android one root to own them all
play

Android: One Root to Own Them All Jeff Forristal / Bluebox Image - PowerPoint PPT Presentation

Oct 08, 2022 •129 likes •985 views

Android: One Root to Own Them All Jeff Forristal / Bluebox Image courtesy www.norebbo.com ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Please Complete Speaker Feedback Survey Or else ANDROID: ONE

  1. Android: One Root to Own Them All Jeff Forristal / Bluebox Image courtesy www.norebbo.com

  2. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Please Complete Speaker Feedback Survey Or else…

  3. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Logos Graphs Marketshare Ecosystem Android Overview What is Android? Google Vendors Wikipedia Quotes History Past Problems Charts

  4. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 If you haven’t heard of Android… …you’ve been living under a rock (And you’re probably in the wrong briefing)

  5. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Once Upon A Time, in a security lab not so far away

  6. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 “Let’s take an Android app, and modify it, to spoof the GPS coordinates” Challenge

  7. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Smali & Baksmali (decompiler & recompiler) Solution

  8. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Why I can haz no maps?!? Uh-Oh

  9. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Maps API is licensed … API key is tied to app signature … Changing the code breaks the signature … We need a way to change code but not change the signature Analysis

  10. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Challenge Accepted!

  11. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Where Do Sigs Come From? Time for birds & bees talk…

  12. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Where do apps get signatures? PackageManager provides them Where does PackageManager get them? Copy of signer certificate Where do those come from? Loaded after successful verified app install, from APK How does verification work? All entries in the APK are cryptographically verified against signed hashes Digging

  13. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 ZipFile & JarVerifier (java.util.zip & java.util.jar) JarSigner / SignAPK (BTW, APK = Jar = Zip)

  14. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Zip File Particulars <3 Phil Katz, RIP

  15. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 File 2 File 3 File 4 Central Directory Anatomy

  16. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 File 2 File 3 File 4 File 1 Meta-Data File 2 Meta-Data Central File 3 Meta-Data Directory File 4 Meta-Data End Of Central Directory Anatomy

  17. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 File 2 File 3 File 4 “ AndroidManifest.xml ” “ classes.dex ” Central “ resources.arsc ” Directory “META -INF/Manifest.MF ” End Of Central Directory Anatomy

  18. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 File 2 File 3 File 4 “ AndroidManifest.xml ” “ classes.dex ” Central “ resources.arsc ” Directory “META -INF/Manifest.MF ” End Of Central Directory Anatomy

  19. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 File 2 File 3 File 4 ZipFile.java “ AndroidManifest.xml ” HashMap “ classes.dex ” AndroidManifest.xml Central classes.dex “ resources.arsc ” resources.arsc Directory META-INF/Manifest.MF “META -INF/Manifest.MF ” End Of Central Directory Parsing

  20. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 File 2 File 3 File 4 “ AndroidManifest.xml ” “ classes.dex ” Central “ resources.arsc ” Directory “META -INF/Manifest.MF ” End Of Central Directory Parsing

  21. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 File 2 File 3 File 4 “ AndroidManifest.xml ” “ classes.dex ” Central “ resources.arsc ” Directory “META -INF/Manifest.MF ” End Of Central Directory Parsing

  22. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 File 2 File 3 File 4 “ AndroidManifest.xml ” “ classes.dex ” Central “ resources.arsc ” Directory “META -INF/Manifest.MF ” End Of Central Directory Parsing

  23. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 MANIFEST.MF File 2 File 3 File 1: Hash File 2: Hash File 3: Hash File 4 File 4: Hash Central Directory Verifying

  24. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 MANIFEST.MF *.SF File 2 File 3 File 1: Hash File 1: Hash File 2: Hash File 2: Hash File 3: Hash File 3: Hash File 4 File 4: Hash File 4: Hash Central Directory Verifying

  25. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 MANIFEST.MF *.SF *.RSA File 2 File 3 File 1: Hash File 1: Hash PKCS7 File 2: Hash File 2: Hash Pub Cert File 3: Hash File 3: Hash File 4 Signed Hash File 4: Hash File 4: Hash Central Directory Verifying

  26. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 MANIFEST.MF *.SF *.RSA File 2 File 3 File 1: Hash File 1: Hash PKCS7 File 2: Hash File 2: Hash Pub Cert File 3: Hash File 3: Hash File 4 Signed Hash File 4: Hash File 4: Hash Central Directory Verifying

  27. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Verification failure: jeff$ adb install evil.apk 3063 KB/s (7776463 bytes in 2.479s) pkg: /data/local/tmp/evil.apk Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES] File 1 MANIFEST.MF *.SF *.RSA File 2 File 3 File 1: Hash File 1: Hash PKCS7 File 2: Hash File 2: Hash Pub Cert File 3: Hash File 3: Hash File 4 Signed Hash File 4: Hash File 4: Hash File 5 Central Directory Verifying

  28. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Verification failure: jeff$ adb install evil.apk 3063 KB/s (7776463 bytes in 2.479s) pkg: /data/local/tmp/evil.apk Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES] File 1 MANIFEST.MF SIGN.SF SIGN.RSA File 2 File 3 File 1: Hash File 1: Hash E/PackageParser( 440): Package com.victim.app has no PKCS7 File 2: Hash File 2: Hash certificates at entry extra_file.bin; ignoring! Pub Cert File 3: Hash File 3: Hash File 4 Signed Hash File 4: Hash File 4: Hash File 5 Central Directory Verifying

  29. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 MANIFEST.MF SIGN.SF SIGN.RSA File 2 File 1: Hash File 3 File 1: Hash File 2: Hash PKCS7 File 2: Hash File 3: Hash Pub Cert File 3: Hash File 4 File 4: Hash Signed Hash File 4: Hash File 5: Hash Central Directory Verifying

  30. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 MANIFEST.MF SIGN.SF SIGN.RSA File 2 File 1: Hash W/PackageParser( 440): java.lang.SecurityException: File 3 File 1: Hash File 2: Hash PKCS7 META-INF/CERT.SF has invalid digest for some-file.bin File 2: Hash File 3: Hash Pub Cert in /data/app/vmdl-2023482334.tmp File 3: Hash File 4 File 4: Hash Signed Hash File 4: Hash File 5: Hash Central Directory Verifying

  31. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 MANIFEST.MF SIGN.SF SIGN.RSA File 2 File 1: Hash File 3 File 1: Hash File 2: Hash PKCS7 File 2: Hash File 3: Hash Pub Cert File 3: Hash File 4 File 4: Hash Signed Hash File 4: Hash File 5: Hash Central Directory Verifying

  32. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 File 1 MANIFEST.MF SIGN.SF SIGN.RSA File 2 File 3 File 1: Hash File 1: Hash PKCS7 File 2: Hash File 2: Hash Pub Cert File 3: Hash File 3: Hash File 4 Signed Hash File 4: Hash File 4: Hash Central Directory (I manually tried all of these variations) Verifying

  33. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 But then I tried something else (and I didn’t get a verification error!) Surprise

  34. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Android liked it! jeff$ adb install doublefile.apk 4167 KB/s (7776562 bytes in 2.478s) pkg: /data/local/tmp/doublefile.apk File 1 Success File 2 Hmmmm …… File 3 File 4 File 4 … … Central … Directory “ classes.dex ” “ classes.dex ” Surprise

  35. ANDROID: ONE ROOT TO OWN THEM ALL / JEFF FORRISTAL / BLACKHAT USA 2013 Jarsigner is happy… jeff$ jarsigner – verify evil.apk jar verified. File 1 Android, not so much… File 2 jeff$ adb install evil.apk 3063 KB/s (7776463 bytes in 2.479s) pkg: /data/local/tmp/evil.apk File 3 Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES] File 4A File 4B … … Central … Directory “ classes.dex ” “ classes.dex ” Attempt

Recommend

Own your Android! Yet Another Universal Root Wen Xu Yubin Fu xuwen.sjtu@gmail.com

Own your Android! Yet Another Universal Root Wen Xu Yubin Fu xuwen.sjtu@gmail.com

Own your Android! Yet Another Universal Root Wen Xu Yubin Fu xuwen.sjtu@gmail.com QooBee1993@gmail.com Keen Team Usenix Woot 15' 1 About Me Security research intern at Keen Team Mobile vulnerability research Android Rooting

785 views • 34 slides
Root/Jailbreak Detection Evasion Study on iOS and Android Research Project 1 Motivation

Root/Jailbreak Detection Evasion Study on iOS and Android Research Project 1 Motivation

Dana Geist &amp; Marat Nigmatullin Root/Jailbreak Detection Evasion Study on iOS and Android Research Project 1 Motivation Compromised (rooted/jailbroken) devices are a major issue in the mobile security field. Security and business

718 views • 28 slides
Bypassing Android Password Manager Apps Without Root Stephan Huber, Siegfried Rasthofer, Steven

Bypassing Android Password Manager Apps Without Root Stephan Huber, Siegfried Rasthofer, Steven

Bypassing Android Password Manager Apps Without Root Stephan Huber, Siegfried Rasthofer, Steven Arzt Fraunhofer SIT 2 Stephan Siegfried Mobile Security Researcher at Head of Department Secure Fraunhofer SIT Software Engineering

948 views • 58 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
THttpServer for ROOT Bertrand Bellenot, CERN Sergey Linev, GSI Darmstadt 28.02.2014 JSRootIO

THttpServer for ROOT Bertrand Bellenot, CERN Sergey Linev, GSI Darmstadt 28.02.2014 JSRootIO

THttpServer for ROOT Bertrand Bellenot, CERN Sergey Linev, GSI Darmstadt 28.02.2014 JSRootIO Written on JavaScript, works in all major browsers IE, Firefox, Opera, Safari, Android, Allows to draw many kinds of ROOT objects

808 views • 23 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest xmlns:android=&quot;http://schemas.android.com/apk/res/android&quot; package=&quot;net.cserna.bence.colorguess

201 views • 3 slides
PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO

PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO

Mario Vuksan &amp; Tomislav PericinBlackHat USA 2013, Las Vegas PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO CONTINUE: CONTINUE: CONTINUE: CONTINUE:

690 views • 45 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key Infrastructure (WebPKI) Root certificates of trusted Certificate Authorities e.g. GlobalSign Root CA, Amazon Root CA, GoDaddy Root CA Root 1 Root 2

347 views • 19 slides
Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android which gives us the liberty to perform heavy tasks in the background and keep the UI thread light thus making the application more responsive. Basic

240 views • 5 slides
Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview Installation Building Blocks Application Development Development Tools Source walk through Introduction to Android Open software

978 views • 49 slides
Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and volatility of the root zone Jaap Akkerhuis Lyman Chapin Patrik Fltstrm Glenn Kowack Bill Manning Lars-Johan Liman Summary of Findings Root Scaling

558 views • 20 slides
CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

1.49k views • 70 slides
CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

583 views • 31 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle Emmanuel Agu Android UI Design Example GeoQuiz App Reference: Android Nerd Ranch, pgs 1 32 App presents questions to test users knowledge

1k views • 96 slides
Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to address a problem or non-conformance, in order to get to the root cause of the problem. It is used so we can correct or eliminate the cause,

389 views • 28 slides
Services Android Services A Service is an application component that runs in the background, not

Services Android Services A Service is an application component that runs in the background, not

Lesson 22 Lesson 22 Android Android Services Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work

692 views • 26 slides
Android Pre-requisites 1 Android To Dos Make sure you have working

Android Pre-requisites 1 Android To Dos Make sure you have working

Android Pre-requisites 1 Android To Dos Make sure you have working install of Android Studio Make sure it works by running Hello, world App On emulator

666 views • 24 slides
Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware

Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware

Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware Software Development Tools Basics Debugging/Emulator Location Demo Android And Me Why I like Android Blend of Linux

1.01k views • 25 slides
CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is

CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is

CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is Android? Android is worlds leading mobile operating system Open source (https://source.android.com/setup/) Google: Owns Android,

652 views • 43 slides
CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu What is Android? Android is worlds leading mobile operating system Google: Owns Android, maintains it, extends it Distributes Android

388 views • 38 slides
CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is

CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is

CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is Android? Android is worlds leading mobile operating system Google: Owns Android, maintains it, extends it Distributes Android OS,

589 views • 35 slides

More recommend