Published by知管 高 Modified over 5 years ago
1
Vulnerability in an Android App I Found last November - Attack and Countermeasure -
Ken Sony Digital Network Applications
2
My Works
Secure Development Policy/Guideline in Sony
Consultation for Secure Development (in/out of Sony)
Android Secure Coding Guideline
3
Cautions
The vulnerability I'll talk about today has been patched, and the revised version of the app has already been released. I greatly appreciate the developer of the app. They quickly responded to my bug report and fixed the app in a few days. It's awesome work. But other apps might still have similar vulnerabilities. You MUST NOT abuse the vulnerabilities.
4
Agenda
What was the Vulnerability I found in an Android App
Mechanism of the Vulnerability (Attack Mechanism)
Countermeasure (and Useful Security Guidebook)
5
What was the Vulnerability I found in an Android App
6
Android Security Report : 2015
Before coming to today's point. We researched the top 500 apps (by download numbers) in each category, from Aug to Sep. We had done the same research in 2013. Number of targets : 11,686 apps. Number of targets in : 6,170 apps. Copyright 2016 Sony Digital Network Applications, Inc.
7
Results : The percentage of apps that contain vulnerabilities has decreased since 2013, but the majority of apps still have vulnerability risks.
8
The Vulnerability was in
Today's main topic. Details are in the next slide.
9
Description Security researcher Ken Okuyama reported an issue on Firefox for Android where a previously installed malicious application can access content provider permissions for Firefox in order to read data. This data includes browser history and locally saved passwords. This issue occurs when a list of permissions is defined to match those that Firefox uses for content providers and bypasses signature protections. This issue does not occur on Android 5.0 or later versions of Android. This issue only affects Firefox for Android. Other versions and operating systems are unaffected.
10
Impact
Some sensitive data (browser history, password, etc.) can be leaked to any installed apps. An attacker can spoof the user on the web site related to the stolen password.
[Diagram: Mal app, Firefox, Password]
11
Mechanism of the Vulnerability (and Attack Mechanism)
12
Custom Permission Behavior
Any app can declare custom permissions of its own. Each permission has a protection level attribute (android:protectionLevel). A signature-level permission can be used only by the same developer (strictly, by apps signed with the same key).
13
Inside the app: the provider is protected with a signature permission
The Content Provider (in the Firefox app) requires a signature-level permission to access it. The signature-level permission is defined by Firefox, so other apps can't access the provider.
[Diagram: Mal app; "Requiring signature permission"; permission; Firefox; Password]
14
Inside the app: but the pre-defined permission is prioritized
Custom permissions can be defined by any app. Only the permission that was defined first is enabled (later definitions with the same name are ignored). If malware defines a permission with the same name and is installed before the Firefox app, the malware's permission is prioritized.
[Diagram: Mal app permission; "Pre-defined permission is prioritized"; Firefox permission; Password]
15
Inside the app: Firefox uses the malformed permission and malware can access protected data
After that, if the Firefox app is installed, it uses the permission defined by the malware. The provider then protects itself with the malformed permission, and the malware can access all data in the provider.
[Diagram: Mal app permission; "Malware can read/write password"; Firefox permission; Password]
16
Countermeasure (and Useful Security Guidebook)
17
Countermeasure for the vulnerability
The easiest way
Set “exported=false” in the provider. But this approach can be used only when the provider doesn't intend to communicate with other apps.

    <provider
        android:name=".PrivateProvider"
        android:authorities="com.example.android.privateprovider"
        android:exported="false" />
18
Countermeasure for the vulnerability
If you want to communicate with other apps
You have to check who defines the permission you use. To prevent spoofing, you should check the certificate hash value of the app that declares the permission (not its name).

    // Needs android.content.pm.{PackageInfo, PackageManager, Signature}
    // and java.security.MessageDigest.
    PackageManager pm = ctx.getPackageManager();
    PackageInfo pkginfo = pm.getPackageInfo(pkgname, PackageManager.GET_SIGNATURES);
    if (pkginfo.signatures.length != 1) return null; // Will not handle multiple signatures.
    Signature sig = pkginfo.signatures[0];
    byte[] cert = sig.toByteArray();
    // Check that the certificate hash value of the app which declares the permission is valid.
    byte[] sha256 = MessageDigest.getInstance("SHA-256").digest(cert);
    // correctHash is the expected SHA-256 as a byte[]. Compare contents:
    // equals() on arrays only compares references.
    boolean valid = MessageDigest.isEqual(correctHash, sha256);
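The check described on this slide, carried through from the permission name to the declaring package, as an added example that is not code from the original slides or from Firefox. The class name PermissionOwnerCheck, the method name isDefinedByTrustedSigner and the parameter expectedSha256 (the SHA-256 of your own release certificate, embedded in the app) are assumptions made for illustration.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.content.pm.PermissionInfo;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper (added example): verifies who really defines a custom permission.
public final class PermissionOwnerCheck {
    private PermissionOwnerCheck() {}

    /**
     * Returns true only if permName is currently defined at signature level
     * by a package whose single signing certificate hashes to expectedSha256.
     * Every error path returns false, so the caller fails closed.
     */
    public static boolean isDefinedByTrustedSigner(
            Context ctx, String permName, byte[] expectedSha256) {
        try {
            PackageManager pm = ctx.getPackageManager();
            // Ask the system which definition of the permission it is enforcing.
            PermissionInfo pi = pm.getPermissionInfo(permName, PackageManager.GET_META_DATA);
            // A same-name permission defined first by another app may carry a
            // weaker level (for example normal); reject anything but signature.
            int base = pi.protectionLevel & PermissionInfo.PROTECTION_MASK_BASE;
            if (base != PermissionInfo.PROTECTION_SIGNATURE) return false;
            // The package name alone can be spoofed, so check its certificate.
            PackageInfo pkg = pm.getPackageInfo(pi.packageName, PackageManager.GET_SIGNATURES);
            if (pkg.signatures == null || pkg.signatures.length != 1) return false;
            byte[] cert = pkg.signatures[0].toByteArray();
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(cert);
            // Content comparison of the two digests.
            return MessageDigest.isEqual(expectedSha256, actual);
        } catch (NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }
}
```

Call it before the provider serves data (for example at the top of query()) and refuse the request when it returns false.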
19
And more, Secure Coding Guide for you
Collection of know-how on Android app security (issued by a security association in Japan named JSSEC). Available for free in PDF from the public site. De-facto standard guideline in Japan. Recommended by the Ministry of Internal Affairs and Communications. The guidebook has the countermeasures I talked about today. Please check it.
20
Detects Android-specific vulnerabilities in an app within a minute, just by analyzing the apk file. No source code is necessary. 100% compliant with “Secure Design/Secure Coding Guidebook” from JSSEC. Already used by a hundred major software developers and publishers in Japan. Released Secure Coding Checker in the US.
21
How to contact us
Now offering free 2-week trials
Product website: Android Security Report YouTube
Sony Digital Network Applications, Inc. Secure Coding Checker Department
And, please contact me (Ken Okuyama)
22
Results
Could you develop secure apps with the secure coding tools? And you may get a bug bounty with the secure coding tools, too.