Personal insights on mobile app security


For mobile application security, we recommend reading the latest "carbon matrix" summary slide deck: http://www.bkjia.com/ebook/201212/35836.html. This article is a systematic write-up of some personal, amateur study.

I. About decompiling Android applications: jd-gui is not omnipotent

For Android apps, dex2jar + jd-gui is the most common way to get a quick understanding of an app's logic. In many cases, however, the code jd-gui produces is obviously logically broken: a method appears to return before an operation even starts, or a "break label" shows up that cannot be accounted for.



Figure 1: The code produced by jd-gui has a logic issue

If you look at the smali code disassembled by apktool, you will see that jd-gui's control-flow reconstruction can go wrong. Smali has no else, while, for or similar syntax: all control flow is expressed with conditional branches (if-*) and goto. jd-gui parses the instructions in sequence and reconstructs the branches dynamically from the if and goto instructions. Take the following smali:
============================================================================
    if-lt v0, v2, :cond_0    # branch to :cond_0 when v0 < v2

    ......                   # instructions executed when v0 >= v2

    :cond_0

    ......                   # instructions executed after the jump to the :cond_0 label
============================================================================


jd-gui may display:
============================================================================
if (v0 >= v2) {   // the inverse of "if-lt v0, v2, :cond_0"
    // instructions executed when v0 >= v2
}

......            // instructions executed after the jump to the :cond_0 label
============================================================================



If a goto instruction is added, as follows:
============================================================================
    if-lt v0, v2, :cond_0    # branch to :cond_0 when v0 < v2

    ......                   # instructions executed when v0 >= v2

    goto :target_0           # afterwards, jump to :target_0

    :cond_0

    ......                   # instructions executed after the jump to the :cond_0 label

    :target_0                # the :target_0 label

    ......                   # instructions executed from :target_0 onwards
============================================================================

jd-gui may display:
============================================================================
if (v0 >= v2) {   // possibly the inverse of the execution logic of "if-lt v0, v2, :cond_0"
    ......        // instructions executed when v0 >= v2
} else {
    ......        // instructions executed after the jump to the :cond_0 label
}

......            // instructions from :target_0 onwards
============================================================================

However, it may also display:
============================================================================
if (v0 >= v2) {   // possibly the inverse of the execution logic of "if-lt v0, v2, :cond_0"
    ......        // instructions executed when v0 >= v2
}

......            // instructions executed after the jump to the :cond_0 label
......            // instructions from :target_0 onwards
============================================================================


When several goto instructions with different targets appear inside one conditional block, jd-gui pairs them up in instruction order. Its dynamic reconstruction may then fail to close the branches sensibly: the result is either the opposite of the original logic, or an execution order that makes no sense at all. If the original code contains loops such as while and for, the problem becomes even more obvious.


In this case there are two solutions:
(1) Read the smali directly instead of the decompiled Java. It is harder, but it is the necessary path to becoming a master.

(2) Decompile the jar with XJad. It does not restructure the logic; it renders the code as-is. This is the most convenient option when jd-gui's reconstruction fails but you still want to read Java.



Figure 2: Code rendered as-is by XJad

Below are the code corrected according to the XJad output and the Java code that is actually called. As you can see, the real logic and the decompiled logic differ considerably.




Figure 3: Corrected code
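When the decompiled Java looks suspicious, the reliable check is to follow the smali's branches yourself. The following is an added example (not code from the article, apktool or jd-gui): a tiny interpreter for the handful of Dalvik instructions involved in the problem above (const, add-int/lit8, if-*, goto, return) that records which blocks run for each outcome of the comparison. `log <name>` is an invented pseudo-instruction that marks a block; the three snippets are constructed to mirror the two cases in the text plus a loop.

```python
"""Tracing smali control flow to check a decompiler's if/else rendering.

Added example, not code from the article, apktool or jd-gui. `log <name>`
is an invented pseudo-instruction; everything else is real smali syntax.
"""

BRANCH = {
    "if-lt": lambda a, b: a < b, "if-ge": lambda a, b: a >= b,
    "if-le": lambda a, b: a <= b, "if-gt": lambda a, b: a > b,
    "if-eq": lambda a, b: a == b, "if-ne": lambda a, b: a != b,
}


def parse(src):
    """Return (instructions, labels); labels map ':name' to the index of
    the next instruction. '#' starts a comment, as in real smali."""
    code, labels = [], {}
    for raw in src.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(":"):
            labels[line] = len(code)
            continue
        op, *args = line.replace(",", " ").split()
        code.append((op, args))
    return code, labels


def run(src, regs, step_limit=10_000):
    """Execute src with the given initial registers; return the block names
    passed to `log` in execution order."""
    code, labels = parse(src)
    regs, trace, pc, steps = dict(regs), [], 0, 0
    while pc < len(code):
        steps += 1
        if steps > step_limit:
            raise RuntimeError("step limit hit: runaway loop")
        op, args = code[pc]
        if op == "const":
            regs[args[0]] = int(args[1], 0)
        elif op == "add-int/lit8":
            regs[args[0]] = regs[args[1]] + int(args[2], 0)
        elif op in BRANCH:
            if BRANCH[op](regs[args[0]], regs[args[1]]):
                pc = labels[args[2]]
                continue
        elif op == "goto":
            pc = labels[args[0]]
            continue
        elif op == "log":
            trace.append(args[0])
        elif op.startswith("return"):
            break
        else:
            raise ValueError("unsupported instruction: " + op)
        pc += 1
    return trace


# First case in the text: no goto, so :cond_0 is NOT an else branch.
NO_GOTO = """
    if-lt v0, v2, :cond_0      # jump when v0 < v2
    log fallthrough            # only when v0 >= v2
    :cond_0
    log cond_0                 # reached on both paths
    return-void
"""

# Second case: the goto makes it a real if/else with a common tail.
WITH_GOTO = """
    if-lt v0, v2, :cond_0
    log fallthrough            # v0 >= v2 branch
    goto :target_0
    :cond_0
    log cond_0                 # v0 < v2 branch
    :target_0
    log target_0               # common tail
    return-void
"""

# A loop is the same two primitives with a backward goto.
COUNT_LOOP = """
    const v0, 0x0
    :loop
    if-ge v0, v2, :done
    log body
    add-int/lit8 v0, v0, 0x1
    goto :loop
    :done
    log done
    return-void
"""


def both_outcomes(src):
    """Trace once with v0 < v2 and once with v0 >= v2."""
    return {"v0<v2": run(src, {"v0": 1, "v2": 2}),
            "v0>=v2": run(src, {"v0": 2, "v2": 2})}


if __name__ == "__main__":
    print("no goto  :", both_outcomes(NO_GOTO))
    print("with goto:", both_outcomes(WITH_GOTO))
    print("loop v2=3:", run(COUNT_LOOP, {"v2": 3}))
```

For the snippet without a goto, `cond_0` runs on both paths, so rendering it as an `else` is wrong and only the second jd-gui output above is right; with the goto, only the first is. The trace is ground truth independent of any decompiler heuristic, which is exactly what you lack when the Java "returns before it starts".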


II. About Android application log debugging: an effective means of understanding how an application operates

If the decompiled code yields nothing useful, searching for, or even inserting, log-debugging code is another effective method. From a development perspective, debug logging is a necessary coding practice, and its switch is nothing more than a configuration item, a variable or a constant. Android came from Java, and its object-oriented style means the log classes are usually not stripped out, which makes it possible to obtain the debug output by modifying the smali. For example, one application gated its logging on a constant; after the constant was found in the decompiled code and modified, logcat printed the entire communication process:





Figure 4: Modifying an application's log constant to obtain its runtime information

If the logic you need to understand has no log output, or the application has stripped the method bodies of its log class, the only way is to restore it by inserting smali instructions. The insertion point and the instruction content are, however, tightly bound to the application's own logic, so there is no general rule for inserting them.
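The constant flip from Figure 4, and one instance of the hand insertion just described, as an added example (not code from the article or from any real app). The `<clinit>` below is a constructed stand-in for what baksmali/apktool emits for a `static final boolean DEBUG = false` field; the class, field and method names are invented. The first helper flips the literal so the app's own Log.* calls fire; the second inserts a `Log.d(tag, <register>)` call before a chosen instruction, growing `.locals` by one to hold the tag string.

```python
"""Patching smali to turn an app's logging back on, or to add a log call.

Added example, not from the article. CLINIT and SEND are constructed
methods with invented class/field names; the patcher is text-level only.
"""
import re

# Constructed <clinit> in the shape baksmali emits (invented names).
CLINIT = """\
.method static constructor <clinit>()V
    .locals 1

    const/4 v0, 0x0

    sput-boolean v0, Lcom/example/app/Config;->DEBUG:Z

    return-void
.end method
"""

# Constructed method: signs a request string into v1, then posts it.
SEND = """\
.method private send(Ljava/lang/String;)V
    .locals 2

    invoke-direct {p0, p1}, Lcom/example/app/Net;->sign(Ljava/lang/String;)Ljava/lang/String;

    move-result-object v1

    invoke-static {v1}, Lcom/example/app/Net;->post(Ljava/lang/String;)V

    return-void
.end method
"""


def enable_debug_flag(smali, field="Lcom/example/app/Config;->DEBUG:Z"):
    """Find `sput-boolean vN, <field>` and flip the `const/4 vN, 0x0` that
    defines vN right before it to 0x1. Returns (patched text, sites patched)."""
    lines = smali.splitlines()
    count = 0
    for i, line in enumerate(lines):
        m = re.match(r"\s*sput-boolean (v\d+), " + re.escape(field) + r"$", line)
        if not m:
            continue
        reg = m.group(1)
        j = i - 1
        while j >= 0 and not lines[j].strip():   # skip blank lines
            j -= 1
        cm = re.match(r"(\s*)const/4 " + re.escape(reg) + r", 0x0$", lines[j])
        if cm:
            lines[j] = f"{cm.group(1)}const/4 {reg}, 0x1"
            count += 1
    return "\n".join(lines) + "\n", count


def insert_log_before(method, needle, reg, tag="HOOK"):
    """Insert `Log.d(tag, reg)` before the first line containing `needle`.
    One extra local is allocated for the tag. This is only safe when the
    method refers to parameters as pN (baksmali's default), `reg` holds a
    String at that point, and the new register index stays below 16
    (non-range invoke-static takes 4-bit register numbers)."""
    lines = method.splitlines()
    loc = next(i for i, l in enumerate(lines) if l.strip().startswith(".locals "))
    indent, n = re.match(r"(\s*)\.locals (\d+)$", lines[loc]).groups()
    n = int(n)
    if n > 15:
        raise ValueError("no 4-bit register free for the tag; use invoke-static/range")
    tag_reg = f"v{n}"                       # first register the method did not use
    lines[loc] = f"{indent}.locals {n + 1}"
    at = next(i for i, l in enumerate(lines) if needle in l)
    lines[at:at] = [
        f'{indent}const-string {tag_reg}, "{tag}"',
        "",
        f"{indent}invoke-static {{{tag_reg}, {reg}}}, "
        "Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I",
        "",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(enable_debug_flag(CLINIT)[0])
    print(insert_log_before(SEND, "Net;->post", "v1"))
```

After patching, rebuild with `apktool b`, sign the result (any key; `apksigner` or `jarsigner`), `adb install -r` it and watch `adb logcat -s HOOK` (or the app's own tag). Growing `.locals` shifts the numeric positions of p0, p1, ... which is why the patch relies on the symbolic pN names.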


III. About Android WebView database storage: an auxiliary means of judging whether an application is phishing

When an Android app uses a WebView, it creates webview.db and webviewCache.db in the app's private storage (/data/data/<package name>/databases). These two databases store the history of paths accessed, saved password records (in plaintext) and cookies from the app's WebView usage. Some applications forge pages and open them in a WebView so that the URL stays hidden, for phishing. In that case you can expose them by checking the WebView data kept in these two databases.

However, a malicious developer can also capture sensitive data such as user input by monitoring the WebView without forging any page, so this method has serious limitations.

Another problem: on a rooted device any application can read data anywhere, and the only way to clear the WebView data is "Clear data" in application management. So it is entirely possible for a malicious developer to steal information from here.



Figure 5: webviewCache.db



Figure 6: cookies in webview.db. SUS is an HttpOnly cookie, a flag Android does not support.
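The check described in this section, as an added example (not from the article): pull webview.db and webviewCache.db from /data/data/<package>/databases/ (root needed), list every host the WebView actually touched, and flag any outside the domains the app is supposed to use. So it runs offline, the script builds one in-memory database with a simplified version of the legacy WebView schema (`cookies`, `password`, and a `cache` table standing in for webviewCache.db); the column set is an assumption and every row is constructed.

```python
"""Reading an app's WebView databases for phishing indicators.

Added example, not from the article. The schema below is a simplified
assumption about the legacy webview.db / webviewCache.db layout, and the
rows are constructed.
"""
import sqlite3
from urllib.parse import urlparse


def build_sample_db():
    """Constructed stand-in for the two pulled databases, merged into one
    connection for brevity (assumed schema, invented data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cookies (name TEXT, value TEXT, domain TEXT, path TEXT, secure INTEGER);
        CREATE TABLE password (host TEXT, username TEXT, password TEXT);
        CREATE TABLE cache (url TEXT, mimetype TEXT, httpstatus INTEGER);
    """)
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?)", [
        ("SUS", "abc123", ".weibo.com", "/", 0),
        ("sid", "deadbeef", "weibo-login.example.net", "/", 0),
    ])
    conn.executemany("INSERT INTO password VALUES (?,?,?)", [
        ("http://weibo-login.example.net", "victim@example.com", "hunter2"),
    ])
    conn.executemany("INSERT INTO cache VALUES (?,?,?)", [
        ("http://weibo.com/favicon.ico", "image/x-icon", 200),
        ("http://weibo-login.example.net/login.html", "text/html", 200),
        ("http://weibo-login.example.net/collect.php?u=victim", "text/html", 200),
    ])
    return conn


def observed_hosts(conn):
    """Every host the WebView touched: cache URLs, cookie domains, and the
    hosts of saved passwords."""
    hosts = set()
    for (url,) in conn.execute("SELECT url FROM cache"):
        hosts.add(urlparse(url).hostname)
    for (domain,) in conn.execute("SELECT domain FROM cookies"):
        hosts.add(domain.lstrip("."))
    for (host,) in conn.execute("SELECT host FROM password"):
        hosts.add(urlparse(host).hostname or host)
    return {h for h in hosts if h}


def in_allowed(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def suspicious_hosts(conn, allowed):
    """Hosts loaded inside the WebView that the app has no business talking to."""
    return {h for h in observed_hosts(conn) if not in_allowed(h, allowed)}


def plaintext_credentials(conn):
    """Saved passwords are stored unencrypted; list them to show exactly
    what any root-level process on the device can read."""
    return conn.execute("SELECT host, username, password FROM password").fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("hosts seen :", sorted(observed_hosts(db)))
    print("suspicious :", sorted(suspicious_hosts(db, {"weibo.com"})))
    print("plaintext  :", plaintext_credentials(db))
```

On a rooted device the files come out with `adb pull /data/data/<package>/databases/webview.db` (and webviewCache.db); without root they are unreadable, which is the limitation the text notes. Legitimate third-party hosts (CDNs, analytics) also show up, so an unexpected host is a lead to investigate, not proof of phishing, and a developer who reads input from the WebView directly leaves no trace here at all.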


IV. Doubts about mobile security research

At the beginning of the year I announced that I would get into Windows Phone 7 programming research. But with less money to spend, I ended up following the cheapest platform, Android, and in addition narrowed the scope to the design of back-end API communication, which is most relevant to my work.

Now it is the end of the year, and the more I study, the more confused I find myself. The data behind mobile API interfaces is pure and rich, which excites malicious harvesters. Yet attacks on mobile API interfaces cannot be defended with the usual web-side aids; in addition, the ease of decompiling Android and similar systems, the absence of encryption in transit (because of server load) or the predictability of the encryption algorithm, all make interface defense design for ordinary applications unfeasible. For me, none of this "destructive" research could be converted into useful practical development and design experience, which I did not expect. When I submitted a Sogou number-communication client defect but could not offer any defensive advice, I asked myself: after studying for so long, what is the purpose?

Breaking is easy; building is hard. After this last day of the year, where do we go from here?


V. Appendix: security issues in mobile-app interface communication that I have personally come across
(1) The mobile app sends the user name and password, or unique identifiers such as the address book or IMEI, in plaintext over HTTP POST (or even HTTP GET).
Cases:
(A) Sina Vdisk client vulnerability leaks user passwords: http://www.wooyun.org/bugs/wooyun-2010-012961
(B) NetEase News iPhone client sensitive information leakage (plaintext password transmission): http://www.wooyun.org/bugs/wooyun-2010-07673

(2) The mobile app's encryption is not robust, so it can be cracked or simulated; or the communication server cannot sustain high concurrency and high traffic.

(3) The mobile app leaves too many debugging entry points or too much debugging output.
Cases:
(A) Sangfor mobile client log information leakage: http://www.wooyun.org/bugs/wooyun-2010-013940
(B) SECURITY remove lock pattern from being logged:
https://github.com/CyanogenMod/android_frameworks_base/commit/56c014f289e04c0fd769af55c861b6e7bf7b4280
(Related zone discussion) CyanogenMod was found to write the user's screen-lock gesture to the log:
http://zone.wooyun.org/content/1426

(4) The output of mobile app interfaces is too rich, leaking sensitive information.
Case:
Software developed by the Communications Commission leaks personal privacy: http://gcontent.oeeee.com/ B /7d/b7da6c184018c1c0/Blog/379/7fc1ff.html

(5) Mobile app interfaces do not detect or limit malicious behaviour such as request frequency.
Case:
Sogou phone client can be attacked maliciously, with privacy leakage: http://www.wooyun.org/bugs/wooyun-2012-06459

(6) The mobile app interface does not check incoming parameters and relies only on encryption, leading to common web application problems such as SQL injection.
Cases:
(A) SQL injection in the HTTP API behind a mobile app: http://www.wooyun.org/bugs/wooyun-2012-04324
(B) Soldado mobile app SQL injection (only a brief description is given): http://www.wooyun.org/bugs/wooyun-2010-014531

(7) The mobile app is not kept confidential during the demo period and the installation package leaks; as a result the demo server, or the whole class-C range of the demo server that bridges the intranet and the Internet, is exposed.

(8) A logic error occurs when mobile app data is handed to the cloud for processing, resulting in information leakage and similar problems.
Case:
UC cloud acceleration engine abnormally leaks the Referer: http://www.wooyun.org/bugs/wooyun-2010-09025

(9) Mobile app configuration files and certificates are easily modified, so a repackager can swap the configuration for phishing.
Case:
China Construction Bank Android client: a design logic defect exposes users to phishing: http://www.wooyun.org/bugs/wooyun-2010-04930

(10) When a mobile app uses a WebView (the URL cannot be seen), the configuration is easily replaced by a repackager, the page is counterfeited by a malicious developer, or the WebView is monitored by the developer, all for account phishing.
Case:
A malicious app written by an app developer steals Weibo accounts (unfortunately the Weibo post has been deleted and cannot be found)
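Item (6) is worth a concrete illustration, because "the parameters are encrypted" is the defence most often offered for these APIs. The following is an added example (not code from the article or from any report listed above): a client "protects" its login parameters with a reversible transform before sending them, and the server reverses it and concatenates the result into SQL. The transform is a toy (base64 of XOR with a fixed key, constructed for the example); any real scheme whose key ships inside the APK is equivalent once the app is decompiled. The table, users and key are invented, and the password column is kept in plaintext only to keep the example short.

```python
"""Why "encrypted" API parameters are not input validation.

Added example, not from the article. The XOR/base64 transform, key, table
and users are constructed; the point is that the server's SQL sees the
decoded string, whatever the wire encoding was.
"""
import base64
import sqlite3

KEY = b"k3y-from-the-apk"   # constructed: in practice recovered by decompiling


def obfuscate(text):
    """Client side: XOR with the fixed key, then base64 (toy transform)."""
    data = text.encode()
    x = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))
    return base64.b64encode(x).decode()


def deobfuscate(token):
    """Server side: the inverse; the result is attacker-controlled text."""
    data = base64.b64decode(token)
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data)).decode()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?)",
                     [("alice", "s3cret"), ("bob", "pa55")])
    return conn


def login_vulnerable(conn, user_tok, pw_tok):
    """Treats the transform as validation and builds the query by hand."""
    user, pw = deobfuscate(user_tok), deobfuscate(pw_tok)
    sql = f"SELECT name FROM users WHERE name = '{user}' AND pw = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, user_tok, pw_tok):
    """Same transform, but the values are bound; the payload is just data."""
    user, pw = deobfuscate(user_tok), deobfuscate(pw_tok)
    row = conn.execute("SELECT name FROM users WHERE name = ? AND pw = ?",
                       (user, pw)).fetchone()
    return row[0] if row else None


def attack(login):
    """What a repackaged client, or a script with the recovered key, sends:
    a valid-looking user token and a classic tautology as the password."""
    conn = make_db()
    return login(conn, obfuscate("alice"), obfuscate("' OR '1'='1"))


if __name__ == "__main__":
    print("vulnerable:", attack(login_vulnerable))   # logs in as alice
    print("hardened  :", attack(login_hardened))     # None
```

The same decoded-then-concatenated pattern applies to the other items that lean on client-side secrecy: once the transform is known, frequency limits (5), configuration (9) and the "hidden" WebView URL (10) are all in the attacker's hands, and only server-side checks remain.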
