On secure development for Android: hard-coded keys

Source: Internet
Author: User


Ishin, stay Fox @ Ali Poly Security



1 Introduction

In the results of the Ali Poly Security vulnerability scanner and in manual app security audits, we frequently find that developers hard-code keys in Java code or in files, which creates serious risk. Information security rests on cryptography, and the commonly used cryptographic algorithms are public, so the confidentiality of encrypted content depends entirely on the confidentiality of the key. If the key leaks, then for a symmetric cipher anyone who knows the algorithm, the key and the ciphertext can trivially recover the plaintext; for an asymmetric cipher or signature algorithm, anyone who knows the (private) key and the data to be signed can compute a valid signature value and thereby forge signatures.


2 Risk Cases

When a key is hard-coded in the code, the security risk depends on what the key is used for. In some cases encrypted data can be decrypted and is no longer confidential; in others the communication protocol with the server can be broken, which triggers a whole series of further problems. The discussion below draws on several app vulnerabilities already published on WooYun (the "Dark Cloud" platform).


2.1 An Internet finance app's encryption algorithm is cracked, leading to sensitive information disclosure

The key of the DES algorithm used to encrypt data is hard-coded in the Java code. DES is a symmetric cipher, so the encryption key and the decryption key are the same.
Decompiling the app reveals the DES algorithm:

The DES key is found hard-coded as "Yrdappke" and is used to encrypt the gesture password:



The gesture password is encrypted with DES and stored locally in the file locuspasswordview.xml:


With the ciphertext, the encryption algorithm and the key all known, a decryption operation recovers the original gesture password from the file; alternatively, the same key can be used to generate and store a new gesture password.

The JSON fields in the interface used to communicate with the server are also encrypted with DES, with the key hard-coded as "Yrdappky":


Communication with the server uses plain HTTP rather than HTTPS, so anyone who can obtain the traffic, for example from a man-in-the-middle position or a router mirror port, can decrypt the user's communication content.


2.2 A car rental app's encryption algorithm is cracked, leading to a series of risks

A car rental app communicates with its server interface over HTTP. Some of the transmitted parameters are encrypted with AES, but the key is hard-coded in the Java code as "shenzhoucar123123", so the scheme can be reverse-engineered and requests forged. Combined with server-side vulnerabilities, this leads to unauthorized access, such as viewing other users' orders beyond one's own privileges.
The data exchanged with the server looks like this:


The Q field is the encrypted content. Reversing the app, starting from the login activity:


Analysis of the login flow: v1 is the user name, v2 is the password and v3 is the pushid. When the user name and password are non-empty and the length is at least 11, the loginoperate-related operations run. Tracing the loginoperate implementation shows that it inherits from Baseoperate; continuing to trace the implementation of Baseoperate:


In Baseoperate's Initurl() method, we find how the app generates the request data:


Continuing into the Initjsonurl() method, we discover that it calls AES encryption:


Continuing into the Aes.onencrypt() function:


Onencrypt() calls Encrypt() to encrypt the data. Tracing the implementation of Encrypt() shows that it uses the AES algorithm with the key hard-coded in the Java code as "shenzhoucar123123".


At this point the encryption of the request data is fully understood, and because the server's permission control is lax, a request for an arbitrary order ID can be constructed, giving unauthorized access to other users' orders.
The constructed request is {"id": "11468061"}:


With the uid set to one's own UID, other people's orders can be viewed successfully:


An attacker can re-implement the same encryption function in a script, chain the individual interface requests together, and harvest order information and other user information in bulk.
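The lasting lesson of this case is on the server side: a request body that decrypts cleanly with a key shipped inside the APK proves nothing about who sent it, so the order lookup must be tied to the authenticated session. The following is an added example, not code from the article or from the car rental app it analyses; the handler names, the in-memory order table and the session table are all constructed for illustration.

```python
"""Server-side ownership check for an order lookup endpoint.

Added example, not code from the original article or from the car rental
app it describes. It models the lesson of the case above: the client
encrypts its request with a key shipped inside the APK, so a request that
decrypts cleanly proves nothing about who sent it, and the server must
tie the order to the authenticated session itself. The handler names,
the in-memory order table and the session table are constructed.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_uid: str
    summary: str


# Constructed sample data: two users, one order each.
ORDERS = {
    "11468061": Order("11468061", "uid-alice", "rental by alice"),
    "11468062": Order("11468062", "uid-bob", "rental by bob"),
}
# Constructed session table: session token -> authenticated uid.
SESSIONS = {"tok-alice": "uid-alice", "tok-bob": "uid-bob"}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def vulnerable_get_order(decrypted_body: str, session_token: str) -> Order:
    """The flaw in the case: after decrypting the body, the handler looks
    the order up by id alone. The caller's identity is never consulted."""
    req = json.loads(decrypted_body)
    try:
        return ORDERS[req["id"]]
    except KeyError:
        raise NotFound(req["id"]) from None


def hardened_get_order(decrypted_body: str, session_token: str) -> Order:
    """Ownership comes from the authenticated session, never from the body.
    An order that exists but belongs to someone else is reported exactly
    like a missing one, so ids cannot be enumerated by error message."""
    uid = SESSIONS.get(session_token)
    if uid is None:
        raise Forbidden("no valid session")
    req = json.loads(decrypted_body)
    order = ORDERS.get(req["id"])
    if order is None or order.owner_uid != uid:
        raise NotFound(req["id"])
    return order


def can_view(handler, order_id: str, session_token: str) -> bool:
    """True when `handler` hands the order to the holder of session_token.
    The body mirrors the request shape in the case, {"id": "..."}."""
    body = json.dumps({"id": order_id})
    try:
        handler(body, session_token)
        return True
    except (Forbidden, NotFound):
        return False


if __name__ == "__main__":
    print("vulnerable, alice asks for bob's order:", can_view(vulnerable_get_order, "11468062", "tok-alice"))
    print("hardened,   alice asks for bob's order:", can_view(hardened_get_order, "11468062", "tok-alice"))
```

The hardened handler never reads a uid from the request at all; the client-side AES layer is left in place but is treated as transport obfuscation, not as authentication.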



2.3 A hotel app's signature algorithm is cracked, leading to a series of risks

A hotel app communicates with its server interface over HTTP. The data is encrypted and the transmitted parameters are signed; the server verifies the signature to check whether the transmitted data has been tampered with. But the algorithm and the key can be reverse-engineered, which invalidates the signing mechanism: an attacker can forge request packets at will, and combined with server-side permission-control flaws this leads to privilege-escalation risk.

In the original packets exchanged between the app and the server, a signature field named sign can be seen:


Reversing the app locates the cryptographic logic in Com.htinns.biz.HttpUtils.class, whose implementation logic is:


The raw data is unsigndata. It is encrypted with the RC4 algorithm using the value of the key variable as the key; the encrypted data is SignData, and the data actually transmitted is signdata.
The signature field (Signd) is generated by concatenating unsigndata, the current time and Resultkey, computing the MD5 digest, and then Base64-encoding it. The timestamp ensures that no two request packets are identical.
The Sendsign() algorithm is written in C or C++ and placed in a .so library; the other important algorithms are written in Java.
IDA can be used to reverse-engineer the .so library and locate the Sendsign() method:


The WooYun vulnerability submitter used analysis of the sign and getsign(sign) data to build a cracking dictionary for the algorithm. In fact, the .so library can also be called directly to generate such a dictionary.

Once the signature is cracked, packets sent to the server can be constructed for other kinds of security testing, such as privilege escalation, password reset and so on.
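To make concrete why the signing mechanism collapses once the key is recovered, here is an added example (not code from the article or from the hotel app) that implements the scheme as the article describes it, MD5 over unsigndata + time + Resultkey then Base64, together with the server-side check, and sets it beside a keyed variant whose secret never ships in the APK. The byte layout of the concatenation, the timestamp format, the five-minute freshness window and every key value are assumptions; the HMAC-SHA256 variant with a server-issued session key is a swapped-in technique the article does not describe.

```python
"""Request signing as described in the hotel app case, with the server-side
check, and a per-session keyed variant for contrast.

Added example, not code from the article or from the app it analyses. The
article gives the shape of the scheme (MD5 over unsigndata + time +
Resultkey, then Base64); the byte layout of the concatenation, the timestamp
format, the freshness window and every key value here are assumptions. The
HMAC-SHA256 variant with a server-issued session key is a swapped-in
technique the article does not describe.
"""
import base64
import hashlib
import hmac

# Placeholder standing in for the constant the app ships inside the APK.
RESULTKEY = b"constructed-resultkey"
WINDOW_SECONDS = 300  # assumed freshness window for the timestamp


def make_sign(unsigndata: bytes, timestamp: int, resultkey: bytes) -> str:
    """sign = Base64(MD5(unsigndata || timestamp || Resultkey)), as in the case."""
    digest = hashlib.md5(unsigndata + str(timestamp).encode() + resultkey).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_sign(unsigndata: bytes, timestamp: int, sign: str, now: int) -> str:
    """Server-side check of the scheme above: 'ok', 'stale' or 'bad-sign'.

    What it proves is only that the sender knew RESULTKEY, and every copy of
    the APK contains RESULTKEY, so the check cannot tell the genuine app from
    anyone who has extracted the key."""
    if abs(now - timestamp) > WINDOW_SECONDS:
        return "stale"
    if not hmac.compare_digest(make_sign(unsigndata, timestamp, RESULTKEY), sign):
        return "bad-sign"
    return "ok"


# --- Contrast: a keyed MAC whose secret is never part of the app package ---
# Constructed session table. The server generates a random key at login and
# hands it to the client over TLS; the attacker must compromise a live
# session rather than just decompile the APK.
SESSION_KEYS = {"sess-1": bytes.fromhex("00" * 16 + "ff" * 16)}


def make_session_sign(unsigndata: bytes, timestamp: int, session_key: bytes) -> str:
    """HMAC-SHA256 over unsigndata || timestamp under the per-session key."""
    return hmac.new(session_key, unsigndata + str(timestamp).encode(), hashlib.sha256).hexdigest()


def verify_session_sign(session_id: str, unsigndata: bytes, timestamp: int,
                        sign: str, now: int, seen: set) -> str:
    """'ok', 'no-session', 'stale', 'replay' or 'bad-sign'.

    `seen` is the server's record of accepted (session, timestamp, sign)
    tuples inside the window; the timestamp alone makes packets differ but
    does not stop a captured packet being resent, so it is tracked here."""
    key = SESSION_KEYS.get(session_id)
    if key is None:
        return "no-session"
    if abs(now - timestamp) > WINDOW_SECONDS:
        return "stale"
    if (session_id, timestamp, sign) in seen:
        return "replay"
    if not hmac.compare_digest(make_session_sign(unsigndata, timestamp, key), sign):
        return "bad-sign"
    seen.add((session_id, timestamp, sign))
    return "ok"


if __name__ == "__main__":
    body = b'{"id":"11468061"}'
    s = make_sign(body, 1000, RESULTKEY)
    print("app-key scheme, holder of the APK constant:", verify_sign(body, 1000, s, 1100))
```

Both verifiers use a constant-time comparison and a freshness window; the difference that matters is where the secret lives. The MD5 construction also has no keyed-MAC security argument of its own, but that is secondary here: even a proper HMAC is worthless if its key is a literal inside the .so or the dex file.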


3 Ali Poly Security development recommendations


From the cases above, together with what we usually find ourselves, the main forms of hard-coded keys are:


1. The key is stored in plaintext directly in a SharedPrefs file. This is the least secure form.
2. The key is hard-coded directly in the Java code. This is very insecure: dex files are easily decompiled back into Java code.
3. The key is split into several segments, some stored in files and some in code, and spliced together at runtime. The whole operation can be made very complex, but because it all lives in the Java layer it is easy to reverse given enough time.
4. The app uses the NDK and places the key in a .so file, with the encryption and decryption operations also performed in the .so file. This improves security to some extent and blocks some reversing, but an experienced reverse engineer will still crack it with IDA.
5. The .so file does not store the key itself: the encryption and decryption operations in the .so file use a key that is stored in encrypted form, disguised as an ordinary file in the assets directory or elsewhere, and the .so file is padded with junk code ("flower" instructions). This increases the difficulty of static analysis, but the encryption and decryption functions can still be traced dynamically to locate the key material.
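The first three forms in this list are exactly what a source-level scan of a decompiled app can catch, which is how both the scanner mentioned in the introduction and a manual audit of the finance and car rental apps above start. The following is an added example, not Ali Poly Security's scanner and not code from the article: a small rule set over Java source and SharedPreferences XML that flags a key literal passed to a key class, a field named like a key initialised from a literal, a key spliced from fragments, and a key-like entry in a preferences file. The sample Java and XML are constructed to resemble the cases in section 2, with placeholder key strings rather than the real ones.

```python
"""Static check for hard-coded key material in decompiled Android sources.

Added example, not Ali Poly Security's scanner and not code from the
article. It targets the first three forms in the list above (key in a
SharedPreferences XML file, key literal in Java, key spliced from
fragments) using a few regular expressions over source text. The sample
Java and XML below are constructed to resemble the cases in section 2;
the key strings in them are placeholders, not the real values.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


# Java rules: a string literal fed straight to a key class, a field whose name
# says key/secret/aes/des initialised from a literal, or a key built by
# concatenating a literal with something else (form 3).
JAVA_RULES: List[Tuple[str, "re.Pattern"]] = [
    ("SecretKeySpec-literal", re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]+"')),
    ("DESKeySpec-literal", re.compile(r'new\s+DESKeySpec\s*\(\s*"[^"]+"')),
    ("key-field-literal", re.compile(
        r'(?i)(?:static\s+)?(?:final\s+)?String\s+\w*(?:key|secret|aes|des)\w*\s*=\s*"[^"]+"')),
    ("SecretKeySpec-fragments", re.compile(r'new\s+SecretKeySpec\s*\(\s*\(?\s*"[^"]*"\s*\+')),
]
# SharedPreferences XML (form 1): a <string> entry whose name suggests key material.
XML_RULES: List[Tuple[str, "re.Pattern"]] = [
    ("sharedprefs-key", re.compile(
        r'<string\s+name="[^"]*(?i:key|secret|passw)[^"]*"\s*>[^<]+</string>')),
]


def scan_text(path: str, text: str) -> List[Finding]:
    """Run the rule set chosen by file extension over every line of `text`."""
    rules = XML_RULES if path.lower().endswith(".xml") else JAVA_RULES
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in rules:
            if rx.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def rules_hit(path: str, text: str) -> List[str]:
    """Rule names triggered, in file order (convenient for reports and tests)."""
    return [f.rule for f in scan_text(path, text)]


# Constructed sample, modelled on the DES/AES cases; not the apps' code.
SAMPLE_JAVA = """\
package com.example.crypto;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.SecretKeySpec;
public class Crypto {
    private static final String AES_KEY = "placeholder-aes-key1"; // form 2
    static SecretKeySpec aes() { return new SecretKeySpec(AES_KEY.getBytes(), "AES"); }
    static DESKeySpec des() throws Exception { return new DESKeySpec("placehld".getBytes()); }
    static SecretKeySpec split() { // form 3: fragments spliced at runtime
        return new SecretKeySpec(("plac" + Config.PART2 + "hld").getBytes(), "AES");
    }
    static String label = "not a key";
}
"""

# Constructed SharedPreferences file (form 1).
SAMPLE_XML = """\
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="des_key">placehld</string>
    <string name="last_login">2016-01-01</string>
</map>
"""


if __name__ == "__main__":
    for f in scan_text("Crypto.java", SAMPLE_JAVA) + scan_text("prefs.xml", SAMPLE_XML):
        print(f"{f.path}:{f.line} [{f.rule}] {f.snippet}")
```

Rules like these are deliberately noisy: a hit is a place for a reviewer to look, not a confirmed key. Forms 4 and 5 in the list, where the key lives in a .so file, are outside what text rules can see and need the binary and dynamic analysis the article describes.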


Ensuring key security is a hard problem, involving key distribution, storage, failure recovery, app anti-decompilation and anti-debugging, and risk assessment. Storing a key securely on the device is essentially an unsolved problem; one can only raise the attacker's reversing cost until they give up. Protecting a key properly takes a great deal of effort for an ordinary developer.


Product designers or developers need to understand what their key is for, how important it is, and what the risk is if the key is reversed, and then choose the appropriate technical solution by evaluating the importance of the app.


We therefore recommend trying the security hardening and security components of Ali Poly Security. The secure encryption function of the security component provides secure management of the developer's keys together with an implementation of the encryption algorithms, ensuring key security and performing encryption and decryption securely; the secure signature function signs client requests so that client-server communication cannot be forged; security hardening raises the security level and prevents the application from being reversed. Together these provide multi-level protection at the application layer, the runtime layer and the native layer, and with the security sandbox, white-box cryptography and low-level hardening they jointly protect client data. Attack and defence evolve constantly; Ali Poly Security services can update the client module in real time, and the Ali Poly Security vulnerability scanner can detect whether an application carries hard-coded key risk, so that you keep the upper hand in the confrontation.


Leave professional work to professionals and put your main energy into feature development and business logic: quickly building a reliable product to win the market is what counts.


References

[1] http://www.wooyun.org/bugs/wooyun-2010-0187287
[2] http://www.wooyun.org/bugs/wooyun-2010-0105766
[3] http://www.wooyun.org/bugs/wooyun-2015-0162907
[4] http://jaq.alibaba.com/safety?spm=a313e.7837752.1000001.1.zwCPfa
[5] https://www.zhihu.com/question/35136485/answer/84491440


Ishin, stay Fox @ Ali Poly Security. For more security technical articles, please visit the Ali Poly Security blog.

