One Root To Own Them All
Black Hat US 2013
Jeff Forristal @ Bluebox
Outline
• Introduction
• Android APK Overview
• Jar and Jar Signer
• Exploit Analyze
• APK Install Process
• Normal Case
• Abnormal Case
• Vulnerability Point
• Patch
• Similar Approach
• Conclusion
• Reference
Android APK
• APK stands for Android application package file.
• It is just a Jar file with some additional files that Android needs.
Android APK Content
• Package resource files:
  • Android Manifest
  • Some pictures, audio files…
  • Etc…
• classes.dex
• META-INF/Manifest.MF
Compile Android APK
• What we usually do:
  • 1. Write code in Eclipse / Android Studio
  • 2. Press the compile button
• Simple and easy
Compile Android APK
• 1. aapt creates R.java according to the following files:
  • Android Manifest
  • Resources
  • Assets
• 2. Use javac to compile the source code with some libraries -> generates many *.class files.
• 3. Use dx to transform Java bytecode into Dalvik bytecode -> the many *.class files are merged into 1 classes.dex
• 4. Use apkbuilder to generate an unsigned APK with the following files:
  • classes.dex
  • Package Resources Files
• 5. Use jarsigner to sign the unsigned APK into a signed APK
  • E(unsigned APK, Key) = signed APK
Jar
• Jar stands for Java Archive
• The Jar file format is the same as the Zip file format
• File contents:
  • *.class files
  • Resources
  • META-INF/Manifest.MF
[Diagram: Jar, Android APK]
JarSigner
• Generates a signature for a JAR (Java Archive)
• Verifies the signature of a signed JAR file
• Two additional files are placed in the META-INF directory:
  • signature file with the .SF extension
  • signature block file with the .DSA extension
JarSigner - Signing [diagram: jarsigner, aapt]
JarSigner - Signing Integrity [diagram]
JarSigner - Signing Identity [diagram]
JarSigner - Signing Certificate [diagram: Public Key; Digital Signature for the Certificate]
PackageManager
• PackageParser: Parsing Package and Verify
• Installer: Sending Command to installd
• PackageHandler: Handle Event
Overview
• Parsing
• Verify
• Install
Parsing [diagram: JarFile.Class and JarEntry.Class read the Android APK, which holds File 1 to File 4, then the Central Directory (File 1 to File 4 Meta-Data), then the End of Central Directory]
Parsing, Verify and Install
• 1. Get the entries list from the Central Directory.
• 2. Create a JarEntry object for each entry and put it into the mEntries HashMap.
• The index is calculated by:
  • secondHash(String entry name)
• 4. JarVerifier verifies each entry according to mEntries.
• 5. After verification, find the classes.dex entry and install it.
Parsing [diagram: the Central Directory of the Android APK lists 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. res Meta-Data, followed by the End of Central Directory; mEntries holds one ZipEntry object each for Manifest.xml, META-INF, classes.dex and res]
Verify [diagram: mEntries with the ZipEntry objects Manifest.xml, META-INF, classes.dex, res]
Install [diagram: installd and the Android APK with Manifest.xml, META-INF, classes.dex, res and the same four Central Directory entries]
What If … [diagram: two Android APK layouts side by side, one with Manifest.xml, META-INF, classes.dex, res and one with Manifest.xml, classes.dex, META-INF, classes.dex, res, each with its Central Directory]
Parsing [diagram: the Central Directory lists 1. Manifest.xml Meta-Data, 2. META-INF Meta-Data, 3. classes.dex Meta-Data, 4. classes.dex Meta-Data, 5. res Meta-Data, followed by the End of Central Directory; mEntries holds ZipEntry objects for Manifest.xml, META-INF, classes.dex, res and classes.dex]
Verify [diagram: mEntries with the ZipEntry objects Manifest.xml, META-INF, classes.dex, res, classes.dex; marked "!!!!!!"]
Install [diagram: installd and the APK with Manifest.xml, classes.dex, META-INF, classes.dex, res and the same five Central Directory entries; classes.dex marked "!!!!!!"]
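A defensive check for the duplicate-name case in the "What If …" slides, as an added example that is not from the original talk or from Android's code: it lists every Central Directory entry, models a name-keyed map such as mEntries, and flags names that occur more than once. The function names and the sample archive are constructed for illustration, and "a later entry replaces an earlier one" is an assumption of this model.

```python
import io
import warnings
import zipfile
from collections import Counter

# Constructed sample names mirroring the slide: classes.dex appears twice.
SAMPLE_NAMES = ["Manifest.xml", "META-INF/Manifest.MF",
                "classes.dex", "classes.dex", "res/icon.png"]


def build_sample_archive(names):
    """Constructed sample: an in-memory zip whose entries hold placeholder bytes."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile emits a UserWarning when a name is written twice.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, b"placeholder-%d" % i)
    return buf.getvalue()


def central_directory_names(data):
    """Every entry name in Central Directory order, duplicates included."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]


def name_keyed_view(names):
    """Model of a map keyed by entry name: one slot per distinct name."""
    view = {}
    for index, name in enumerate(names):
        view[name] = index  # assumption: a later entry replaces an earlier one
    return view


def duplicate_entry_names(data):
    """Names listed more than once; a well-formed APK should yield none."""
    counts = Counter(central_directory_names(data))
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    apk = build_sample_archive(SAMPLE_NAMES)
    names = central_directory_names(apk)
    print("central directory entries:", len(names))
    print("slots in name-keyed map:  ", len(name_keyed_view(names)))
    print("duplicate names:          ", duplicate_entry_names(apk))
```

A gap between the number of Central Directory entries and the number of slots in the name-keyed map means some component sees fewer entries than the archive contains, which is the condition a scanner or installer should reject.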