Qark DefCon 23


  • QARK

  • WHO are we?

    PENETRATION TESTERS AT LINKEDIN

    STAFF INFORMATION SECURITY ENGINEER

    TONY TRUMMER

    SENIOR INFORMATION SECURITY ENGINEER

    TUSHAR DALVI

  • WHAT IS QARK?

    QUICK ANDROID REVIEW KIT

    AN AUDITING AND ATTACK FRAMEWORK

    A PROGRESSION OF OTHER TOOLS/IDEAS

    A PINCH OF INNOVATION

    LOTS OF (HORRIBLY WRITTEN) PYTHON

  • QARKs mission

    RAISE THE BAR

    SHARE KNOWLEDGE

    COMMUNITY INVOLVEMENT

    MOTIVATE OTHERS

  • ANDROID ISSUES

    FRAGMENTATION

    USERS DON'T UPDATE

    IMPROPER TLS, IF ANY

    NUMEROUS TAINTED SOURCES

    CLIENT-SIDE FAIL: NO ONE WILL KNOW

  • MOTIVATION

    WE'RE LAZY

    OUR BOSS IS CRAZY

    WE HAVE LOTS OF APPS TO PROTECT

    DEVELOPERS ARE EVEN LAZIER THAN US

    WE HATE REPEATING BUGS

    LOTS OF SMALL DEV SHOPS (AKA NO SECURITY)

  • UNDER THE HOOD

    PARSING: PLYJ, BEAUTIFULSOUP, MINIDOM

    REVERSING: PROCYON, JD-CORE, CFR, DEX2JAR, APKTOOL

    CODE: PYTHON

    TOOLS & BUILDING: ANDROID SDK

  • APK STRUCTURE

    RESOURCES.ARSC

    /RES

    ANDROIDMANIFEST.XML

    CLASSES.DEX

    /META-INF

    /LIB

    /ASSETS

  • REVERSING APKs

    GET MANIFEST: APKTOOL D FOO.APK

    UNZIP APK: APK TO ZIP; UNZIP

    DALVIK BYTECODE: DEX2JAR CLASSES.DEX

    JAVA BYTECODE: JD-GUI

    RAW JAVA FILES

  • ACQUISITION

    SIMPLIFIES APK RETRIEVAL FROM DEVICES

    DECOMPRESSES APK

    CONVERTS ANDROIDMANIFEST.XML TO TEXT

    PARSES ANDROIDMANIFEST.XML

    FINDS PERMISSIONS ISSUES

    FINDS EXPORTED COMPONENTS, SUPPORTED VERSIONS, ETC.
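The manifest-parsing step of the acquisition stage, as an added example that is not QARK's own code: it parses a decoded AndroidManifest.xml with minidom (listed under QARK's parsers in the deck), reads the supported SDK versions and reports the components other apps can reach, including those exported implicitly by an intent-filter. The sample manifest and the function names are constructed for this example.

```python
# Added example, not QARK's own code: parse a decoded AndroidManifest.xml with
# minidom and report the components that other apps on the device can reach.
import xml.dom.minidom

# Constructed sample manifest; not taken from any real application.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="22"/>
  <application>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>"""


def exported_components(manifest_xml):
    """Return (tag, name, reason, permission) for every exported component.
    Rules: android:exported decides when present; otherwise an <intent-filter> exports
    the component (the platform default before Android 12); a <provider> with neither
    is exported when targetSdkVersion < 17."""
    doc = xml.dom.minidom.parseString(manifest_xml)
    sdk = doc.getElementsByTagName("uses-sdk")
    target = int(sdk[0].getAttribute("android:targetSdkVersion") or 1) if sdk else 1
    found = []
    for tag in ("activity", "service", "receiver", "provider"):
        for node in doc.getElementsByTagName(tag):
            explicit = node.getAttribute("android:exported")  # "" when absent
            if explicit:
                exported, reason = explicit == "true", "explicit android:exported"
            elif node.getElementsByTagName("intent-filter"):
                exported, reason = True, "implicit via intent-filter"
            else:
                exported, reason = tag == "provider" and target < 17, "implicit provider default"
            if exported:
                perm = node.getAttribute("android:permission") or None
                found.append((tag, node.getAttribute("android:name"), reason, perm))
    return found


def unprotected(components):
    """Exported components with no android:permission: any app on the device can reach them."""
    return [c for c in components if c[3] is None]
```

For a real APK the manifest is binary until apktool decodes it, which is why the deck converts it to text first.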

  • COMMUNICATION SOURCES

    WEBVIEWS

    INTENTS

    NETWORK REQUESTS

    DEEPLINK URLS

    AIDL MESSAGES

  • COMPONENTS

    ACTIVITY: ONCREATE(), ONSTART(), ONRESUME(), ONPAUSE(), ONSTOP(), ONDESTROY(), ONRESTART()

    SERVICE: ONCREATE(), ONBIND(), ONSTARTCOMMAND(), ONUNBIND(), ONDESTROY()

    PROVIDER: ONCREATE()

    RECEIVER: ONRECEIVE()

  • PARSE STRUCTURE

    MAPS MANIFEST TO CLASSES

    PARSES JAVA CLASSES

    LOCATES ENTRY POINT METHODS

  • SOURCE TO SINK

    FINDS SOURCES OF TAINTED INPUT

    TRACKS POTENTIALLY TAINTED INPUT

    RECORDS ANY SINKS ENCOUNTERED

    STORES INFORMATION GATHERED ALONG WITH MANIFEST DETAILS FOR LATER USE

    SECURITY MAGIC

  • QARK CHECKS

    EXAMINES WEBVIEW CONFIGURATIONS AND PROVIDES TEMPLATED HTML FILES FOR VALIDATION OF VULNERABILITIES

    LOOKS FOR COMMON X.509 CERTIFICATE VALIDATION ISSUES

    LOOKS FOR VULNERABILITIES ORIGINATING FROM WITHIN THE APP, INSPECTING BROADCAST, STICKY AND PENDING INTENTS

    LOOKS FOR EMBEDDED PRIVATE KEYS AND INCORRECTLY IMPLEMENTED CRYPTO

    LOOKS FOR WORLD-READABLE AND WORLD-WRITABLE FILES

  • DEMO TIME !!

  • UNIQUE FEATURES

    USES MULTIPLE DECOMPILERS TO PROVIDE BETTER RESULTS

    BUILDS AN APK FOR MANUAL TESTING

    CONTAINS A SWISS-ARMY-KNIFE STYLE SET OF FUNCTIONALITIES

    CREATES ADB COMMANDS TO EXPLOIT DISCOVERED VULNERABILITIES

    CREATES CUSTOM EXPLOIT APK FOR POINT-AND-CLICK PWNAGE

  • QARK IS NOT (YET)

    A FORENSICS TOOL

    A DYNAMIC ANALYSIS TOOL

    PERFECT

    FINISHED

  • FUTURE PLANS

    DYNAMIC ANALYSIS FUNCTIONALITY

    SMALI INSPECTION

    NON-ANDROID-SPECIFIC JAVA VULNS

    ODEX SUPPORT

    IMPROVE EXTENSIBILITY

    ASK FOR YOUR HELP

  • ACKNOWLEDGEMENTS

    MWR LABS: DROZER

    RAFAY BALOCH, ET AL., FOR THE WEBVIEW EXPLOITS

    NVISIUM: TAPJACKING CODE

    THE AUTHORS AND MAINTAINERS OF ALL THE OPEN-SOURCE PROJECTS USED IN QARK

    JASON HADDIX, SAM BOWNE, ET AL., FOR SUPPLYING SOME VULNERABLE APKS

  • CONTACT INFO

    WWW.SECBRO.COM

    TONY TRUMMER: WWW.LINKEDIN.COM/IN/TONYTRUMMER, @SECBRO1

    TUSHAR DALVI: WWW.LINKEDIN.COM/IN/TDALVI, @TUSHARDALVI

  • WHERE TO GET QARK?

    LINKEDIN'S GIT REPO

    HTTPS://GITHUB.COM/LINKEDIN/QARK