Published by Shanon Long. Modified over 9 years ago.
One Root To Own Them All
Black Hat US 2013
Jeff Forristal @ Bluebox

Outline
Introduction
Android APK Overview
Jar and Jar Signer
Exploit
Analyze APK Install Process
– Normal Case
– Abnormal Case
Vulnerability Point
Patch
Similar Approach
Conclusion
Reference

Introduction

Vulnerability Description

Attack Surface

Android APK Overview

Android APK
APK stands for Android application package file. It is just a Jar file with some additional files that Android needs.

Android APK Content
Package resource files:
– Android Manifest
– Some pictures, audio files, ...
– Etc.
classes.dex
META-INF/MANIFEST.MF

Compile Android APK
What we usually do:
– 1. Write code in Eclipse / Android Studio
– 2. Press the compile button
– Simple and easy

Compile Android APK
1. aapt creates R.java from the following files:
– Android Manifest
– Resources
– Assets
2. javac compiles the source code with some libraries -> generates many *.class files.
3. dx transforms Java bytecode into Dalvik bytecode -> the many *.class files are merged into one classes.dex.
4. apkbuilder generates the unsigned APK from the following files:
– classes.dex
– Package Resources Files
5. jarsigner signs the unsigned APK, producing the signed APK
– E(unsigned APK, Key) = signed APK

Jar and JarSigner

Jar
Jar stands for Java Archive.
The Jar file format is the same as the Zip file format.
File contents:
– *.class
– Resources
– META-INF/MANIFEST.MF

Jar (diagram: Android APK)

JarSigner
Generates a signature for a JAR (Java Archive).
Verifies the signature of a signed JAR file.
Two additional files are placed in the META-INF directory:
– signature file with .SF as extension
– signature block file with .DSA extension

JarSigner - Signing (diagram: aapt, jarsigner)
JarSigner - Signing (diagrams: Integrity)
JarSigner - Signing (diagrams: Identity)
JarSigner - Signing (diagram: Certificate)
(diagram: Public Key; Digital Signature for the Certificate)

Attempts

APK Install Process

Overview

PackageManager (diagram):
– PackageParser: Parsing Package And Verify
– Installer: Sending Command to installd
– PackageHandler: Handle Event

Overview: Parsing, Verify, Install

Parsing (diagram): JarFile.Class, JarEntry.Class; the Android APK consists of File 1, File 2, File 3, File 4 and the Central Directory; the Central Directory consists of File 1 Meta-Data, File 2 Meta-Data, File 3 Meta-Data, File 4 Meta-Data and the End of Central Directory.

Parsing, Verify and Install
1. Get the entries list from the Central Directory.
2. Create a JarEntry object for each entry and put it into the mEntries HashMap.
– The index is calculated by: secondHash(String entry name)
4. JarVerifier verifies each entry according to mEntries.
5. After verification, find the classes.dex entry and install it.

Normal Case

Parsing (diagram): the Android APK contains Manifest.xml, META-INF, classes.dex, res and the Central Directory. The Central Directory lists 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data, then End of Central Directory. mEntries holds a ZipEntry object for each of Manifest.xml, classes.dex, META-INF, res, ...

Verify (diagram): mEntries with the ZipEntry objects for Manifest.xml, classes.dex, META-INF, res, ...

Install (diagram): the same Android APK and Central Directory; installd; classes.dex.

What If … (diagram): the Android APK (Manifest.xml, META-INF, classes.dex, res, Central Directory) next to an APK that contains classes.dex twice (classes.dex, res, Central Directory, Manifest.xml, META-INF, classes.dex).

Parsing (diagram): the Central Directory lists 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data, then End of Central Directory. mEntries: ZipEntry objects for Manifest.xml, classes.dex, META-INF, res, ...

Verify (diagram): mEntries; classes.dex; "!!!!!!"

Install (diagram): the same APK and Central Directory; installd; "!!!!!!"
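
A defender-side check for the abnormal case above, as an added example that is not part of the original slides: it lists entry names that the Central Directory carries more than once, and shows that a map keyed on entry name (as the slides describe mEntries) has room for only one of them. The function names and both sample archives are constructed for illustration; the samples hold placeholder bytes, not real APK content.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(archive_bytes):
    """Names that the Central Directory lists more than once, with counts."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def name_keyed_view(archive_bytes):
    """Model of a map keyed on entry name: one slot per name.
    Assumption of this model only: the later entry overwrites the earlier."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {info.filename: info.header_offset for info in zf.infolist()}


def build_sample(names):
    """Constructed test archive; every entry holds placeholder bytes."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on repeats
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, b"placeholder %d" % i)
    return buf.getvalue()


# Constructed samples mirroring the slide layouts (not real APKs).
NORMAL = build_sample(["Manifest.xml", "META-INF/MANIFEST.MF",
                       "classes.dex", "res/icon.png"])
ABNORMAL = build_sample(["Manifest.xml", "META-INF/MANIFEST.MF",
                         "classes.dex", "classes.dex", "res/icon.png"])

if __name__ == "__main__":
    for label, data in (("normal", NORMAL), ("abnormal", ABNORMAL)):
        dups = duplicate_entries(data)
        # Any repeated name means verify and install may not see the same entry.
        print(label, "REJECT" if dups else "ok", dups, len(name_keyed_view(data)))
```

An archive for which `duplicate_entries` returns anything should be rejected before signature verification is trusted.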