google gms(google mobile services) 분석[2] · 2011-03-13 · 7th kandroid conference - 3 one of...

www.kandroid.org 운영자 : 양정수 (yangjeongsoo at gmail.com), 닉네임: 들풀

The passion is not speed, but Direction !

2011. 3. 11.

Google GMS(Google Mobile Services) 분석 [2]

7th Kandroid Conference

1. 서론 : Why GMS?

2. 분석환경 Setup- How to get GMS Apps?- Application Code Reverse Engineering- MITM(Man In The Middle) Attack- Network Protocol Guessing & Testing- Summary

3. GMS 기술- GSF(Google Service Framework)- Google Services- Service Integration Technology

4. GMS 이슈- Network Traffic- Battery- Privacy

5. 결론 : What is Android? and then…


37th Kandroid Conference - www.kandroid.org

One of the things you’re gonna witness is how Google’s cloud services tie together all these different applications and all these different companies that are making devices in all these different segments.

What is the killer apps ?

서론 : Why GMS?


Android SDKAPI Level

Open HandsetAlliance (OHA)

AOSPBranch

Android NDKRevision

MobileOperators

2008 2009 2010 20112007

87654321E

1 2 3 4

M M1 C D E F

SemiconductorCompanies

HandsetManufacturers

G1 G2 G3 N1

T-Mobile USA

QualcommMSM7201a

QualcommSnapdragon

KTSKT LGT

LGE/SEC

SamsungS5PC110

SECGalaxy-S

G

5

9

http://www.google.com/phone/

NS

MPCore Issue

Network Traffic Issue

CTS & Standard Issue

GoogleAdd-on API

GMS

New Technology

?

?

서론 : Why GMS? To the best of Our Knowledge, this is the killer app.

10

5b

11


분석환경 Setup - 1 : How to get Google GMS?

• Partnership with Google Inc.GMS / Document / Build Configuration

• Deodexing from Real Devicehttp://kwangwoo.blogspot.com/2010/08/build-boot-and-system-images-for-nexus.html

• Unyaffs from Unknown Sourcehttp://www.kandroid.org/board/board.php?board=HTCDream&command=body&no=123

Add-onSite URL : http://www.kandroid.org/android/repository/kandroid_adp_api8r2.xml


Java(classes)

Resources

Dalvik(.dex)

Manifest

Ref. Libs

XML Res. Compilation

+Other Res.

Pre-process

UnsignedAndroid

Application(.apk)

∥

Zip Compressed

File

Key(Debug Key

Custom Key)

jarsigner(keytool)

adb(pm)install

amstart

zipalign

http://code.google.com/p/android-apktool/

http://code.google.com/p/dex2jar/

http://java.decompiler.free.fr/

Dex2Jar

ApkTool

JAD GMSApps

GMSApps

Sources

분석환경 Setup - 2 : Application Code Reverse Engineering


Error 발생한 이유? : Java Decompiler



fake

GoogleConnection

Server

mtalk.google.comTLS/SSL

GoogleConnection

Server

mtalk.google.com

fakemtalk.

google.com

MITM attack(Man In The Middle)

TLS/SSL TLS/SSL

분석환경 Setup - 3 : MITM(Man In The Middle) Attack


> openssl genrsa -des3 -out MYCA.key 2040> openssl req -new -key MYCA.key -x509 -days 1095 -out MYCA.crt


> openssl genrsa -des3 -out fake_mtalk_cert.key> openssl req -new -key fake_mtalk_cert.key -out fake_mtalk_cert.csr

=> 매우중요 : subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mtalk.google.com

> openssl x509 -req -days 365 -in fake_mtalk_cert.csr -CA MYCA.crt -CAkey MYCA.key \-CAcreateserial -out fake_mtalk_cert.crt

> cat fake_mtalk_cert.crt fake_mtalk_cert.key > fake_mtalk_cert.pem

1

2

3



void mtalk_gw_serv_ssl_init(void){

SSLeay_add_ssl_algorithms ();if((serv_ctx = SSL_CTX_new (SSLv23_server_method())) == NULL) {

exit(1);}SSL_CTX_set_quiet_shutdown (serv_ctx,1);SSL_CTX_set_session_cache_mode (serv_ctx,SSL_SESS_CACHE_OFF);

if (!SSL_CTX_use_RSAPrivateKey_file (serv_ctx, PEM_FILE, SSL_FILETYPE_PEM)) {fprintf(stderr, "could not load RSA private key from [%s]\n", PEM_FILE); exit(1);

}if (!SSL_CTX_use_certificate_file (serv_ctx, PEM_FILE, SSL_FILETYPE_PEM)) {

fprintf(stderr, "could not load certificate from [%s]\n", PEM_FILE); exit(1);}

}

void mtalk_gw_cli_ssl_init(void){

SSLeay_add_ssl_algorithms ();if((cli_ctx = SSL_CTX_new (SSLv3_client_method())) == NULL) {

fprintf (stderr, "could not initialize SSL_CTX structure\n"); exit(0);}

SSL_CTX_set_quiet_shutdown (cli_ctx, 1);}

4


분석환경 Setup - 4 : Network Protocol Guessing & Testing


Example : mtalk.proto file

message LoginRequest {required string id = 1;required string domain = 2;required string user = 3;required string resource = 4;required string token = 5;optional string deviceId = 6;optional int64 lastRmqId = 7;repeated Setting settings = 8;optional int32 compress = 9;repeated string persistentIds = 10;optional bool useRmq = 11;optional bool adaptiveHeartbeat = 12;optional HeartbeatStat heartbeatStat = 13;optional bool useRmq2 = 14;

}

…..



Source : http://code.google.com/p/protobuf/

1. Download Protocol Buffer Library

2. Install Protocol Buffer> tar xvfz protobuf-2.3.0.tar.gz> cd protobuf-2.3.0> ./configure> make install> cd python> python setup.py install

3. Sample Code Usage- sample proto file create (ex, mtalk.proto)- protoc --python_out=. mtalk.proto (result : mtalk_pb2.py)

- write your testing code…



fakefakemtalk.

google.com


at Internet

TLS/SSL

TLS/SSL

fake

GoogleConnection

Server

mtalk.google.com

fakemtalk.

google.com


at Ethernet

TLS/SSL

TLS/SSL

fakeCA

Server

fakeCertDigital

Signing

CustomAndroidImage

Packet Log

Packet Report

CustomProtocolBuffer

Deserialzer

/system/etc/hosts/system/etc/security/cacerts.bks

분석환경 Setup : Summary


GMS 기술분석 - 2 : GSF(Google Service Framework)

Package : GoogleServicesFramework.apk

Process : com.google.android.gapps

Activity : 39개

ContentProvider : 4개

Service : 8개

IncludeDalvik VM

GSF Total Components : 60(+8)개

Intent : Bundle of Informations• Explicit : Call Class• Implicit : IntentFilter : 26(+8)개

Action, Data, Category

BroadcastReceiver : 9(+8)개

permission-tree : 1개

permission : 54개

uses-permission : 55개

android:permission : 2개

android:readPermission : 4개

android:writePermission : 4개

path-permission : 1개

android:grantUriPermissions : 1개


Package Name A R CP S 비고

com+ android.common (+1) NetworkConnectivityListener, OperationScheduler

+ google+ android

+ common gdata,http,Cvs,GoogleWebContentHelper,LoggingThreadedSyncAdapter

+ gsf+ checkin 4 2

+ gservices 1 1

+ gtalkservice 1 1(+2) 2

+ service (+2)

+ login 26 (+2)

+ loginservice 8 1 1

+ settings 2 1

+ subscribedfeeds 1 1 2

+ talk 1

+ update 2 1(+1) 1

+ gtalkservice+ common base,collect,io.protocol

+ wireless.gdata client,data,parser,serializer,subscribedfeeds,GDataException

+ net.oauth signature,OAuth....

+ org.jivsoftware smack,smackx

Sub Total : 60(+8) 39 9(+8) 4 8



GSF : ContentProvider (4)

VoiceSearchGoogleFeedbackGoogleQuickSearchBoxSetupWidzardTalk / GmailGoogleBackupTransportGoogleContactsSyncAdapterMediaUploaderNetworkLocation / VendingGoogleCalendarSyncAdapter

content://com.google.android.gsf.gservicescontent://com.google.android.gsf.gservices/prefixcontent://com.google.android.gsf.gservices/maincontent://com.google.android.gsf.gservices/override

GSF Externals

Talk

content://com.google.android.providers.talk/<path>

content://com.google.settings/partner VoiceSearch / GenieWidgetGoogleQuickSearchBoxGooglePartnerSetupMapLibrary / StreetMediaUploaderNetworkLocation / Vending

GmailGoogleContactsSyncAdapterGoogleCalendarSyncAdapter

content://subscribedfeeds/feedscontent://subscribedfeeds/deleted_feeds


1

2

3

4

GService

Talk

Setting

Feeds


GSF : Service (8)

SetupWizardB: IGoogleLoginService

GSF Externals

TalkVending

A: com.google.android.gsf.action.GET_GLS

C: IGTalkService.class.getName()

B: IGTalkService

S: ServiceAutoStarterB: ConnectionAuthErrorDialog

NetworkMonitor

A: android.intent.action.START_RESTORES:B: LoginActivityTask$4

DataMessageManager A: com.google.android.c2dm.intent.UNREGISTERS: .gtalkservice.PushMessagingRegistrar

CheckinService EventLogService SystemUpdateService

SubscribedFeedsSyncAdapterService SubscribedFeedsIntentService

GTalkService PushMessagingRegistrar GoogleLoginService


1

2

4 5 7

7 8

3

12 3


Package Name A R CP Scom+ android.common (+1)

+ google+ android

+ common+ gsf

+ checkin 4 2

+ gservices 1 1

+ gtalkservice 1 1(+2) 2

+ service (+2)

+ login 26 (+2)

+ loginservice 8 1 1

+ settings 2 1

+ subscribedfeeds 1 1 2

+ talk 1

+ update 2 1(+1) 1

+ gtalkservice+ common+ wireless.gdata

+ net.oauth+ org.jivsoftware

Sub Total : 60(+8) 39 9(+8) 4 8

A:android.accounts.LOGIN_ACCOUNTS_CHANGED

ACTION_BATTERY_CHANGEDACTION_DEVICE_STORAGE_LOWACTION_DEVICE_STORAGE_OK

ACTION_BOOT_COMPLETEDACTION_PRE_BOOT_COMPLETEDACTION_DOWNLOAD_COMPLETEDACTION_DOWNLOAD_NOTIFICATION_CLICKED

ACTION_SCREEN_OFF;ACTION_TIME_SETACTION_USER_PRESENT

A:android.net.conn.BACKGROUND_DATA_SETTING_CHANGEDA:android.net.conn.CONNECTIVITY_CHANGEA:android.net.wifi.STATE_CHANGEA:android.provider.Telephony.SECRET_CODEA:android.server.checkin.CHECKINA:com.android.sync.SYNC_CONN_STATUS_CHANGEDA:com.google.android.GTalkService.NOTIFICATION_DELETED_ACTIONA:com.google.android.c2dm.intent.RECEIVEA:com.google.android.intent.action.GTALK_HEARTBEATA:com.google.android.intent.action.GTALK_RECONNECTA:com.google.gservices.intent.action.GSERVICES_CHANGEDA:com.google.gservices.intent.action.GSERVICES_OVERRIDE

C:android.server.checkin.CHECKINC:com.google.android.gsf.subscribedfeedsD:android:scheme="android_secret_code" android:host="2432546"D:android:scheme="android_secret_code" android:host="46"D:android:scheme="android_secret_code" android:host="7867"




setup_wizard_title

gls_ui_activity___


Google API Service nameGoogle Analytics Data APIs analyticsGoogle Apps APIs(Domain Information & Management) apps

Google Base Data API gbaseGoogle Sites Data API jotspotBlogger Data API bloggerBook Search Data API printCalendar Data API clGoogle Code Search Data API codesearchContacts Data API cpDocuments List Data API writelyFinance Data API financeGmail Atom feed mail

Health Data API healthweaver (H9 sandbox)

Maps Data APIs localPicasa Web Albums Data API lh2Sidewiki Data API annotatewebSpreadsheets Data API wiseWebmaster Tools API sitemapsYouTube Data API Youtube

Google App Engine ah

Source : http://code.google.com/apis/gdata/faq.html#clientlogin

GMS 기술분석 - 3 : Google Services Overview


MobileProxy

8.relay 9.relay

No CAPTCHA

GMS 기술분석 - 3 : Google Services Architecture


Response Code Description & Solution

200 OK

403 Authentication Error ⇒Create New AuthToken with ClientLogin

503

Service Available⇒Use multiple AuthToken⇒Use Cache⇒Stopping your request / sleep / retry request⇒appropriate sleep time : 10 seconds x 503 error count

400

Bad request⇒Set Request Property with correct values⇒Send Request data with base64.urlsafe_b64encode

instead of base64.encodestring

RequestBlocking

Blocking accountBlocking IP Address

No Response Black Hole Technology

GMS 기술분석 - 3 : Google Services QoS


GMS(Google Mobile Services)

GSFGoogle

Mobile Connection Servermtalk.google.com 5228

Google Cloud

Google Account Server(Authentication & Authorization)

www.google.com/accouts/

Web Based

Mobile(Android) Based Google Services• cl• cp• mail• …

Google Mobile Services• market• c2dm• …

heartbeat

GMS 기술분석 - 4 : Service Integration Architecture


TLS/SSL based Packet Encryption

Gtalk Core Message Types

Non-StandardProtocol BufferHeader

1. Tag : 13개 (1 byte)2. Length : (1 or 5(?) byte)

Gtalk Extensions Message Types

0 : HEARTBEAT_PING1 : HEARTBEAT_ACK2 : LOGIN_REQUEST3 : LOGIN_RESPONSE4 : CLOSE5 : MESSAGE_STANZA6 : PRESENCE_STANZA7 : IQ_STANZA8 : DATA_MESSAGE_STANZA9 : BATCH_PRESENCE_STANZA10 : STREAM_ERROR_STANZA11 : HTTP_REQUEST12 : HTTP_RESPONSE

1 : ROSTER_QUERY2 : RMQ_LAST_ID3 : RMQ_ACK4 : VCARD5 : SHARED_STATUS6 : CHAT_READ7 : CHAT_CLOSED8 : CAPABILITIES9 : OTR_QUERY10 : IDLE 11 : POST_AUTH_BATCH_QUERY12 : SELECTIVE_ACK13 : STREAM_ACK

Non-Standard Protocol Message Link : Extension Tag

Google Mobile Connection Server

mtalk.google.com 5228

heartbeat

GMS 기술분석 - 4 : Service Integration Heartbeat


Android Market Client Update Issues

• Security problem• Async application installation hacked• Protocol buffer reverse engineering

GMS 기술분석 - 4 : Service Integration Case Study #1


APP

C2DMSignup

Create NewGmail Account

Gmail

C2DM Signup

Register Your App. to C2DM Server

ReceiveRegistration ID

SendRegistration ID

Request Auth Tokenfor C2DM (ac2dm)

Receive Auth Token

Sendmessage

1 2

0

PublishYour Application

3

4

5

6

7

8

9

GMS 기술분석 - 4 : Service Integration Case Study #2


GMS 이슈 - 5 : Network Traffic


Type Sub TypePacket

Count Count(%) Size(%)

connection heartbeat 22 9 % 0 %

login 27 12 % 12 %

data message GSYNC_TICKLE 45 20 % 13 %

INSTALL_ASSET 1 0 % 1 %

talk chat 1 0 % 0 %

iq 87 39 % 25 %

presence 21 9 % 46 %

<receiver android:name="GTalkDiagnosticsBroadcastReceiver"><intent-filter><action android:name="android.provider.Telephony.SECRET_CODE" /><data android:scheme="android_secret_code" android:host="8255" /></intent-filter></receiver>



0

50

100

150

200

250

300

350

400

450

500

1 11 21 31 41 51 61 71 81 91 101

111

121

131

141

151

161

171

181

191

201

211

221

231

241

251

261

271

281

291

301

311

321

331

341

351

361

371

381

391

401

411

421

431

Packet Size (Byte) : after SSL strip

Packet Traffic Sequence

Env : Emulator, New Gmail Account, 2 BuddyList

Heartbeat Data Traffic Threshold



0

50

100

150

200

250

300

350

400

450

1 7 13 19 25 31 37 43 49 55 61 67 73 79 85 91 97 103

109

115

121

127

133

139

145

151

157

163

169

175

181

187

193

199

205

211

217

223

229

235

Packet Size (Byte) : after SSL strip

Packet Traffic Sequence

Env : Real Device, Exist Gmail Account, many BuddyList

Heartbeat Data Traffic Threshold



GMS 이슈 - 5 : Battery


GMS 이슈 - 5 : Battery

What costs the most?

• Waking up in the background• Bulk data transfer

Takeaways

• Use an efficient parser and GZIP• Use <receiver> and AlarmManager (not daemon)• Wait for better network/battery for bulk transfers

출처 : GoogleIO 2009


GMS 이슈 - 5 : Privacy

message CheckinRequest {optional bytes deviceId = 1;optional int64 cr2 = 2;optional bytes cr3 = 3;required Checkin checkin = 4;optional bytes cr5 = 5; optional bytes locale = 6;optional int64 id = 7;optional bytes cr8 = 8;optional bytes macaddress = 9;optional bytes cr10 = 10;repeated bytes accountInfo = 11 ;optional bytes timezone = 12;optional int64 cr13 = 13;optional int32 cr14 = 14;repeated bytes cr15 = 15;

}

message Checkin {optional Build build = 1;optional int64 check2 = 2;repeated Event event = 3;repeated Statistic statistics = 4;repeated bytes check5 = 5;optional bytes networkOperator = 6;optional bytes simOperator = 7;optional bytes networkInfo = 8;

}

message Build { optional bytes fingerprint = 1;optional bytes hardware = 2;optional bytes brand = 3;optional bytes radio = 4;optional bytes bootloader = 5;optional bytes client_id = 6;optional int64 time = 7;optional int32 version = 8;optional bytes device = 9;

}

message Event {required bytes evnet1 = 1;optional bytes evnet2 = 2;optional int64 evnet3 = 3;

}

message Statistic {required bytes stat1 = 1;optional int32 stat2 = 2;optional float stat3 = 3;

}

Next Page


Steve Jobs : What is this?

… <중략> …

Bill Gates :Get real, will you?You and I are both like guys that have this rich neighbor......Xerox...That left the door open all the time.

실리콘 밸리의 신화 vs. 실리콘 밸리의 해적들“Pirates Of Silicon Valley”, 1999

Alan Kay

결론 : What is Android? and then….


www.kandroid.org

Q & A