One root to own them all

One Root To Own Them All. Black Hat US 2013. Jeff Forristal @ Bluebox.


One Root To Own Them All

Black Hat US 2013

Jeff Forristal @ Bluebox


Outline

  • Introduction

  • Android APK Overview

  • Jar and Jar Signer

  • Exploit Analyze

  • APK Install Process

    • Normal Case

    • Abnormal Case

  • Vulnerability Point

  • Patch

  • Similar Approach

  • Conclusion

  • Reference






Android APK

  • APK stands for Android application package file.

  • Just a Jar file with some additional files that Android needs.


Android APK Content

  • Package resource files:

    • Android Manifest

    • Some Pictures, Audio files….

    • Etc…

  • classes.dex

  • META-INF/Manifest.MF


Compile Android APK

  • What we usually do:

    • 1. Write code in Eclipse / Android Studio

    • 2. Press the compile button

    • Simple and easy



Compile Android APK

  • 1. aapt creates R.java from the following files:

    • Android Manifest

    • Resources

    • Assets

  • 2. Use javac to compile the source code with some libraries

    -> generates many *.class files.

  • 3. Use dx to transform Java bytecode into Dalvik bytecode

    -> the many *.class files are merged into one classes.dex

  • 4. Use apkbuilder to generate the unsigned APK from the following files:

    • classes.dex

    • Package Resources Files

  • 5. Use jarsigner to sign the unsigned APK, producing the signed APK

    • E(unsigned APK, Key) = signed APK


Jar and JarSigner


Jar

  • Jar stands for Java Archive

  • The Jar file format is the same as the Zip file format

  • File contents:

    • *.class

    • Resources

    • META-INF/Manifest.MF


[Diagram: Jar and Android APK]


JarSigner

  • Generates a signature for a JAR (Java Archive)

  • Verifies the signature of a signed JAR file

  • Two additional files are placed in the META-INF directory:

    • a signature file with the .SF extension

    • a signature block file with the .DSA extension


JarSigner - Signing

[Diagram sequence; surviving labels: jarsigner, aapt, Integrity, Identity, Certificate, Public Key, Digital Signature for the Certificate]







PackageManager

[Diagram: PackageParser (Parsing Package and Verify), Installer (Sending Command to installd), PackageHandler (Handle Event)]

Overview

  • Parsing

  • Verify

  • Install


Parsing

[Diagram: an Android APK laid out as File 1 to File 4, followed by the Central Directory (File 1 to File 4 Meta-Data) and the End of Central Directory; other labels: JarFile.Class, JarEntry.Class]


Parsing, Verify and Install

  • 1. Get the list of entries from the Central Directory.

  • 2. Create a JarEntry object for each entry and put it into the mEntries HashMap.

    • The index is calculated by:

      • secondHash(String entry name)

  • 4. JarVerifier verifies each entry according to mEntries.

  • 5. After verification, find the classes.dex entry and install it.




Normal Case


Parsing

[Diagram: the Android APK holds Manifest.xml, META-INF, classes.dex and res; its Central Directory lists 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data, followed by the End of Central Directory; mEntries holds ZipEntry objects labelled Manifest.xml, META-INF, classes.dex, res]

Verify

[Diagram: mEntries with ZipEntry objects labelled Manifest.xml, META-INF, classes.dex, res]

Install

[Diagram: installd; the Android APK with Manifest.xml, META-INF, classes.dex, res and the same four Central Directory records, followed by the End of Central Directory]


What If …

[Diagram: two Android APK layouts side by side, each with Manifest.xml, META-INF, classes.dex, res and a Central Directory; one of them holds a second classes.dex]


Parsing

[Diagram: the APK holds Manifest.xml, classes.dex, META-INF, classes.dex and res; its Central Directory lists 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data, followed by the End of Central Directory; mEntries / ZipEntry object labels: Manifest.xml, META-INF, classes.dex, res, classes.dex]

Verify

[Diagram: mEntries / ZipEntry object labels Manifest.xml, META-INF, classes.dex, res, classes.dex, with a "!!!!!!" marker]

Install

[Diagram: installd; the APK with Manifest.xml, classes.dex, META-INF, classes.dex, res, with a "!!!!!!" marker; the Central Directory lists the same five records, followed by the End of Central Directory]
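
The abnormal case above has two classes.dex records in the Central Directory, while a name-keyed map such as mEntries can hold only one entry per name. The following check is an added example, not code from the presentation or from Android: it flags any archive whose Central Directory repeats a name, and shows how a name-keyed view hides one of the records. The sample archives, file contents and function names are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def build_zip(entries):
    """Build an in-memory ZIP from (name, data) pairs; duplicate names are kept."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile only warns on a duplicate name
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def duplicate_entries(apk_bytes):
    """Map each name that has more than one Central Directory record to its
    local-header offsets. An empty dict means every name is unique."""
    offsets = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():  # one ZipInfo per Central Directory record
            offsets[info.filename].append(info.header_offset)
    return {name: offs for name, offs in offsets.items() if len(offs) > 1}


def name_keyed_view(apk_bytes):
    """Simplified model of a name-keyed map (not Android's code): a later
    record with the same name replaces the earlier one."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        records = zf.infolist()
        return len(records), {i.filename: zf.read(i) for i in records}


# Constructed sample archives mirroring the slides' normal and abnormal layouts.
NORMAL = build_zip([("Manifest.xml", b"m"), ("META-INF/MANIFEST.MF", b"sf"),
                    ("classes.dex", b"dex-A"), ("res/icon.png", b"r")])
ABNORMAL = build_zip([("Manifest.xml", b"m"), ("META-INF/MANIFEST.MF", b"sf"),
                      ("classes.dex", b"dex-A"), ("classes.dex", b"dex-B"),
                      ("res/icon.png", b"r")])

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL), ("abnormal", ABNORMAL)):
        count, view = name_keyed_view(blob)
        print(label, "records:", count, "names:", len(view),
              "duplicates:", duplicate_entries(blob))
```

A scanner that rejects any APK for which `duplicate_entries` is non-empty does not depend on which of the two records a given parser ends up using.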