" >> /data/data/com.heroic.app/bin/mybinary
37. SECURITY IMPLICATIONS - UNTRUSTED INPUT
Passing untrusted/unvalidated input to a shell
Running native executables can lead to command injection
Extremely dangerous if running as a user
Extremely heroic and dangerous if running as root
Pay special attention to exported activities
other apps can call that intent
which means they can execute commands as your app!!
38. UNTRUSTED INPUT EXAMPLE
Bundle b = getIntent().getExtras();
configFilePath = b.getString("path");
[..]
ShellExecuter exe = new ShellExecuter();
return exe.Executer("cat " + configFilePath);
<activity
android:name=".MyHeroicActivity"
....
android:exported="true" />
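The two "heroic" mistakes of slides 36-38 have a native-side counterpart, shown here as an added example that is not code from the talk: a launcher that (1) refuses to run a bundled binary that other apps could have replaced (group/world writable, or not owned by our uid), and (2) takes the intent's "path" string as a single argv element and confines it to the app's own directory, instead of pasting it into a shell command such as `cat <path>`. The tool path and the `CONFIG_BASE` directory are illustrative assumptions, not values from the talk.

```c
/* Added example (not from the talk): trust checks before executing a
 * bundled native tool with an attacker-influenced argument. No shell is
 * involved, so metacharacters in the argument are harmless by
 * construction; what is validated is the file the argument points at. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

#ifndef CONFIG_BASE
#define CONFIG_BASE "/data/data/com.heroic.app/files"   /* assumed app dir */
#endif

/* 1 if `path` is a regular file owned by us, executable by the owner and
 * writable by nobody else; 0 otherwise (slide 36: chmod 777 "to make it
 * work" lets any app swap the binary). */
int binary_is_trusted(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_uid != getuid())
        return 0;                        /* somebody else's file */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                        /* other apps can overwrite it */
    if (!(st.st_mode & S_IXUSR))
        return 0;
    return 1;
}

/* 1 if `path` is absolute, lies strictly inside `base` (no prefix tricks
 * like base + "2/x"), and has no "..", empty or control-character
 * components; 0 otherwise. Pure string check, nothing is touched on disk. */
int path_is_confined(const char *path, const char *base)
{
    size_t blen = strlen(base);
    const char *p;

    if (!path || path[0] != '/' || blen == 0 || base[blen - 1] == '/')
        return 0;
    if (strncmp(path, base, blen) != 0 || path[blen] != '/')
        return 0;
    for (p = path + blen; *p; ) {
        const char *seg = ++p;           /* start of the next component */
        while (*p && *p != '/') {
            if ((unsigned char)*p < 0x20 || *p == 0x7f)
                return 0;                /* newline, NUL-adjacent junk */
            p++;
        }
        if (p == seg || (p - seg == 2 && seg[0] == '.' && seg[1] == '.'))
            return 0;                    /* "a//b", trailing "/", or ".." */
    }
    return 1;
}

/* Run `tool` with a NULL-terminated argv via execv (no shell). Returns the
 * child's exit status, or -1 if the binary failed the trust check. */
int run_tool(const char *tool, char *const argv[])
{
    pid_t pid;
    int status;

    if (!binary_is_trusted(tool))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(tool, argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    char *tool_argv[3];

    if (argc != 3) {
        fprintf(stderr, "usage: %s <tool> <config-path>\n", argv[0]);
        return 2;
    }
    if (!path_is_confined(argv[2], CONFIG_BASE)) {
        fprintf(stderr, "refusing path outside %s\n", CONFIG_BASE);
        return 2;
    }
    tool_argv[0] = argv[1];
    tool_argv[1] = argv[2];              /* one argv slot, never a shell string */
    tool_argv[2] = NULL;
    return run_tool(argv[1], tool_argv);
}
```

The Java equivalent of the second point is `new ProcessBuilder("cat", configFilePath)` with the path validated the same way, rather than `"cat " + configFilePath` handed to a shell; the first point is simply never relaxing the mode of files under the app's data directory beyond 0700.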
42. SUMMARY
Porting is quite possible
Not as easy as marketing says
You can't configure; make; make install in most cases
Expect you'll have to patch if project is bigger
Not that hard
If you know requirements upfront
Have listened to this lecture carefully
Be aware of security implications!