QARK (DEF CON 23)

Upload: tony-trummer

Post on 15-Jan-2017


QARK

WHO ARE WE?

PENETRATION TESTERS AT LINKEDIN

• TONY TRUMMER, STAFF INFORMATION SECURITY ENGINEER

• TUSHAR DALVI, SENIOR INFORMATION SECURITY ENGINEER

WHAT IS QARK?

QUICK ANDROID REVIEW KIT

AN AUDITING AND ATTACK FRAMEWORK

A PROGRESSION OF OTHER TOOLS/IDEAS

A PINCH OF INNOVATION

LOTS OF (HORRIBLY WRITTEN) PYTHON

QARK’s mission

RAISE THE BAR

SHARE KNOWLEDGE

COMMUNITY INVOLVEMENT

MOTIVATE OTHERS

ANDROID ISSUES

FRAGMENTATION

USERS DON’T UPDATE

IMPROPER TLS, IF ANY

NUMEROUS TAINTED SOURCES

CLIENT SIDE FAIL – NO ONE WILL KNOW

MOTIVATION

WE’RE LAZY

OUR BOSS IS CRAZY

WE HAVE LOTS OF APPS TO PROTECT

DEVELOPERS ARE EVEN LAZIER THAN US

WE HATE REPEATING BUGS

LOTS OF SMALL DEV SHOPS (AKA NO SECURITY)

UNDER THE HOOD

• PARSING: PLYJ, BEAUTIFULSOUP, MINIDOM

• REVERSING: PROCYON, JD-CORE, CFR, DEX2JAR, APKTOOL

• CODE: PYTHON

• TOOLS & BUILDING: ANDROID SDK

APK STRUCTURE

• RESOURCES.ARSC

• /RES

• ANDROIDMANIFEST.XML

• CLASSES.DEX

• /META-INF

• /LIB

• /ASSETS

REVERSING APKs

GET MANIFEST • APKTOOL D FOO.APK

UNZIP APK • RENAME APK TO ZIP; UNZIP

DALVIK BYTECODE • DEX2JAR CLASSES.DEX

JAVA BYTECODE • JD-GUI

RAW JAVA FILES

ACQUISITION

• SIMPLIFIES APK RETRIEVAL FROM DEVICES

• DECOMPRESSES APK

• CONVERTS ANDROIDMANIFEST.XML TO TEXT

• PARSES ANDROIDMANIFEST.XML

• FINDS PERMISSIONS ISSUES

• FINDS EXPORTED COMPONENTS, SUPPORTED VERSIONS, ETC.
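The acquisition and APK-structure slides above describe a pipeline: open the APK as a zip, pull out AndroidManifest.xml, and read the exported components and SDK versions off it. The following is an added example written for this transcript, not QARK's own code: it builds a constructed, in-memory APK-shaped zip, extracts the manifest with the standard library, and audits it with minidom (one of the parsers the deck lists). The manifest is embedded as plain text, standing in for the output of `apktool d`; a real APK stores it as binary XML, which must be decoded first. The exported-component rules encoded here (an intent-filter implies exported when `android:exported` is unset; providers default to exported when targetSdkVersion is 16 or lower) are the platform defaults of that era, not something the slide states.

```python
import io
import zipfile
from xml.dom import minidom

# Constructed sample manifest (plain text, as apktool would emit it).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="16"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>
"""


def build_sample_apk() -> bytes:
    """Build a constructed zip laid out like the APK structure slide."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("classes.dex", b"dex\n035\0")  # placeholder bytes, not real Dalvik code
        z.writestr("resources.arsc", b"")
        z.writestr("res/layout/main.xml", b"")
        z.writestr("META-INF/MANIFEST.MF", b"")
        z.writestr("lib/armeabi-v7a/libdemo.so", b"")
        z.writestr("assets/config.json", b"{}")
    return buf.getvalue()


def list_entries(apk_bytes: bytes) -> list:
    """Decompress step: the file names inside the APK, sorted."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(z.namelist())


def read_manifest(apk_bytes: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return z.read("AndroidManifest.xml").decode()


def _attr(node, name, default=None):
    # Attributes live in the android: namespace; minidom keeps the qualified name.
    value = node.getAttribute("android:" + name)
    return value if value else default


def audit_manifest(xml_text: str) -> dict:
    """Return SDK versions, exported components and simple permission findings."""
    doc = minidom.parseString(xml_text)
    sdk = doc.getElementsByTagName("uses-sdk")
    min_sdk = int(_attr(sdk[0], "minSdkVersion", "1")) if sdk else 1
    target_sdk = int(_attr(sdk[0], "targetSdkVersion", str(min_sdk))) if sdk else min_sdk

    findings, exported = [], []
    app = doc.getElementsByTagName("application")[0]
    if _attr(app, "debuggable") == "true":
        findings.append(("application", "debuggable=true"))

    for tag in ("activity", "service", "receiver", "provider"):
        for comp in doc.getElementsByTagName(tag):
            name = _attr(comp, "name")
            declared = _attr(comp, "exported")
            has_filter = bool(comp.getElementsByTagName("intent-filter"))
            if declared is not None:
                is_exported = declared == "true"
            elif tag == "provider":
                # Providers defaulted to exported when targetSdkVersion <= 16.
                is_exported = target_sdk <= 16
            else:
                # Other components are implicitly exported when they declare an intent-filter.
                is_exported = has_filter
            if is_exported:
                exported.append((tag, name))
                if _attr(comp, "permission") is None:
                    findings.append((name, "exported %s without android:permission" % tag))
    return {"min_sdk": min_sdk, "target_sdk": target_sdk,
            "exported": exported, "findings": findings}


if __name__ == "__main__":
    apk = build_sample_apk()
    print(list_entries(apk))
    for key, value in audit_manifest(read_manifest(apk)).items():
        print(key, value)
```

The launcher activity is reported too, since it is exported and unprotected by design; a real triage step would whitelist MAIN/LAUNCHER filters. The receiver with `android:exported="false"` is left out, and the provider is flagged only because the constructed manifest targets API 16.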

COMMUNICATION SOURCES

• WEBVIEWS

• INTENTS

• NETWORK REQUESTS

• DEEPLINK URLS

• AIDL

• MESSAGES

COMPONENTS

ACTIVITY

• ONCREATE()

• ONSTART()

• ONRESUME()

• ONPAUSE()

• ONSTOP()

• ONDESTROY()

• ONRESTART()

SERVICE

• ONCREATE()

• ONBIND()

• ONSTARTCOMMAND()

• ONUNBIND()

• ONDESTROY()

PROVIDER

• ONCREATE()

RECEIVER

• ONRECEIVE()

PARSE STRUCTURE

MAPS MANIFEST TO CLASSES

PARSES JAVA CLASSES

LOCATES “ENTRY POINT” METHODS

SOURCE TO SINK

FINDS SOURCES OF TAINTED INPUT

TRACKS POTENTIALLY TAINTED INPUT

RECORDS ANY “SINKS” ENCOUNTERED

STORES INFORMATION GATHERED ALONG WITH MANIFEST DETAILS FOR LATER USE
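The PARSE STRUCTURE and SOURCE TO SINK slides describe the core of the analysis: find the lifecycle "entry point" methods, mark input that arrives through them as tainted, follow it through assignments, and record every sink it reaches. The example below is added for this transcript and is not QARK's tracker (QARK parses Java with plyj); it is a deliberately small line-oriented version working on a constructed Java class. The source and sink tables are assumptions chosen to match the communication sources on the previous slides (intents and deep-link URLs flowing into a WebView and a SQL query).

```python
import re

# Constructed decompiled-looking Java, not taken from any real app.
SAMPLE_JAVA = """
public class DeepLinkActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        String target = intent.getStringExtra("url");
        String safe = "https://example.invalid/home";
        String page = target + "?ref=app";
        WebView wv = (WebView) findViewById(R.id.web);
        wv.loadUrl(safe);
        wv.loadUrl(page);
        Uri data = intent.getData();
        db.execSQL("SELECT * FROM t WHERE id=" + data.getQueryParameter("id"));
    }
}
"""

# Lifecycle methods from the COMPONENTS slide that receive outside input.
ENTRY_POINTS = {"onCreate", "onStart", "onResume", "onNewIntent",
                "onReceive", "onBind", "onStartCommand"}
# Assumed source calls: anything that reads data from an incoming Intent/URI.
SOURCE_PATTERNS = [r"getIntent\(\)", r"\.getStringExtra\(", r"\.getData\(\)",
                   r"\.getQueryParameter\(", r"\.getExtras\("]
# Assumed sinks: places where attacker-controlled strings change behaviour.
SINK_PATTERNS = {"WebView.loadUrl": r"\.loadUrl\(",
                 "SQLiteDatabase.execSQL": r"\.execSQL\(",
                 "Runtime.exec": r"\.exec\("}

METHOD_RE = re.compile(
    r"^\s*(?:public|protected|private)?\s*(?:static\s+)?[\w<>\[\]]+\s+(\w+)\s*\(.*\{\s*$")
ASSIGN_RE = re.compile(r"^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=(?!=)\s*(.+);\s*$")


def _taint_reasons(expr: str, tainted: set) -> list:
    """Why an expression is tainted: a source call, or a tainted variable it uses."""
    reasons = ["source:" + p.replace("\\", "") for p in SOURCE_PATTERNS if re.search(p, expr)]
    reasons += [v for v in sorted(tainted) if re.search(r"\b%s\b" % re.escape(v), expr)]
    return reasons


def track_source_to_sink(java_src: str) -> list:
    """Return one finding per sink call whose arguments derive from a source."""
    findings, tainted, method = [], set(), None
    for lineno, line in enumerate(java_src.splitlines(), 1):
        m = METHOD_RE.match(line)
        if m:
            method = m.group(1)
            tainted = set()  # taint state is per method in this simplified tracker
            continue
        a = ASSIGN_RE.match(line)
        if a and _taint_reasons(a.group(2), tainted):
            tainted.add(a.group(1))
        for sink, pat in SINK_PATTERNS.items():
            s = re.search(pat, line)
            if s:
                reasons = _taint_reasons(line[s.end():], tainted)
                if reasons:
                    findings.append({"line": lineno, "sink": sink,
                                     "entry_point": method,
                                     "reachable": method in ENTRY_POINTS,
                                     "tainted_by": reasons})
    return findings


if __name__ == "__main__":
    for f in track_source_to_sink(SAMPLE_JAVA):
        print(f)
```

`loadUrl(safe)` is not reported because `safe` never derives from a source, while `loadUrl(page)` is, through `page <- target <- intent.getStringExtra`. The `reachable` flag records whether the sink sits in a lifecycle entry point, which is the manifest-to-class mapping the slide mentions; a fuller tool would follow calls out of the entry point and across methods.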

SECURITY MAGIC

QARK CHECKS

• EXAMINES WEBVIEW CONFIGURATIONS AND PROVIDES TEMPLATED HTML FILES FOR VALIDATION OF VULNERABILITIES

• LOOKS FOR COMMON X.509 CERTIFICATE VALIDATION ISSUES

• LOOKS FOR VULNERABILITIES ORIGINATING FROM WITHIN THE APP, INSPECTING BROADCAST, STICKY AND PENDING INTENTS

• LOOKS FOR EMBEDDED PRIVATE KEYS AND INCORRECTLY IMPLEMENTED CRYPTO ISSUES

• LOOKS FOR WORLD-READABLE AND WORLD-WRITEABLE FILES
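Most of the checks on this slide reduce to recognising a known-bad pattern in decompiled source. As an added example (not QARK's check set), the scanner below runs a table of such patterns over a constructed Java class that contains one instance of each issue class the slide names: permissive WebView settings, an X.509 TrustManager that accepts everything, an always-true HostnameVerifier, world-readable file modes, an embedded private key, ECB mode and a hard-coded symmetric key, a PendingIntent built on an empty base Intent, and a sticky broadcast. The check identifiers and regular expressions are the author's assumptions; the platform facts behind them (API 17 requiring `@JavascriptInterface`, `MODE_WORLD_READABLE` being deprecated) are not on the slide.

```python
import re

# Constructed Java with one instance of each weakness class; not from a real app.
INSECURE_JAVA = """
public class Insecure {
    static final String KEY = "-----BEGIN RSA PRIVATE KEY-----MIIB...-----END RSA PRIVATE KEY-----";
    void setup(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.getSettings().setAllowUniversalAccessFromFileURLs(true);
        wv.addJavascriptInterface(new Bridge(), "bridge");
    }
    TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    };
    HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String h, SSLSession s) { return true; }
    };
    void save(Context ctx) throws Exception {
        FileOutputStream out = ctx.openFileOutput("tokens", Context.MODE_WORLD_READABLE);
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        SecretKeySpec k = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
        PendingIntent pi = PendingIntent.getActivity(ctx, 0, new Intent(), 0);
        ctx.sendStickyBroadcast(new Intent("com.example.SYNC_DONE"));
    }
}
"""

# Constructed counterpart with the same calls done safely.
CLEAN_JAVA = """
public class Safe {
    void setup(WebView wv) { wv.getSettings().setJavaScriptEnabled(false); }
    TrustManager tm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException { throw new CertificateException("pinned"); }
    };
    void save(Context ctx) throws Exception {
        FileOutputStream out = ctx.openFileOutput("tokens", Context.MODE_PRIVATE);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    }
}
"""

# (check id, slide category, pattern). Patterns span lines where bodies may wrap.
CHECKS = [
    ("webview-js-enabled", "webview", r"setJavaScriptEnabled\(\s*true\s*\)"),
    ("webview-file-url-access", "webview",
     r"setAllow(?:Universal|File)AccessFromFileURLs\(\s*true\s*\)"),
    ("webview-js-interface", "webview", r"addJavascriptInterface\("),
    ("x509-accept-all", "tls", r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
    ("hostname-verifier-always-true", "tls",
     r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    ("world-accessible-file", "files", r"MODE_WORLD_(?:READABLE|WRITEABLE)"),
    ("embedded-private-key", "crypto", r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
    ("ecb-cipher", "crypto", r"Cipher\.getInstance\(\s*\"[^\"]*/ECB/"),
    ("hardcoded-symmetric-key", "crypto", r"new\s+SecretKeySpec\(\s*\"[^\"]*\"\s*\.getBytes"),
    ("pending-intent-empty-base", "intents", r"PendingIntent\.get\w+\([^;]*new\s+Intent\(\s*\)"),
    ("sticky-broadcast", "intents", r"sendStickyBroadcast\("),
]


def scan(java_src: str) -> list:
    """Return (check id, category, line number) for every pattern hit, in file order."""
    hits = []
    for check_id, category, pattern in CHECKS:
        for m in re.finditer(pattern, java_src):
            line = java_src.count("\n", 0, m.start()) + 1
            hits.append((check_id, category, line))
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    for hit in scan(INSECURE_JAVA):
        print("%-32s %-8s line %d" % hit)
    print("clean sample:", scan(CLEAN_JAVA))
```

The trust-manager pattern only catches the empty-body form; a `checkServerTrusted` that logs and returns is just as broken and needs the method-level analysis the previous slide describes. Pattern matching of this kind is what makes the "templated HTML files for validation" useful: the WebView hits tell you which app, and which settings, the validation page should be loaded against.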

DEMO TIME !!

UNIQUE FEATURES

• USES MULTIPLE DECOMPILERS TO PROVIDE BETTER RESULTS

• BUILDS AN APK FOR MANUAL TESTING

• CONTAINS SWISS-ARMY KNIFE STYLE SET OF FUNCTIONALITIES

• CREATES ADB COMMANDS TO EXPLOIT DISCOVERED VULNERABILITIES

• CREATES CUSTOM EXPLOIT APK FOR POINT-AND-CLICK PWNAGE

QARK IS NOT (YET)

A FORENSICS TOOL

A DYNAMIC ANALYSIS TOOL

PERFECT

FINISHED

FUTURE PLANS

DYNAMIC ANALYSIS FUNCTIONALITY

SMALI INSPECTION

NON-ANDROID SPECIFIC JAVA VULNS

ODEX SUPPORT

IMPROVE EXTENSIBILITY

ASK FOR YOUR HELP

ACKNOWLEDGEMENTS

MWR LABS: DROZER

RAFAY BALOCH, ET AL, FOR THE WEBVIEW EXPLOITS

NVISIUM: TAPJACKING CODE

THE AUTHORS AND MAINTAINERS OF ALL THE OPENSOURCE PROJECTS USED IN QARK

JASON HADDIX, SAM BOWNE, ET AL, FOR SUPPLYING SOME VULNERABLE APKS

CONTACT INFO

WWW.SECBRO.COM

TONY TRUMMER

• WWW.LINKEDIN.COM/IN/TONYTRUMMER

• @SECBRO1

TUSHAR DALVI

• WWW.LINKEDIN.COM/IN/TDALVI

• @TUSHARDALVI

WHERE TO GET QARK?

LINKEDIN’S GIT REPO

HTTPS://GITHUB.COM/LINKEDIN/QARK