My previous article received a lot of praise, mainly for helping people learn new ideas. Since its release I have been preparing this second one, and finally decided to publish it on 07v8; I can promise you will learn a lot of ideas from it. I originally wanted to prepare a demonstration video and asked many vendors for authorization, but because vulnerability details are involved the vendors are very strict, so there are no practical demonstrations in this article. I have tried to describe everything in enough detail that you can follow along. Everybody, don't fall asleep.
When it comes to app gesture password bypasses, some of you may never have touched the topic, or have touched it but only at a few well-known points. Here I sum up the digging ideas from my one year of white hat work: some already exist online, some I found on my own by constant experimentation.
First, the impact. Gesture passwords are generally used in payment, finance and security apps, such as XX Finance, XX Pay, XX Wallet or XX Security Center; these basically all have one. The gesture password is the user's first lock on the app, and if this lock is broken it is easy to threaten the user. The attack does need physical access to the device, but in practice that does not make it hard to exploit, so let us look at where it is weak. The ideas in this article cover the following environments: no root required, no jailbreak required, and root (high privilege) required.
Gesture password bypass ideas that need neither root nor jailbreak
0x01 Bypass via in-app advertisements
I wanted to find an example online but could not. Many apps load an advertisement when they are launched; if the return path is not verified properly, tapping the advertisement and then going back lands you inside the app, bypassing the gesture password.
0x02 Bypass via launching the app a second time
This multi-launch trick is one of my early discoveries. At first I thought it needed root; later I found it does not at all. Open the app and stay on the gesture password entry page, press the Home button to return to the desktop, open an app store and search for this app. Because it is already installed, the store shows an Open button; tap it and the app is started again. If this path is not verified properly, it leads straight past the gesture password into the app.
0x03 Bypass via exiting, and brute forcing
I also found this in testing a long time ago; many apps still have it, and I hope it gets fixed soon. A gesture password generally allows 5 wrong attempts. After the 5th you have to log in again, and the app tells you the limit is exceeded, either in a pop-up box or directly in a TextView on the gesture password page. That by itself is not the problem; the point is not to tap anything. For example, when the box saying the gesture password limit is exceeded appears, with a confirmation button underneath, do not tap it. Go straight back to the desktop and kill the app. Sometimes clearing it from the recent apps list is not enough, because it may still be allowed to run in the background, and the trick fails; so for reliability go to Settings, find the app and choose Force Stop, then open the app again. If the verification is not done, it either goes straight to the main page, or to the page for setting a new gesture password, or back to the gesture password verification page. In the last case there is a brute-force problem: you now have 5 more attempts, and by repeating this the gesture password can be brute-forced.
I found an example of this problem:
http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0127528.html
0x04 Bypass via improper cleanup
Some apps store the gesture password in a local text file and the account's login state in a local database. When the app clears its local data it does not actually clean up the login information: the local database is left alone while the text file is cleaned up. The gesture password is gone, the login state remains, and you are in. Uninstalling and reinstalling works on the same principle.
I found two examples here. The first:
http://wooyun.jozxing.cc/static/bugs/wooyun-2013-036972.html
The second:
http://wooyun.jozxing.cc/static/bugs/wooyun-2013-040714.html
0x05 Bypass via improper display
In some apps, for a short moment after launch, you can get into or tap some features of the app before the gesture password page covers them. You only need to tap on that page; as long as you are fast enough, you reach the function's page and bypass the gesture password.
I found an example of this problem:
http://wooyun.jozxing.cc/static/bugs/wooyun-2014-057885.html
0x06 Bypass via the app's own notifications
Some apps push notifications to the status bar. If tapping the notification is not verified, you can bypass the gesture password and go straight to the main page.
0x07 Bypass via a shortcut button
I have never run into this one myself: the gesture password verification page shows a Settings button, and the Settings page it opens is not verified, which bypasses the lock.
I found an example of this type of problem:
http://wooyun.jozxing.cc/static/bugs/wooyun-2012-014456.html
0x09 Bypass via a cleanup defect
As said above, this is again a case where the gesture password and the account information are stored in different places, and cleanup only removes the gesture password and not the login information. On the gesture password verification page tap "forgot gesture password"; it jumps to the login page. Go straight back to the desktop, kill the app running in the background, open it again, and it goes directly to the main page, still logged in.
0x10 Bypass via an interface design bug
I saw this problem earlier; it was on iOS, so I list it here. Once on the gesture password page you could swipe left or right to slide to the main page, bypassing the gesture password. Probably little software has this problem.
Summary:
Some of the ideas above I found in my own testing, some are from the internet. None of them need root or a jailbreak, but they rarely work on iOS software, because these are mainly Android app problems. Many large apps currently have half of these problems; I hope the vendors' SRCs fix them soon, or white hats find them soon, to avoid impact on users and products.
The ideas above need no special environment; the following bypass ideas need a high-privilege environment.
Gesture password bypass ideas under root / high privilege
(Software needed for the modifications: RE Manager, SQLite Editor)
0x01 Bypass via denial of service
Analyse the app and find the component associated with the gesture password. A denial-of-service attack on it can bypass the gesture password straight to the main page, because the lock is a separate Activity: when that Activity is stopped, the app moves on to the next Activity, which is the main page, and the gesture password is bypassed.
I did not use this in my own tests; I found an example that provides a detailed reference:
http://wooyun.jozxing.cc/static/bugs/wooyun-2016-0177256.html
0x02 Summary of ideas for bypassing by modifying files in the shared_prefs directory
To avoid unnecessary sub-classification I have put every approach around this directory under this second idea; read it and take what you need. Since I have dug into this problem for so long, I describe the easy-to-miss points in as much detail as possible. In this folder we only look at the XML files; the backup files can be ignored. Among so many files, how do you find the ones related to the gesture password? My technique is actually very simple and relies on modification times. Entering the app loads and rewrites files, so their timestamps change as you navigate; stop at the screen for setting the gesture password, wait about a minute, and only then make the change. Now you can filter fairly accurately for the files modified at that minute and look through them one by one. Values that are obviously not a stored secret need no attention; the remaining parameters are few and mostly timestamps, and what is left can be filtered again with the same method.
Once you have found the file that stores the gesture password you can start modifying it. Here are the relevant ideas.
First idea: modify the file permissions
Remove the read permission and leave only write. If the app does not verify properly, then on launch it brings up the set-gesture-password page: it cannot read the file, only write to it, so it mistakenly believes no gesture password has been set, and the verification is bypassed. You can also remove all permissions so it cannot load the gesture password at all, then simply start the app. The real defect here is fail-open behaviour: an unreadable or missing lock file should be treated as locked, not as "no password set".
Second idea: modify the file content
When modifying permissions achieves nothing, you need to modify the content. Find the gesture password in the file and check whether it is encrypted. If it is, check whether the scheme is recognisable from the stored value, for example Base64, MD5 or another common scheme; if so, decode or crack it, and you have the password, which you can simply enter. If the scheme is unknown, test what the stored value becomes after the gesture password is switched off in the app. If the parameter is emptied or deleted on switch-off, you can do the same by hand, clearing the value or removing the parameter. If a value is still present when the lock is off, copy the value generated on switch-off into another account's file and see whether that forcibly disables its lock; if so, the gesture password can be forced off and bypassed.
Here is a small trick of mine, since this point may trouble many white hats digging at this problem. When you modify the file you may find that you have changed it but the app behaves no differently; for example you removed every permission and nothing changed. The problem at that point is not that the app verifies or restricts anything; it is that you have not completely killed the app running in the background. While you edit the file the process is still alive, and your edit does not take effect on a running app, just as you cannot uninstall software that is running. On the phone you get no prompt that the file is in use, whereas a computer would remind you. (On Android the precise reason is that SharedPreferences are loaded into memory once per process and written back to disk on the next commit, so an edit made on disk while the process is alive is ignored and then overwritten.) So go to Settings or the shortcut, find the app, choose Force Stop, then modify the file, then open the app, and it works.
Online I really cannot find a relevant example; the one I found is only a simple plaintext display problem, which leaves me rather helpless.
This is the gesture password plaintext display problem:
http://wooyun.jozxing.cc/static/bugs/wooyun-2016-0190545.html
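The first two ideas above (permissions, then content) as an added shell example; this is not code from the original article or from any vendor's app, it is written to be run in adb shell as root. The package name com.example.app, the file name lock.xml and the key names gesture_pwd, gesture_enabled, gesture_fail_count and user_token are assumptions, as is the sample prefs file, which is constructed here with MD5("123456") as the stored hash; a real app uses its own names, found with the timestamp method.

```shell
#!/bin/sh
# Added example, not code from the original article: shell helpers for the
# shared_prefs ideas above, written to be run in `adb shell` as root on a
# rooted device. The package name com.example.app, the file lock.xml and the
# key names gesture_pwd, gesture_enabled, gesture_fail_count and user_token
# are assumptions; a real app uses its own names, found as described above.

# Kill the app before touching its files. Android keeps SharedPreferences
# cached in memory per process and writes them back on the next commit, so an
# edit made while the process is alive is ignored and then overwritten.
force_stop() {
    if command -v am >/dev/null 2>&1; then
        am force-stop "$1"
    else
        echo "am not available here; force-stop $1 from Settings first" >&2
    fi
}

# --- First idea: permissions. Keep the original mode so it can be restored.
# `ls -l` is used instead of `stat` because stat's flags are not portable.
save_mode() { ls -ld "$1" | cut -c2-10; }        # prints e.g. rw-rw----
restore_mode() {                                  # restore_mode FILE MODESTR
    u=$(printf '%s' "$2" | cut -c1-3 | sed 's/-//g')
    g=$(printf '%s' "$2" | cut -c4-6 | sed 's/-//g')
    o=$(printf '%s' "$2" | cut -c7-9 | sed 's/-//g')
    chmod "u=$u,g=$g,o=$o" "$1"
}
strip_read() { chmod a-r "$1"; }                  # write-only file
strip_all()  { chmod a-rwx "$1"; }                # no access at all

# --- Second idea: content. Each entry in an Android prefs XML is one line:
#   <string name="k">text</string>    or    <boolean name="k" value="true" />
# Edits are written through `cat >` so the file keeps its inode, and with it
# the app's uid as owner; `mv` or `cp` would leave a root-owned file behind.
_rewrite() {                                      # _rewrite FILE SEDSCRIPT
    tmp="$1.edit.$$"
    sed "$2" "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}
prefs_get() {                                     # prefs_get FILE KEY
    line=$(grep "name=\"$2\"" "$1" | head -n 1)
    [ -n "$line" ] || return 1
    case "$line" in
        *value=\"*)  printf '%s\n' "$line" | sed 's/.*value="\([^"]*\)".*/\1/' ;;
        *"<string"*) printf '%s\n' "$line" | sed 's/.*<string[^>]*>\(.*\)<\/string>.*/\1/' ;;
    esac
}
prefs_delete() { _rewrite "$1" "/name=\"$2\"/d"; }
prefs_set_attr() {                                # for boolean/int/long/float
    _rewrite "$1" "/name=\"$2\"/s/value=\"[^\"]*\"/value=\"$3\"/"
}
prefs_set_string() {                              # value must not contain |
    _rewrite "$1" "/name=\"$2\"/s|\(<string[^>]*>\).*\(</string>\)|\1$3\2|"
}

# Reproduce what the app itself writes when the lock is switched off
# (assumed here: flag false, hash removed, counter reset).
disable_gesture_lock() {
    prefs_set_attr "$1" gesture_enabled false
    prefs_delete   "$1" gesture_pwd
    prefs_set_attr "$1" gesture_fail_count 0
}

# Constructed sample file standing in for
# /data/data/com.example.app/shared_prefs/lock.xml. The hash is MD5("123456").
write_sample_prefs() {
    cat > "$1" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="gesture_pwd">e10adc3949ba59abbe56e057f20f883e</string>
    <boolean name="gesture_enabled" value="true" />
    <int name="gesture_fail_count" value="3" />
    <string name="user_token">constructed-session-token</string>
</map>
EOF
}

# Offline walk-through on the sample file: run `sh this.sh demo`.
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_prefs "$f"
    force_stop com.example.app
    echo "lock hash: $(prefs_get "$f" gesture_pwd)"
    m=$(save_mode "$f"); strip_read "$f"; echo "mode now $(save_mode "$f")"
    restore_mode "$f" "$m"
    disable_gesture_lock "$f"
    echo "enabled: $(prefs_get "$f" gesture_enabled), hash: '$(prefs_get "$f" gesture_pwd)'"
    rm -f "$f"
fi
```

On a device the order is always force_stop, then save_mode, then the chmod or the content edit, then launch the app; restore_mode afterwards puts the file back so the next experiment starts from a clean state. The sed-based editing is deliberately line-oriented: it is enough for the one-entry-per-line XML the framework writes, and it avoids pulling an XML tool onto the device.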
Third idea: modify the directory permissions
If modifying the file does not work, you may have the wrong file or made a mistake in the modification. Then try modifying the permissions of the shared_prefs directory itself: remove all read and write permissions and run the app, and the gesture password may be bypassed.
0x03 Bypass by modifying files in the databases directory
Use the same method as above to find the database file that stores the gesture password. Once you have found it, here are the relevant ideas.
First, if you get an error message when opening the database file, there are several ways around it. You can modify permissions; I forget exactly which, something like ticking the execute permission on the database file or on the databases directory; please test it yourself. You can also copy the database file to a local directory such as the SD card, where permissions allow it to open normally, modify it there, copy it back over the original, and then fix the permissions. When copying back, make sure the file keeps the app's uid as owner and its original mode (write over the existing file rather than replacing it), or the app itself will no longer be able to open its database.
First idea: modify the contents of the database file
If the gesture password is stored in plaintext in the database, find the database file with SQLite Editor and modify the content. Likewise, if it is encrypted, try to decrypt it; if that fails, keep testing: look at what the relevant columns contain when no gesture password is set and how they get emptied, then simply clear the current content in the same way to bypass. If other values also change, copy the "lock off" values over to see whether a different account's gesture password can be switched off; if so, the problem exists.
Second idea: modify the database file permissions
When the first idea is not possible, try modifying the permissions of the database file itself: remove all permissions and see whether the lock is bypassed.
Third idea: modify the databases directory permissions
If that still fails, you may have the wrong file or a mistaken modification; modify the directory permissions directly, removing all permissions or only the execute permission, and see whether the lock is bypassed.
0x04 Bypass by modifying the files directory
I also found this in testing: sometimes the gesture-password-related files are stored in this directory. Use my ideas above to find which file it is, then keep switching the gesture password on and off to see whether the contents of other files change, and also try modifying the file or directory permissions.
How do you find where the gesture password is stored? The key is the method described above: keep modifying the gesture password and watch which directories and files have timestamps that change in step. Be aware that some directories do not get their own timestamp updated even though the files inside them do, which is more covert (a directory's modification time changes only when an entry is created, deleted or renamed, not when a file inside it is rewritten in place). For example, after you change the gesture password and look for directories and files matching that time, some directory still shows an old time; if you are careless you may skip it. I always go in and look, and find that the last-modified time of a file inside it is exactly the time I changed the gesture password. So being careful is very important; if you ignore this, you may conclude the problem does not exist or take a long time to find it.
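The timestamp technique used in 0x02 above and again here, as an added shell example that is not code from the original article: instead of reading modification times in a file manager, drop marker files around each step in the app and let find compare against them. It is meant for adb shell as root; the path /data/data/com.example.app and the file names used in the comments and in the offline walk-through are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: find the files an app
# rewrites when its gesture password is set or switched off, using marker
# files and POSIX `find -newer` instead of reading timestamps in a file
# manager. Intended for `adb shell` as root; /data/data/com.example.app and
# the file names in the comments are placeholders.

# Drop a marker file immediately before and after each step in the app.
mark() { touch "$1"; }

# Regular files under DIR modified after START and not after END, sorted.
# Only file mtimes are consulted: a directory's own mtime changes only when
# an entry is created, deleted or renamed, not when a file inside it is
# rewritten in place, which is why the directory can look untouched.
files_changed_between() {
    find "$1" -type f -newer "$2" ! -newer "$3" 2>/dev/null | sort
}

# Same, restricted to the shared_prefs XML files (skips the .bak copies).
prefs_changed_between() {
    find "$1/shared_prefs" -type f -name '*.xml' -newer "$2" ! -newer "$3" \
        2>/dev/null | sort
}

# Paths present in both sorted list files: files touched by *both* steps are
# the candidates; a file touched by only one step is usually a log or a
# last-used timestamp.
in_both() { comm -12 "$1" "$2"; }

# Typical session, with each listing saved before the next step happens:
#   mark /sdcard/m1; <set the gesture password in the app>;   mark /sdcard/m2
#   files_changed_between /data/data/com.example.app /sdcard/m1 /sdcard/m2 > /sdcard/a
#   mark /sdcard/m3; <switch the gesture password off>;       mark /sdcard/m4
#   files_changed_between /data/data/com.example.app /sdcard/m3 /sdcard/m4 > /sdcard/b
#   in_both /sdcard/a /sdcard/b
# Copy the candidates out after each step and diff the copies to see which
# key actually changes.
```

Keep the markers outside the directory being scanned (the SD card is convenient), otherwise the END marker itself shows up in the listing. Save each listing before performing the next step; a file rewritten by both steps only carries the later timestamp, so the intersection is only meaningful between listings taken at the time.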
The ideas in the article so far can be called a starter. Finally I put out my latest idea. I am not dedicating it to anyone in particular; it is for promoting more secure development in this area and so that you learn more relevant ideas, so that these problems can be avoided later in development.
Latest idea: disable a permission, then re-enable it
This one depends on whether the app interacts with its local files in real time, that is, whether it reacts immediately when a local file changes.
Again find the relevant file. Modify its permissions, for example remove the read permission, and open the app: you find that no gesture password verification is asked for. You may be happy at this moment, but you will also find that the current login information has been cleared. Do not be discouraged: tick the read permission back on and switch back to the app. As long as it syncs automatically, it reads the login information from the database again, and the state becomes logged in without you ever having logged in.
You can also modify the permissions of the directory directly; the idea is the same.
If none of the ideas above work, try this final one; as long as the app is real-time, it can basically be bypassed.
Some apps mix the gesture password in with the login information and add a checksum. In that case find the databases directory, remove all read permissions, and open the app: it goes to the home page but without login information, perhaps showing "not logged in" or a blank area. Now change the read permission back and return to the app: it automatically loads the login information, the login information appears, and the gesture password has been bypassed.
Summary: Why did I write such an article? Because I noticed nobody has summed up these ideas so far, so I put together the ideas I found over a long time of digging along with some from the internet. I should say that the online ideas never succeeded for me, and I did not find the relevant ideas on the internet; most of the ideas in the article I found myself while bypassing gesture passwords one by one, so I collected them together, mainly so that more people learn the relevant knowledge and ideas, and so that vendors learn about the problems in their products and fix them early. Writing the whole article took 4 hours; very happy! Many of these problems come from the lack of validation of local gesture passwords and the lack of real-time validation. Many vendors have said "you are doing it under root, so it is not a threat", but I still say: if your app has no problem, then no matter what environment I use I cannot find a hole in it; in the final analysis your app has a problem. Now that the problem is found, solve it, and make the world more beautiful! Finally, I hope everyone keeps learning; in the coming new year I wish you a happy New Year! See you in the next article ~
07v8 Double-s says:
In this article the author sums up app gesture password bypass ideas found in the course of his own digging, together with some ideas from the internet, hoping that more white hats can develop more digging ideas and approaches. We hope you have gained something, and that more vendors pay more attention to security.
App Gesture Password Bypass