2. Agenda
1. When it’s public - people WILL use it
2. SSL and its problems
3. And how to fix these problems
3. When it’s public - people WILL use it
Bad things are always going to happen
in life. People will hurt you…
… by exploiting vulnerabilities in your
applications!
5. Update Data Service
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.epam.itweek.commonsensesecurity.downloader" >
    ...
    <!-- An intent-filter makes the service exported by default,
         so any app on the device can start it. -->
    <service
        android:name=".UpdateDataIntentService" >
        <intent-filter>
            <action android:name=
                "com.epam.itweek.commonsensesecurity.action.UPDATE_DATA"/>
        </intent-filter>
    </service>
    ...
</manifest>
9. Update Data Service
import android.app.IntentService;
import android.content.Context;
import android.content.Intent;

public class UpdateDataIntentService extends IntentService {
    private static final String ACTION_UPDATE_DATA =
            "com.epam.itweek.commonsensesecurity.action.UPDATE_DATA";
    private static final String EXTRA_URL =
            "com.epam.itweek.commonsensesecurity.extra.URL";

    public UpdateDataIntentService() {
        super("UpdateDataIntentService");
    }

    // Convenience starter used by the app's own activity (slide 17).
    public static void startDataUpdate(Context context, String url) {
        Intent intent = new Intent(context, UpdateDataIntentService.class);
        intent.setAction(ACTION_UPDATE_DATA);
        intent.putExtra(EXTRA_URL, url);
        context.startService(intent);
    }

    @Override
    protected void onHandleIntent(Intent intent) {
        ...
        // `action` is the intent's action; the URL is taken from the extra
        // exactly as supplied by whoever sent the intent, with no validation.
        if (ACTION_UPDATE_DATA.equals(action)) {
            final String url = intent.getStringExtra(EXTRA_URL);
            performDataUpdate(url);
        }
        ...
    }
}
13. Update Data Service
public class UpdateDataIntentService extends IntentService {
    ...
    // Sends the user's auth token as a request header to whatever URL the
    // intent carried, over plain HTTP if that is what the URL says
    // (execute() throws IOException; handling is elided on the slide).
    private void performDataUpdate(String url) {
        Request request = new Request.Builder()
                .url(url)
                .addHeader(TOKEN, AuthManager.getInstance().getToken())
                .build();
        OkHttpClient client = new OkHttpClient();
        Response response = client.newCall(request).execute();
        String newData = response.body().string();
        storeDataInDb(newData);
    }
    ...
}
17. Update Data Service
public class RegularDataActivity extends Activity {
    // Plain http:// backend URL: the token from slide 13 travels unencrypted.
    private static final String URL_PRODUCTION_BACKEND = "http://google.com";
    ...
    // ButterKnife click handler for the "update" button.
    @OnClick(R.id.update) void onUpdateDataClick() {
        UpdateDataIntentService.startDataUpdate(this, URL_PRODUCTION_BACKEND);
    }
}
34. Do Not Export Update Data Service
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.epam.itweek.commonsensesecurity.downloader" >
    ...
    <!-- No intent-filter and exported="false": only this app can start it;
         startDataUpdate() still works because it uses an explicit Intent. -->
    <service
        android:name=".UpdateDataIntentService"
        android:exported="false" />
    ...
</manifest>
37. Attack Not Exported Update Data Service
08-02 17:22:00.720 11702-11702/com.epam.itweek.commonsensesecurity.downloaderattaccker.notexported E/AndroidRuntime﹕ FATAL EXCEPTION: main
Process: com.epam.itweek.commonsensesecurity.downloaderattaccker.notexported, PID: 11702
java.lang.SecurityException: Not allowed to start service Intent { act=com.epam.itweek.commonsensesecurity.action.UPDATE_DATA cmp=com.epam.itweek.commonsensesecurity.downloader.notexported/com.epam.itweek.commonsensesecurity.downloader.UpdateDataIntentService (has extras) } without permission not exported from uid 10191
    at android.app.ContextImpl.startServiceCommon(ContextImpl.java:1639)
    at android.app.ContextImpl.startService(ContextImpl.java:1616)
    at android.content.ContextWrapper.startService(ContextWrapper.java:505)
    at com.epam.itweek.commonsensesecurity.downloaderattaccker.AttackDownloaderActivity.onAttackClicked(AttackDownloaderActivity.java:30)
...
42. Attack Update Data Service With Permission
08-02 17:26:08.350 12460-12460/com.epam.itweek.commonsensesecurity.downloaderattaccker.withpermission E/AndroidRuntime﹕ FATAL EXCEPTION: main
Process: com.epam.itweek.commonsensesecurity.downloaderattaccker.withpermission, PID: 12460
java.lang.SecurityException: Not allowed to start service Intent { act=com.epam.itweek.commonsensesecurity.action.UPDATE_DATA cmp=com.epam.itweek.commonsensesecurity.downloader.withpermission/com.epam.itweek.commonsensesecurity.downloader.UpdateDataIntentService (has extras) } without permission com.epam.itweek.commonsensesecurity.downloader.permission.UPDATE
    at android.app.ContextImpl.startServiceCommon(ContextImpl.java:1639)
    at android.app.ContextImpl.startService(ContextImpl.java:1616)
    at android.content.ContextWrapper.startService(ContextWrapper.java:505)
    at com.epam.itweek.commonsensesecurity.downloaderattaccker.AttackDownloaderActivity.onAttackClicked(AttackDownloaderActivity.java:30)
...
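The manifest fixes above stop other apps from starting the service at all. As an added example (not the deck's own code), here is the defence-in-depth layer a reviewer would also ask for: the service itself refuses to attach the auth token to anything but an allowlisted HTTPS host, so a bad URL reaching onHandleIntent by any route is dropped. The host api.example.com is an assumption, and performDataUpdate is left as the request from slide 13.

```java
import android.app.IntentService;
import android.content.Intent;
import android.net.Uri;
import android.util.Log;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hardened UpdateDataIntentService (added example, not the deck's code). The
// manifest fix keeps foreign apps out; this check additionally guarantees the
// auth token only ever goes to our own backend, and only over HTTPS.
public class UpdateDataIntentService extends IntentService {
    private static final String ACTION_UPDATE_DATA =
            "com.epam.itweek.commonsensesecurity.action.UPDATE_DATA";
    private static final String EXTRA_URL =
            "com.epam.itweek.commonsensesecurity.extra.URL";
    // Hypothetical backend host (the deck's sample URL is http://google.com).
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("api.example.com"));

    public UpdateDataIntentService() {
        super("UpdateDataIntentService");
    }

    // True only for an https URL whose host is allowlisted. Uri.getHost()
    // drops userinfo, so "https://api.example.com@evil.example/" is rejected.
    static boolean isAllowedBackendUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onHandleIntent(Intent intent) {
        if (intent == null || !ACTION_UPDATE_DATA.equals(intent.getAction())) {
            return;
        }
        String url = intent.getStringExtra(EXTRA_URL);
        if (!isAllowedBackendUrl(url)) {
            Log.w("UpdateData", "dropping update request for URL: " + url);
            return; // the token is never attached to a caller-chosen server
        }
        performDataUpdate(url); // the request from slide 13, now https-only
    }
    private void performDataUpdate(String url) { /* as on slide 13 */ }
}
```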
43. Reference: Real-life vulnerabilities
● Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation
o academic paper - http://goo.gl/4wAO93
o Ars Technica article on the topic - http://goo.gl/3KXUVD
o Developer’s point of view - http://goo.gl/X2tETV
● Android OEM’s applications (in)security and backdoors without permission
o http://goo.gl/0eHVnx
o by André Moulu from QuarksLab
o interesting starts at slide #75
o read from the beginning if you want to know why Samsung software is of low quality
44. SSL and its problems
There are 3 types of software:
data producers, data consumers and
bad guys in between them
45. SSL
● Encrypts network communication
● with a generated session secret
● using server’s X.509 certificate
● relies on Certificate Authorities for certificate validity
Designed for use in general purpose network communication tools:
● Browsers
● Email clients
● IM clients
47. SSL
The client makes sure that the certificate:
● has a verifiable chain of trust back to a trusted (root) certificate
● matches the requested hostname
And this is good!
Browsers verify a website's identity via trusted CAs because they simply don’t
know whom they will be communicating with tomorrow.
But this is also bad!
The client does not check that it is your certificate, the one you uploaded to
your server.
48. SSL and its problems
● Man In The Middle (MITM) Attacks
○ Hacked CAs (Comodo, DigiNotar, TurkTrust)
○ Social engineering ("Free wifi! Just add this root cert to your device!")
○ NSA
● Complex nature, so implementations are sometimes buggy
● Others?
53. Google Play Services
The Security API allows you to easily install a dynamic security provider.
New versions of Google Play Services will keep the security provider up-to-date with the latest
security fixes as those become available.
54. Google Play Services - Security API
ProviderInstaller.installIfNeeded(getApplicationContext())
56. Pinning
A pin is a hex-encoded hash of an X.509 certificate's SubjectPublicKeyInfo.
A library is available for your needs:
dependencies {
    compile 'org.thoughtcrime.ssl.pinning:AndroidPinning:1.0.0'
}
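As an added example (not from the deck or the AndroidPinning library), this computes such a pin with the JDK alone: the hash AndroidPinning compares against is SHA-1 over the DER-encoded SubjectPublicKeyInfo. The certificate file paths are assumptions; any PEM or DER certificate works.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Pin calculator for AndroidPinning (added example, not the library's code).
public final class SpkiPin {

    // getPublicKey().getEncoded() on a Java X.509 certificate is exactly the
    // DER SubjectPublicKeyInfo structure, so no ASN.1 parsing is needed here.
    static String pinOf(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(spki);
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    // Usage: java SpkiPin server.pem [renewed.pem]
    // Because the pin covers only the public key, a renewed certificate that
    // keeps the same key pair yields the same pin; a fresh key pair does not,
    // so the app must ship the new pin before the server rotates keys.
    public static void main(String[] args) throws Exception {
        String pin = pinOf(load(args[0]));
        System.out.println("pin for " + args[0] + ": " + pin);
        if (args.length > 1) {
            String other = pinOf(load(args[1]));
            System.out.println(other.equals(pin)
                    ? "same key: existing pin still valid"
                    : "key changed: ship an updated pin before rotating");
        }
    }
}
```

The printed hex string is what goes into the pin list handed to the library; pinning the SPKI rather than the whole certificate is what lets routine certificate renewals keep working without an app update.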