My HouSecCon presentation on android applications security and arm exploitation mkeith@exploitscience.org

1. Better watch your apps! November 4 ,2010 MJ Keith GCIA, GCIH Alert Logic - Security Researcher

5. Size doesn't matter

10. Target app profile WEB API Attacker

14. Checks POST /cloud/ HTTP/1.1 X-Requested-With: XMLHttpRequest User-Agent: Content-Length: 65 Content-Type: application/x-www-form-urlencoded Host: checks.linein.org Connection: Keep-Alive json=%7B%22user_id%22%3A%22680%22%2C%22action%22%3A%22import%22%7D HTTP/1.1 200 OK Date: Sat, 28 Aug 2010 01:41:26 GMT Server: Apache/1.3.41 Ben-SSL/1.59 X-Powered-By: PHP/5.2.14 Keep-Alive: timeout=2, max=200 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html 193 {"message":"imported successfully","cloud_data":"[{amp;quot;idamp;quot;:amp;quot;1amp;quot;,amp;quot;amountamp;quot;:amp;quot;222amp;quot;,amp;quot;clearedamp;quot;:null,amp;quot;descamp;quot;:amp;quot;qqqamp;quot;,amp;quot;check_dateamp;quot;:amp;quot;1282959385amp;quot;,amp;quot;dateaddedamp;quot;:null},{amp;quot;idamp;quot;:amp;quot;2amp;quot;,amp;quot;amountamp;quot;:amp;quot;333amp;quot;,amp;quot;clearedamp;quot;:null,amp;quot;descamp;quot;:amp;quot;pppamp;quot;,amp;quot;check_dateamp;quot;:amp;quot;1282959385amp;quot;,amp;quot;dateaddedamp;quot;:null},{amp;quot;idamp;quot;:amp;quot;3amp;quot;,amp;quot;amountamp;quot;:amp;quot;111amp;quot;,amp;quot;clearedamp;quot;:null,amp;quot;descamp;quot;:amp;quot;oooamp;quot;,amp;quot;check_dateamp;quot;:amp;quot;1282959385amp;quot;,amp;quot;dateaddedamp;quot;:null}]"} 0

16. Addressbook PRO POST /apofasyncaddressbook.php HTTP/1.1 content-type: application/x-www-form-urlencoded content-length: 10 cache-control: no-store,no-cache User-Agent: Dalvik/1.1.0 (Linux; U; Android 2.0.1; Droid Build/ESD56) Host: www.apofa.com Accept: *, */* Connection: Keep-Alive &n=test HTTP/1.1 200 OK Date: Fri, 27 Aug 2010 16:38:12 GMT Server: Apache/2.2.16 (CentOS) mod_ssl/2.2.16 0.9.8l DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.13 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 193 {"address":[{"id":"164","db_id":"2","title":"test","address":"blah.;'amp;quot;;:)*&=%","picon":"null","visit":"0","category":"Family","userid":"test","createdDate":"1282925803271","deviceid":"A00000555553"},{"id":"163","db_id":"1","title":"narf","address":"gggg gfggggg","picon":"null","visit":"0","category":"Family","userid":"test","createdDate":"1282925678434","deviceid":"A00000555553"}]}

21. Speedx – the hacks What is really there.. {"alltime":{"new":{"place":1,"percents":99},"table":[{"aid":"22a0000015s079eb","name":"narf","comment":"narf","date":"1270335048557","score":"999999"},{"aid":"22a1030007c697eb","name":"Justin","comment":"for kat","date":"1268933296866","score":"102835"},{"aid":"200149694edadfc","name":"guilou","comment":"au calme...","date":"1268771950965","score":"97028"},{"aid":"22a1500007c697eb","name":"Justin","comment":"for kat","date":"1267511769050","score":"83541"},{"aid":"20016203ca460ead","name":"Fred","comment":"013a0093008e~~~~~~","date":"1267684428484","score":"71843"},{"aid":"2006659695197d84","name":"cjd313","comment":"0107008300a8!00e7017c0165010702db009f00e90087008c010700ad016500e4015f0086010300800082My QQ:502202","date":"1267113644819","score":"70690"},{"aid":"200145969662417e","name":"John Black","date":"1267368779421","score":"63475"},{"aid":"200145969662710","name":"Hans_97","comment":"alles gut","date":"1268503563353","score":"58040"},{"aid":"2001455554fea233","name":"prophetu","comment":"salutare..!","date":"1267806544079","score":"52352"},{"aid":"200145966534e904","name":"Ecloud.ShangHai","comment":"83496ce59a6c","date":"1270101863661","score":"48931"},{"aid":"null","name":"shanghai min","comment":"shanghai min","date":"1269935680096","score":"48399"},{"aid":"2001459964de306a","name":"dantist","comment":"Russian Federation 4pda :)","date":"1267518905207","score":"46980"},{"aid":"200145eee4fea233","name":"prophetu","comment":"salutare..!","date":"1267458383257","score":"46896"},{"aid":"2001459554de306a","name":"dantist","comment":"Russian Federation 4pda :)","date":"1267614148830","score":"46455"},{"aid":"null","name":"David","comment":"7ffb6c9f91cc2026","date":"1269871815973","score":"46374"},{"aid":"22a00666rd5f502","name":"jeff","comment":"aaaaaaaah! i died!","date":"1270272256156","score":"44884"},{"aid":"20014666c29b96a","name":"egi","date":"1267711523732","score":"42208"},{"aid":"null","name":"8d8597e68d859038662f5c0f7acb76847238","comment":"97e68d859038662f59275927795e","date":"1269335458359","score":"41503"},{"aid":"2044441f4a86b8e65","name":"Soaa-","comment":"omai!","date":"1267660861088","score":"40826"},{"aid":"22a5550007c697eb","name":"Justin","comment":"for kat","date":"1268320628749","score":"40505"},{"aid":"2006669694f24ea3","name":"RMB","comment":"HTC Hero","date":"1270246209401","score":"40360"},

35. Bump server

36. Bump Bump Sent Status ok Status check Bump matched Confirm + data Other user confirms Status check Other user data Status check

39. Paypal Bump

43. VZ apps

49. Breaking Android's Arm R1 gets over-written with a value of our choosing. I chose “0000b33f” just for an example. I/DEBUG ( 28): Build fingerprint: 'generic/sdk/generic/:2.0.1/ESD54/20723:eng/test-keys' I/DEBUG ( 28): pid: 702, tid: 714 >>> com.android.browser <<< I/DEBUG ( 28): signal 11 (SIGSEGV), fault addr 00000030 I/DEBUG ( 28): r0 00000000 r1 0000b33f r2 45d320a0 r3 fffffffe I/DEBUG ( 28): r4 aa413738 r5 45357c10 r6 45d320a0 r7 0039bda0 I/DEBUG ( 28): r8 45358d88 r9 426f6ed8 10 426f6ec0 fp 002e9150 I/DEBUG ( 28): ip 00000006 sp 45357bd8 lr aa0479eb pc aa00c142 cpsr 60000030 I/DEBUG ( 28): #00 pc 0000c142 /system/lib/libwebcore.so I/DEBUG ( 28): #01 pc 000479e6 /system/lib/libwebcore.so I/DEBUG ( 28): #02 pc 002b9d70 /system/lib/libwebcore.so I/DEBUG ( 28): #03 pc 002ba95a /system/lib/libwebcore.so I/DEBUG ( 28): #04 pc 002bad8a /system/lib/libwebcore.so I/DEBUG ( 28): #05 pc 002badba /system/lib/libwebcore.so I/DEBUG ( 28): #06 pc 002b8a2c /system/lib/libwebcore.so I/DEBUG ( 28): #07 pc 002b8a46 /system/lib/libwebcore.so I/DEBUG ( 28): #08 pc 001cba26 /system/lib/libwebcore.so I/DEBUG ( 28): #09 pc 001d22b4 /system/lib/libwebcore.so

50. Breaking Android's Arm Using other registers to track pc : I/DEBUG ( 28): Build fingerprint: 'generic/sdk/generic/:2.0.1/ESD54/20723:eng/test-keys' I/DEBUG ( 28): pid: 737, tid: 749 >>> com.android.browser <<< I/DEBUG ( 28): signal 4 (SIGILL), fault addr 0057817c I/DEBUG ( 28): r0 0057814c r1 00578150 r2 00578154 r3 00578158 I/DEBUG ( 28): r4 0057815c r5 00578160 r6 45c170f8 r7 0067c950 I/DEBUG ( 28): r8 45458d80 r9 426f9ee0 10 426f9ec8 fp 002eaf68 I/DEBUG ( 28): ip 00000006 sp 45457b10 lr aa00c149 pc 0057817c cpsr 00000010 I/DEBUG ( 28): #00 pc 0057817c [heap] I/DEBUG ( 28): #01 pc 0000c146 /system/lib/libwebcore.so I/DEBUG ( 28): #02 pc 000479e6 /system/lib/libwebcore.so I/DEBUG ( 28): #03 pc 002b9d70 /system/lib/libwebcore.so I/DEBUG ( 28): #04 pc 002ba95a /system/lib/libwebcore.so I/DEBUG ( 28): #05 pc 002bad8a /system/lib/libwebcore.so I/DEBUG ( 28): #06 pc 002badba /system/lib/libwebcore.so

51. Demo 2: http://www.youtube.com/watch?v=czx_AKdj8ug

53. Better watch you apps! Thank you