Mobile Systems and Smartphone Security (MOBISEC)
Prof: Yanick Fratantonio, EURECOM
Advanced Topics on Android System & Security, Part 2
Today
WebViews & Mobile Web Browsers
WebView
WebView & JavaScript
WebView myWebView = (WebView) findViewById(R.id.webview);
WebSettings webSettings = myWebView.getSettings();
// JavaScript is off by default; once enabled, every page the WebView loads runs script inside the app's process
webSettings.setJavaScriptEnabled(true);
Example of WebView + JavaScript ⇔ Java (doc)
WebView webView = (WebView) findViewById(R.id.webview);
// The object becomes reachable from page JavaScript as the global "Android"
webView.addJavascriptInterface(new WebAppInterface(this), "Android");

public class WebAppInterface {
    Context mContext;

    WebAppInterface(Context c) { mContext = c; }

    // Since API 17 only methods carrying this annotation are callable from JavaScript
    @JavascriptInterface
    public void showToast(String toast) {
        Toast.makeText(mContext, toast, Toast.LENGTH_SHORT).show();
    }
}

<input type="button" value="hello" onClick="showAndroidToast('Hello!')" />
<script type="text/javascript">
    function showAndroidToast(toast) { Android.showToast(toast); }
</script>
Security problems with JavaScript / Java
In the past, it was even worse
<script>
// Pre-API 17 bridge: every public method of the injected object is callable from JS,
// including Object.getClass(), which opens the door to reflection and java.lang.Runtime
function execute(cmdArgs)
{
    return SomeObject.getClass().forName("java.lang.Runtime")
        .getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
}
execute(["echo", "bam"]);
</script>
JavaScript bridge bugs can lead to RCE vulns: before API 17 (and the @JavascriptInterface requirement) any public method of the injected object, getClass() included, was reachable from any page loaded in the WebView.
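A WebView set up with the bridge exposed only where the annotation filter exists and only to an allow-listed origin, as an added example (not code from the MOBISEC slides or from the Android documentation). The class name, the `Bridge` helper and the `ALLOWED_HOST` value are assumptions for the example.

```java
import android.app.Activity;
import android.content.Context;
import android.net.Uri;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.Toast;

public class HardenedWebViewActivity extends Activity {
    // The only origin allowed to load in this WebView (assumed value)
    private static final String ALLOWED_HOST = "app.example.com";

    // Same shape as the slide's WebAppInterface: only @JavascriptInterface methods are reachable from JS
    static class Bridge {
        private final Context ctx;
        Bridge(Context ctx) { this.ctx = ctx; }

        @JavascriptInterface
        public void showToast(String msg) {
            Toast.makeText(ctx, msg, Toast.LENGTH_SHORT).show();
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(true);                   // required for the bridge, so trim everything else
        s.setAllowFileAccess(false);                    // no file:// pages (a local HTML file would get the bridge too)
        s.setAllowContentAccess(false);                 // no content:// pages
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);

        // Below API 17 there is no @JavascriptInterface filtering: every public method, getClass()
        // included, is callable, which is the reflection-to-Runtime.exec() path from the previous slide.
        // Do not expose a bridge there at all.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new Bridge(this), "Android");
        }
        // Objects that older system WebViews injected into every page on their own; drop them
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");

        webView.setWebViewClient(new WebViewClient() {
            // Returning true cancels the navigation: the WebView (and its bridge) never leaves ALLOWED_HOST
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl());
            }

            @SuppressWarnings("deprecation")
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {   // pre-API 24 callback
                return !isAllowed(Uri.parse(url));
            }
        });

        webView.loadUrl("https://" + ALLOWED_HOST + "/");
    }

    static boolean isAllowed(Uri uri) {
        return uri != null
                && "https".equals(uri.getScheme())
                && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
    }
}
```

`shouldOverrideUrlLoading` gates navigations (redirects included), not sub-resource loads such as XHR, images or iframes; those are seen in `shouldInterceptRequest`. The allow-list also does nothing against a compromised server or an XSS on `ALLOWED_HOST` itself: whatever script that origin serves reaches the bridge, so the bridge should expose as little as possible.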
Security of WebView
Security Updates to WebViews
WebView ~> Start the browser
INTERNET permission bypass
An app without the INTERNET permission can still hand a URL (and whatever data it encodes in that URL) to the browser through an Intent; the browser, which does hold the permission, performs the request on the app's behalf.
Concept: "Confused Deputy Problem"
Web Browsers
Web Browsers on Mobile
Accessibility Service
Accessibility Service - a11y
Security Mechanism #1
Security Mechanism #2
“Since an event contains the text of its source privacy can be compromised by leaking sensitive information such as passwords. To address this issue any event fired in response to manipulation of a PASSWORD field does NOT CONTAIN the text of the password.”
Disclosure of a11y bugs (August 22nd 2016)
a11y documentation “patch”
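A minimal accessibility service, as an added example (not from the slides), showing what an app with the a11y grant receives and what mechanism #2 quoted above withholds from it. The class name and log tag are assumptions.

```java
import android.accessibilityservice.AccessibilityService;
import android.util.Log;
import android.view.accessibility.AccessibilityEvent;

public class TextSniffService extends AccessibilityService {
    private static final String TAG = "a11y-demo";

    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        String where = event.getPackageName() + "/" + event.getClassName();
        switch (event.getEventType()) {
            case AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED:
                // Keystrokes in an ordinary EditText arrive as the field's new text.
                // For a PASSWORD field the framework strips the text before dispatching the
                // event (mechanism #2); isPassword() still reveals that a password is being typed.
                if (event.isPassword()) {
                    Log.d(TAG, "password being typed in " + where + " (text withheld)");
                } else {
                    Log.d(TAG, "text in " + where + ": " + joinText(event));
                }
                break;
            case AccessibilityEvent.TYPE_VIEW_CLICKED:
                Log.d(TAG, "click on " + where + ": " + joinText(event));   // button labels, list rows...
                break;
            case AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED:
                Log.d(TAG, "foreground now " + where);                     // which app/screen the user is on
                break;
            default:
                break;
        }
    }

    // Text attached to the event (a field's content, a clicked view's label)
    private static String joinText(AccessibilityEvent event) {
        StringBuilder sb = new StringBuilder();
        for (CharSequence cs : event.getText()) {
            if (sb.length() > 0) sb.append(" | ");
            sb.append(cs);
        }
        return sb.toString();
    }

    @Override
    public void onInterrupt() { }
}
```

The service is declared in the manifest with `android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"`, an intent filter for `android.accessibilityservice.AccessibilityService`, and a `<meta-data android:name="android.accessibilityservice">` XML resource whose `accessibilityEventTypes` selects the events above. Nothing is delivered until the user turns the service on under Settings > Accessibility; once on, every app's screen text except password fields flows through `onAccessibilityEvent`.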
Password Managers & Autofill Framework
Mobile Password Managers
Three Technologies
Autofill Framework
OpenYOLO Diagram
In all cases, an app's package name is the starting point to map app ↔ website!
Mobile Password Managers
How can a password manager know that this app is really linked to facebook.com?
This step is trivial for browser password managers (the browser hands them the page's origin), but not on Android...
Package Names Can’t Be Trusted
Real-World Password Managers
Dashlane
"xxx.face.yyy" → "facebook.com"
"com.inst.lin.ube" → "instagram.com", "linkedin.com", "uber.com"
LastPass
"com.facebook.evil" → "facebook.com"
Keeper
Hidden Fields
ACM Conference on Computer and Communications Security (CCS '18)
Instant Apps
Instant Apps Flow
FULL UI CONTROL!!!
End-to-end attack: phishing with a few clicks
com.paypal.evil
The Right Way™
{
  "relation": ["delegate_permission/common.get_login_creds"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.facebook.katana",
    "sha256_cert_fingerprints": [
      "E3:F9:E1:E0:CF:99:D0:E5:6A:05:5B:..."
    ]
  }
}
```
Only ~2% of domain names support this*
ACM Conference on Computer and Communications Security (CCS '18)
*as of late 2018
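How a password manager would consume the statement above, as an added example (not from the slides and not any password manager's code): the app is accepted for a domain only if the domain's assetlinks.json grants `get_login_creds` to that package name AND to the SHA-256 fingerprint of the certificate the installed APK is actually signed with. The class name, the sample statement and the fake certificate bytes in `main` are constructed for the example; the slide's truncated fingerprint is not reused.

```java
import org.json.JSONArray;      // bundled in the Android platform; org.json jar on a desktop JVM
import org.json.JSONObject;

import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class AssetLinksCheck {
    static final String RELATION = "delegate_permission/common.get_login_creds";

    // Colon-separated upper-case SHA-256 of a DER certificate, the format assetlinks.json uses.
    // On device the DER bytes come from PackageManager (Signature.toByteArray() / SigningInfo).
    static String fingerprint(byte[] derCert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(derCert);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // True iff some statement grants RELATION to exactly this package AND lists this certificate.
    // Both must match: the package name is chosen by whoever built the APK, the signing key is not.
    static boolean isDelegated(String assetlinksJson, String packageName, String certFingerprint) throws Exception {
        JSONArray statements = new JSONArray(assetlinksJson);
        for (int i = 0; i < statements.length(); i++) {
            JSONObject st = statements.getJSONObject(i);
            JSONObject target = st.optJSONObject("target");
            if (target == null || !"android_app".equals(target.optString("namespace"))) continue;
            if (!packageName.equals(target.optString("package_name"))) continue;
            if (!contains(st.optJSONArray("relation"), RELATION, false)) continue;
            if (contains(target.optJSONArray("sha256_cert_fingerprints"), certFingerprint, true)) return true;
        }
        return false;
    }

    private static boolean contains(JSONArray arr, String wanted, boolean ignoreCase) {
        if (arr == null) return false;
        for (int i = 0; i < arr.length(); i++) {
            String v = arr.optString(i);
            if (ignoreCase ? v.equalsIgnoreCase(wanted) : v.equals(wanted)) return true;
        }
        return false;
    }

    // The statement list is only meaningful when fetched over HTTPS from the domain itself
    static String fetch(String domain) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new URL("https://" + domain + "/.well-known/assetlinks.json").openConnection();
        c.setInstanceFollowRedirects(false);          // a redirect elsewhere must not be able to answer for the domain
        try (InputStream in = c.getInputStream()) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
            return new String(out.toByteArray(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: fake certificate bytes and the statement their fingerprint would appear in
        String legitFp = fingerprint("constructed-legit-cert".getBytes(StandardCharsets.UTF_8));
        String attackerFp = fingerprint("constructed-attacker-cert".getBytes(StandardCharsets.UTF_8));
        String sample = "[{\"relation\":[\"" + RELATION + "\"],\"target\":{\"namespace\":\"android_app\","
                + "\"package_name\":\"com.example.legit\",\"sha256_cert_fingerprints\":[\"" + legitFp + "\"]}}]";

        System.out.println("legit package, legit key:        " + isDelegated(sample, "com.example.legit", legitFp));
        System.out.println("look-alike package, own key:     " + isDelegated(sample, "com.example.legit.evil", attackerFp));
        System.out.println("same package name, re-signed:    " + isDelegated(sample, "com.example.legit", attackerFp));
    }
}
```

`fetch` must run off the main thread on Android. The last two `main` lines are the two attacks the slides describe: a look-alike package name, and an APK that reuses the real package name but is signed by the attacker; neither has the key the domain vouched for.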
Notifications
NotificationListenerService
// Listener access is a per-app toggle in Settings; all an app can do is take the user to that screen
// (the string is the value of Settings.ACTION_NOTIFICATION_LISTENER_SETTINGS)
Intent intent = new Intent("android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS");
startActivity(intent);
NotificationListenerService
<service android:name=".NotificationListener"
         android:exported="true"
         android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
    <!-- exported must be stated explicitly when targeting API 31+ (the intent filter implies it) -->
    <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService" />
    </intent-filter>
</service>
The app is NOT requesting a permission, it's defending itself from other apps: only the system, which holds BIND_NOTIFICATION_LISTENER_SERVICE, can bind to the service.
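What a granted listener actually receives, as an added example (not from the slides): every notification any app posts is delivered to it, title and body included, and it can act on them. The class name and log tag are assumptions; the `isEnabled` check uses the AndroidX `NotificationManagerCompat`.

```java
import android.app.Notification;
import android.content.Context;
import android.os.Bundle;
import android.service.notification.NotificationListenerService;
import android.service.notification.StatusBarNotification;
import android.util.Log;

import androidx.core.app.NotificationManagerCompat;

public class NotificationListener extends NotificationListenerService {
    private static final String TAG = "notif-demo";

    // Has the user switched this app on as a listener? The manifest declaration alone grants nothing.
    static boolean isEnabled(Context ctx) {
        return NotificationManagerCompat.getEnabledListenerPackages(ctx).contains(ctx.getPackageName());
    }

    @Override
    public void onNotificationPosted(StatusBarNotification sbn) {
        Notification n = sbn.getNotification();
        Bundle extras = n.extras;   // the fields the Builder on the following slides fills in
        CharSequence title = extras.getCharSequence(Notification.EXTRA_TITLE);
        CharSequence text = extras.getCharSequence(Notification.EXTRA_TEXT);
        CharSequence bigText = extras.getCharSequence(Notification.EXTRA_BIG_TEXT);
        Log.d(TAG, "from=" + sbn.getPackageName() + " id=" + sbn.getId()
                + " title=" + title + " text=" + (bigText != null ? bigText : text));

        // A listener is not read-only. It can dismiss the notification before the user sees it:
        //   cancelNotification(sbn.getKey());
        // or fire its tap action (the PendingIntent set with setContentIntent) on the user's behalf:
        //   if (n.contentIntent != null) n.contentIntent.send();
    }

    @Override
    public void onNotificationRemoved(StatusBarNotification sbn) {
        Log.d(TAG, "removed from=" + sbn.getPackageName() + " id=" + sbn.getId());
    }
}
```

The two commented calls are why the grant is a deliberate user choice: a listener can suppress a 2FA code notification and, by sending `contentIntent`, trigger whatever the posting app put behind the tap, which ties into the PendingIntent slides later on.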
Notifications Creation (doc)
NotificationCompat.Builder mBuilder = new NotificationCompat.Builder(this, CHANNEL_ID)
        .setSmallIcon(R.drawable.notification_icon)
        .setContentTitle("My notification")
        .setContentText("Much longer text...")
        .setStyle(new NotificationCompat.BigTextStyle()
                .bigText("Much longer text..."))
        .setPriority(NotificationCompat.PRIORITY_DEFAULT);
NotificationManagerCompat notificationManager = NotificationManagerCompat.from(this);
// notificationId: unique ID identifying the notification; calling notify() again with the same ID updates it in place
notificationManager.notify(notificationId, mBuilder.build());
Notifications Creation - Tap Action
Intent intent = new Intent(this, TargetActivity.class);   // explicit target component
// flags: 0 means mutable; apps targeting API 31+ must pass FLAG_IMMUTABLE or FLAG_MUTABLE explicitly
PendingIntent pend = PendingIntent.getActivity(this, 0, intent, PendingIntent.FLAG_IMMUTABLE);
NotificationCompat.Builder mBuilder = new NotificationCompat.Builder(this, CHANNEL_ID)
        .setSmallIcon(R.drawable.notification_icon)
        .setContentTitle("My notification")
        .setContentText("Much longer text...")
        .setStyle(new NotificationCompat.BigTextStyle()
                .bigText("Much longer text..."))
        .setPriority(NotificationCompat.PRIORITY_DEFAULT)
        .setContentIntent(pend);   // fired with this app's identity when the user taps the notification
Pending Intent (doc)
Pending Intent
Intent intent = new Intent(this, TargetActivity.class);
// flags 0: the PendingIntent is mutable, so whoever holds it can fill in fields the base Intent leaves unset
// (apps targeting API 31+ must state FLAG_IMMUTABLE or FLAG_MUTABLE explicitly)
PendingIntent pend = PendingIntent.getActivity(this, 0, intent, 0);
Example taken from PIAnalyzer, ESORICS18 (paper)
Powerful pending intent
Leaked around
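The two properties that make a leaked PendingIntent "powerful", an implicit base Intent and mutability, next to the hardened form, as an added example (not from the slides or from PIAnalyzer). The class, the action string, the receiver names and the file paths are assumptions.

```java
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

public class PendingIntentDemo {
    static final String ACTION_UPLOAD = "com.example.victim.UPLOAD";   // assumed action

    // Stands in for an internal (non-exported) receiver of the victim app
    public static class UploadReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            // would upload intent.getStringExtra("path") somewhere
        }
    }

    // POWERFUL and leakable: implicit base Intent (no component) and mutable (0 is mutable;
    // FLAG_MUTABLE spells it out, and apps targeting API 31+ have to). Whoever ends up holding
    // this object, a notification listener, a widget host, an app it was handed to, can call
    // send() with a fill-in Intent: fields the base Intent left unset are taken from the
    // fill-in, extras are merged, and the result is delivered with the victim's identity and permissions.
    static PendingIntent leaky(Context ctx) {
        Intent base = new Intent(ACTION_UPLOAD);
        base.putExtra("path", ctx.getFilesDir() + "/secrets.db");
        int flags = Build.VERSION.SDK_INT >= Build.VERSION_CODES.S ? PendingIntent.FLAG_MUTABLE : 0;
        return PendingIntent.getBroadcast(ctx, 0, base, flags);
    }

    // HARDENED: explicit component, so a fill-in cannot redirect it (fillIn() only supplies a
    // component that is missing), and FLAG_IMMUTABLE (API 23+), so the fill-in Intent is ignored
    // altogether and the extras cannot be altered either.
    static PendingIntent safe(Context ctx) {
        Intent base = new Intent(ACTION_UPLOAD)
                .setComponent(new ComponentName(ctx, UploadReceiver.class));
        base.putExtra("path", ctx.getFilesDir() + "/secrets.db");
        return PendingIntent.getBroadcast(ctx, 0, base, PendingIntent.FLAG_IMMUTABLE);
    }

    // What the holder of a leaked PendingIntent does with it: aim it at a component of the victim it
    // could never reach directly and change the data. Against leaky() both take effect; against safe()
    // the fill-in is ignored and the broadcast reaches UploadReceiver with the original extras.
    static void hijack(PendingIntent pi, Context attackerCtx) throws PendingIntent.CanceledException {
        Intent fillIn = new Intent()
                .setComponent(new ComponentName("com.example.victim", "com.example.victim.InternalReceiver"))
                .putExtra("path", "/sdcard/Download/exfil.db");
        pi.send(attackerCtx, 0, fillIn);
    }
}
```

The check to make when reviewing an app is therefore twofold for every `PendingIntent.get*` call: does the base Intent name its component, and is `FLAG_IMMUTABLE` set? Anything that fails either test and is then attached to a notification, a widget, or an Intent extra going to another app is a candidate for exactly this redirection.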
Man-In-The-Middle Attack (MITM)
[Diagram: User ↔ website.com, with the Attacker positioned in between (MITM)]
MITM: passive (observe and record only) vs. active (modify, inject or drop traffic)
MITM for reversing
Proxy vs. gateway vs. VPN
Proxy / Gateway in practice
HTTP / HTTPS / Pinning
Demystifying HTTP vs HTTPS
HTTPS does not imply "it's trusted"!
HTTPS Certificates
HTTPS MITM?
HTTPS MITM
HTTPS MITM on mobile (more info here)
URL url = new URL("https://wikipedia.org");
URLConnection urlConnection = url.openConnection();   // https scheme => HttpsURLConnection: TLS and system trust-store validation come for free
try (InputStream in = urlConnection.getInputStream()) {
    copyInputStreamToOutputStream(in, System.out);    // helper from the slides, not a platform API
}
That's enough to use HTTPS!
App counter trick: SSL Pinning (more info here)
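Pinning done by hand on top of `HttpsURLConnection`, as an added example (not from the slides), so it can be compared with the four lines above. The connection still goes through the normal trust-store validation; on top of that, some certificate in the chain must carry a public key whose SPKI hash is on the allow-list, so a certificate minted by a user-installed proxy CA is rejected even though the system would accept it. The class name and the pin values are constructed placeholders, not wikipedia.org's real pins.

```java
import android.util.Base64;

import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;

public class PinnedClient {
    // "sha256/<base64 SPKI digest>" pins, the format OkHttp and HPKP use. Keep a backup pin for key rotation.
    static final List<String> PINS = Arrays.asList(
            "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",   // placeholder
            "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=");  // placeholder backup

    // Pin the public key (SubjectPublicKeyInfo) rather than the whole certificate:
    // re-issuing the certificate with the same key does not break the app.
    static String spkiPin(Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();          // DER-encoded SPKI
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    // Any certificate in the presented chain (leaf first) matching any pin is enough
    static boolean chainIsPinned(Certificate[] chain, List<String> pins) throws Exception {
        for (Certificate c : chain) {
            if (pins.contains(spkiPin(c))) return true;
        }
        return false;
    }

    static byte[] get(String urlString) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        conn.connect();                                          // TLS handshake + trust-store validation
        Certificate[] chain = conn.getServerCertificates();      // what the peer actually presented
        if (!chainIsPinned(chain, PINS)) {
            conn.disconnect();                                   // no request bytes have been sent yet
            throw new SSLPeerUnverifiedException("no pinned key in chain for " + conn.getURL().getHost());
        }
        try (InputStream in = conn.getInputStream()) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
            return out.toByteArray();
        }
    }
}
```

The pin check runs after `connect()` but before `getInputStream()`, so the HTTP request never goes out to an unpinned peer. From API 24 the same policy can be declared without code in the Network Security Configuration (`<pin-set>` under a `<domain-config>`), which the next slides introduce; whichever way it is done, the pins need an expiry and a rotation plan, or a key change locks the app out of its own backend.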
HTTPS-related protection mechanisms
Cleartext network policy
Android Network Security Policy (guide)
Network Security Policy (default for API [24, 27])
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
Network Security Policy (default for API [28, -))
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>
Network Security Policy (default for API (-, 23])
(the config file is only honoured from API 24 on; below that, this is what the platform defaults amount to: cleartext allowed and user-installed CAs trusted)
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"Towards HTTPS Everywhere on Android: We Are Not There Yet", USENIX Security 2020