Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: "Data-Clone" -- a new way to attack android apps
From: IEhrepus <5up3rh3i () gmail com>
Date: Mon, 18 Mar 2013 11:19:29 +0800

http://www.80vul.com/android/data-clone.txt update

thx jonn Horn(jannhorn () googlemail com)




hitest


2013/3/18 IEhrepus <5up3rh3i () gmail com>

“I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The

crypto is flawed, but not so flawed that this kind of attack would
be possible. Also, apps on the device even need an exploit just to be
able to read the encrypted data.”

yes,"apps install on SDcard" is wrong :( apps install on sdcard ,but the
data  on /data/data/xxx , like "Already have super privileges"

thank u :), i will change it .

hitest


2013/3/18 Jann Horn <jannhorn () googlemail com>

On Sun, Mar 17, 2013 at 06:09:09PM +0800, IEhrepus wrote:
"Data-Clone" -- a new way to attack android apps

Author: SuperHei () www knownsec com [Email:5up3rh3i#gmail.com]
Release Date: 2013/03/16
References: http://www.80vul.com/android/data-clone.txt
Chinese Version:
http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/

--[ I - Introduction

This is a new way to attack android apps t,and i call it "Data-Clone
Attack". it can bypass password authentication ,when user login the
app and set "remember password"(some apps is define).
[...]
--[ III - How to exploit

"How to get the contents of data" is key to the completion of the
attack. some like this:

1. Already have super privileges

under the root shell like the demo,u can bypass password
authentication used "Data-Clone Attack".

2. apps install on SDcard

the others have read  permissions to obtain the app's data.

I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The
crypto is flawed, but not so flawed that this kind of attack would
be possible. Also, apps on the device even need an exploit just to be
able to read the encrypted data.


3. Cross-site scripting on android

app + webview + xss(or webkit xcs vul) = "Data-Clone"

On older version of android , android app's xss or webkit xcs  vul can
read the loacl file's contents :
http://www.80vul.com/android/android-0days.txt

So the app's webview have the file read permissions to the app's data.
when a app user visit a URL link,the data will Be cloned。

--[ IV - Disclosure Timeline

2012/03/   - Found this
2012/12/10 - Report it to security () android com

......For a long time has passed......

2013/03/16 - security () android com do not have any response
(maybe,because Google was not andriod's biological mother)
2013/03/16 -Public Disclosure

Or maybe because it's not exactly interesting that you can read an app's
data if you can execute code in its context?



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault