abusing web apis through scripted android applications
play

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL - PowerPoint PPT Presentation

Sep 19, 2022 •113 likes •879 views

ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS DANIEL PECK Barracuda Labs Principle Researcher Studying Malicious Messaging (Email/Social Networks/etc) Data/Trend Analysis in Security @ramblinpeck @barracudalabs Past Lives SCADA,

  1. ABUSING WEB APIS THROUGH SCRIPTED ANDROID APPLICATIONS

  3. DANIEL PECK Barracuda Labs Principle Researcher Studying Malicious Messaging (Email/Social Networks/etc) Data/Trend Analysis in Security @ramblinpeck @barracudalabs Past Lives SCADA, Snort Jockey, Reverser (not so past?), Assessment Work

  4. SESSION ROADMAP Brief overview of android/dalvik vm Reversing an apk Disassembly and static analysis Dynamic Analysis Control/scripting for our own usage Do the dumb thing first and build on the work of smarter people.

  5. Hot social app that I want tospambe a part of Great web interface, great api once we have a few hundred thousand accounts, but protected

  6. SOLUTION People are too worried about “friction” to put many safeguard/throttling into mobile apps Create our own client that mimics mobile app for api purposes. Lets target android

  7. ASSUMPTIONS AND HOPES Twacebook has a well documented API thats protected using Oauth We'll probably need to extract some keys They probably use their own api for android app

  8. BUILD ON EXISTING TOOLS

  9. INTERCEPTING APP COMMUNICATIONS Need to MitM to be able to view tx/rx Proxydroid https://github.com/madeye/proxydroid (https://github.com/madeye/proxydroid) Run all/some of android traffic through our proxy SSL The developers at Twacebook aren't idiots

  11. Create and add a cert to your testing device Easy, and writeups all over so won't detail, basics for 2.x devices: $ adb pull /system/etc/security/cacerts.bks $ keytool … $ adb push cacerts.bks /system/etc/security Gotchas Make sure you have the right version of bouncycastle otherwise things break in not­fun ways Different/easier procedures on Android 4.0+ devices

  12. BURP PROXY Invisible proxying, generates cert on demand, but you have to provide hostname Look at dns requests/guess hostnames to tell burp to use for generated certs Done automatically in 1.4.12 release http://releases.portswigger.net/2012/08/v1412.html (http://releases.portswigger.net/2012/08/v1412.html)

  13. INTERCEPTED TRAFFIC POST /create_account HTTP/1.1 Content-Type: application/x-www-form-urlencoded Content-Length: 296 Accept-Encoding: gzip,deflate User-Agent: TwacebookAndroidApp(build 6294, v1.8.64) Host: mobileapi.twacebook.com Connection: Keep-Alive Cache-Control: no-cache auth_consumer_key=40iqOgCcXqfwwqoa02D7nQ oauth_nonce=0437A32D733151CABA3A06A12243CD0A oauth_signature_method=HMAC-SHA1 oauth_timestamp=1340141019 oauth_version=1.0 x_auth_mode=client_auth x_auth_password=f00bar%24

  14. x_auth_username=jimbo oauth_signature=v%2FVnCJrssg9D07Zdy%2F8dPSapv8s%3D

  15. OAUTH Consumers requests a consumer key and consumer secret from provider End users allow provider to grant a token and token secret to consumer to make requests on their behalf Signs requests (HMAC­SHA1 usually) with consumer secret & token secret

  16. MORE OAUTH Users don't have to give their password to third party apps Thats good Providers get to restrict apps accessing their api to only (honest) approved ones, essentially DRM Thats bad Designed and works well for server ← → server Thats good

  17. Used extensively for mobile/desktop apps Thats just everyone fooling themselves

  20. DISASSEMBLY AND DECOMPILATION Apktool http://code.google.com/p/android­apktool/ (http://code.google.com/p/android­apktool/) Decodes apks Nice wrapper for smali/baksmali In theory should allow for some nice debugging.. JD­GUI http://java.decompiler.free.fr/?q=jdgui (http://java.decompiler.free.fr/?q=jdgui) dex2jar first not compilable source, sometimes misleading, good for general idea

  21. ABOUT ANDROID Runs within a Dalvik application virtual machine

  22. DALVIK Register based machine Optimized for low memory environments Runs dex files Deduped Dalvik instruction set instead of standard JVM Smali bytecode

  24. SMALI class public final Lcd; super Ljava/lang/Object; # static fields .field public static final a:Lcd; .method constructor init ()V .locals 2 const/4 v1, 0x0 const/4 v0, 0x0 invoke-direct {p0, v1, v0, v1}, Lcd;- init (Laa;ILjava/lang/String;)V return-void .end method

  25. DECIPHERING SMALI Register based machine Parameters are stored in p0...pX Local registers v0...vY where Last X local registers are identical to paramer registers Registers store 32­bit values 64­bit values (J, long, and D, double primitives) are stored in 2 registers

  26. PRIMITIVES V void ­ can only be used for return types Z boolean B byte S short C char I int

  27. J long (64 bits) F float D double (64 bits) L objects. You'll see in the form of “Lpackage/name/ObjectName”

  28. FUNCTION DECLARATIONS method private static a ( Lorg/apache/http/client/methods/HttpRequestBase; Laa; J Ljava/lang/String; Ljava/lang/String; )Ljava/lang/String;

  29. FUNCTION DECLARATIONS method private static a #name and type ( Lorg/apache/http/client/methods/HttpRequestBase; #p0 Laa; #p1 J #p2 + #p3 Ljava/lang/String; #p4 Ljava/lang/String; #p5 )Ljava/lang/String; #return type

  30. OPCODES move­result vx return­object vx invoke­direct parameters , methodtocall invoke­static parameters , methodtocall …

  31. Many more, great reference: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html (http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html)

  33. BACK TO TARGETED CODE const-string p1, "OAuth realm=\"%s\", oauth_version=\"%s\", oauth_nonce=\"%s\", oauth_timestamp=\"%s\", oauth_signature=\"%s\", oauth_consumer_key=\"%s\", oauth_signature_method=\"%s\"" new-array p3, p3, [Ljava/lang/Object; … const/4 p2, 0x4 aput-object p0, p3, p2 const/4 p0, 0x5 aput-object p4, p3, p0 … invoke-static {p1, p3}, Ljava/lang/String;- >format(Ljava/lang/String; [Ljava/lang/Object;)Ljava/lang/String; move-result-object p0

  35. BACK TO TARGETED CODE const-string p1, "OAuth realm=\"%s\", oauth_version=\"%s\", oauth_nonce=\"%s\", oauth_timestamp=\"%s\", oauth_signature=\"%s\", oauth_consumer_key=\"%s\", oauth_signature_method=\"%s\"" new-array p3, p3, [Ljava/lang/Object; #create array … const/4 p2, 0x4 aput-object p0, p3, p2 #filling array const/4 p0, 0x5 aput-object p4, p3, p0 … invoke-static {p1, p3}, Ljava/lang/String;- >format(Ljava/lang/String; [Ljava/lang/Object;)Ljava/lang/String; #filling in string move-result-object p0

  36. invoke-static {p0, p5, v0}, Lcd;-> a( Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String; move-result-object p0

  37. invoke-virtual {v0, v1}, Ljava/lang/String;- >getBytes(Ljava/lang/String;)[B move-result-object v0 new-instance v1, Ljavax/crypto/spec/SecretKeySpec; const-string v2, "HmacSHA1" invoke-direct {v1, v0, v2}, Ljavax/crypto/spec/SecretKeySpec;-><init> ([BLjava/lang/String;)V invoke-static {v0}, Ljavax/crypto/Mac;- >getInstance(Ljava/lang/String;)Ljavax/crypto/Mac; ... invoke-virtual {v0, v1}, Ljavax/crypto/Mac;- >init(Ljava/security/Key;)V const-string v1, "UTF8" invoke-virtual {p0, v1}, Ljava/lang/String;- >getBytes(Ljava/lang/String;)[B move-result-object v1 invoke-virtual {v0, v1}, Ljavax/crypto/Mac;-

  38. >doFinal([B)[B move-result-object v0

  39. AND FROM JD­GUI private static String a(String paramString1, String paramString2, String paramString3) { if (paramString3 == null); while (true) { try { str1 = ""; SecretKeySpec localSecretKeySpec = new SecretKeySpec((ch.a(paramString2) + "&" + ch.a(str1)).getBytes("UTF8"), "HmacSHA1"); Mac localMac = Mac.getInstance("HmacSHA1"); localMac.init(localSecretKeySpec); String str3 = ch.a(new String(cc.a(localMac.doFinal(paramString1.getBytes("UTF8"))),

  40. "UTF8")); str2 = str3; return str2; } catch (InvalidKeyException localInvalidKeyException) { str2 = ""; continue; } catch (NoSuchAlgorithmException localNoSuchAlgorithmException) { str2 = ""; continue; } catch (UnsupportedEncodingException localUnsupportedEncodingException) { String str2 = ""; continue; } String str1 = paramString3;

  41. } }

  42. LOOK SIMILAR?

  43. AGAIN, DUMB THING FIRST Printf debugging const-string v2, "SECRETKEY , v0" invoke-static {v2, v0}, Landroid/util/Log;- >d(Ljava/lang/String;Ljava/lang/String;)I invoke-virtual {v0, v1}, Ljava/lang/String;- >getBytes(Ljava/lang/String;)[B move-result-object v0 new-instance v1, Ljavax/crypto/spec/SecretKeySpec; const-string v2, "HmacSHA1" invoke-direct {v1, v0, v2}, Ljavax/crypto/spec/SecretKeySpec;- init ([BLjava/lang/String;)V

  44. Rebuild the apk and run it $ apktool b twacebook.apk twacebook_new.apk

  45. EXAMING THE LOGS $ adb shell $ adb logcat … "SECRETKEY , v0 - I7PW5lgEkgMrqPOdxIj1o6llAbFdXHhVjFnvUsg1g"

  46. SUCESS?

  47. ERROR, INVALID SIGNATURE Sadness → Confusion → Realization Twacebook devs have been especially sneaky, passing the returned signatured to another method Custom hash/encoding? No clue but its ugly

Recommend

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Proposal &amp; Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for

Proposal &amp; Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for

CS 528 Mobile and Ubiquitous Computing Lecture 6a: Other Android UbiComp Components, Tech Talk, Final Project Proposal &amp; Smartphone Sensing Emmanuel Agu What other Android APIs may be useful for Mobile/ubicomp? Speaking to Android

887 views • 50 slides
Android For Game Developoers Ove verview Limited APIs Window Management Input

Android For Game Developoers Ove verview Limited APIs Window Management Input

Android For Game Developoers Ove verview Limited APIs Window Management Input File I/O Audio Graphics Define a e an n Android A App pplication Activities Services Content providers Intents

305 views • 9 slides
Android APIs 2.0, 2.1 &amp; 2.2 Whats new? Markus Junginger droidcon Berlin 27. Mai 2010

Android APIs 2.0, 2.1 &amp; 2.2 Whats new? Markus Junginger droidcon Berlin 27. Mai 2010

Android APIs 2.0, 2.1 &amp; 2.2 Whats new? Markus Junginger droidcon Berlin 27. Mai 2010 Outline Bluetooth Quick Contacts Multitouch Live Wallpaper External Storage Cloud-to-device service Data backup JIT &amp;

749 views • 34 slides
Pride and Prejudice in Progressive Web Apps : Abusing Native App-like Features in Web Applications

Pride and Prejudice in Progressive Web Apps : Abusing Native App-like Features in Web Applications

Pride and Prejudice in Progressive Web Apps : Abusing Native App-like Features in Web Applications Jiyeon Lee, Hayeon Kim, Junghwan Park, Insik Shin, Sooel Son School of Computing, Graduate School of Information Security 1 Limitations of Web

1.03k views • 57 slides
Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk

Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk

Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar SAPM Spring 2012: Scripted Components 1 Scripted Components: Problem (Cf. Reuse-Oriented Development; Sommerville 2004 Chapter 4, 18) A

495 views • 21 slides
Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk

Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk

Scripted Components Dr. James A. Bednar jbednar@inf.ed.ac.uk http://homepages.inf.ed.ac.uk/jbednar SEOC2 Spring 2005: Scripted Components 1 Scripted Components: Problem (Cf. Reuse-Oriented Development; Sommerville 2004 Chapter 4, 18) A

419 views • 19 slides
APPLICATIONS UDAY LINGALA CSCI 5448, Fall 2012 Content Introduction to Android system

APPLICATIONS UDAY LINGALA CSCI 5448, Fall 2012 Content Introduction to Android system

ANDROID AND ANDROID APPLICATIONS UDAY LINGALA CSCI 5448, Fall 2012 Content Introduction to Android system What is android? History Android Market Why Android Design philosophy System Architecture Features

802 views • 40 slides
The medium to enable AllJoyn applications to communicate via published APIs

The medium to enable AllJoyn applications to communicate via published APIs

Any questions please contact winhectpe@microsoft.com The medium to enable AllJoyn applications to communicate via published APIs Communication is via messages that map directly to APIs in high-level programming languages Based on

588 views • 30 slides
CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and

CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and

CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and Cool Location Aware Apps Emmanuel Agu Google Places Place: physical space that has a name (e.g. local businesses, points of interest,

690 views • 24 slides
CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

583 views • 31 slides
CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

1.49k views • 70 slides
SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger,

SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger,

S C I E N C E P A S S I O N T E C H N O L O G Y SCAnDroid: Automated Side-Channel Analysis of Android APIs Raphael Spreitzer, Gerald Palfinger, Stefan Mangard IAIK, Graz University of Technology, Austria WiSec 2018,

723 views • 17 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications Jinseong Jeon * ,

Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications Jinseong Jeon * ,

Dr. Android and Mr. Hide: Fine-grained Permissions in Android Applications Jinseong Jeon * , Kristopher K. Micinski * , Jeffrey A. Vaughan # , Ari Fogel + , Nikhilesh Reddy + , Jeffrey S. Foster * , and Todd Millstein + . * University of Maryland,

536 views • 26 slides
How Bad APIs Compromise Security Tale of a Frustrated Android Developer Dr. Georg Lukas

How Bad APIs Compromise Security Tale of a Frustrated Android Developer Dr. Georg Lukas

Java's SSLSocket: How Bad APIs Compromise Security Tale of a Frustrated Android Developer Dr. Georg Lukas &lt;lukas@rt-solutions.de&gt; About the Speaker IT Consultant at rt-solutions.de (ITSec, Smartphone Payment) Open Source developer

905 views • 32 slides
Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the

Bypassing the Android Permission Model Georgia Weidman Founder and CEO, Bulb Security LLC Is the permission model working? Are users making good decisions? Most Popular Android App Demo App abusing permissions Demo explained Permissions:

819 views • 43 slides
TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING

TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING

TACKYDROID Pentesting Android Applications in Style THIS TALK IS ABOUT AN APP WE ARE MAKING This talk IS NOT about Android platform itself This talk IS about how we want to contribute auditing apps that run on Android systems With

975 views • 74 slides
rian sanderson sensor platforms, inc. you have an android board, you have a sensor board, you

rian sanderson sensor platforms, inc. you have an android board, you have a sensor board, you

rian sanderson sensor platforms, inc. you have an android board, you have a sensor board, you want them to work together make external sensors available through standard Androidd.SensorManager APIs google this: integrating android sensor

536 views • 28 slides
St Statistical De Deobfuscati tion fo for Android Applications Benjamin Veselin Petar

St Statistical De Deobfuscati tion fo for Android Applications Benjamin Veselin Petar

St Statistical De Deobfuscati tion fo for Android Applications Benjamin Veselin Petar Martin Bichsel Raychev Tsankov Vechev Department of Computer Science Why De-obfuscate? Android binaries (APKs) (no code available) Number of APKs

520 views • 31 slides
Programming Android applications: an incomplete introduction J. Serrat Software Design December

Programming Android applications: an incomplete introduction J. Serrat Software Design December

Programming Android applications: an incomplete introduction J. Serrat Software Design December 2013 Preliminaries : Goals Introduce basic programming Android concepts Examine code for some simple examples Limited to those relevant

1.44k views • 98 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric

From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric

FlowDroid Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware T aint Analysis for Android Apps From Dalvik Bytecode Analysis to Leak Detection in Android Applications Alexandre Bartel, Eric Bodden, Steven Artz, Siegfried

620 views • 45 slides
Qt-Based Google APIs Integrated Computer Solutions (ICS) Qt Developer Days 2012 www.ics.com

Qt-Based Google APIs Integrated Computer Solutions (ICS) Qt Developer Days 2012 www.ics.com

Qt-Based Google APIs Integrated Computer Solutions (ICS) Qt Developer Days 2012 www.ics.com What Are the Google APIs? Interface to Google services to help programmers develop applications. Offers a variety of APIs, mostly aimed at

819 views • 43 slides

More recommend