Re: "Data-Clone" -- a new way to attack android apps

[IEhrepus <5up3rh3i () gmail com>]

http://www.80vul.com/android/data-clone.txt update

thx jonn Horn(jannhorn () googlemail com)




hitest


2013/3/18 IEhrepus <5up3rh3i () gmail com>

> “I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The
>
> crypto is flawed, but not so flawed that this kind of attack would
> be possible. Also, apps on the device even need an exploit just to be
> able to read the encrypted data.”
>
> yes,"apps install on SDcard" is wrong :( apps install on sdcard ,but the
> data  on /data/data/xxx , like "Already have super privileges"
>
> thank u :), i will change it .
>
> hitest
>
>
> 2013/3/18 Jann Horn <jannhorn () googlemail com>
>
> > On Sun, Mar 17, 2013 at 06:09:09PM +0800, IEhrepus wrote:
> > > "Data-Clone" -- a new way to attack android apps
> > >
> > > Author: SuperHei () www knownsec com [Email:5up3rh3i#gmail.com]
> > > Release Date: 2013/03/16
> > > References: http://www.80vul.com/android/data-clone.txt
> > > Chinese Version:
> > > http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/
> > >
> > > --[ I - Introduction
> > >
> > > This is a new way to attack android apps t,and i call it "Data-Clone
> > > Attack". it can bypass password authentication ,when user login the
> > > app and set "remember password"(some apps is define).
> > [...]
> > > --[ III - How to exploit
> > >
> > > "How to get the contents of data" is key to the completion of the
> > > attack. some like this:
> > >
> > > 1. Already have super privileges
> > >
> > > under the root shell like the demo,u can bypass password
> > > authentication used "Data-Clone Attack".
> > >
> > > 2. apps install on SDcard
> > >
> > > the others have read  permissions to obtain the app's data.
> >
> > I'm pretty sure that this is wrong. Apps on the SD card are encrypted. The
> > crypto is flawed, but not so flawed that this kind of attack would
> > be possible. Also, apps on the device even need an exploit just to be
> > able to read the encrypted data.
> >
> >
> > > 3. Cross-site scripting on android
> > >
> > > app + webview + xss(or webkit xcs vul) = "Data-Clone"
> > >
> > > On older version of android , android app's xss or webkit xcs  vul can
> > > read the loacl file's contents :
> > > http://www.80vul.com/android/android-0days.txt
> > >
> > > So the app's webview have the file read permissions to the app's data.
> > > when a app user visit a URL link,the data will Be cloned。
> > >
> > > --[ IV - Disclosure Timeline
> > >
> > > 2012/03/   - Found this
> > > 2012/12/10 - Report it to security () android com
> > >
> > > ......For a long time has passed......
> > >
> > > 2013/03/16 - security () android com do not have any response
> > > (maybe,because Google was not andriod's biological mother)
> > > 2013/03/16 －Public Disclosure
> >
> > Or maybe because it's not exactly interesting that you can read an app's
> > data if you can execute code in its context?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/