Full Disclosure: Re: "Data-Clone" -- a new way to attack android apps

Nmap Security Scanner
- Intro
- Ref Guide
- Install Guide
- Download
- Changelog
- Book
- Docs
Security Lists
- Nmap Hackers
- Nmap Dev
- Bugtraq
- Full Disclosure
- Pen Test
- Basics
- More
Security Tools
Site News
Advertising
About/Contact
Sponsors:

Re: "Data-Clone" -- a new way to attack android apps

From: Jann Horn <jannhorn () googlemail com>
Date: Sun, 17 Mar 2013 19:18:30 +0100

On Sun, Mar 17, 2013 at 06:09:09PM +0800, IEhrepus wrote:

"Data-Clone" -- a new way to attack android apps

Author: SuperHei () www knownsec com [Email:5up3rh3i#gmail.com]
Release Date: 2013/03/16
References: http://www.80vul.com/android/data-clone.txt
Chinese Version:
http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/

--[ I - Introduction

This is a new way to attack android apps t,and i call it "Data-Clone
Attack". it can bypass password authentication ,when user login the
app and set "remember password"(some apps is define).

[...]

--[ III - How to exploit

"How to get the contents of data" is key to the completion of the
attack. some like this:

1. Already have super privileges

under the root shell like the demo,u can bypass password
authentication used "Data-Clone Attack".

2. apps install on SDcard

the others have read  permissions to obtain the app's data.


I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The
crypto is flawed, but not so flawed that this kind of attack would
be possible. Also, apps on the device even need an exploit just to be
able to read the encrypted data.

3. Cross-site scripting on android

app + webview + xss(or webkit xcs vul) = "Data-Clone"

On older version of android , android app's xss or webkit xcs  vul can
read the loacl file's contents :
http://www.80vul.com/android/android-0days.txt

So the app's webview have the file read permissions to the app's data.
when a app user visit a URL link,the data will Be cloned。

--[ IV - Disclosure Timeline

2012/03/   - Found this
2012/12/10 - Report it to security () android com

......For a long time has passed......

2013/03/16 - security () android com do not have any response
(maybe,because Google was not andriod's biological mother)
2013/03/16 －Public Disclosure


Or maybe because it's not exactly interesting that you can read an app's
data if you can execute code in its context?

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

"Data-Clone" -- a new way to attack android apps IEhrepus (Mar 17)
- Re: "Data-Clone" -- a new way to attack android apps Jann Horn (Mar 17)
  - Re: "Data-Clone" -- a new way to attack android apps IEhrepus (Mar 18)
    - Re: "Data-Clone" -- a new way to attack android apps IEhrepus (Mar 18)