On Sun, Mar 17, 2013 at 06:09:09PM +0800, IEhrepus wrote:
"Data-Clone" -- a new way to attack android apps
Author: SuperHei () www knownsec com [Email:5up3rh3i#gmail.com]
Release Date: 2013/03/16
--[ I - Introduction
This is a new way to attack android apps t,and i call it "Data-Clone
Attack". it can bypass password authentication ,when user login the
app and set "remember password"(some apps is define).
--[ III - How to exploit
"How to get the contents of data" is key to the completion of the
attack. some like this:
1. Already have super privileges
under the root shell like the demo,u can bypass password
authentication used "Data-Clone Attack".
2. apps install on SDcard
the others have read permissions to obtain the app's data.
I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The
crypto is flawed, but not so flawed that this kind of attack would
be possible. Also, apps on the device even need an exploit just to be
able to read the encrypted data.
3. Cross-site scripting on android
app + webview + xss(or webkit xcs vul) = "Data-Clone"
On older version of android , android app's xss or webkit xcs vul can
read the loacl file's contents :
So the app's webview have the file read permissions to the app's data.
when a app user visit a URL link,the data will Be cloned。
--[ IV - Disclosure Timeline
2012/03/ - Found this
2012/12/10 - Report it to security () android com
......For a long time has passed......
2013/03/16 - security () android com do not have any response
(maybe,because Google was not andriod's biological mother)
2013/03/16 －Public Disclosure
Or maybe because it's not exactly interesting that you can read an app's
data if you can execute code in its context?