One root to own them all
One Root To Own Them All. Black Hat US 2013. Jeff Forristal @ Bluebox. Outline: Introduction; Android APK Overview; Jar and Jar Signer; Exploit Analyze; APK Install Process (Normal Case, Abnormal Case); Vulnerability Point; Patch; Similar Approach; Conclusion; Reference.


One Root To Own Them All

Black Hat US 2013

Jeff Forristal @ Bluebox


Outline

  • Introduction

  • Android APK Overview

  • Jar and Jar Signer

  • Exploit Analyze

  • APK Install Process

    • Normal Case

    • Abnormal Case

  • Vulnerability Point

  • Patch

  • Similar Approach

  • Conclusion

  • Reference






Android APK

  • APK stands for Android application package file.

  • Just a Jar file with some other new files that Android needs.


Android APK Content

  • Package resource files:

    • Android Manifest

    • Some Pictures, Audio files….

    • Etc…

  • classes.dex

  • META-INF/Manifest.MF


Compile Android APK

  • What we usually do:

    • 1. Write code in Eclipse / Android Studio

    • 2. Press the compile button

    • Simple and easy



Compile Android APK

  • 1. aapt creates R.java from the following files:

    • Android Manifest

    • Resources

    • Assets

  • 2. Use javac to compile the source code with some libraries

    -> generates many *.class files.

  • 3. Use dx to transform Java bytecode into Dalvik bytecode

    -> the many *.class files are merged into one classes.dex

  • 4. Use apkbuilder to generate the unsigned APK from the following files:

    • classes.dex

    • Package Resource Files

  • 5. Use jarsigner to sign the unsigned APK, producing the signed APK

    • E(unsigned APK, Key) = signed APK


Jar and JarSigner


Jar

  • Jar stands for Java Archive

  • The Jar file format is the same as the Zip file format

  • File Contents:

    • *.class

    • Resources

    • META-INF/Manifest.MF


[Diagram: Jar and Android APK]


JarSigner

  • Generate Signature for JAR (Java Archive)

  • Verify Signature for Signed JAR file.

  • Two additional files are placed in the META-INF directory:

    • signature file with .SF as extension

    • signature block file with .DSA extension


JarSigner - Signing

[Diagram slides; surviving labels: aapt, jarsigner; Integrity; Identity; Certificate, Public Key, Digital Signature for the Certificate]







PackageManager

  • PackageParser: Parsing Package and Verify

  • Installer: Sending Command to installd

  • PackageHandler: Handle Event


Overview

  • Parsing

  • Verify

  • Install


Parsing

[Diagram: an Android APK laid out as File 1 to File 4, followed by the Central Directory (File 1 Meta-Data to File 4 Meta-Data) and the End of Central Directory; labels: JarFile.Class, JarEntry.Class]


Parsing, Verify and Install

  • 1. Get the list of entries from the Central Directory.

  • 2. Create a JarEntry object for each entry and put it into the mEntries HashMap.

    • The index is calculated by:

      • secondHash(String entry name)

  • 4. JarVerifier verifies each entry according to mEntries.

  • 5. After verification, find the classes.dex entry and install it.




Normal Case

Parsing

[Diagram: an Android APK containing Manifest.xml, META-INF, classes.dex and res, followed by the Central Directory (1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data) and the End of Central Directory; mEntries holds ZipEntry objects for Manifest.xml, META-INF, classes.dex and res]

Verify

[Diagram: mEntries with ZipEntry objects for Manifest.xml, META-INF, classes.dex and res]

Install

[Diagram: installd and the Android APK containing Manifest.xml, META-INF, classes.dex and res, followed by the Central Directory (1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data) and the End of Central Directory]


What If …

[Diagram: an Android APK containing Manifest.xml, META-INF, classes.dex and res with its Central Directory, beside an Android APK in which classes.dex appears twice]

Parsing

[Diagram: an APK containing Manifest.xml, classes.dex, META-INF, classes.dex and res, followed by the Central Directory (1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data) and the End of Central Directory; mEntries with ZipEntry objects labelled Manifest.xml, META-INF, classes.dex, res, classes.dex]

Verify

[Diagram: mEntries with ZipEntry objects labelled Manifest.xml, META-INF, classes.dex, res, classes.dex; the slide carries a "!!!!!!" marker]

Install

[Diagram: installd and the APK containing Manifest.xml, classes.dex, META-INF, classes.dex and res, with a "!!!!!!" marker, followed by the Central Directory (1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data) and the End of Central Directory]
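
The repeated classes.dex record from the "What If" slides, checked from the defender's side in an added example (not code from the presentation or from Android). It compares every Central Directory record with a name-keyed view of them and refuses archives that repeat a name. The entry names, the helper functions and the assumption that a later put() replaces an earlier one for the same key are this example's own.

```python
import io
import warnings
import zipfile
from collections import defaultdict

# Constructed entry names, modelled on the slide labels (not a real APK).
NORMAL = ["Manifest.xml", "META-INF/Manifest.MF", "classes.dex", "res/icon.png"]
ABNORMAL = ["Manifest.xml", "META-INF/Manifest.MF", "classes.dex", "classes.dex",
            "res/icon.png"]


def build_sample(names):
    """Constructed test data: an in-memory archive listing `names` in order."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on repeated names
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names, start=1):
                zf.writestr(name, f"constructed placeholder data #{i}")
    return buf.getvalue()


def audit_entries(archive_bytes):
    """Compare every central directory record with a name-keyed view of them."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        records = zf.infolist()  # all central directory records, in file order
    positions = defaultdict(list)  # name -> positions in the central directory
    name_keyed = {}                # model of mEntries: one slot per entry name
    for pos, info in enumerate(records, start=1):
        positions[info.filename].append(pos)
        name_keyed[info.filename] = pos  # assumption: put() replaces an existing key
    return {
        "records": len(records),
        "map_size": len(name_keyed),
        "duplicates": {n: p for n, p in positions.items() if len(p) > 1},
        # records that a pass over the name-keyed map never reaches
        "unvisited": sorted(set(range(1, len(records) + 1)) - set(name_keyed.values())),
    }


def require_unique_names(archive_bytes):
    """Added hardening check: refuse an archive that repeats an entry name."""
    report = audit_entries(archive_bytes)
    if report["duplicates"]:
        raise ValueError(f"duplicate entry names: {sorted(report['duplicates'])}")
    return report


if __name__ == "__main__":
    print(audit_entries(build_sample(NORMAL)))
    print(audit_entries(build_sample(ABNORMAL)))
```

A mismatch between `records` and `map_size` is the signal to look for: it means at least one record exists in the archive that a name-keyed pass never examines.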

