Android 5 security updates

Android 5.x Application-Security-related updates

Hi

I just copied and summarized the security-related changes in Android 4.4, 5.0 and 5.1. Enjoy guys!


Custom permission

Android 5.0 prevents the installation of apps if they define a custom permission that is already defined by an existing resident app.


Web view

The WebView default behavior was changed to block mixed content (plain HTTP resources loaded into an HTTPS page). Do not loosen this by calling setMixedContentMode().


SSL default configuration

Android 5.0 introduces changes to the default TLS/SSL configuration used by apps for HTTPS and other TLS/SSL traffic:

  • TLSv1.2 and TLSv1.1 protocols are now enabled
  • AES-GCM (AEAD) cipher suites are now enabled
  • MD5, 3DES, export, and static key ECDH cipher suites are now disabled
  • Forward Secrecy cipher suites (ECDHE and DHE) are preferred


HTTP classes

The org.apache.http classes and the AndroidHttpClient class have been deprecated in Android 5.1.


getRecentTasks()

The ActivityManager.getRecentTasks() method is now deprecated to improve user privacy. Use ActivityManager.getAppTasks() to retrieve your own app's tasks.


Managed profile

Device administrators can add a managed profile to a device. This profile is owned by the administrator, giving the administrator control over the managed profile while leaving the user’s personal profile, and its storage space, under the user’s control. This change can affect the behavior of your existing app in the following ways:


Sharing files across profiles

Each profile has its own file storage. Since a file URI refers to a specific location in that storage, a file URI that is valid on one profile is not valid on the other. This is not ordinarily a problem for an app, which usually only accesses the files it creates. However, if an app attaches a file to an intent, it is not safe to attach a file URI, since in some circumstances the intent might be handled on the other profile. For example, a device administrator might specify that image capture events should be handled by the camera app on the personal profile. If the intent is fired by an app on the managed profile, the camera needs to be able to write the image to a location where the managed profile’s apps can read it.

To be safe, when you need to attach a file to an intent that might cross from one profile to the other, you should create and use a content URI for the file. For more information about sharing files with content URIs, see Sharing Files. For example, the device administrator might whitelist ACTION_IMAGE_CAPTURE to be handled by the camera in the personal profile. The firing intent’s EXTRA_OUTPUT should contain a content URI specifying where the photo should be stored. The camera app can write the image to the location specified by that URI, and the app that fired the intent would be able to read that file, even if the app is on the other profile.

Read more:

https://developer.android.com/training/secure-file-sharing/index.html

https://developer.android.com/reference/android/support/v4/content/FileProvider.html#getUriForFile(android.content.Context, java.lang.String, java.io.File)
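As an added example (not code from the original post or from the Android documentation), here is the ACTION_IMAGE_CAPTURE case above in Java: the file URI that breaks across profiles beside the content URI built with FileProvider. The provider authority com.example.app.fileprovider and the images subdirectory are assumed placeholders, and the FileProvider must be declared in the manifest as shown in the comment.

```java
// Manifest declaration this example assumes (authority is a placeholder):
// <provider android:name="android.support.v4.content.FileProvider"
//           android:authorities="com.example.app.fileprovider"
//           android:exported="false" android:grantUriPermissions="true">
//   <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
//              android:resource="@xml/file_paths"/>
// </provider>
// res/xml/file_paths.xml: <paths><files-path name="images" path="images/"/></paths>
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.provider.MediaStore;
import android.support.v4.content.FileProvider;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;

public class CrossProfileCapture {
    private static final String AUTHORITY = "com.example.app.fileprovider"; // placeholder
    private static final int REQUEST_CAPTURE = 42;

    // Unsafe: a file:// URI names a path inside THIS profile's storage. If the device
    // administrator routes the intent to the camera on the other profile, that path
    // does not exist there and the capture fails or lands in the wrong place.
    static Intent unsafeCaptureIntent(File target) {
        Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
        intent.putExtra(MediaStore.EXTRA_OUTPUT, Uri.fromFile(target));
        return intent;
    }

    // Safe: a content:// URI served by our FileProvider, plus a temporary write grant
    // carried by the intent, lets the camera write the photo wherever it runs and lets
    // this app read it back afterwards.
    static Intent safeCaptureIntent(Activity activity, File target) {
        Uri output = FileProvider.getUriForFile(activity, AUTHORITY, target);
        Intent intent = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
        intent.putExtra(MediaStore.EXTRA_OUTPUT, output);
        intent.addFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                | Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return intent;
    }

    static void capture(Activity activity) {
        File dir = new File(activity.getFilesDir(), "images"); // matches <files-path>
        dir.mkdirs();
        File target = new File(dir, "capture.jpg");
        activity.startActivityForResult(safeCaptureIntent(activity, target), REQUEST_CAPTURE);
    }

    // After the result arrives, the photo is read through our own provider, not via a path.
    static InputStream openCaptured(Activity activity, File target) throws IOException {
        Uri uri = FileProvider.getUriForFile(activity, AUTHORITY, target);
        return activity.getContentResolver().openInputStream(uri);
    }
}
```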


Android 4.4 security-related news:

The new method getExternalFilesDirs() works the same as the existing getExternalFilesDir() method, except it returns an array of File objects.

Other methods for accessing your app-specific cache directory and OBB directory also now have corresponding versions that provide access to secondary storage devices: getExternalCacheDirs() and getObbDirs(), respectively.

Note: Beginning with Android 4.4, the platform no longer requires your app to hold the WRITE_EXTERNAL_STORAGE or READ_EXTERNAL_STORAGE permission when it only accesses its app-specific regions of external storage through the methods above. However, these permissions are still required to access the shareable regions of external storage returned by getExternalStoragePublicDirectory().


References

https://developer.android.com/about/versions/android-5.0-changes.html

https://developer.android.com/about/versions/android-5.1.html

https://developer.android.com/about/versions/android-4.4.html


SSL FREAK Vulnerability

As security experts, AppSec Labs can help you protect against SSL-based attacks, as well as keeping our own website, www.appsec-labs.com, safe from them.

SSL/TLS is a transport encryption protocol which is used by most applications and infrastructure to provide confidentiality and integrity for safe communication between a client and a server.

Read more


Online ClickJacking/UI redressing PoC Tester

AppSec Labs is proud to introduce the ClickJacking Tester – a tool designed to let information security specialists around the world easily check online whether their websites are vulnerable to ClickJacking/UI redressing attacks:

http://online.attacker-site.com/html5/ClickjackingTester/


How to Use:

  1. Open the tool in your browser.
  2. Enter your website’s URL in the text box.
  3. Check the “add allow-forms to Iframe” box to add allow-forms to the iframe’s sandbox attribute, if necessary.
  4. Hit ‘enter’ or click the submit button.
  5. If the page is vulnerable, it will be displayed in the window on the left side of the testing page.
  6. Take a screenshot for your PoC and enjoy!

Read more


AppUse and Server-Side Attacks on Android Applications

Introduction

We all know our smartphones contain a lot of sensitive information about us, from credit card details through WhatsApp correspondence, our location, pictures and more.

Today we see serious development of the telephony field; banks and credit card companies are developing account management telephone applications, chat applications which hold a history of our conversations, and much more important information of ours is managed by the smartphone.

The Android operating system (OS) architecture gives the programmer broad control over information: components can be made accessible to other applications on the device, data can be saved in dangerous locations, and so information can easily be handled incorrectly. In addition, many programmers who have always developed server-side applications are now faced with the need to develop client-side applications and are not aware of the possible risk – which, in turn, increases the attack surface available to the attacker.

When a tester performs a penetration test on an Android application, it is divided into two main areas:

  • Client-Side Attacks – include client-side vulnerabilities such as saving sensitive information in a dangerous manner, saving passwords in the code, manipulation of activities, broadcast receivers, etc.
  • Server-Side Attacks – include applicative server-side vulnerabilities such as XSS, SQLi, Authorization Bypass, Authentication Bypass, etc.

Read more

The Truth Behind the Sony Cyber Attack

In recent years, Sony Pictures Entertainment has been one of the most highly targeted companies by cyber crime groups.


The last months of the year 2014 were very tough on Sony, after a cybercriminal group which identifies itself as GOP (Guardians of Peace) performed the biggest cyber-attack on Sony Pictures Entertainment. In this article I will make a short summary of the attack:

When Sony Pictures employees came into the office on Monday, November 24th 2014, they discovered that their corporate network had been hacked. The attackers had left messages threatening to release sensitive information if Sony didn’t comply with their demands. All Sony employees found the same message on their computer screens (see the above picture).


The GOP hacker group claimed responsibility for the hack and had apparently stolen reams of internal corporate data as well. GOP leaked the movies Annie, Fury, Still Alice, Mr. Turner and To Write Love on Her Arms to the internet on Black Friday.

The massive data breach at Sony appeared to have exposed more sensitive documents, revealing the US Social Security Numbers of more than 47,000 celebrities as well as freelancers, current and former Sony employees. Employees at Sony Pictures Entertainment were sent a threatening email by the GOP. The e-mail was written in English and asked the company employees:

“Please sign your name to object the false (sic) of the company at the email address below, if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.”

A number of DDOS attacks (Distributed Denial-of-Service attack is an attempt to make a machine or network resource unavailable to its intended users) were launched against Sony servers by several hackers groups.

  Read more


iOS: “I just snapshotted your credit card… I did it for you!”

Does your application have a page containing sensitive data such as personal or business information? Credit card numbers? Any financial or legal information? You should be aware that when the user presses the iPhone’s home button and your application goes into the background, iOS takes a snapshot of the current page and stores it insecurely on the device. Why? To create an “animation” when the application shrinks into the background and expands back onto the screen when the user selects it again. If the last page contained sensitive information, this information could easily be stolen. Violation of the user’s privacy and business information leakage are just two of the security impacts it may cause.

This is how it's done:
1. The user launches your app and goes to a page containing sensitive information.
2. The user receives a call, or decides to press the home button, and sends your app into the background.
3. iOS takes a snapshot of the last page, for the animation… this is how it looks:

[Screenshots: stage 1, stage 2, stage 3]

Now, let's take a look at the application folder on the device. We’ll go to:
{YOUR_APP_UUID}/Library/Caches/Snapshots/
There we can see the file: UIApplicationAutomaticSnapshotDefault-Portrait@2x.png.
Opening it reveals all the data that appeared on the last page visited in our app before it went into the background.

What can we do about it?

Well… I’m glad you asked! There are a few ways to deal with this issue. Here, I will explain four of them:
Read more


AliExpress hacked – the entire story

Introduction

As you may have heard, it was recently reported that AliExpress, one of the world’s largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the vulnerability, I would like to take this opportunity to discuss the vulnerability I detected in this blog post.

A few months ago, I purchased a few items from the AliExpress website. After the purchase, I sent a message to the seller to ask a question regarding the items. From my experience as an application security expert at AppSec Labs, I suspected that it might be vulnerable to a certain security weakness, and so I started to investigate the issue locally and, of course, without harming the system or its users.

After a short investigation, I concluded that any buyer on the website can browse to any item and send a message to the seller using the “Contact Now” feature; this feature can be abused by a malicious buyer who could send the seller a message containing a malicious payload.
Read more

Protecting a Windows application from premature termination

Have you ever written a Windows app that works on a specific and very important task that must be completed, but then someone force-closes it?

One solution would be to send a request to the user that asks the user not to force-close the app. Unfortunately, this doesn’t usually work.

There is a cool “trick”, unknown to most programmers, that makes sure no one closes that important app: anyone who does gets a BSOD (Blue Screen Of Death). This trick is called NtSetInformationProcess.

Some OS (Operating System) processes, such as Csrss.exe (Client Server Runtime Process), are considered critical for the normal function of the OS and closing them would crash the system in order to avoid any abnormal behavior.
Read more


Auto Complete Vulnerabilities and Chrome workaround

Today’s post will discuss auto-complete vulnerabilities whose standard mitigation Chrome does not support or handle properly. The good news is that there is a workaround, and we’ll go over how to apply it step by step. Read on for the details.

What are the Auto Complete Vulnerabilities?

There are two main security issues we need to discuss:

  1. Auto complete for text fields

Credit card fields (always plain text fields) are always at risk. If you do not employ a protection, then after the user submits the form, the credit card number will be saved automatically by the browser’s auto-complete feature, as demonstrated in the following image:


The next person to use the computer will be able to browse to the same page and see the saved credit card number.


  2. Auto complete for password fields

For example, in login forms. After the login form is submitted, Chrome offers to save the user’s password. In sensitive systems, it is recommended to prevent the browser from offering this.



Now let’s go over the details on how to follow these recommendations.

Auto complete mitigation for text fields

The mitigation for AutoComplete on text fields is easy. Add the attribute autocomplete="off" to the relevant text fields. For example:

<input type="text" name="cc" autocomplete="off" />

With this attribute, the browser will not save the data that the user entered into these fields in its AutoComplete feature.


Auto complete mitigation for password fields

The mitigation for password fields differs depending on the browser and its version.

In short, some browsers honour the autocomplete attribute on the password field, just as on a text field:

<input type="password" name="pass" autocomplete="off" />

Other browsers require the attribute on the form tag instead:

<form action="/xyz" method="post" autocomplete="off">

But… Chrome does not support either.


Chrome and AutoComplete for password fields

The workaround we found for Google Chrome (credit to Simon: http://stackoverflow.com/a/22694173) is as follows. Add a hidden password field before the real password field. Chrome sees that the first password field (the hidden one) is empty, treats the submission as if the user left the password field blank, and does not offer to save the password.

Code snippet:


So, those are the nitty-gritty details. Now it’s your turn to test your own forms with multiple options in our online lab environment: http://online.attacker-site.com/pages/autocomplete/autocomplete.php


I hope this helps you, and please feel free to leave comments below. If you have ideas for our next blog post, just let us know.

Talk to you next time, Israel


Directory Listing

Description

Directory listing is a web server feature that displays a list of all the files in a website directory when that directory has no index file (such as index.php or default.asp).

Some web administrators do not properly configure their web servers to disable directory listing, or do not disable it at all.

For instance, administrators may make complex configuration settings, such as to allow directory listing for particular directories or subdirectories. The improper configuration of this task might result in the unexpected and unintended enabling of listing of directories which contain sensitive information.

See how to fix it!

Read more