
Hey everyone, can you all hear me okay? Great, awesome. So I normally start talks off with a question, so the question I thought I'd ask today is just to see how many people here own and actively use an Android device. So I know I do. Okay, so that's a good 90% of the room, if that. So all the techniques that we talk about today, all the attestation techniques, the root detection techniques, have probably been used on 90% of your devices within the past 24 hours, let's say, either with or without you knowing, and we'll go into detail on what that means in a minute.

So what are we actually going to talk about today? Well, I break it down into three main areas, but primarily we're going to be talking about Android attestation, Android anti-tamper protection, right, how blue team, or how software engineers, protect Android applications. I've broken it down into three main areas, and primarily those are three different examples. The first example we're going to look at is a window into the world of Android attestation. This is an open source tool I've created which is basically going to set the scene for the later demonstrations. We're then going to look at a fairly popular Android game and we're going to have a look at how they implement root detection. And then finally we're going to look at things on a much grander scale, right, we're going to have a look at how organizations like Google and Huawei implement attestation on Android devices.

So first, who actually am I? My name is James Stevenson, and about six years ago now I entered the computer security field. I've been in roles from software engineering to penetration testing and vulnerability research. I've also released a few books on similar topics and I occasionally talk at conferences like this.

So let's jump into Android attestation. So what is Android attestation, right? Let's talk about what it actually is. As I said, it's about software engineers, application developers, having assurance that their applications are secure, and we can
generally break that down into three main pillars: we have device integrity, application integrity and user integrity. The first pillar we have is about having an unmodified Android application, right. As a software engineer we want to ensure that our Android application hasn't been modified or tampered with in some way, hasn't been patched or hooked or anything to that extent. As an example, maybe we're a game developer and we want to ensure that in our Android application, our game, someone hasn't added a thousand points or score, whatever the case may be. The next pillar we have is about having integrity on our device. We want to ensure that the device our application is running on is legitimate, that it's not rooted or tampered with or compromised in some way. A good example of this is as a bank, right: if we create a banking application we want to make sure that our application is running on a non-compromised device so that our users don't become compromised in turn. And then finally it's about user integrity, right, we want to ensure that whoever is using our device is an actual human being; we want to make sure that machines aren't using it. Examples of this are things like bot farms and things like that. And we're going to be focusing on those top two today, device and application integrity.

So let's have a look at some examples, right. So here we have four Android applications all running on a rooted Android device, and all of these applications have, rightly so, detected that they're running on that rooted device. So they all have a little pop-up that says hey, this device is rooted, I'm going to limit functionality to you in one way or another. And we'll see this a lot in banking applications, applications that deal with financial transactions, or streaming services, things like that, and they'll do this for a few reasons: maybe they're looking to protect the user, maybe they're looking to protect intellectual property or things like APIs, things like that. So let's have a look at
another example. We're going to run the same application on two different devices: the first device is a standard, normal Android device, and the second device is a rooted Android device. This application is basically a wrapper around Google Play Services. We don't need to know what that does for now, we just need to know that the application is going to detect if the device is rooted or not. So running that application on the first device, we've run it and it comes back, it's passed. Great, exactly what we would expect, right, a normal Android device passes the checks. So now let's run that same application on a rooted Android device. Okay, that comes back as failed. Again, exactly what we'd expect: normal device passes checks, rooted device fails checks. But how does the application know that the first device was legitimate and the second device was rooted? Well, there's a few different techniques that could be at play. As I said, that application was using something called Google Play SafetyNet, basically a system component on your Android device. And also app developers can use proprietary means, right, they could write their own code, or they could use a third-party library to do that sort of root and tamper detection. So we're going to cover all three of these areas today with each of our three examples.

As I said, the first example we're going to look at is a tool called Runic. Now Runic is an open source tool, it's available online, you can find it, and it's basically, for us, going to be a window into the world of Android attestation. The techniques, the variables, the things that we look at today are going to start cropping up in our other examples. The way Runic works is we have a little Android application running on our device that reaches out to a server, and it gets back a confidence score. We can kind of see it in a little pop-up that should show up there, there you go, and that confidence score is between zero and a hundred, zero being no integrity and a hundred being complete integrity. And that integrity is
relating to both the device and the application. How does that work? Well, as I said, we have our device, we have our application and we have our server. Every so often that application is going to reach out to that server and it's going to send a bunch of data, and we'll cover that in a second. That server then does a handful of computation, including using some machine learning models, and then it sends that confidence score back to the device, back to the application. So what data is used in that computation? Well, we can see some of it here. We don't need to read everything on the screen, it's just to give an example. We can see things like the application signature, if ADB is enabled, the boot state, patch level, things like that. And then on the server side we can see things like looking at the emulation state, looking at some signatures, permissions, things like that. And again, all of that wraps into getting this integrity score back to the device.

So looking at Runic, as I said, it's kind of a window into the world of Android attestation. We're going to have a look at some in-the-wild examples now, and we should start seeing a lot of these techniques cropping up as we go through. So the first example we're going to look at is the Among Us Android application, an insanely popular game, insanely popular Android game, and we're going to have a look at how tamper detection and root detection is done in this application. So we're going to use a tool, again open source, called DisIntegrity, and DisIntegrity is going to take that Android application, decompile it, and have a look for entry points of root detection and tamper detection checks in place. And from that we get this little HTML output. We can see a class here called RootChecker.smali. So we're going to decompile the code, have a look at what that is doing, and we can see a library called Sentry.io. Okay, so we can go to their website, we can have a look at the docs, and with all of that together we can build a picture of the types of root detection
checks that Among Us is using, and I've broken this down into four main areas to give us an idea of what's happening. So the first check they're doing is they're looking for the keys that have been used to sign the kernel on the device, and they're checking to see if they're test keys. Next they're looking at the file system, they're saying okay, what files exist on the device, and are they related to rooting in one way or another. Next they're checking to see if the su user exists, and finally they're checking to see if any rooting packages exist on the device. All things considered, some fairly preliminary techniques to identify if the device is rooted or not. You know, I fully expect Among Us to have additional anti-cheat mechanisms, just not when it comes to root detection.

So if that's how a fairly popular Android game is performing root detection on a device, what about root detection and attestation at a much grander scale? So let's have a look at how Google Play Services and Huawei AppGallery are doing this kind of attestation on the devices of 90% of the people here. Well, two very similar names, right: Google Play Services SafetyNet and Huawei Safety Detect. But all things considered, very similar features, so where there's a feature in one there's a parallel feature in the other, and each of these are basically APIs that developers who create applications can call to check one thing or another. The first one we have is device integrity, so this is where a developer can call that API and identify if the device is rooted or not. Then we have the URL analysis API, which can be called to check if a URL is known to be malicious; the CAPTCHA API, which can be used to identify if the user is a human or a machine; and finally, a really interesting one, which is the app analysis API, which will allow a developer to identify if there's any known malware on the same device as their application. So you can probably guess we're focusing on that top one today, we're focusing on device attestation and device
integrity, and we're going to be specifically focusing on Google Play SafetyNet. So as I said right at the start, right, 90% of people here have Android devices, and you probably have Google Play Services or Huawei AppGallery, and that's where these attestation checks start. So in the case of Google Play Services, that will periodically run and it will download an snet.jar file. Now that snet.jar file depends on the version of Google Play Services and it depends on the version of your device, but primarily it's going to do the same thing: it's going to aggregate a whole amount of information from your device and send it over to a Google server. That Google server is then responsible for doing an amount of computation, potentially using some machine learning models or things like that, and then third-party developers on the same device can call that API that we mentioned and get back a handful of variables, including a CTS profile match and a basic integrity, and that will give them an idea of if the device is rooted or not. So that server is closed off, right, we have no idea what happens on that server. We can assume that it's some sort of machine learning model, but what we can look at is these snet.jar files that get downloaded onto our device. So that's what we're going to have a look at now. We're going to have a look at one of these snet.jar files, it's from around about 2020 or so, and we're going to have a look at what's actually happening in there.

So each of these snet.jar files is broken down into modules, and each of those modules is responsible for aggregating a different type of data from the Android device. So the first module we're going to look at is probably the most representative for identifying if a device is rooted. It grabs things like the verified boot state, verified boot mode, security patch level and if OEM unlock is supported. So when we look at this information, which again is being sent over to that Google server, we might say yeah, that makes sense, right, if we're
looking at identifying if a device is rooted or not, those variables make sense. So let's jump on to another module which is a bit more left field. So this is the settings finder module, and it grabs things like if ADB is enabled, the fingerprint status, the lock screen timeout, lock screen type, things like if non-market apps are enabled, and things along those lines. As I said, it's a bit more left field, right. If we were to look at these variables we wouldn't necessarily say whether the device is rooted or not; just because ADB is enabled or just because non-market apps are enabled doesn't mean one way or another if a device is rooted. And this probably hints that Google is using some sort of large machine learning model for this computation and for this analysis, because at the one-off scale this information probably doesn't hint at a device being rooted or not, but on the scale of data that they have access to you can start to build those patterns.

So the next module we're going to look at is probably my favorite module, the SD card analyzer module. What this module does is it saves an image to the external storage of the device, it waits some time, and then it goes back to that image, and if that image has been changed or altered in some way it flags it, takes a hash of it and sends it over to the server, probably for some anti-tampering, anti-emulation, anti-malware technique. It's a really interesting one. Next we have the rooting file finder. This is very similar to the Among Us application that we saw earlier on: basically it just has a list of files related to rooting techniques, and if they exist on the device it takes a hash of them and sends them over to the server. Next we have the preferred package finder. So, very similar to Windows, on Android you have preferred packages for things like your browser or your app store, and in this case it takes a snapshot of what those are on the device and sends them over. So the final module that we're going to look at today is the captive
portal detector. Again, a fairly simple one. What this does is it reaches out to a known Google server, takes whatever it receives back and sends it over to the analysis server. Presumably the analysis server knows what that initial server should be returning, and so it's able to identify if there's something between the device and the internet. So as I said, back when I looked at this specific version of Google Play SafetyNet, we're in about 2020, there were around about 55 different modules and variables being used across a bunch of different spectrums. Now Google Play SafetyNet is actually being replaced, I want to say in 2024, so kind of how this is done might slightly change, but again, more of a window into the types of checks that are being performed on the devices of 90% of people here. And again, that was just a look at the snet.jar file rather than the actual computation that is happening on those variables.

But we have around about 10 minutes or so left if anyone has any questions. But primarily what we've covered today is a look into attestation techniques, tamper detection techniques, root detection techniques that are happening on Android devices, the same techniques that software engineers or blue teamers need to put into place and the same techniques that red teamers or malicious actors need to bypass. Thanks to the organizers for having me, a huge thanks to all the volunteers, and thanks all for coming along. If you have any questions, ask me now or come find me afterwards.

All right, yeah, go for it.

[Audience question, partly inaudible: ...the procedures, as in the snet versions?]

Oh definitely, yeah, yeah. So, in fact, on another slide pack I have a history of kind of all the different versions I've seen, and you can start to see them implement obfuscation, you can start to see them implement additional, kind of different types of modules. So yeah, definitely over time they've advanced how they're doing it, and as I said, 2024, 2025 they're implementing a new version, or a new system, which will be completely different again. Yeah, so it definitely depends, so you know,
one mitigation technique, you know, you might use Frida or Objection to get around some of these techniques, and that method could be the same between versions. You know, you might just hook a Google Play SafetyNet call or API call in a third-party app, and that could be the same in multiple versions. It just depends.

[Audience question, inaudible]

Yeah, different. So there was, gosh, when was it now, it was about three years ago, Google released hardware-based attestation, and that completely destroyed a lot of the anti-root-detection. And Google are doing amazing, like, the techniques that they're performing, it's really good stuff. I mean, I think with security as a whole, right, I think we'll always have that kind of cat and mouse, and I think both sides are doing really good, honestly.

[Audience question, inaudible]

Yes, let me find the slide. So there you go, so it's all a Google Play Services API. So there's a bunch of different Google service APIs, things like Maps and stuff like that are all based in their API, and one of their APIs is this attestation framework, and these are all different types of APIs as well, all based in Google Play Services. Great.

[Audience question, partly inaudible: ...yeah, around instrumentation...]

So I think I missed the start, what did you say? Sure, sure. So Google have another service called Google Play Protect, which is responsible for basically daily scanning Android devices and identifying potential malware and other bits and pieces on those devices. So that is the component that's responsible for that side of security, and I've primarily focused on snet. Any questions?

[Audience question, inaudible]

Yeah, so very similar to the cat and mouse question, it really just depends how much effort you put in as a, you know, as a vulnerability researcher or security engineer. You know, if you put enough time into finding those, or the snet.jar, or maybe man-in-the-middling the snet.jar file, things like that, you know, it can definitely be done. Another bit of research I did was about seeing if I could replicate one-for-one the snet.jar
file and then put some alterations in place and things like that. And it's also just about what control you have of the device. So you know, if you have root access on the device, you know, you can then modify the system app of Google Play Services and then you can put more things in place and things like that. But again, it's that kind of cat and mouse, and it also depends on what access you have and things like that.

[Audience question, inaudible]

Okay, so both ecosystems are very different with iOS and Android. Primarily I focus on Android, I've got a bit of experience in iOS, and things are a lot more locked down on iOS. So Apple control both the hardware and the software, while in the Android kind of space you only control the software for your vendor and then someone else will control the hardware. So generally it's a lot harder to jailbreak iOS compared to rooting Android. But yeah, swings and roundabouts.

Great, okay, I think that's all the questions. Great, cheers everyone, thanks again for coming.
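The four root-detection checks the talk attributes to the game (test-keys in the build tags, known root-related files, an su binary, known root-manager packages) are simple enough to model end to end. The block below is an added example written for this page; it is not the game's code, not the Sentry SDK's RootChecker, and not Runic. The real checks run on the device in Java/Kotlin against the Android framework; here the device state is a constructed snapshot (build tags, existing paths, installed packages, the output of `which su`) so the decision logic can be run offline. The file paths and package names are the commonly cited ones for su and root managers, not a list taken from the talk.

```python
"""Model of four on-device root checks over a constructed device snapshot.

Added example; the real checks run on the handset in Java/Kotlin, and
this is neither the game's code nor the Sentry SDK's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Commonly cited locations of an su binary and of root-manager artefacts.
ROOT_FILES = (
    "/system/app/Superuser.apk",
    "/sbin/su",
    "/system/bin/su",
    "/system/xbin/su",
    "/su/bin/su",
    "/system/sd/xbin/su",
    "/data/adb/magisk",
)

# Package names of common root managers.
ROOT_PACKAGES = (
    "com.topjohnwu.magisk",
    "eu.chainfire.supersu",
    "com.koushikdutta.superuser",
    "com.noshufou.android.su",
)


@dataclass
class DeviceSnapshot:
    """What an on-device checker would read. Constructed for this example."""
    build_tags: str                 # value of the ro.build.tags property
    existing_paths: Set[str]        # paths that File.exists() would report
    installed_packages: Set[str]    # PackageManager package names
    which_su: str = ""              # stdout of `which su`; "" when not found


def check_test_keys(snap: DeviceSnapshot) -> bool:
    """Build signed with AOSP test keys rather than a vendor's release keys."""
    return "test-keys" in snap.build_tags


def check_root_files(snap: DeviceSnapshot) -> List[str]:
    """Known root-related files present on the filesystem."""
    return sorted(p for p in ROOT_FILES if p in snap.existing_paths)


def check_su_binary(snap: DeviceSnapshot) -> bool:
    """su reachable via PATH or at one of the known su locations."""
    on_path = bool(snap.which_su)
    at_known = any(p.endswith("/su") and p in snap.existing_paths for p in ROOT_FILES)
    return on_path or at_known


def check_root_packages(snap: DeviceSnapshot) -> List[str]:
    """Root-manager packages installed on the device."""
    return sorted(p for p in ROOT_PACKAGES if p in snap.installed_packages)


def root_verdict(snap: DeviceSnapshot) -> Dict[str, object]:
    """Evidence from each check plus an overall flag: any single hit is enough."""
    files = check_root_files(snap)
    pkgs = check_root_packages(snap)
    result: Dict[str, object] = {
        "test_keys": check_test_keys(snap),
        "root_files": files,
        "su_binary": check_su_binary(snap),
        "root_packages": pkgs,
    }
    result["rooted"] = bool(result["test_keys"] or files or result["su_binary"] or pkgs)
    return result


# Constructed snapshots: a stock handset and one rooted with Magisk.
STOCK_DEVICE = DeviceSnapshot(
    build_tags="release-keys",
    existing_paths={"/system/bin/sh", "/system/framework/framework-res.apk"},
    installed_packages={"com.android.settings", "com.example.game"},
)
ROOTED_DEVICE = DeviceSnapshot(
    build_tags="release-keys",      # a Magisk root keeps the vendor build tags
    existing_paths={"/system/bin/sh", "/data/adb/magisk", "/system/xbin/su"},
    installed_packages={"com.android.settings", "com.topjohnwu.magisk"},
    which_su="/system/xbin/su",
)

if __name__ == "__main__":
    for name, snap in (("stock", STOCK_DEVICE), ("rooted", ROOTED_DEVICE)):
        print(name, root_verdict(snap))
```

Two things the model makes visible that the talk's summary does not: the test-keys check alone misses the common case (a Magisk root on a retail build still reports release-keys), and every one of these checks reads state the device itself can lie about, which is why the same checks are what a hooking framework on a rooted device intercepts, and why the server-side and hardware-backed attestation discussed later in the talk exists.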