Having fun with secure messengers and Android Wear (and Android Auto) Artem Chaykin Positive Technologies CanSecWest’16

Upload: cansecwest

Post on 12-Apr-2017


TRANSCRIPT

Having fun with secure messengers and Android Wear (and Android Auto)

Artem Chaykin

Positive Technologies

CanSecWest’16

Who am I?

•  Russian hacker / Putin’s agent
•  Mobile application security team lead
•  SCADA Strangelove Team
•  RDot.Org team member

Android IPC basics

•  Private memory for each process
•  Data is passed through kernel module – Binder
•  Intent-based

Intents

•  Intent is an object
•  App1 can send intents to exported components of App2

[Diagram: Intent (Package name, Component name, Action, Data)]

[Diagrams: Android IPC basics (App1, App2, AppN, Binder); (App1, Binder, IActivityManager); (App1, Binder, IActivityManager, App2)]

Example 0x1: MobiDM


PendingIntent

[Diagram: Intent, Identity, Permissions]

•  getActivity()
•  getService()
•  getBroadcast()

[Diagrams: PendingIntent (App1, App2, pIntent)]

PendingIntent

•  AlarmManager
•  NotificationManager
•  Identity confirmation

Example 0x2 – PendingIntent hijacking

•  3rd party push services
•  Identity confirmation

Victims:

Example 0x2 – Victim:


•  Exploit:

Android Wear & Android Auto

•  Remote Input class is based on PendingIntent


Voice reply

Example 0x3: Spam

Victim:

•  Bug:
•  Exploit:
•  Result:
•  Victims:

Example 0x3: Intercepting

Victim:

•  Bug:
•  Exploit:
•  Android Auto victims:
•  Android Wear victims:

Detecting with Xposed module

Fixes

•  Signal – emailed Moxie – fixed same day – got “thanks”
•  Telegram – emailed security@ - partial fix after ~ 45 days - Still no thanks

Microsoft


Fin! Questions?