Showing Posts About

Android

eLinkSmart - Unlocking Bluetooth LE padlocks with polite requests

A critical security analysis of eLinkSmart Bluetooth padlocks revealed multiple severe vulnerabilities. The locks have hardcoded encryption keys, an insecure web API with SQL injection flaws, and weak authentication controls. These vulnerabilities allow attackers to unlock any lock within Bluetooth range and access sensitive user information.

Faking Another Positive COVID Test

A vulnerability was discovered in the Cue Health Home COVID-19 Test that allows manipulation of Bluetooth-transmitted test results. By exploiting weaknesses in the device's Protobuf communication protocol, test results could be changed from negative to positive. A Frida script was developed to intercept and modify Bluetooth packets, successfully altering the test outcome.

Samsung S20 - RCE via Samsung Galaxy Store App

A remote code execution vulnerability was discovered in the Samsung Galaxy Store app for S20 devices. The vulnerability allowed attackers to install applications without user consent by exploiting a WebView JavaScript interface. An attack could be conducted via a man-in-the-middle attack using NFC or WiFi.

How are we doing with Android's overlay attacks in 2020?

Android's Accessibility Services (AAS) can be exploited by malicious apps to perform dangerous actions on a user's device. These actions include keylogging, auto-granting permissions, reading screen content, and performing automated interactions with other apps. The article demonstrates how a malicious app can leverage AAS to potentially steal sensitive information and perform unauthorized actions without user detection.

  • 20 Dec 2019

Opening Up the Samsung Q60 series smart TV

A technical analysis was conducted on the Samsung Q60 series smart TV, exploring its hardware, firmware, and network services through detailed reverse engineering techniques. The investigation involved board-level analysis, extracting and examining the eMMC flash memory, and investigating the proprietary VDFS filesystem. Multiple approaches were used to understand the TV's internal architecture, including examining debug ports, firmware upgrade processes, and network services.

Digital lockpicking - stealing keys to the kingdom

A security analysis of the KeyWe Smart Lock revealed critical vulnerabilities in its Bluetooth Low Energy communication protocol. The lock's in-house key exchange mechanism allows attackers to easily intercept and decrypt device communications by exploiting a predictable common key generation process. By analyzing the mobile application and BLE traffic, the vulnerability in the lock's cryptographic design was exposed.

  • 1 Nov 2019

Automating Pwn2Own with Jandroid

Jandroid is an automated tool designed to help identify potential logic bugs in Android applications. The tool uses configurable templates to analyze APK files, searching for specific patterns in Android manifests and code. By reducing manual analysis effort, Jandroid enables semi-automatic detection of exploitable vulnerabilities in mobile applications.

How Secure is your Android Keystore Authentication?

This article explores vulnerabilities in Android Keystore authentication mechanisms for local device security. Multiple security weaknesses were identified in how developers implement biometric and keystore authentication in Android applications. Frida scripts were developed to help security professionals audit and test the robustness of Android application authentication implementations.

  • 21 Dec 2018

Twinkly Twinkly Little Star

Multiple security vulnerabilities were discovered in Twinkly IoT Christmas lights. The vulnerabilities include unencrypted local network communications, trivial authentication bypass, and potential remote control through MQTT and DNS rebinding attacks. These flaws could allow attackers to manipulate or control the lights remotely, potentially affecting thousands of connected devices.

Debugging Released Xamarin Android Applications

A technical investigation revealed debugging techniques for released Xamarin Android applications. By manipulating system properties like 'debug.mono.runtime_args', method tracing can be performed on release builds. Code execution is possible through the Mono log profiler by creating a payload in the '.__override__' directory, allowing analysis of Xamarin applications without modifying the original APK.

Chainspotting: Building Exploit Chains with Logic Bugs

A presentation explores the development of an exploit chain involving 11 logic bugs across 6 Android applications. The study demonstrates how logic vulnerabilities can be chained together to achieve malicious actions like silent APK installation. Techniques for discovering and exploiting logic bugs in Android systems are discussed, highlighting the challenges of complex vulnerability chaining.

  • 3 Oct 2017

WebUSB - How a website could steal data off your phone

WebUSB is a JavaScript API in Chrome that allows websites to access USB devices with user permission. The API enables potential data theft from connected devices like Android phones by establishing unauthorized connections. Security considerations highlight risks such as file system access, installing APKs, and potential device compromise through a single user interaction.

  • 21 Apr 2017

Logic Bug Hunting in Chrome on Android

A methodology for identifying logic flaws in mobile applications is demonstrated through an analysis of Chrome for Android. The approach focuses on finding logic bugs that enable access to user files and emails without memory corruption exploits. A specific logic bug in Chrome for Android is highlighted as allowing attackers to bypass Android Nougat security mechanisms.

  • 25 Jun 2015

Set Fire to the Phone

Two security researchers from MWRLabs discovered multiple vulnerabilities in the Amazon Fire Phone's AppStore ecosystem. By chaining three distinct vulnerabilities, they achieved remote code execution without using native or memory-based attacks. The exploit allowed installation of malware, extraction of device data, and demonstrated significant application security risks in the Fire Phone's software.

Android Wear Security Analysis

A security analysis of Android Wear reveals robust security controls in WearableListenerService and WearableService. The research examined how Android Wear applications communicate and found strict checks preventing unauthorized message delivery between applications. Security mechanisms effectively block low-privileged malware from interfering with inter-application communication on wearable devices.

  • 28 Nov 2014

My NFC Remains Enabled - Reflections on Mobile Pwn2Own 2014

Mobile Pwn2Own 2014 highlighted zero-day vulnerabilities in mobile devices, particularly those involving NFC technologies. The competition demonstrated the ongoing challenges in mobile device security, emphasizing the importance of careful app store selection for users and proactive security design for developers. Despite potential NFC-related risks, most users are more likely to encounter threats through phishing and malware.

Fracking With Hybrid Mobile Applications

Dave Hartley's presentation explores the security implications of hybrid mobile applications across multiple platforms. The talk examines how hybrid apps combine web and native application features using frameworks like PhoneGap. It highlights security risks introduced by WebView and cross-platform development approaches that allow web code to access local device resources.

Native Bridge's Over Troubled Water

Mobile security research by Dave Hartley explored vulnerabilities in mobile advertising networks across multiple platforms. The study investigated cross-platform exploitation potential in Windows Phone, Android, Blackberry, and iOS operating systems. Findings focused on identifying security issues within popular mobile ad networks.

  • 12 Jun 2014

Putting JavaScript Bridges into (Android) Context

This article explores techniques for obtaining Android Context in WebView JavaScript-to-Java bridge vulnerabilities. Multiple methods for retrieving Context are investigated using reflection and Java Native Interface (JNI) techniques. The research demonstrates approaches to accessing system resources and package information during post-exploitation scenarios in Android applications.

  • 12 May 2014

HackLab 2014 - The JaegerBomber

An experimental project called the JagerBomber attempted to create a quadcopter controlled by an Android phone using OTG functionality and an Arduino. The team aimed to develop a drone capable of navigating and potentially delivering alcohol, but technical challenges prevented a successful launch. The project explored Android's capabilities for serial communication and drone control, demonstrating complex technical integration challenges.

  • 20 Dec 2013

Google AdMob Ad Library - Arbitrary Intent Activity Invocation

A vulnerability was discovered in the Google AdMob SDK for Android that allows attackers to manipulate Intent Activities by injecting JavaScript into a WebView. The vulnerability enables arbitrary activity invocation by controlling multiple parameters passed to the 'startActivity' method. Potential remote exploitation can occur by targeting exposed activities in other Android applications.

  • 29 Nov 2013

Debug All the Android Things

This blog post describes a technique for enabling debugging on Android applications using Cydia Substrate. The method involves hooking the Android process startup method to force debugging flags, allowing developers to use jdb to interact with and manipulate running Android applications, even for apps not marked as debuggable in their manifest.

  • 27 Nov 2013

Millenial Media Ad Library

A critical vulnerability was discovered in the Millenial Media SDK across mobile platforms. The SDK's WebView implementation allows attackers to perform dangerous actions like file manipulation, clipboard access, audio recording, and cross-application exploitation through malicious JavaScript injection. These security flaws could enable comprehensive mobile device compromise and unauthorized access to sensitive user information.

  • 20 Nov 2013

AppLovin Ad Library SDK: Remote Command Execution via Update Mechanism

A critical vulnerability was discovered in the AppLovin Ad Library SDK for Android that enables remote command execution through an insecure update mechanism. The vulnerability allows attackers to inject malicious code into applications by exploiting the SDK's dynamic class loading process during updates. An attacker can craft a malicious SDK update that gets automatically downloaded and executed when an application starts.

  • 24 Sep 2013

WebView addJavascriptInterface Remote Code Execution

A critical remote code execution vulnerability was discovered in Android WebViews using JavaScript interfaces. The vulnerability allows attackers to execute arbitrary system commands by injecting malicious JavaScript into applications using advertising network SDKs. Analysis revealed that a significant number of Android applications could potentially be compromised through this security flaw.

  • 4 Jul 2013

BSides Challenge Walkthrough

The BSides London 2013 challenge involved analyzing the 'Evil Planner' Android application for security vulnerabilities. Multiple critical security flaws were discovered, including directory traversal in content providers, weak PIN encryption using device ID, and SQL injection in database content providers. These vulnerabilities could allow an attacker to access sensitive user data stored within the application.

  • 11 Mar 2013

BSides Challenge

MWR Labs hosted a cybersecurity challenge focused on analyzing the "Evil Planner" Android application. The challenge invited participants to find vulnerabilities that would allow BigCorp to extract encrypted data from a potentially malicious employee's device. Multiple prizes were offered for discovering and exploiting application security weaknesses.

  • 19 Sep 2012

Mobile Pwn2Own at EuSecWest 2012

MWR Labs demonstrated a critical Android vulnerability at EuSecWest 2012 targeting a Samsung Galaxy S3 running Android 4.0.4. The exploit used NFC to upload a malicious file, enabling code execution and privilege escalation. Through multiple vulnerabilities, the team could exfiltrate user data and compromise the device's security by bypassing Android's exploit mitigation features.

  • 23 Aug 2012

Mercury Reflection

Mercury developed a dynamic reflection interface for Android security assessment that enables runtime code execution and plugin creation. The interface allows developers to load Java code dynamically on the server side without modifying the core application. This approach provides flexible functionality for examining and interacting with Android applications through a simple set of reflection methods.

  • 30 Apr 2012

Building Android Java/JavaScript Bridges

This article explores security vulnerabilities in Android WebView implementations, focusing on Java/JavaScript bridges. It examines methods like addJavascriptInterface and method overriding that allow native code exposure to web content. The research highlights potential attack vectors in cross-platform mobile application development frameworks, particularly in PhoneGap.

  • 23 Apr 2012

Adventures with Android WebViews

This article provides guidance on securing Android WebViews by implementing best practices for mobile application security. Key recommendations include disabling JavaScript and plugins, restricting file system access, and implementing resource inspection techniques to prevent potential vulnerabilities. The article details methods for intercepting and controlling resource loading within WebViews to enhance mobile application security.

  • 16 Apr 2012

Adventures with iOS UIWebviews

This article explores security challenges with iOS UIWebviews, focusing on techniques to mitigate risks when loading remote content. It discusses methods for implementing secure WebView interactions, including using SSL/TLS, implementing URL request inspection, and carefully managing content loading to prevent unauthorized access to local resources.

  • 2 Dec 2011

How to find Android 0day in no time

WebContentResolver is an Android assessment tool that exposes Content Providers through a web interface. The tool allows security testing of Android Content Providers by enabling queries and revealing potential vulnerabilities like SQL injection. It provides a simple method to explore and test Content Providers using web application testing techniques.

  • 7 Jul 2011

Debuggable Apps in Android Market

A security analysis of Android applications revealed that approximately 5% of popular free apps are shipped with debugging enabled. Debuggable applications can be exploited by malicious apps to establish a JDWP connection and gain full access to the Java process. Developers are advised to disable debugging before shipping applications to prevent potential security risks.

  • 18 May 2011

The Google Android Update Dilemma

The Android update process involves multiple parties including Google, device vendors, and carriers, creating a complex and fragmented security update mechanism. This multi-stage update chain introduces significant delays and vulnerabilities, as patches must pass through numerous intermediaries before reaching end-users. Google's recent update initiative fails to comprehensively address the fundamental security challenges in Android's update ecosystem.

  • 18 Oct 2010

Building Android Sandcastles in Android's Sandbox

This paper examines Android's sandbox architecture and security vulnerabilities beyond traditional kernel-level exploits. The study shifts focus to analyzing systemic and third-party application security risks in the Android ecosystem. The research explores potential security weaknesses in Android's application isolation and sandbox implementation.