Keep it Like a Secret: When Android Apps Contain Private Keys

[Music]

thank you very much without further ado skip past the legal mumbo-jumbo so just a little bit of background about this project that I've been working on for a bit since the past the since August I would say I'm sure has a lot of folks here we follow people on Twitter and we find out about certain sorts of things and this is a particular journalist and security researcher who basically at some point a time he called out a scenario where some application was distributing a private key so there's a Cisco app and they had a private key and then he says someone should search for these things in a systematic way and somebody who can crawl the web and I

started to think that basically planted the seed of a little project I started a few years ago I did a presentation at the some trade show that involved talking about Android apps and I was basically looking at Android applications that were not validating SSL Certificates so I basically had this pile of just over a million Android apps and I figured well I can now take a look at this and get an idea of are there any Android apps that include private keys so just did a quick quick little search and decided this this would be something interesting so why do people really care about private keys you know so this person on Twitter said that this was a

particulars interest a private key can be used for a number of different things and it kind of depends on what the key is used for the whole impact of it one of the things that you do when you distribute a an Android application is you actually signed that Android app so a particular private key could be a signing key for Android apps you could also do the same thing with iOS apps I've also seen private keys that are used for encrypting HTTPS traffic so when you're on your favorite banking website the reason the way that they're able to protect the traffic to that site is because they have a key so there's really a wide range of uses for private

keys and so I decided to dig into Android apps that include them so the thing about the million apps that I had those are from about 20 2014 so I you know I came up with a number of private keys and I decided that this would be something worth a little bit more research so this is really the general aspect of how I'm downloading Android apps now obviously apk Spyder is a script that does some of the the nitty-gritty but if you can see here what I'm doing is I'm picking out random words from dictionary files I picked a number of different languages to not limit my search to just English language things I'm really just picking

a word by random and I'm searching for it the library that's being used there's a library called G play CLI which is a command-line interface for the Google Play Store which you can do is you can search for that term that you've picked from the dictionary and what it'll do is it'll tell you what are the apps that match that search term and it'll tell you the app name and it also include version numbers you get a quick question correct yes this is only free so any of the paid apps will also have similar issues this is the same thing I ran into in the past with SSL research the problem is I've currently downloaded

about 1.8 million apps and so even if those are $0.99 apps I'm not paying for that so basically what it's doing is it's downloading these I've just kind of have a throwaway Google account that I've been downloading apps since August from and they still haven't turned it off so good for me and then what I'm doing is I'm using a library called and row guard there used to be a script in it called Andrew apk info I think they've removed it but I ended up re-implementing it but basically what it's doing is it's telling you what files are included in an android app and it'll also include information about mime types and also what the signing

certificate is for that app so I'm looking for key files just to do a little bit of housekeeping I'm deleting old apps and then repeat so this is basically it it's a relatively straightforward process of searching for a term looking at the metadata of that apk and going from there and these are the two links they're both on github both G play CLI which allows you to search and download apps and and regard which gives you a little bit of ability to look into an apk to see what's inside of it one of the things that I that happened when in my first research back I hate these the term research my first little experiment back in 2014 is I just

started downloading things and I put them in a file or put them in a directory which is kind of neat to start out with and it's like okay I can actually download an app but eventually you get a million apps and then for every one of those apps you have associated meta file so basically I had a directory with with too many files in it the strategy this time around is for every APK that's downloaded you do a sha-256 hash of it and then you put it in a directory structure based on that hash so with that kind of insures is you'll never have a directory that has like more than 256 sub directories in it

and then the other thing that I did is early on if I have to like crawl a directory tree in order to look for a particular app it takes way too long even if you have a fast file server so I'm just using sequel Lite I've got a sequel Lite database that has my apks I have a separate one for the files that are contained within the apks and then a separate one for the keys the reason I did separate files was basically so I could do concurrent operations sequel Lite is kind of like a single user sort of thing so now that I've got these pile of Android apps I've got over two billion files what do I look at how do I

know which ones are private Keys the fact that I'm actually using sequel Lite gives me the ability to leverage that capability and if you look here I'm really do looking at file extensions and then the very last search term there is the mime type of the file so that would pick up like java key store or anything that has the word key in it so that's cast a little bit of a wide net the other files it's really just based on the file extension so that's it's kind of if somebody used a file type that doesn't have a mime type that andrew guard is aware of I might not see it but in the end I'm still able to see a lot of key

files this part I'm in as if they're a little bit I just wanted to get this information into the slide deck I'm not gonna talk to every slide but as you start downloading key files you'll see different key types pkcs1 is not encrypted it's RSA only then you can actually have an encrypted version of that which has a password associated with it pkcs gives you ability to do things other than RSA the other thing about the keys that you download is that those prior examples were PEM encoded which is basically base64 you can also have key files that are der encoded and the way that I can tell if a file is der encoded is I can actually leverage open SSL

which comes with an asn.1 parser and I can basically say parse this particular file as if it were a SN 1 and then if I see like an on-air exit status and I see a particular match in the results I know that I've got adder encoded file so basically you end up with a lot of different formatted key files and you kind of have to treat them all differently the one that I'll focus on just a little bit here is pkcs12 and this kind of explains some of the things that I've been doing later on in the project and that pkcs12 is a container for whatever you want to put inside of it key related which could be a public

key a private key certificate the password protection is all is optional but generally speaking every pkcs12 has a password in some cases it's a null password but it's still a password the password causes container level encryption so what that means is I don't know what's in a p12 file until I decrypt it so if I don't have the password for that key store I don't know if it's just the certificate or it might be something a little bit more sensitive so this leads me to cracking a number of files related to pkcs12 is I've got Java key stores very similar to the pkcs12 except for a Java key store I only realized this recently there's no container level encryption

for a Java key store so that means I might have a Java key store that has some sensitive goods in it but the container is not encrypted so what that means is I know the contents of that and I will know out of any Java key store if I want to bother to crack it or not by default the private keys are indeed encrypted I picture it kind of like a zip encryption where you can tell what's inside of a zip file without knowing the password but in order to actually extract the sensitive stuff you need it and then bouncy castle is a very similar sort of container format no encryption no container level encryption is used

private keys share the same password there is I thought I had an epiphany with this bouncy castle format in that I ended up with like accidentally finding password hash collisions with it and it turns out it only uses 16 bits for the container level password but because a bouncy castle just like Java key store is not encrypted at the container level it really doesn't matter so it was a little bit of a little bit of a dead-end quick yep yep you can tell what's inside of it so I'll know if it's a certificate or a private key and if it is a certificate I know the details of it I'm gonna be a little bit tight for time

here so I'm gonna try to maybe hold off questions if you have a question take note of it and if we have time at the end we'll get back to it sorry but thirty minutes is not enough to really talk about this stuff so one of the things that I realized as I'm looking at these apps is certain app developers try to hide the fact that they're including a private key in their app so they know what they're doing but because I'm able to leverage the mimetype I'm able to not really care about the filename so here's in something / key store / comment alright it's in a directory called key store here's key to text it's

actually a Java key store which is a binary format but they call it a text this one has spaces in the file names this one's a little bit better you know ten thirty four ten 305 dot bin if I was not looking at mime types I would not know that that's actually a key store this one is odd and that they call it an apk here's this developer is exceptionally tricky here so they're putting something in slash fonts slash data TTFN and it is indeed a key store file finally at the end here we got somebody that put it in a ping file I that they realized that they're doing something that they shouldn't but they're just

trying to kind of hide a little bit by by using clever file names but when you look at mine pipes it doesn't matter so I kind of touched on this earlier why are we cracking passwords well if I have a pkcs12 file for example I don't know if there's a private key in it until I crack it and so the impact of the fact you know let's say I come across a PL file and it has a private key in it if it has a trivially crackable password in it that's a higher impact when it comes to cracking passwords this might be all like repeat for you but we're able to whenever possible leverage GPU hardware

if you just look at the architecture of a CPU in general you could see you've got a handful of arithmetic logic units here and it's an all-purpose sort of piece of hardware where I can tell it to do whatever at once but if we were to compare that to the architecture of a GPU I can see I've got a lot more units at my disposal so anytime I'm doing something massively parallel GPUs are great when it comes to the cracking software and basically using john the ripper and hash cat those seem to be the the most popular password cracking tools both of those support different sets of keys but they generally both have GPU capabilities depending on the

file format you might not be able to leverage a GPU so as I start cracking some of the passwords I started to look into what makes a strong password or not and it becomes very quick quickly or it quickly becomes clear that the strength of a password has to do with the number of characters that you're using so for example if I have a password that only uses lowercase ASCII characters that's not as good as something that uses mixed case or if I have something that has symbols in it as well so basically it's a factor of the two aspects of the size of the password or excuse me the character set size which is the number

of different symbols that you use and also the length so just to help you realize that very simply if I have just the digits 0 through 9 and if I have a password of length 1 how many passwords do I have total any one 10 all right 10 to the 1 a 5 password of length to 0 through 99 I end up with a hundred so on so forth what you end up seeing is that the lengths exponentially influences the strength of the password if I just look at the exponent here it is indeed mapping 1 and 1 1 2 1 2 the length of the password so basically what I ended up doing is I did an experiment of

randomly generated passwords and then also cracking them just with a CPU it's a 64 core system and it's an md5 and you can kind of get an idea of the very sort of password strength so at the very top here I've got a 4 character or I've got a 4 length password of character set size or sorry care set size of 26 being that it's just single case ASCII and it took one second so that worthless you can see as you go on I'm kind of towards the end here 5 an eighth length password of character set size 36 it took about three hours so we're getting better this is about as far as I went at some point

I stopped it in this this is yeah this is running John the Ripper an incremental I could see at the very in here my best password on the screen is one that is eight characters long and it has a character set size of 52 that is because I'm using both uppercase and lowercase which is generally not a good password but you see using CPU it took about 22 days so this part is is perhaps interactive depending on how interactive the audience is feeling here but we've got a game and this is given a particular password I'm going to show you I would like to know if you think it's a strong password or a weak

password weak very good why is that well it's actually in the RockYou password list anything that's in a password list is worthless you don't have to brute-force you know when you're talking about cracking passwords if it's in a password list so you can go through a password list in a relatively short amount of time that's pretty good it looks pretty good right weak why it's also in the RockYou password list but why is that in the password list ah clever so people like to do keyboard walks and they think they're using a good password because it's both numbers and letters but because that's happened enough times people have included it in password lists that are found in the wild weaker

strong weak why it is weak this was actually one that was cracked by hash cat and there's a utility called naive hash cat and it basically just runs through some of the hash cat techniques that have been known to work pretty well and what we'll notice here is it's a pretty good length and it has mixed case and it has symbols and everything but there's actually human nature that puts you at risk when you're choosing a password humans love to capitalize the first letter of things and they like to put numbers at the end because he typing your password and it's like oh wait you need to have a number in it okay I'll put the number one at the end

or maybe I'll put an exclamation point at the end it's it's terrible so this is actually determined through brute force it didn't actually find it it didn't use a dictionary based attack on it but it basically used some of the human-being sorts of attributes of passwords that people choose so hash cat takes advantage of that because when people choose passwords using their brain they're also putting themselves at a disadvantage because the folks doing password cracking they realize that and they take advantage of that so here's one weaker strong it's got it doesn't look like it's a dictionary word this one is weak but the reason is a little bit different because in this case the author left us a note

so if I go ahead and look at this file code app sign in credentials dot text I can see right here's the password this is a file that is in the app that they have distributed this is publicly available in the Google Play Store they left the text file there so that's kind of bad this one's better I like this one this one's got mixed case it's got your bang at the end so pretty strong it's also weak why is that like author again left a note in this case they have a file called readme text so they're not really trying to hide anything when I look at the contents of that file I could say okay your Apple developer

credentials are this is your email address this is your password we'll also get my Google Play credentials and then also the password for the Pete's well file so they basically left everything all in the app that they've published to the Google Play Store now we're getting better right these are good passwords right can you see where I'm going with this game it's also weak why is this this one is not from like a note left with the app but the password is in the app if I look at this file strings.xml I can see well here's the actual password in there sorry is it pass it quickly but you can see right in that XML file so

all it's taking somebody looking at the app to determine are there's a password here's a better one this one is also weak this one is in application as well I sanitized it just because I don't want anybody to be sad that I'm talking about how horrible their code is but this one the app developer took a little bit of an extra step and that they didn't have it as a string right so nobody would ever be able to know what that password is except I'll yeah so these are all real world application passwords or sees me private key passwords that I've seen this one's pretty good in that it actually looks like it's memorable because you know it's it's complicated

but there's there's parts to it this one is also weak it's in the app but in a different form this one is in a dot Esso file if you have an Android app it's mostly Java like code but you can also have compiled code and I can see here decompile it in Ida and I could see right we've got our pasture right there finally any guesses on this one I mean have you caught on to my game yet ah I got you why is this one strong it is long it is one that I randomly generated it uses a good selection of both capital lowercase symbols and it doesn't have any patterns that are recognizable by a cracker just

don't use that password because this is now actually weak because I told you all what it is so what I quickly realize is like people go through various like ways of trying to protect private keys and they use passwords that are really horrible and also good passwords but if it's in the app it doesn't matter you can make it as strong as you want you could have it be 64 characters long but it doesn't matter if the app uses the key I came across a particular case study that I wanted to do a little bit of a deep dive into and this is Samsung smart home I have reached out the Samsung and they begrudgingly are okay

with me talking about it sanitize the little of it but it's worth looking into what as I'm downloading Android apps one of the things that I'm looking at are like the install counts right so if I've got something that's got between one and five million installs it might be worth looking into a little bit deeper here I'm leveraging my sequel Lite database it's pretty straightforward but basically got my keys database and I noticed that there were a number of apps that had this file in it common 14k underscore and Prive you know the fact that it has the word prevent is a pretty good tell but one of the things that I looked at is is the key used by the app

and I can see out of these four applications one of the apps uses the key this is where we dig into it a little bit deeper now if I were to try to brute-force this and it's not used by the app I have to make some guesses as to maybe it's in a password list maybe I'm gonna try to use hash cat naive which it didn't or excuse me I think this particular key format wasn't supported by hash ket so I couldn't leverage hash ket but what we have here is we have one application which is your smart home refrigerator because everybody definitely needs a refrigerator that has like a full-blown OS in it because yeah helps keep your

food cool so let's just grep to see what uses that particular file name and I can see in this particular case I'm using apk tool to get the the smally code I'm also using a tool called Jeb to get the Java which is a little bit more human readable not necessarily recompile belen to an Android app but I can see here I've got this thing called smart home launcher activity dot Java so that gives me something to look into a little bit deeper and I can see we've got this thing here that says set password so it looks like a base64 based on the character said and the the trailing equals on it so I basics mm-hmm that's

not right if I ever decode a password and it has like a line feed in it something has definitely gone wrong well if I dig into this a little bit deeper I can see well what's the set password could look like so I could see here's a function called set password here's a function that that calls and it passes the argument to it so I can look at that here I've got a function called decrypt PDE it's actually very complicated i sanitized a lot out of this it's a very complicated decryption function but it doesn't matter why I have the code right in front of me so what I can do is I can basically write a

patch here that gives me a main function that I call I'm just gonna call this function myself given the the password string that I saw earlier I'll compile it I'll run it and now I can see I've got my password and it says pretty good password i sanitize it at 16 characters long and complicated ways that I can now decrypt that keys I can use open SSL and I can get the private key out of it in every private key of this particular format there is a public key inside of it so I can actually extract a public key from that private key so here I now have the public key information from that key given the password that I got

out of it I can get a hash for that particular key there's a website called CR TSH which leverages the certificate transparency project it's looking for you know keys that have been seen in the wild in this particular case I don't see it what I can actually do is I can now compare the private key and the public key modulus is to see is it the same so I have a certificate file and I have a private key if I look here I can see the modulus of the private key matches the modulus of the certificate so I know it's a match we have a win so I can look at the x.509 details of this particular

certificate and I can see that this is a key for a certificate authority it's not something that's trusted by my browser so I don't really care but it's also something that can represent Samsung com so yeah we got that but like I said all of that stuff now this is the part that I'm going to skip over it's in the slide deck Samsung says it's not a big deal because you have to be there in person yada yada I'm at a time so little section here of I'm now emailing every app author that is included a private key in their app I don't understand what do I do I left this private key in to try to

confuse potential hackers this guy says well I've got an HTTP web server and the app is a honeypot app that's legit here's somebody that's concerned that their app is going to be removed from the Play Store and I just used PhoneGap here's one somebody used an app tool called App Inventor and it turns out every app that is created with App Inventor includes a private key that is used to sign the app inside of app so basically you know they make it easier for the developer but they've also given people anybody that wrote an app with App Inventor they've now distributed their signing key to the world here's one with an ssh server they say it's

used for so that you don't have to change the the key this is a good one how much bounty you want because obviously why would people do security research without a bounty it's my job I can't accept the bounty and then finally the part that makes me feel warm and fuzzy thank you very much sorry I'm gonna step ahead of myself it made me warm and fuzzy to start with and then he says good luck with your outdated initiatives so I don't know if that's like a dig like why are you doing this thing like that's stupid and then finally this guy says thank you so much and good job little bit of Statistics I'm gonna have to skim over cuz I got

about a minute and a half left I got currently I'm up to like 1.8 million apps it's something that's currently running so these numbers are going higher there's different key formats in there OpenVPN 64 those OpenVPN keys are unique which makes me wonder like when somebody installs a VPN app on their phone is it really private or is it just shared with every single person that is using that VPN I've also seen PGP pride keys why would somebody include a PGP private key in the Android app it's there we also got some statistics I've got 60 180 private keys that means that I have emailed about 60 180 people I regret doing that that's not pleasant I

don't lie you know only one small fraction of people actually get back to me you've seen a subset of the answers I get about 2,000 google play signing keys I've also seen Apple push private keys I've seen iPhone developer private keys at some point years ago I paid 100 bucks out of pocket so I could be an iPhone developer to write a test app well I can just pick I only got 21 private keys here we also have enterprise private keys which are used for signing multiple applications I can now push out I can provision my iPhones to accept anything signed by those enterprise keys some of the cracking statistics both between the rokkyo password lists and strings from

the app code I get about 70 what is that 76 77 % 76% that's pretty good that's people are using pretty bad path it's good from a crackers perspective it's bad from a password use perspective finally Java key stores a little bit less hash Kat naive that's a pretty good job if you haven't looked at it I would check into it conclusions finally 5 seconds to spare if your app has a private key in it it might be an accident by such as people zipping up a directory that has a private key in it it also just might be an app that's not designed in the best way and the impact depends on what the key is used for I've

reached out both to Google and Apple I'm doing this as an independent researcher we are a non-profit I'm spidering and pulling in apps from the Play Store it would be nice if somebody submits a app to their store warned the developer don't block it but at least tell the developer hey you got a private key in here and then the general result is fewer mistakes everybody's happier yada yada that's it thank you I might have seconds I don't do I have time for any questions I'm all out thank you very much for attending this is track 3 with will doorman from cert CC we will be switching out for our next speaker