Thursday, January 8, 2015

Android app with full control over your Google account

Some time ago, after I had defended my diploma thesis on OAuth security, a groupmate asked me: "Hey, have you looked into Android OAuth?" I felt slightly lost, since I realized there was yet another OAuth implementation out there and I didn't know how it worked.

Lately I found some time to fill this gap. The task seemed challenging at first, since Android OAuth is part of Google Play Services, which is closed source: this was the first time I had to reverse-engineer code just to see how an open standard (OAuth) was implemented. Instead of explaining the whole design myself in this write-up, I recommend reading sbktech's blog, where he recently published a full, descriptive and easy-to-read explanation of Android OAuth internals. I will just add a few notes about my own findings to sbktech's existing post:

TL;DR: I found two vulnerabilities in the Google Play Services system apk (com.google.android.gms) which allowed me to bypass the Android application permission model: an installed app that asks for no permissions at all could get full access to the device owner's Google account (enough, for example, to install a new app or to access Chrome sync data).

As a first step towards understanding the weak parts of the OAuth logic, I bound to the com.google.android.gms/.auth.GetToken service manually and made, perhaps, the classic mistake of doing network I/O on the main thread. The resulting NetworkOnMainThreadException thankfully gave me the full "getToken() -> ... -> network request" call stack in logcat to explore:

W/GLSUser (  602): GoogleAccountDataService.getToken()
I/GoogleHttpClient(  602): Falling back to old SSLCertificateSocketFactory
I/GoogleHttpClient(  602): Using GMS GoogleHttpClient
W/GLSActivity(  602): [GetToken] - getToken exception!
W/GLSActivity(  602): android.os.NetworkOnMainThreadException
W/GLSActivity(  602): at android.os.StrictMode$AndroidBlockGuardPolicy.onNetwork(StrictMode.java:1145)
W/GLSActivity(  602): at libcore.io.BlockGuardOs.connect(BlockGuardOs.java:84)
W/GLSActivity(  602): at libcore.io.IoBridge.connectErrno(IoBridge.java:144)
W/GLSActivity(  602): at libcore.io.IoBridge.connect(IoBridge.java:112)
W/GLSActivity(  602): at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:192)
W/GLSActivity(  602): at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:459)
W/GLSActivity(  602): at java.net.Socket.connect(Socket.java:843)
W/GLSActivity(  602): at com.android.okhttp.internal.Platform.connectSocket(Platform.java:131)
W/GLSActivity(  602): at com.android.okhttp.Connection.connect(Connection.java:101)
W/GLSActivity(  602): at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:294)
W/GLSActivity(  602): at com.android.okhttp.internal.http.HttpEngine.sendSocketRequest(HttpEngine.java:255)
W/GLSActivity(  602): at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:206)
W/GLSActivity(  602): at com.android.okhttp.internal.http.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:345)
W/GLSActivity(  602): at com.android.okhttp.internal.http.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:89)
W/GLSActivity(  602): at com.android.okhttp.internal.http.HttpURLConnectionImpl.getOutputStream(HttpURLConnectionImpl.java:197)
W/GLSActivity(  602): at com.android.okhttp.internal.http.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:254)
W/GLSActivity(  602): at gaz.a(SourceFile:823)
W/GLSActivity(  602): at gaz.c(SourceFile:692)
W/GLSActivity(  602): at gaz.execute(SourceFile:601)
W/GLSActivity(  602): at xt.execute(SourceFile:365)
W/GLSActivity(  602): at xt.execute(SourceFile:447)
W/GLSActivity(  602): at avc.a(SourceFile:258)
W/GLSActivity(  602): at avd.a(SourceFile:575)
W/GLSActivity(  602): at avd.a(SourceFile:649)
W/GLSActivity(  602): at avd.a(SourceFile:812)
W/GLSActivity(  602): at avi.a(SourceFile:282)
W/GLSActivity(  602): at avh.a(SourceFile:163)
W/GLSActivity(  602): at axm.a(SourceFile:133)
W/GLSActivity(  602): at axf.a(SourceFile:337)
W/GLSActivity(  602): at axf.a(SourceFile:132)
W/GLSActivity(  602): at arx.a(SourceFile:92)
W/GLSActivity(  602): at arh.a(SourceFile:107)
W/GLSActivity(  602): at wj.onTransact(SourceFile:63)
W/GLSActivity(  602): at android.os.Binder.execTransact(Binder.java:404)
W/GLSActivity(  602): at dalvik.system.NativeStart.run(Native Method)
W/System.err( 1093): android.os.NetworkOnMainThreadException
W/System.err( 1093): at android.os.Parcel.readException(Parcel.java:1475)
W/System.err( 1093): at android.os.Parcel.readException(Parcel.java:1419)
W/System.err( 1093): at com.google.android.gms.auth.sample.helloauth.GetNameInForeground$myConnection.onServiceConnected(GetNameInForeground.java:100)
W/System.err( 1093): at android.app.LoadedApk$ServiceDispatcher.doConnected(LoadedApk.java:1110)
W/System.err( 1093): at android.app.LoadedApk$ServiceDispatcher$RunConnection.run(LoadedApk.java:1127)
W/System.err( 1093): at android.os.Handler.handleCallback(Handler.java:733)
W/System.err( 1093): at android.os.Handler.dispatchMessage(Handler.java:95)
W/System.err( 1093): at android.os.Looper.loop(Looper.java:136)
W/System.err( 1093): at android.app.ActivityThread.main(ActivityThread.java:5017)
D/ConnectivityService(  389): handleInetConditionHoldEnd: net=0, condition=0, published condition=0
W/System.err( 1093): at java.lang.reflect.Method.invokeNative(Native Method)
W/System.err( 1093): at java.lang.reflect.Method.invoke(Method.java:515)
W/System.err( 1093): at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:779)
W/System.err( 1093): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:595)
W/System.err( 1093): at dalvik.system.NativeStart.main(Native Method)


I reconstructed the logic of the obfuscated three-letter classes from arh up to gaz (that is the Google Play Services part of the stack above) and developed a particular fondness for the avd class, for the following two reasons:

1. URL parameter injection


The function of the avd class shown below parses the Bundle of extras passed to getToken and copies every _opt_XXX entry from it into the HTTP request to the auth backend as the parameter XXX. Since the caller controls both the parameter name and its value, any app can simply pass _opt_has_permission=1 and obtain a token without any user consent:

  // avd.a(...) as decompiled; only the part of the body that handles the extras is shown
  public final List a(String paramString1, String paramString2, int paramInt, String paramString3, boolean paramBoolean1, Bundle paramBundle, boolean paramBoolean2, String paramString4, boolean paramBoolean3, boolean paramBoolean4, CaptchaSolution paramCaptchaSolution, PACLConfig paramPACLConfig, FACLConfig paramFACLConfig, String paramString5)
  {
    ...
    // str8 is the current key of paramBundle, i.e. of the extras passed to getToken
    if (str8.startsWith("_opt_"))
    {
      // "_opt_XXX" is added to the request as parameter "XXX": the caller picks both name and value
      localaux1.a(str8.replaceFirst("_opt_", ""), paramBundle.getString(str8));

      ...


2. Magic scopes "SID" and "LSID"


Google Play Services also gladly granted me a couple of undocumented "scopes", SID and LSID, and actually handed back those Google session cookies in the clear:

  // avd.a(...) as decompiled: builds the TokenResponse handed back to the calling app
  public final TokenResponse a(TokenResponse paramTokenResponse, Map paramMap, int paramInt, String paramString1, boolean paramBoolean1, boolean paramBoolean2, String paramString2, PACLConfig paramPACLConfig, FACLConfig paramFACLConfig)
    {
    ...
      // paramString1 is the requested scope, paramMap the key/value map of the auth response
      if (("SID".equals(paramString1)) || ("LSID".equals(paramString1)))
      {
         // the "token" returned to the app is the raw SID/LSID session cookie itself
         str1 = (String)paramMap.get(paramString1);

         ...

Additionally, I made a few more steps on my way to the PoC:

  • I impersonated the gms app itself by setting _opt_app=com.google.android.gms
  • I bypassed the signature verification by copy-pasting the gms signature and passing it through _opt_client_sig=<sig> (sorry, no crypto flaws here: the signature was just another caller-supplied parameter)
  • I collected the signatures of all versions of gms (two in total: 58e1c4133f7441ec3d2c270270a14802da47ba0e and 38918a453d07199354f8b19af05ec6562ced5788), so that my code worked on all Android 4/5 phones
  • I leaked the device owner's email address through AccountManager.newChooseAccountIntent in order to use it in GoogleAuthUtil.getToken (this intent silently returns the user's email, without any prompt, if only one Google account is signed in on the device)

As a result, for an installed app requesting no permissions at all, (1) alone let me obtain tokens for every possible oauth2 scope without consent, while (2) gave me the session cookies and with them the whole Google account.
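As an added illustration (not code from this post, from Google Play Services or from the linked gist), here is a Python model of the GetToken round trip that the two findings and the PoC steps above describe, with the vulnerable behaviour beside a hardened version. Taken from the post: the _opt_ prefix, the parameter names app, client_sig and has_permission, the "scopes" SID and LSID, and the two gms signature hashes. Constructed for this example and not from the real service: all function names, the uid table standing in for the Binder caller identity, the in-memory backend and its decision rule (it honours has_permission=1 only for a request that claims to come from gms, which is why the PoC needs all three extras), the cookie values and the allow-list of forwardable options.

```python
"""Model of the GetToken request path reconstructed in the post (added example,
not Google's code).  Only the names marked 'from the post' are real; the rest
is constructed so that the example runs offline."""

GMS_PACKAGE = "com.google.android.gms"           # from the post
GMS_SIGS = {                                     # from the post: both gms signing-cert hashes
    "58e1c4133f7441ec3d2c270270a14802da47ba0e",
    "38918a453d07199354f8b19af05ec6562ced5788",
}
OPT_PREFIX = "_opt_"                             # from the post
OAUTH2_PREFIX = "oauth2:"                        # GoogleAuthUtil scopes look like "oauth2:https://..."

# Constructed: what the Binder layer knows about each calling uid (package, cert hash).
CALLERS = {
    10100: (GMS_PACKAGE, "58e1c4133f7441ec3d2c270270a14802da47ba0e"),
    10123: ("com.example.noperms", "00" * 20),   # a third-party app with no permissions
}
# Constructed: the account's session cookies held on the device.
SESSION_COOKIES = {"SID": "sid-cookie-value", "LSID": "lsid-cookie-value"}
# Hypothetical allow-list of option names a third-party app may forward.
FORWARDABLE = {"request_visible_actions"}


def build_request_vulnerable(uid, scope, extras):
    """Finding 1 as modelled: every _opt_XXX extra is copied into the request as
    XXX after the service's own parameters, so the caller can overwrite app,
    client_sig and has_permission."""
    pkg, sig = CALLERS[uid]
    params = {"app": pkg, "client_sig": sig, "service": scope}
    for key, value in extras.items():
        if key.startswith(OPT_PREFIX):
            params[key.replace(OPT_PREFIX, "", 1)] = value
    return params


def build_request_hardened(uid, scope, extras):
    """Identity comes only from the Binder caller; extras may add allow-listed
    option names and may never overwrite a parameter the service already set."""
    pkg, sig = CALLERS[uid]
    params = {"app": pkg, "client_sig": sig, "service": scope}
    for key, value in extras.items():
        if not key.startswith(OPT_PREFIX):
            continue
        name = key[len(OPT_PREFIX):]
        if name not in FORWARDABLE or name in params:
            raise ValueError("refusing caller-controlled parameter %r" % name)
        params[name] = value
    return params


def backend_vulnerable(params):
    """Constructed model of the auth backend.  A request that claims to come
    from gms and carries has_permission=1 skips the consent step; finding 2:
    SID/LSID are accepted as scopes and answered with the raw session cookie."""
    trusted = params["app"] == GMS_PACKAGE and params["client_sig"] in GMS_SIGS
    if not (trusted and params.get("has_permission") == "1"):
        return None  # the user would have to consent first
    scope = params["service"]
    if scope in SESSION_COOKIES:
        return SESSION_COOKIES[scope]
    return "ya29.token-for-" + scope


def backend_hardened(params):
    """Same consent logic, but only real OAuth2 scopes are accepted, so the
    cookie branch above can never be reached."""
    if not params["service"].startswith(OAUTH2_PREFIX):
        raise ValueError("not an OAuth2 scope: %r" % params["service"])
    return backend_vulnerable(params)


def get_token(uid, scope, extras, hardened=False):
    """The whole GetToken round trip for one caller, vulnerable or hardened."""
    build = build_request_hardened if hardened else build_request_vulnerable
    backend = backend_hardened if hardened else backend_vulnerable
    return backend(build(uid, scope, extras))


# The extras the post describes its PoC sending: impersonate gms, replay its
# signature and claim the user has already consented.
POC_EXTRAS = {
    "_opt_app": GMS_PACKAGE,
    "_opt_client_sig": "58e1c4133f7441ec3d2c270270a14802da47ba0e",
    "_opt_has_permission": "1",
}

if __name__ == "__main__":
    scope = OAUTH2_PREFIX + "https://www.googleapis.com/auth/userinfo.email"
    print("no permissions, honest extras:", get_token(10123, scope, {}))
    print("no permissions, PoC extras:   ", get_token(10123, scope, POC_EXTRAS))
    print("magic scope LSID:            ", get_token(10123, "LSID", POC_EXTRAS))
```

The hardening shown is the generic one a reviewer would ask for (derive the caller's package and signature from the Binder identity rather than from its own input, allow-list the few option names that may be forwarded, and refuse anything that is not an oauth2: scope); the post does not say what Google's actual fix in mid-December looked like, so this is not a description of it.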

PoC: https://gist.github.com/isciurus/df4d7edd9c3efb4a0753

Timeline:
December 2, 2014 — Reported the vulnerability to the Android security team; @natashenka confirmed the repro works
January 6, 2015 — Response from the Android security team saying that the fix had been pushed in mid-December; I checked that the repro stopped working on all my phones
January 9, 2015 — Public disclosure

Thanks to @evdokimovds from DSecRG for helping with unpacking tools and to @jduck from droidsec for verifying the code on multiple Android phones.
