AdSense
Saturday, December 24, 2016
ANDROID PT / Backup Vulnerability
BACKUP VULNERABILITY
- Layout for this exercise:
- Connecting Santoku to Nexus 5:
- Backup and restoration processes in some Android applications are vulnerable because the backup contents can be altered and later restore back without root privileges.
- Some of these vulnerabilities were discovered and investigated by Chris John Riley and Aditya Gutpa.
- In this exercise the Android Backup Extractor (abe) will be used:
https://sourceforge.net/projects/adbextractor/
- Once downloaded to Santoku, let's unzip abe:
- On the other hand, to test the backup vulnerability, the application box.apk will be used:
- Installing box.apk to the mobile device:
- Going to Settings, a passcode is introduced:
- From now, to access the application a passcode is needed after 1 minute of timeout:
- Detecting the name of the package used by the application:
- ADB helps to backup the application, from box.apk, creating the new file box.ab. The extension .ab means "android backup":
- The user is prompted to perform the backup at the mobile device:
- The backup process is successful:
- hexdump shows the hexadecimal content of box.ab, checking that it is actually an Android backup:
- It is important to notice that an Android Backup (*.ab) file is actually a compressed tar file, that can be created with the Android Backup Extractor, so unpacking box.ab to box.tar:
- Extracting with tar, all the files of box.tar are displayed:
- Listing the files of box.tar to a file box.list:
- Now, the whole package com.box.android is available to be analyzed:
- Going deeper into the folder's structure down to sp (shared preferences):
- Looking up into apps:
- A hardcoded encrypted pin is found at the file myPreference.xml:
- Opening myPreference.xml, the line with the encrypted pin is detected:
- With the purpose of altering the application, the line corresponding to the encrypted pin is just removed:
- Now, to rebuild the application once it has been altered, the pax command is used:
- Redirecting the list of files of box.list (altered) to a new file box1.tar:
- The Android Backup Extractor does the reverse process than before, now packing instead of unpacking, and creating a file box1.ab from the altered box1.tar:
- hexdump shows the hexadecimal content of box1.ab, checking that it is actually an Android backup:
- Restoring the backup with ADB:
- The user is prompted to perform the restoration (notice that neither passcode nor pin is requested):
- The restoration of data is eventually successful:
- We can also verify that the alteration is effective, by checking that now the Settings configuration says Require passcode = Never, although we set previously a required passcode:
Subscribe to:
Posts (Atom)