Google GMS (Google Mobile Services) Analysis [2] · 2011-03-13 · 7th Kandroid Conference - 3 one of...
TRANSCRIPT
www.kandroid.org operator : 양정수 (yangjeongsoo at gmail.com), nickname : 들풀
The passion is not speed, but Direction !
2011. 3. 11.
Google GMS (Google Mobile Services) Analysis [2]
7th Kandroid Conference
1. Introduction : Why GMS?
2. Analysis Environment Setup
- How to get GMS Apps?
- Application Code Reverse Engineering
- MITM (Man In The Middle) Attack
- Network Protocol Guessing & Testing
- Summary
3. GMS Technology
- GSF (Google Service Framework)
- Google Services
- Service Integration Technology
4. GMS Issues
- Network Traffic
- Battery
- Privacy
5. Conclusion : What is Android? and then…
One of the things you’re gonna witness is how Google’s cloud services tie together all these different applications and all these different companies that are making devices in all these different segments.
What is the killer app?
Introduction : Why GMS?
[Figure: Android ecosystem timeline, 2007-2011. Rows: Android SDK API Level, AOSP Branch, Android NDK Revision, and the Open Handset Alliance (OHA) members (Mobile Operators: T-Mobile USA, KT, SKT, LGT; Semiconductor Companies: Qualcomm MSM7201a, Qualcomm Snapdragon, Samsung S5PC110; Handset Manufacturers: LGE/SEC, SEC Galaxy-S). Devices: G1, G2, G3, N1, NS (http://www.google.com/phone/). Callouts: MPCore Issue, Network Traffic Issue, CTS & Standard Issue, Google Add-on API, GMS, New Technology, ?]
Introduction : Why GMS? To the best of our knowledge, this is the killer app.
Analysis Environment Setup - 1 : How to get Google GMS?
• Partnership with Google Inc.
  GMS / Document / Build Configuration
• Deodexing from Real Device
  http://kwangwoo.blogspot.com/2010/08/build-boot-and-system-images-for-nexus.html
• Unyaffs from Unknown Source
  http://www.kandroid.org/board/board.php?board=HTCDream&command=body&no=123
Add-on Site URL : http://www.kandroid.org/android/repository/kandroid_adp_api8r2.xml
Analysis Environment Setup - 2 : Application Code Reverse Engineering
[Figure: APK build and reverse-engineering flow. Build side: Java (classes), Resources, Manifest and Ref. Libs; XML resource compilation + other resources; pre-process; Dalvik (.dex); unsigned Android application (.apk = zip-compressed file); jarsigner (keytool) with a key (debug key or custom key); zipalign; adb (pm) install; am start. Reverse side: GMS Apps processed with ApkTool, Dex2Jar and JAD to obtain GMS Apps sources.]
http://code.google.com/p/android-apktool/
http://code.google.com/p/dex2jar/
http://java.decompiler.free.fr/
Analysis Environment Setup - 2 : Application Code Reverse Engineering
Why did the error occur? : Java Decompiler
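Analysis Environment Setup - 3 : MITM (Man In The Middle) Attack
[Figure: MITM attack (Man In The Middle). Normal path: GoogleConnection to the server mtalk.google.com over TLS/SSL. Analysis path: GoogleConnection to a fake mtalk.google.com over TLS/SSL, and from the fake mtalk.google.com to the server mtalk.google.com over TLS/SSL.]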
Analysis Environment Setup - 3 : MITM (Man In The Middle) Attack
1.
> openssl genrsa -des3 -out MYCA.key 2040
> openssl req -new -key MYCA.key -x509 -days 1095 -out MYCA.crt
2.
> openssl genrsa -des3 -out fake_mtalk_cert.key
> openssl req -new -key fake_mtalk_cert.key -out fake_mtalk_cert.csr
=> Very important : subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mtalk.google.com
3.
> openssl x509 -req -days 365 -in fake_mtalk_cert.csr -CA MYCA.crt -CAkey MYCA.key \
    -CAcreateserial -out fake_mtalk_cert.crt
> cat fake_mtalk_cert.crt fake_mtalk_cert.key > fake_mtalk_cert.pem
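Analysis Environment Setup - 3 : MITM (Man In The Middle) Attack
4.
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>

/* Certificate and private key concatenated in step 3. */
#define PEM_FILE "fake_mtalk_cert.pem"

static SSL_CTX *serv_ctx;  /* context for accepted (server-side) connections */
static SSL_CTX *cli_ctx;   /* context for outgoing (client-side) connections */

/* Legacy OpenSSL API as shown on the slide (2011). OpenSSL 1.1.0 and later
 * provide TLS_server_method()/TLS_client_method() instead. */
void mtalk_gw_serv_ssl_init(void)
{
    SSLeay_add_ssl_algorithms();
    if ((serv_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
        fprintf(stderr, "could not initialize SSL_CTX structure\n");
        exit(1);
    }
    SSL_CTX_set_quiet_shutdown(serv_ctx, 1);
    SSL_CTX_set_session_cache_mode(serv_ctx, SSL_SESS_CACHE_OFF);

    /* The PEM file holds both the private key and the certificate. */
    if (!SSL_CTX_use_RSAPrivateKey_file(serv_ctx, PEM_FILE, SSL_FILETYPE_PEM)) {
        fprintf(stderr, "could not load RSA private key from [%s]\n", PEM_FILE);
        exit(1);
    }
    if (!SSL_CTX_use_certificate_file(serv_ctx, PEM_FILE, SSL_FILETYPE_PEM)) {
        fprintf(stderr, "could not load certificate from [%s]\n", PEM_FILE);
        exit(1);
    }
}

void mtalk_gw_cli_ssl_init(void)
{
    SSLeay_add_ssl_algorithms();
    if ((cli_ctx = SSL_CTX_new(SSLv3_client_method())) == NULL) {
        fprintf(stderr, "could not initialize SSL_CTX structure\n");
        exit(1);  /* non-zero exit status on failure */
    }
    SSL_CTX_set_quiet_shutdown(cli_ctx, 1);
}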
Analysis Environment Setup - 4 : Network Protocol Guessing & Testing
Example : mtalk.proto file
message LoginRequest {
    required string id = 1;
    required string domain = 2;
    required string user = 3;
    required string resource = 4;
    required string token = 5;
    optional string deviceId = 6;
    optional int64 lastRmqId = 7;
    repeated Setting settings = 8;
    optional int32 compress = 9;
    repeated string persistentIds = 10;
    optional bool useRmq = 11;
    optional bool adaptiveHeartbeat = 12;
    optional HeartbeatStat heartbeatStat = 13;
    optional bool useRmq2 = 14;
}
…..
Analysis Environment Setup - 4 : Network Protocol Guessing & Testing
Source : http://code.google.com/p/protobuf/
1. Download Protocol Buffer Library
2. Install Protocol Buffer
> tar xvfz protobuf-2.3.0.tar.gz
> cd protobuf-2.3.0
> ./configure
> make install
> cd python
> python setup.py install
3. Sample Code Usage
- create a sample proto file (e.g., mtalk.proto)
- protoc --python_out=. mtalk.proto (result : mtalk_pb2.py)
- write your testing code…
Analysis Environment Setup : Summary
[Figure: analysis environment summary. Labels: fake CA server; fake cert digital signing; custom Android image (/system/etc/hosts, /system/etc/security/cacerts.bks); fake mtalk.google.com as MITM (Man In The Middle) at Internet, TLS/SSL on both sides; fake mtalk.google.com as MITM (Man In The Middle) at Ethernet between GoogleConnection and the server mtalk.google.com, TLS/SSL on both sides; Packet Log; Packet Report; custom Protocol Buffer deserializer.]
GMS Technical Analysis - 2 : GSF (Google Service Framework)
Package : GoogleServicesFramework.apk
Process : com.google.android.gapps
Include Dalvik VM
GSF Total Components : 60(+8)
Activity : 39
ContentProvider : 4
Service : 8
BroadcastReceiver : 9(+8)
Intent : Bundle of Information
• Explicit : Call Class
• Implicit : IntentFilter : 26(+8)
  Action, Data, Category
permission-tree : 1
permission : 54
uses-permission : 55
android:permission : 2
android:readPermission : 4
android:writePermission : 4
path-permission : 1
android:grantUriPermissions : 1
GMS Technical Analysis - 2 : GSF (Google Service Framework)
(A : Activity, R : BroadcastReceiver, CP : ContentProvider, S : Service)
Package Name          A     R        CP    S     Remarks
com
+ android.common            (+1)                 NetworkConnectivityListener, OperationScheduler
+ google
+ android
+ common                                         gdata, http, Cvs, GoogleWebContentHelper, LoggingThreadedSyncAdapter
+ gsf
+ checkin                   4              2
+ gservices                 1        1
+ gtalkservice        1     1(+2)          2
+ service                   (+2)
+ login               26    (+2)
+ loginservice        8     1              1
+ settings            2              1
+ subscribedfeeds           1        1     2
+ talk                               1
+ update              2     1(+1)          1
+ gtalkservice
+ common                                         base, collect, io.protocol
+ wireless.gdata                                 client, data, parser, serializer, subscribedfeeds, GDataException
+ net.oauth                                      signature, OAuth....
+ org.jivesoftware                               smack, smackx
Sub Total : 60(+8)    39    9(+8)    4     8
GMS Technical Analysis - 2 : GSF (Google Service Framework)
GSF : ContentProvider (4)
1. GService
   content://com.google.android.gsf.gservices
   content://com.google.android.gsf.gservices/prefix
   content://com.google.android.gsf.gservices/main
   content://com.google.android.gsf.gservices/override
   GSF Externals : VoiceSearch, GoogleFeedback, GoogleQuickSearchBox, SetupWizard, Talk / Gmail, GoogleBackupTransport, GoogleContactsSyncAdapter, MediaUploader, NetworkLocation / Vending, GoogleCalendarSyncAdapter
2. Talk
   content://com.google.android.providers.talk/<path>
   GSF Externals : Talk
3. Setting
   content://com.google.settings/partner
   GSF Externals : VoiceSearch / GenieWidget, GoogleQuickSearchBox, GooglePartnerSetup, MapLibrary / Street, MediaUploader, NetworkLocation / Vending
4. Feeds
   content://subscribedfeeds/feeds
   content://subscribedfeeds/deleted_feeds
   GSF Externals : Gmail, GoogleContactsSyncAdapter, GoogleCalendarSyncAdapter
GMS Technical Analysis - 2 : GSF (Google Service Framework)
GSF : Service (8)
CheckinService, EventLogService, SystemUpdateService
SubscribedFeedsSyncAdapterService, SubscribedFeedsIntentService
GTalkService, PushMessagingRegistrar, GoogleLoginService
[Figure: callers of the GSF services. Labels recovered from the diagram:]
GSF Externals : SetupWizard, Talk, Vending
B: IGoogleLoginService
A: com.google.android.gsf.action.GET_GLS
C: IGTalkService.class.getName()
B: IGTalkService
S: ServiceAutoStarter
B: ConnectionAuthErrorDialog
NetworkMonitor
A: android.intent.action.START_RESTORES:B: LoginActivityTask$4
DataMessageManager
A: com.google.android.c2dm.intent.UNREGISTER
S: .gtalkservice.PushMessagingRegistrar
GMS Technical Analysis - 2 : GSF (Google Service Framework)
A:android.accounts.LOGIN_ACCOUNTS_CHANGED
ACTION_BATTERY_CHANGED
ACTION_DEVICE_STORAGE_LOW
ACTION_DEVICE_STORAGE_OK
ACTION_BOOT_COMPLETED
ACTION_PRE_BOOT_COMPLETED
ACTION_DOWNLOAD_COMPLETED
ACTION_DOWNLOAD_NOTIFICATION_CLICKED
ACTION_SCREEN_OFF
ACTION_TIME_SET
ACTION_USER_PRESENT
A:android.net.conn.BACKGROUND_DATA_SETTING_CHANGED
A:android.net.conn.CONNECTIVITY_CHANGE
A:android.net.wifi.STATE_CHANGE
A:android.provider.Telephony.SECRET_CODE
A:android.server.checkin.CHECKIN
A:com.android.sync.SYNC_CONN_STATUS_CHANGED
A:com.google.android.GTalkService.NOTIFICATION_DELETED_ACTION
A:com.google.android.c2dm.intent.RECEIVE
A:com.google.android.intent.action.GTALK_HEARTBEAT
A:com.google.android.intent.action.GTALK_RECONNECT
A:com.google.gservices.intent.action.GSERVICES_CHANGED
A:com.google.gservices.intent.action.GSERVICES_OVERRIDE
C:android.server.checkin.CHECKIN
C:com.google.android.gsf.subscribedfeeds
D:android:scheme="android_secret_code" android:host="2432546"
D:android:scheme="android_secret_code" android:host="46"
D:android:scheme="android_secret_code" android:host="7867"
GMS Technical Analysis - 2 : GSF (Google Service Framework)
setup_wizard_title
gls_ui_activity___
GMS Technical Analysis - 3 : Google Services Overview
Google API                                            Service name
Google Analytics Data APIs                            analytics
Google Apps APIs (Domain Information & Management)    apps
Google Base Data API                                  gbase
Google Sites Data API                                 jotspot
Blogger Data API                                      blogger
Book Search Data API                                  print
Calendar Data API                                     cl
Google Code Search Data API                           codesearch
Contacts Data API                                     cp
Documents List Data API                               writely
Finance Data API                                      finance
Gmail Atom feed                                       mail
Health Data API                                       health, weaver (H9 sandbox)
Maps Data APIs                                        local
Picasa Web Albums Data API                            lh2
Sidewiki Data API                                     annotateweb
Spreadsheets Data API                                 wise
Webmaster Tools API                                   sitemaps
YouTube Data API                                      youtube
Google App Engine                                     ah
Source : http://code.google.com/apis/gdata/faq.html#clientlogin
GMS Technical Analysis - 3 : Google Services Architecture
[Figure: Google Services architecture. Recoverable labels: Mobile Proxy; 8. relay; 9. relay; No CAPTCHA]
GMS Technical Analysis - 3 : Google Services QoS
Response Code       Description & Solution
200                 OK
403                 Authentication Error
                    ⇒ Create New AuthToken with ClientLogin
503                 Service Unavailable
                    ⇒ Use multiple AuthToken
                    ⇒ Use Cache
                    ⇒ Stopping your request / sleep / retry request
                    ⇒ appropriate sleep time : 10 seconds x 503 error count
400                 Bad request
                    ⇒ Set Request Property with correct values
                    ⇒ Send Request data with base64.urlsafe_b64encode instead of base64.encodestring
Request Blocking    Blocking account
                    Blocking IP Address
No Response         Black Hole Technology
GMS Technical Analysis - 4 : Service Integration Architecture
[Figure: service integration architecture. Labels: GMS (Google Mobile Services); GSF; heartbeat; Google Mobile Connection Server (mtalk.google.com 5228); Google Cloud; Google Account Server (Authentication & Authorization), www.google.com/accounts/; Web Based and Mobile (Android) Based Google Services (cl, cp, mail, …); Google Mobile Services (market, c2dm, …)]
GMS Technical Analysis - 4 : Service Integration Heartbeat
Google Mobile Connection Server : mtalk.google.com 5228 (heartbeat)
TLS/SSL based Packet Encryption
Non-Standard Protocol Buffer Header
1. Tag : 13 types (1 byte)
2. Length : (1 or 5(?) byte)
Gtalk Core Message Types
0 : HEARTBEAT_PING
1 : HEARTBEAT_ACK
2 : LOGIN_REQUEST
3 : LOGIN_RESPONSE
4 : CLOSE
5 : MESSAGE_STANZA
6 : PRESENCE_STANZA
7 : IQ_STANZA
8 : DATA_MESSAGE_STANZA
9 : BATCH_PRESENCE_STANZA
10 : STREAM_ERROR_STANZA
11 : HTTP_REQUEST
12 : HTTP_RESPONSE
Gtalk Extensions Message Types
1 : ROSTER_QUERY
2 : RMQ_LAST_ID
3 : RMQ_ACK
4 : VCARD
5 : SHARED_STATUS
6 : CHAT_READ
7 : CHAT_CLOSED
8 : CAPABILITIES
9 : OTR_QUERY
10 : IDLE
11 : POST_AUTH_BATCH_QUERY
12 : SELECTIVE_ACK
13 : STREAM_ACK
Non-Standard Protocol Message Link : Extension Tag
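The header layout and core message types on this slide, turned into a frame splitter for an already-decrypted byte stream. This is an added example, not code from the slides: it assumes the length field is a protobuf-style varint, and MAX_FRAME, FrameError, the function names and the sample bytes are constructed for illustration.

```python
# Added example, not code from the slides.
# ASSUMPTION: the length field is a protobuf-style base-128 varint (1 to 5
# bytes for a 32-bit value); the slide only says "1 or 5(?) byte".

# Core message types exactly as listed on the slide; tag value == list index.
CORE_TYPES = [
    "HEARTBEAT_PING", "HEARTBEAT_ACK", "LOGIN_REQUEST", "LOGIN_RESPONSE",
    "CLOSE", "MESSAGE_STANZA", "PRESENCE_STANZA", "IQ_STANZA",
    "DATA_MESSAGE_STANZA", "BATCH_PRESENCE_STANZA", "STREAM_ERROR_STANZA",
    "HTTP_REQUEST", "HTTP_RESPONSE",
]
MAX_FRAME = 1 << 20  # hypothetical sanity cap on a declared payload length

class FrameError(ValueError):
    """The stream does not match the assumed tag/length/payload layout."""

def read_varint(buf, pos, max_bytes=5):
    """Return (value, next_pos), or None if the varint is still incomplete."""
    value = 0
    for i in range(max_bytes):
        if pos + i >= len(buf):
            return None
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:          # high bit clear: last length byte
            return value, pos + i + 1
    raise FrameError("length field longer than %d bytes" % max_bytes)

def split_frames(buf):
    """Split decrypted bytes into [(type_name, payload)] plus unparsed tail."""
    frames, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        if tag >= len(CORE_TYPES):
            raise FrameError("unknown tag %d at offset %d" % (tag, pos))
        header = read_varint(buf, pos + 1)
        if header is None:
            break                    # length field cut off by the read boundary
        length, body = header
        if length > MAX_FRAME:
            raise FrameError("declared length %d exceeds cap" % length)
        if body + length > len(buf):
            break                    # partial payload: keep it for the next read
        frames.append((CORE_TYPES[tag], buf[body:body + length]))
        pos = body + length
    return frames, buf[pos:]

# Constructed sample: empty heartbeat ping, a 200-byte data message whose
# length needs two varint bytes (0xC8 0x01), and a truncated IQ stanza.
SAMPLE = b"\x00\x00" + b"\x08\xc8\x01" + b"A" * 200 + b"\x07\x05ab"

if __name__ == "__main__":
    parsed, tail = split_frames(SAMPLE)
    print([(name, len(payload)) for name, payload in parsed], "tail:", tail)
```

The unparsed tail is returned rather than dropped so that a caller can prepend it to the next read from the connection.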
GMS Technical Analysis - 4 : Service Integration Case Study #1
Android Market Client Update Issues
• Security problem
• Async application installation hacked
• Protocol buffer reverse engineering
GMS Technical Analysis - 4 : Service Integration Case Study #2
[Figure: C2DM flow with steps numbered 0 to 9. Labels: APP; Gmail; Create New Gmail Account; C2DM Signup; Register Your App. to C2DM Server; Receive Registration ID; Send Registration ID; Request Auth Token for C2DM (ac2dm); Receive Auth Token; Send message; Publish Your Application]
GMS Issues - 5 : Network Traffic
Type            Sub Type         Packet Count    Count(%)    Size(%)
connection      heartbeat        22              9 %         0 %
                login            27              12 %        12 %
data message    GSYNC_TICKLE     45              20 %        13 %
                INSTALL_ASSET    1               0 %         1 %
talk            chat             1               0 %         0 %
                iq               87              39 %        25 %
                presence         21              9 %         46 %
<receiver android:name="GTalkDiagnosticsBroadcastReceiver">
    <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE" />
        <data android:scheme="android_secret_code" android:host="8255" />
    </intent-filter>
</receiver>
GMS Issues - 5 : Network Traffic
[Figure: Packet Size (Byte) : after SSL strip (y-axis, 0 to 500) against Packet Traffic Sequence (x-axis, 1 to 431). Env : Emulator, New Gmail Account, 2 BuddyList. Annotations: Heartbeat Data Traffic Threshold]
GMS Issues - 5 : Network Traffic
[Figure: Packet Size (Byte) : after SSL strip (y-axis, 0 to 450) against Packet Traffic Sequence (x-axis, 1 to 235). Env : Real Device, Existing Gmail Account, many BuddyList. Annotations: Heartbeat Data Traffic Threshold]
GMS Issues - 5 : Battery
What costs the most?
• Waking up in the background
• Bulk data transfer
Takeaways
• Use an efficient parser and GZIP
• Use <receiver> and AlarmManager (not daemon)
• Wait for better network/battery for bulk transfers
Source : GoogleIO 2009
GMS Issues - 5 : Privacy
message CheckinRequest {
    optional bytes deviceId = 1;
    optional int64 cr2 = 2;
    optional bytes cr3 = 3;
    required Checkin checkin = 4;
    optional bytes cr5 = 5;
    optional bytes locale = 6;
    optional int64 id = 7;
    optional bytes cr8 = 8;
    optional bytes macaddress = 9;
    optional bytes cr10 = 10;
    repeated bytes accountInfo = 11;
    optional bytes timezone = 12;
    optional int64 cr13 = 13;
    optional int32 cr14 = 14;
    repeated bytes cr15 = 15;
}
message Checkin {
    optional Build build = 1;
    optional int64 check2 = 2;
    repeated Event event = 3;
    repeated Statistic statistics = 4;
    repeated bytes check5 = 5;
    optional bytes networkOperator = 6;
    optional bytes simOperator = 7;
    optional bytes networkInfo = 8;
}
message Build {
    optional bytes fingerprint = 1;
    optional bytes hardware = 2;
    optional bytes brand = 3;
    optional bytes radio = 4;
    optional bytes bootloader = 5;
    optional bytes client_id = 6;
    optional int64 time = 7;
    optional int32 version = 8;
    optional bytes device = 9;
}
message Event {
    required bytes evnet1 = 1;
    optional bytes evnet2 = 2;
    optional int64 evnet3 = 3;
}
message Statistic {
    required bytes stat1 = 1;
    optional int32 stat2 = 2;
    optional float stat3 = 3;
}
Steve Jobs : What is this?
… <omitted> …
Bill Gates : Get real, will you? You and I are both like guys that have this rich neighbor...... Xerox... That left the door open all the time.
The Legend of Silicon Valley vs. The Pirates of Silicon Valley : “Pirates Of Silicon Valley”, 1999
Alan Kay
Conclusion : What is Android? and then….
Q & A