
Thank you. My name is Ben Actis and this is Pono for Naps. Thanks for having me at BSides Vegas, I'm super stoked to be here.

A little bit about me: I started my career at MITRE, which is a federal research lab. I did a lot of mobile security there, and a lot of network sensor work as well. Then I went to Lookout, where I reversed thousands of Android malware samples and some iOS ones as well. Then I spent a year and a half at Synack, where I helped build their mobile attacking tool chain: how do you, at scale, reverse apps, statically look for vulns, dynamically look for vulns. I also did a lot of mobile pen tests there. All of the work today has been done under my side business, Cyber Merchants of Death, where I do a lot of bug bounties and training in this area.

So a little bit of outline: we'll go through the motivation, a little bit of Android 101 so you understand some of the vulns if you're kind of a novice, then we'll go through three vulnerabilities in apps and easy fixes.

Motivation. We're all humans at the end of the day; some of us have, you know, sexual urges, and some of us choose to use adult content or pornography apps to meet those urges. But the privacy of these apps is pretty important, and there can be some serious consequences if our usage of these apps is inadvertently leaked to others. One such example is this one from the New York Post: users were targeted with a malicious application. The idea was users would be tricked into installing, like, a video codec or an adult content app. What this app would really do is film the user without their consent, and then the video would be used to blackmail them, basically saying pay me $500 or I share this with a bunch of people. As you can imagine this would be really damaging to relationships, professional ones, you name it. But in addition to the privacy violation there's also an actual physical human impact here: Egypt actually leveraged an improper implementation of some of the GPS functionality of Grindr to track gay people, and those people were injured and killed in some cases. So there's big impact here. So are these apps secure?

Before I go forward I have to cover a few little Android things. By default your Android app has a little protected storage area that only that application can access. If you ask for the external storage permission you can write to, typically, the SD card, and that storage is world readable and world writable. What I have up here is the actual screenshot from the API docs, and they actually say there in the first paragraph: do not store any private information here. So anything that could identify a user, photos, etc. They also go out of their way to say you should never write executable code here, because any other application on the phone could read that code, modify that code, or delete that code.

The other important thing I want to cover is that on Android it's really simple to do HTTPS now. As long as your back end supports it, it's as simple as just doing https and your domain. It actually says it right there in the docs; yes, it can really be that simple. Now this isn't going to do your certificate pinning or your key validation, but at least it's something.

So the problem is, if you're a pornography app you're banned from Google Play, so you can't leverage that update mechanism; you have to roll your own. The problem is, if you go to Stack Overflow and search "how to update a non Google Play app", you get this example here as the top one, and this is a poor implementation, because it says oh, just write to the SD card. And we just saw from the other slide that Google tells you in the APIs you should never do this.

So let's look at some vulns. The first one is known as PlanetPron. According to their website they have a million satisfied users, 200,000 video and picture sets, 400 professional partners, 30 plus amateur partners as well. It says one million, which is funny because if you look at the tokens later, like the unique user IDs, they're not at a million. Anyway, it's true right now; maybe that changed since I reversed it. Android Central says the quality is there in the app and the content, Android Authority gave them good reviews, and also Fleshbot too.

So vuln number one. This is a man-in-the-middle proxy, in case you're not familiar with it; it's most commonly used for intercepting and viewing HTTPS traffic, but in this case it's HTTP. So a few things here: you can see my username and password, and also there's this t value, which is the integer I was alluding to earlier. The reason why that's a problem is, if you actually look at how the app does its change password or change email field, it doesn't check your username or password; you just need that token value. So if you knew that, you could change people's passwords. The other problem is, because this application is all plain text communication, anything you search for, any private messages to other users on the site, anyone could see that. So that's not good.

The other problem, which is more interesting in my opinion, is: can we replace their update app, because they can't be in Google Play? How this works is, I have some decompiled Java code up here in this red rectangle. Basically you've got a string, and it's getting this string from the Android manifest. For those of you that don't know, the Android manifest is kind of like the table of contents in an Android app, and all this is doing is saying hey, look at this version name, store it in the string; so in this case it's 2.07. Then what it's doing is calling this check for updates method, and how that works is it goes out, again over HTTP, to planetpron.com/app/version, gets a connection, and returns a numeric value. And here's what it looks like, again, HTTP. Now if we're a network capable adversary we can modify these things, and I'll step through that. Oops. So at this point what you're doing is just comparing: if the client is outdated compared to what the server tells us, then go through this update path. And how this works is, again, it's going over HTTP, it goes to just planetpron.com/planetpron.apk, and then it just installs the APK there.

So here's a little proof-of-concept video: man-in-the-middle proxy in the back, the Android video on the front. If you see the orange font, that's an intercept filter I've set up; basically it says pause this traffic if it matches this expression. So it goes out to PlanetPron, gets the version, I allow the request, and now I'm going to modify this. So the server's saying hey, my latest version is 2.7; I'm going to say no, it's actually 2.9, save it. Now I'm going to allow this modified response back to the client, and at this point it says update available. I zoomed in here because I edited out a lot of the adult content; yeah, sorry guys, I had to get it through PR. So anyway, now it's going out to the server. At this point you can do a few things. The easiest one for me is I'm just going to change the URL, but you could do DNS poisoning, or you could actually modify the zip or the APK file as it comes in at this point. But I'm just changing it to a subnet in my local IP and I'm calling it planetpron.apk, which is not the real one. At this point it's being downloaded, I'm saying hey, open it, open the top one, and at this point the icon is different, right? Installing. I open it, and boom: not the porn you're looking for.

So obviously this is not the legit app. If I was an adversary I could do a lot of things at this point. Worst case I could replace it with a rooted version of the app, where I try to root your phone with an exploit and persist that way. I could add additional permissions like camera and things like that and just kind of shove it into the binary so it looks like the real one but I'm actually doing other things in the background. In an even worse case, if I don't have any new permissions, I still have read external storage, so I could kind of peruse external storage looking for embarrassing photos or something. Third, boom: they're storing this update file in a world readable, world writable location, so if I'm a malicious app I could just watch this directory and swap it out that way too.

So the vendor was actually really positive. They basically thanked me; they said we're going to fix it ASAP, and he replied, I don't know what Andy's role is, but he wanted to fix it, so cool. Disclosure timeline: I emailed them at the end of the month, they actually responded I think within an hour, which is great. It still hasn't been fixed yet, but maybe this morning they did, so we'll see. So they're doing insecure communication, there's no integrity check of that update file, and they're saving that update file on external storage.

Next one: Perfect Girls. This one's kind of funny. If you go to their website they're mimicking Google Play, but this is actually not Google Play, which is really funny. Second thing is they have fake reviews, and if you go in the source code it's just like hard-coded values in there, which is also really funny. It gets better: they refer to the app as Porn Droid, which is not the name of the app, and this was actually a piece of Android malware from like two years ago. The other funny thing is they have, like, fake reviews. I don't know why they put like a fake "can you help me reset my password" review; I don't know, I thought that was funny.

So vuln number one for Perfect Girls. This one works like this: the client sends its version out to the server and then the server replies. So this one's saying hey, I'm running version 2.09. The server responds with two things this time: one, a boolean value, true or false, that says is there an update available, and two, a version number. So here's how this works. The first check is that boolean: is an update available, true or false. I'm going to go through a little bit of Android assembly here, just because we're going to be debugging in a couple of slides. So this if statement becomes three lines right there; it's basically get a boolean, and then if that is equal to zero go down one path, if not go down the other path. Then there's the second check, the numeric one, and this value is actually hard-coded as a string in the app; it's not in that manifest file. It's just saying hey, if my client version is outdated from the server one then go ahead and do an update. And again, this one if statement comes out to about four lines, because we're comparing floats, and then it does a difference, and if that difference is equal to zero or less than or equal to zero, go down one path, otherwise go down another path.

So this should be super easy, right, because the client's app is already outdated. So I'm like okay, cool, it's going out, the client's saying it's 2.09, the server says the new one is like 2.10 or something like that. I'm like great, this should be the most easy POC ever. So I'm allowing it, allowing a bunch of other things, and it failed, which is really weird. So I start incrementing and decrementing everything on the client and everything on the server end, and it still wasn't happening. So I'm like this is really weird, because I told my mentor for this talk like, this will work. So I start going through it, like this is weird, this is really strange: in that second check I'm getting the same value twice. So their update mechanism is actually wrong. They compare the client version twice instead of against the server one, so they actually never update, which is hilarious. So we've got IDA Pro, so we can patch their binary; if they fix this conditional check they do update, which is great.

So here we can also do debugging in IDA Pro with Android, in case you guys aren't familiar with that. I'm basically saying start debugging, and any of those red lines are breakpoints, so I basically set a bunch of breakpoints right where that first boolean check is and then where that numeric check is. What you'll see is a blue line will indicate that's the current line we're executing on, and don't worry, I zoom in on IDA when there are funny values and stuff. So it takes a second, that's launching. Okay, so it gets the client version correctly the first time for the boolean, now it's getting values from the server end in the background. We're at the first boolean check right now: true value, everything's coded correctly here. It's getting the new values from their server, all right, and we're going to go to the left path of execution over here because we got the right boolean value. It's going to pop over here, gets the client version, and now this is where the mistake is, because it gets this value twice; one of those should be 2.1. So all I did was, in IDA, I just said okay, you're now 1, and it's going to go down the update path. So boom, hit continue execution here, it's going to run, and there you go, that one is available. So go ahead, hit download new version, and pow.

I'm going to zoom in for a second here so you can see what I'm doing. So similar kind of attack here: instead of going to the legitimate update server, which is also HTTP, I'm just going to go to a server I control, I think I call it evil.apk here, and download it. Now you could also, again like I said, change that APK in transit so you won't even see a change in address; you could do it that way, and also DNS poison and do a bunch of other stuff here too. So at this point the app pops up, and I had to edit out a bunch of adult content here, so enjoy kittens. So now it's running, it kind of relaunches, and then the update prompt comes, and boom, not the porn you're looking for. So now this one also writes to the SD card, which is bad.

So disclosure: I emailed the company and I haven't heard anything, and I even checked my spam folder this morning, so I know. So Perfect Girls: HTTP usage, they're not hashing, there's no kind of integrity check, and they're also writing to external storage.

So Pornhub, most of you are probably familiar with this one. The good news is they are using HTTPS; yeah, they have puppy videos on it. And they are doing a hash of the APK being downloaded. The problem is, as you'll see here, how it works is it goes to that URL, says hey, what's the latest version, and then it's going to reply back, if it's out of date, the new APK, the link to it, and then an MD5 of the new APK file and a file size. The problem with this is you're sending the new file size and hash in a mechanism which, as an attacker, I can see, so it's trivial to change at this point. This file is written to external storage and then it's going to compare them, and if that matches then we're good. So what I did was I put a fraudulent cert on the device so I can intercept traffic, and what I ended up doing was just change it to a value or server I control; I'm changing the file size and MD5, pretty easy. So here's an example here; I'm sorry for the potato quality in this video, my screen recorder binary crashed. So I'm going out, it's talking to Pornhub right now. At this point I've deleted the legitimate values and I'm putting my evil ones in: my evil MD5 hash here, the new file size, and an evil URL which I control. And because these are the values the client checks, it assumes everything's good, and at this point it's updating. Now it's going to my evil URL to get the new update APK, download, and it should pop up in a second here. Now you could do all this just with scripting man-in-the-middle proxy or a little bit of Python; none of these attacks would require my human intervention. Hit install and open. Cool.

So Pornhub has a bug bounty, and I'm like awesome, this is really cool, I get paid for finding these vulns. So I submit it and they're like hey Cyber Merchants of Death, thank you, but your update URL is actually not in scope, so we're not going to reward you. I was like ah, sucks, but okay. But then I was like wait a minute, they're still writing to the SD card; I wonder if there's a race condition there. So what I did here was, there's that check that I mentioned, I called it the checksum check. What this is doing is going into this bit of code, and all it's doing is getting the file size and the checksum, so it's pretty easy. Then if that condition is met it goes ahead and installs the APK that's downloaded. So if I'm an attacker or adversary this is kind of a period of time where I have a race condition. So let's do this. I did it with a debugger just so I could extend that race condition to an unlimited period of time. So I'm doing debugger, start debugging, and it'll start up in a second here.

Now on Android you can debug in a few different ways. If you want to cheat you can take the app, decompile it, add a single flag and then re-sign it; that's one way, but your signatures are not going to match, because it's public/private key crypto. The other way is you can have a rooted device and you can launch anything as root and then attach. Or if you really want to get savvy you can actually recompile Android from source and change some stuff. So right now it's running, it's doing the update, and I set a breakpoint right where that check occurs, right here. So at this point the app has validated the APK on external storage; it inherently trusts it. What I'm doing here is I'm just removing their legit app and I'm copying my, like, jokey app to the same name that the client is expecting, and then I'm going to enable execution again, and boom, it's updating. Cool, installing. And also by the way, you can change the little app icons and shortcuts; I was just being lazy. All right.

So I submit this one. So the vendor kind of went back and forth for a while, I think two or three months. Eventually I ended up talking to Nick, who was their main Android dev I think, and he basically said hey, thank you, we're aware we're storing things in common ground where other applications can hijack the APK; sadly there's little we can do to resolve this issue because of the nature of how we distribute. And I was like hey, I'm sorry that Google is being unfair to you, but have you considered using these protected storage internal APIs? The difference being, instead of get external dir, it's get dir; it's actually a pretty easy change. At this point their bug bounty triage person replied to me: do you mind if we close this as informative? And I replied yeah, I do. I'm a little confused here, because I gave you a proof of concept video, I gave you an IDA Pro database file, and I cited, like, the mobile guide saying you really shouldn't write to external storage; I'm confused why this doesn't count. At this point I think a legal person on their team or someone wrote me back that said, since you're quoting, let me do so as well: we reserve the right to pay whoever we want, we don't think this is a vuln, there's going to be no further negotiation. So I told my girlfriend, all right, I will give a BSides Vegas talk. So okay, yeah, I joke, but these are really bad flaws and they really should fix them.

But anyway, disclosure: first of all it goes out 12/10, then on 12/20, yep, they mark it as not in scope. Then I submit the new vuln, then we actually go back and forth for a bit, which was actually fun. February 1st the dev says it can't be fixed, a week later they said sorry, go away, and then 6/28 I said hey, I'm going to go public about it.

So the other question is, could we do this without a debugger? So this is a really neat API, FileObserver. Who knows about inotify in the audience? Some of you, yeah, okay. So one of my old school, like, greybeard UNIX mentors taught me about inotify and it's super cool. Basically it leverages the kernel, and you can basically say watch a directory for a file change, and you can watch for a lot of different things; here are some examples. So you can say, like, tell me when a new file is created, such as update.apk, tell me when something is written to a file, tell me when a file is closed. So what you could do as an evil app is you could get the external storage permission and then just watch the SD card, and you would watch for, one, the writing of it and then the reading of it, because remember it reads the file size and does a hash, and then you just do like a symlink really quick. So that's how you do it without a debugger.

So Pornhub: they are using HTTPS, which is awesome. They are doing an integrity check, which is good; there's improvement on both of these, but it's something. But they are still writing to external storage. So the fixes for these are super easy: use HTTPS, ideally, you know, doing key pinning and checking your certs, and do not write files to external shared storage. You could write it internally, and there's an "allow installation of other apps" permission. If you want to get really crazy you could use some native code and patch this stuff in memory if you wanted; there's a lot of things you could do here.

So I also want to thank my mentor Brandon for a lot of help and mentoring on this, and yeah, let me know if you have any questions. My email is ben at cyber merchants of death dot com, or you can follow me on Twitter at Ben wrong.

Audience: Thanks. So you said that each app has its own special place where it can store things. How big can that space be?

Ben: As big as you want. So the original idea was, a lot of Android phones had a really, really tiny protected storage and you had big storage for other things. Most of the phones now, even like the $50 Amazon phones, you have like 40 gigs available for internal.

Audience: With regard to installing your evil APK, isn't that getting installed side by side with the existing app, because you're not able to spoof their signature on their APK? Otherwise, if you try to use the same bundle identifier...

Ben: Yeah, but they don't check the signature. What's really cool about Android though is it's public/private key crypto, so unless they lose their private key I can't masquerade as them. So smart developers, like the ideal way of doing it, is you would check for that instead of doing the hashes over the air; that'd be a better way of doing it.

Audience: So you are able to overwrite their APK when you install your evil one?

Ben: No, both would exist. You could probably delete things in such a way where that wouldn't work. Great question. Any other questions? Okay, thank you, thanks for coming. [Applause]
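As an added example that is not part of the talk or any of the vendors' code, here is plain Java (no Android SDK) showing the fixes Ben lists at the end: compare the client version against the server version using integer components, verify the downloaded bytes in memory against a detached signature from a public key pinned in the app, and write only those verified bytes to a stand-in for app-private storage. The class name, method names and the update.apk filename are assumptions, and the key pair is generated in main() for the demo only; a real app would ship just the vendor's public key.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;

/** Hardened self-update flow for an app distributed outside Google Play (added example). */
public class UpdateVerifier {
    // Vendor public key pinned into the app build (hypothetical; generated in main() for the demo).
    private final PublicKey pinnedKey;
    // Stand-in for Context.getFilesDir(): app-private storage, not the world-readable SD card.
    private final Path privateDir;

    public UpdateVerifier(PublicKey pinnedKey, Path privateDir) {
        this.pinnedKey = pinnedKey;
        this.privateDir = privateDir;
    }

    // True only when the server version is strictly newer. Dotted components are compared as
    // integers, so "2.9" vs "2.10" works (as floats 2.9 > 2.10 would report no update), and the
    // client value is compared against the server value rather than against itself.
    public static boolean updateAvailable(String clientVersion, String serverVersion) {
        String[] c = clientVersion.split("\\.");
        String[] s = serverVersion.split("\\.");
        for (int i = 0; i < Math.max(c.length, s.length); i++) {
            int ci = i < c.length ? Integer.parseInt(c[i]) : 0;
            int si = i < s.length ? Integer.parseInt(s[i]) : 0;
            if (si != ci) return si > ci;
        }
        return false;
    }

    // Verify the downloaded bytes in memory against a detached signature under the pinned key,
    // then stage exactly those bytes in private storage. An MD5 or size sent in the same response
    // as the download link proves nothing, and checking a file on shared storage and re-reading it
    // later leaves the window in which another app can swap it.
    public Path verifyAndStage(byte[] apkBytes, byte[] signature) throws Exception {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pinnedKey);
        verifier.update(apkBytes);
        if (!verifier.verify(signature)) throw new SecurityException("update signature does not verify under pinned key");
        Path staged = privateDir.resolve("update.apk");
        Files.write(staged, apkBytes);  // the verified bytes, not a fresh read of a shared path
        return staged;
    }

    public static void main(String[] args) throws Exception {
        // Demo only: the vendor's key pair; a real app ships only the public half.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair vendor = kpg.generateKeyPair();
        byte[] apk = "constructed stand-in for update.apk".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(vendor.getPrivate());
        signer.update(apk);
        byte[] sig = signer.sign();  // served next to the APK, e.g. as update.apk.sig (assumed name)

        UpdateVerifier v = new UpdateVerifier(vendor.getPublic(), Files.createTempDirectory("app-private"));
        System.out.println("2.09 -> 2.10 update available? " + updateAvailable("2.09", "2.10"));
        System.out.println("staged: " + v.verifyAndStage(apk, sig));
        byte[] tampered = apk.clone();
        tampered[0] ^= 0x01;  // one byte altered in transit or on shared storage
        try {
            v.verifyAndStage(tampered, sig);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```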