Thursday, January 8, 2015

Android app with full control over your Google account

Some time ago after I had defended my diploma thesis on OAuth security my groupmate asked me: "Hey, have you looked into Android OAuth?", and I felt slightly lost since I realized there is yet another OAuth implementation, and I didn't know how it works.

Lately I found some time to resolve this problem. The task seemed challenging at the beginning since Android OAuth is a part of Google Play, which is closed source: this was the first time I had to reverse-engineer to see how the open standard works (namely OAuth). Instead of explaining the whole design myself in this write up, I recommend to read sbktech's blog where he has recently published his full, descriptive, and easy to read explanation of Android OAuth internals. I would just add a few notes about my own findings to the existing sbktech's post:

TL;DR: I was able to find two vulnerabilities in Google Play system apk which allowed me to bypass the Android application permission model: an installed app asking no permissions could get full access to the device owner's Google account (it is sufficient for a new app install or Chrome sync access).

As a first step to understand the weak parts of the OAuth logic I binded to the service manually and made, perhaps, a classic mistake with "NetworkOnMainThreadException", which thankfully brought me the "getToken() -> ... -> network request" callstack in a logcat to explore:

W/GLSUser (  602): GoogleAccountDataService.getToken()
I/GoogleHttpClient(  602): Falling back to old SSLCertificateSocketFactory
I/GoogleHttpClient(  602): Using GMS GoogleHttpClient
W/GLSActivity(  602): [GetToken] - getToken exception!
W/GLSActivity(  602): android.os.NetworkOnMainThreadException
W/GLSActivity(  602): at android.os.StrictMode$AndroidBlockGuardPolicy.onNetwork(
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at
W/GLSActivity(  602): at gaz.a(SourceFile:823)
W/GLSActivity(  602): at gaz.c(SourceFile:692)
W/GLSActivity(  602): at gaz.execute(SourceFile:601)
W/GLSActivity(  602): at xt.execute(SourceFile:365)
W/GLSActivity(  602): at xt.execute(SourceFile:447)
W/GLSActivity(  602): at avc.a(SourceFile:258)
W/GLSActivity(  602): at avd.a(SourceFile:575)
W/GLSActivity(  602): at avd.a(SourceFile:649)
W/GLSActivity(  602): at avd.a(SourceFile:812)
W/GLSActivity(  602): at avi.a(SourceFile:282)
W/GLSActivity(  602): at avh.a(SourceFile:163)
W/GLSActivity(  602): at axm.a(SourceFile:133)
W/GLSActivity(  602): at axf.a(SourceFile:337)
W/GLSActivity(  602): at axf.a(SourceFile:132)
W/GLSActivity(  602): at arx.a(SourceFile:92)
W/GLSActivity(  602): at arh.a(SourceFile:107)
W/GLSActivity(  602): at wj.onTransact(SourceFile:63)
W/GLSActivity(  602): at android.os.Binder.execTransact(
W/GLSActivity(  602): at Method)
W/System.err( 1093): android.os.NetworkOnMainThreadException
W/System.err( 1093): at android.os.Parcel.readException(
W/System.err( 1093): at android.os.Parcel.readException(
W/System.err( 1093): at$myConnection.onServiceConnected(
W/System.err( 1093): at$ServiceDispatcher.doConnected(
W/System.err( 1093): at$ServiceDispatcher$
W/System.err( 1093): at android.os.Handler.handleCallback(
W/System.err( 1093): at android.os.Handler.dispatchMessage(
W/System.err( 1093): at android.os.Looper.loop(
W/System.err( 1093): at
D/ConnectivityService(  389): handleInetConditionHoldEnd: net=0, condition=0, published condition=0
W/System.err( 1093): at java.lang.reflect.Method.invokeNative(Native Method)
W/System.err( 1093): at java.lang.reflect.Method.invoke(
W/System.err( 1093): at$
W/System.err( 1093): at
W/System.err( 1093): at dalvik.system.NativeStart.main(Native Method)

I restored the logic of those three-letter classes from arh to gaz (that's the Google Play part) and felt an extreme sympathy to the avd class because of the two following reasons:

1. URL parameter injection

The below function of the avd class parsed the getToken Bundle extras argument and inserted all _opt_XXX parameters from it inside the HTTP request as XXX, obviously allowing to set has_permission=1 without any user consent:

  public final List a(String paramString1, String paramString2, int paramInt, String paramString3, boolean paramBoolean1, Bundle paramBundle, boolean paramBoolean2, String paramString4, boolean paramBoolean3, boolean paramBoolean4, CaptchaSolution paramCaptchaSolution, PACLConfig paramPACLConfig, FACLConfig paramFACLConfig, String paramString5)
    if (str8.startsWith("_opt_"))
      localaux1.a(str8.replaceFirst("_opt_", ""), paramBundle.getString(str8));


2. Magic scopes "SID" and "LSID"

The GooglePlay also gladly granted me a couple of undocumented scopes, actually giving me back those SID and LSID session cookies in clear:

  public final TokenResponse a(TokenResponse paramTokenResponse, Map paramMap, int paramInt, String paramString1, boolean paramBoolean1, boolean paramBoolean2, String paramString2, PACLConfig paramPACLConfig, FACLConfig paramFACLConfig)
      if (("SID".equals(paramString1)) || ("LSID".equals(paramString1)))
         str1 = (String)paramMap.get(paramString1);


Additionally, I made a few more steps on my way to the PoC:

  • I impersonated the gms app by setting
  • I bypassed the signature verification by copy-pasting the signatures and setting them through _opt_client_sig=<sig> (sorry, no crypto flaws here)
  • I collected signatures for all versions of gms (two in total: 58e1c4133f7441ec3d2c270270a14802da47ba0e and 38918a453d07199354f8b19af05ec6562ced5788), so that my code worked on all Android 4/5 phones
  • I was able to leak the device owner's email through the AccountManager.newChooseAccountIntent for using it in GoogleAuthUtil.getToken (this intent silently returns the user's email if you signed into the only one Google account)

As a result, considering an installed app requiring no permissions, (1) allowed me to just leak all possible oauth2 scopes, while with (2) I was able to take over Google account.


December 2, 2014 — Reported the vulnerability to the Android security, @natashenka confirmed the repro works
January 6, 2015 — Response form Android security saying that the fix was pushed in mid-December, I checked that the repro stopped working on all my phones
January 9, 2015 — Public disclosure

Thanks to @evdokimovds from DSecRG for helping with unpacking tools and to @jduck from droidsec for verifying the code on multiple Android phones.