Android Hacking Part 4: unexpected information leakage (side-channel information leakage)
We will discuss unexpected information leakage, the so-called "side-channel information leakage" that I often mention.
What is unexpected information leakage?
When an application processes data entered by users or received from other sources, it may place that data in an insecure location where other, malicious applications on the same device can read it. This creates a risk.
Security risks
Because such side-channel information leaks very easily, the application is exposed to severe attacks. An attacker can read insecurely stored sensitive information with a small piece of code, and tools such as adb can also be used to read the data.
Example
Below are examples of side-channel information leakage:
Content Provider Information Leakage
Copy/paste buffer cache
Log records
URL Cache
Browser Cookie object
Third-party statistics
In the next sections, we will demonstrate how the above scenarios can be exploited by attackers.
1. Content Provider Information Leakage
Even if the data is not stored on the device, a malicious application can extract data from a vulnerable Content Provider.
For more information, see the second article.
2. Copy/Paste buffer cache
The copy/paste buffer (clipboard) in Android is also a security issue. Because text input is restricted on mobile devices, users prefer to copy and paste. If a user copies sensitive information such as a credit card number to the clipboard, attackers can easily read the data using a small piece of code.
With a malicious application installed on the victim's device, attackers can read the victim's sensitive information anytime, anywhere, causing serious losses to the victim.
We developed an example application using the above code to demonstrate how malicious applications can read sensitive information from the clipboard.
Assume that the user has copied sensitive information to the clipboard while using a legitimate application. Now, we use the malicious program to read information from the clipboard:
In our example, the data is read and displayed on the screen, but attackers can remotely control malicious applications to send the read information to their own servers.
3. Logs
The logging facility provided by Android is another place where information may leak. Logs are generally used for debugging during development. In this section, we will see how attackers can discover leaked information through logs. During the test, I used logcat to read log information in several ways, described in the following subsections.
3.1 Use Eclipse
If you use the Eclipse IDE, you only need to connect your device to your computer. The Logcat tab shows all the log output produced while the application is running, which may contain sensitive information. In the test application, for example, the password is printed in the log.
3.2 Use adb
We use adb to view logs.
Connect the device to your computer and run the following command:
# adb logcat
This command prints all logs in the terminal. The application logs we are interested in are scattered among a large number of system event logs. We can filter for the entries we are interested in using logcat's priority levels:
V (verbose): print all details
D (debug): print debug logs
I (information): print information-level logs
E (error): print error logs
W (warning): print warning logs
We can also save the logcat output to a file using the following command:
# adb logcat > output.txt
Save the logs to your computer for further analysis.
3.3 Use malicious applications
We can also develop a malicious application to read device logs. The key code is as follows:
Tip: The READ_LOGS permission is no longer available to third-party applications after Jellybean (Android 4.1 API level 16), but this code can still run on a rooted device.
4. URL caching and browser cookie objects
A large number of WebView-based applications leak URLs, cookies, and cached data. This allows attackers to hijack user sessions. Such cached data may take the form of logs, traffic history, browser cache, and so on.
We can use grep to filter sensitive information such as cookies from logcat output. The command is as follows:
# adb logcat | grep "cookie"
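The saved-log analysis from section 3.2 and the cookie grep above can be combined into one triage script that also honours the priority levels. This is an added example, not code from the original article; the function name `scan_logcat`, the keyword list, and the sample log lines are assumptions constructed for illustration.

```python
import re

# Default `adb logcat` (threadtime) layout: date time PID TID priority tag: message
LINE_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+(?P<pid>\d+)\s+\d+\s+"
    r"(?P<prio>[VDIWEF])\s+(?P<tag>.+?)\s*: (?P<msg>.*)$"
)
# Key names that suggest a secret is being logged (assumed list; tune per app).
SECRET_RE = re.compile(
    r"(?i)\b(?P<key>password|passwd|pwd|cookie|token|authorization)\b"
    r"\s*[=:]\s*(?P<value>\S+)"
)
PRIORITIES = "VDIWEF"  # lowest to highest


def scan_logcat(lines, min_priority="V"):
    """Return redacted findings for lines at or above min_priority that log a secret."""
    floor = PRIORITIES.index(min_priority)
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or PRIORITIES.index(m["prio"]) < floor:
            continue  # banner/unparsed line, or below the requested level
        msg = m["msg"]
        hit = SECRET_RE.search(msg)
        if hit:
            # Redact the value so the report does not become a second leak.
            shown = msg[:hit.start("value")] + "<redacted>" + msg[hit.end("value"):]
            findings.append({"line": lineno, "pid": int(m["pid"]), "priority": m["prio"],
                             "tag": m["tag"], "key": hit["key"].lower(), "message": shown})
    return findings


# Constructed sample shaped like `adb logcat > output.txt`; not from a real device.
SAMPLE = """\
--------- beginning of main
03-14 10:15:31.900  1001  1001 I ActivityManager: Start proc com.example.bank
03-14 10:15:32.123  4321  4321 D LoginActivity: user=alice password=hunter2
03-14 10:15:32.480  4321  4350 V WebViewClient: Cookie: JSESSIONID=ABCDEF123456; path=/
03-14 10:15:33.010  4321  4321 E NetworkTask: timeout contacting server
""".splitlines()

if __name__ == "__main__":
    for finding in scan_logcat(SAMPLE):
        print(finding)
```

Run against a debug build's saved log before release; any finding is a log statement that should be removed or stripped from production builds.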
Many applications do not disable caching. You can simply use HTTP headers such as "no-cache" and "no-store" to avoid information leakage.
There are many vulnerability reports in this regard. For details, refer to the relevant links at the end of the article.
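One way to check whether a backend's responses follow the "no-cache"/"no-store" advice above is to audit captured response headers. This is an added example, not code from the original article; the function names, verdict labels, and header blocks are assumptions constructed for illustration.

```python
def parse_cache_control(values):
    """Merge one or more Cache-Control header values into {directive: argument}."""
    directives = {}
    for part in ",".join(values).split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives


def audit_response(raw):
    """Classify one response header block and list why it may leak via a cache."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    cc = parse_cache_control(headers.get("cache-control", []))
    issues = []
    if "no-store" in cc:
        verdict = "not-stored"
    elif "no-cache" in cc:
        verdict = "stored-revalidated"
        issues.append("no-cache alone still lets the body be written to the cache")
    else:
        verdict = "cacheable"
        issues.append("neither no-store nor no-cache is set")
    if verdict != "not-stored" and "set-cookie" in headers:
        issues.append("response sets a cookie and can be stored")
    return verdict, issues


# Constructed header blocks, shaped like responses captured while testing a WebView app.
LEAKY = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSION=abc123; HttpOnly
Cache-Control: max-age=3600
"""
PARTIAL = "HTTP/1.1 200 OK\nCache-Control: No-Cache\nSet-Cookie: SESSION=abc123\n"
SAFE = "HTTP/1.1 200 OK\nCache-Control: no-cache, no-store\ncache-control: must-revalidate\n"

if __name__ == "__main__":
    for name, block in (("LEAKY", LEAKY), ("PARTIAL", PARTIAL), ("SAFE", SAFE)):
        print(name, audit_response(block))
```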
5. Analyze the information sent to a third party
Some applications use third-party APIs. When such an application is used, the third-party APIs may read sensitive information such as the device ID and location information.
Summary:
According to the OWASP mobile security vulnerability Top 10 released in 2014, unexpected information leakage ranked fourth. Although this seems a very simple vulnerability, the leaked key information may cause serious security risks. It is relatively simple for attackers to check for information leakage. Therefore, developers are strongly advised to prevent information leakage during application development.