
Good Technology Authentication Insecure Coupling

Posted Sep 26, 2015
Authored by Tobias Ospelt

The Good Mobile Device Management solution suffers from an insecure application-coupling vulnerability.

tags | exploit
SHA-256 | af107c97cd4d7d4de1c924959092ed0c56c2cc5541967d7bdf9e2c3dfe46fe34

---------------------------------------------------------------- v1 -

modzero Security Advisory: Insecure application-coupling in Good
Authentication Delegation [MZ-15-03]

---------------------------------------------------------------------

---------------------------------------------------------------------

1. Timeline

---------------------------------------------------------------------

* 2015-08-18: Vulnerability has been discovered
* 2015-09-09: Vendor contact to agree on responsible disclosure
* 2015-09-25: Public Disclosure.

---------------------------------------------------------------------

2. Summary

---------------------------------------------------------------------

Vendor: Good Technology, Inc.
Products known to be affected:
 * Combination of Android Good Dynamics SDK version 1.11.1206
   Android Good Access app version 2.3.1.626
   Android Good for Enterprise app version 3.0.0.415
   Good Control server version 1.10.47.31
   Good Proxy server version 1.10.47.2
   Good for Enterprise server version 7.2.2.5c
 * Other products, versions and apps using authentication-delegation
   may be affected as well.
Severity: Medium/High

The Good Mobile Device Management solution provides two separate
Android applications, Good for Enterprise [1] (a mobile device
management Android application with functionality such as E-Mail) and
Good Access [2] (an Android application that has similar
functionality as a regular browser app to access company intranet
servers). Both apps use the underlying Good Dynamics framework to
communicate with the Good server located in the customer's company
network.

Authentication delegation is a method to provision the Good Access
Android app by using the Good for Enterprise Android app. Using this
mechanism, an employee does not need to manually enter an activation
key to provision the Good Access app, if Good for Enterprise was
already provisioned before.

Third-party apps can spoof their identity and try to request access
to company servers and data. Users could be tricked into allowing
access to company intranet servers to a faked Good Access app. The
server administrator is not able to prevent or detect the
unauthorized access.

A CVE has not yet been assigned to this vulnerability.

---------------------------------------------------------------------

3. Details

---------------------------------------------------------------------

As a precondition for this vulnerability, the Good servers have to
allow access to intranet servers on the company network via the Good
Access app. It is also necessary to enable authentication delegation
through Good for Enterprise.

A specially crafted third-party Android app can use an Android
package name that starts with "com.good.gdgma" (the Good Access
package name). Subsequently the app is able to announce itself as the
Good Access app to the authentication delegate (Good for Enterprise).
The user of the Android device has to explicitly grant access to this
third-party app [3], even though the specially crafted application
might be indistinguishable from the legitimate app for a user. It is
possible to activate not only one, but several faked apps through the
authentication delegate (Good for Enterprise) by using different
package names (e.g. "com.good.gdgma.test1", "com.good.gdgma.test2",
etc.).

The Good Dynamics server administrator cannot distinguish between a
malicious third-party app and the legitimate app accessing company
data, because the Good backend web interface shows only that Good
Access was provisioned.

As a mitigation, the Good for Enterprise app could protect its
authentication-delegation API intent (Android IPC mechanism) with the
signature-level protection provided by the Android operating system
(android:protectionLevel="signature"). Only apps signed with the same
private key can use such permissions.
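
Added example (not part of the modzero advisory and not Good Technology
code): a Python model that contrasts identifying the requesting app by
package-name prefix, as the behaviour described above implies, with
binding it to its signing certificate, which is the same-signer property
that android:protectionLevel="signature" enforces. The certificate bytes,
the inventory and all function names are constructed for illustration.

```python
import hashlib
import hmac

GOOD_ACCESS_PKG = "com.good.gdgma"  # package name given in the advisory

# Constructed stand-ins for signing certificates (real ones are DER X.509).
VENDOR_CERT = b"constructed-vendor-signing-cert"
OTHER_CERT = b"constructed-third-party-cert"


def cert_digest(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()


# Assumption: the delegate pins the signer digest of the legitimate requester.
PINNED = {GOOD_ACCESS_PKG: cert_digest(VENDOR_CERT)}


def trusts_by_name(pkg: str) -> bool:
    """Model of the insecure coupling: identity is a package-name prefix."""
    return pkg.startswith(GOOD_ACCESS_PKG)


def trusts_by_signer(pkg: str, cert: bytes) -> bool:
    """Hardened model: exact package name and matching signer digest."""
    expected = PINNED.get(pkg)
    return expected is not None and hmac.compare_digest(expected, cert_digest(cert))


def audit(inventory):
    """Packages a name-based check accepts but a signer check rejects."""
    return [pkg for pkg, cert in inventory
            if trusts_by_name(pkg) and not trusts_by_signer(pkg, cert)]


# Constructed device inventory: (package name, signing certificate bytes).
INVENTORY = [
    ("com.good.gdgma", VENDOR_CERT),
    ("com.good.gdgma.test1", OTHER_CERT),
    ("com.good.gdgma.test2", OTHER_CERT),
    ("com.good.android.gfe", VENDOR_CERT),
    ("com.example.notes", OTHER_CERT),
]

if __name__ == "__main__":
    for pkg in audit(INVENTORY):
        print("name-trusted but signer-mismatched:", pkg)
```
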

---------------------------------------------------------------------

4. Impact

---------------------------------------------------------------------

After tricking a user into installing a modified application that
pretends to be a Good Access app towards the authentication
delegation mechanism, the missing authentication can be exploited to
gain access to the intranet data via the Good servers. Additionally,
other third-party apps could request permission to access
company data from the user; the Good server administrator is not
able to prevent usage of such third-party apps.

---------------------------------------------------------------------

5. Proof of concept exploit

---------------------------------------------------------------------

As a proof of concept, an example app of the Good Dynamics Android
SDK can be used. modzero used the ApacheHttp example application.
After loading the example project in the Android Studio IDE, the
GDApplicationID variable in the included settings.json file has to be
changed to "com.good.gdgma". Additionally the package name in the
AndroidManifest.xml file must be changed to a value that starts with
"com.good.gdgma". The included classes have to be refactored to match
the new package name. After installing the example application and
clicking the button to use authentication delegation, Good for
Enterprise will show the dialog to confirm access to company data
[3]. If the user enters his Good for Enterprise app password, the
malicious application is allowed to access intranet servers [4].

An alternative to demonstrate the issue is probably to disassemble
the Good Access app via apktool [5], add malicious code to the
application and reassemble the app via apktool.

---------------------------------------------------------------------

6. Workaround

---------------------------------------------------------------------

Users can deactivate authentication delegation and revoke access for
Good Access. Another workaround is not known.

---------------------------------------------------------------------

7. Fix

---------------------------------------------------------------------

It is not known to modzero whether a security fix is available.

---------------------------------------------------------------------

8. References

---------------------------------------------------------------------

[1] https://play.google.com/store/apps/details?id=com.good.android.gfe
[2] https://play.google.com/store/apps/details?id=com.good.gdgma
[3] http://www.modzero.ch/advisories/media/good_dynamics_provisioning.png
[4] http://www.modzero.ch/advisories/media/good_dynamics_usage.png
[5] https://ibotpeaches.github.io/Apktool/

---------------------------------------------------------------------

9. Credits

---------------------------------------------------------------------

* Tobias Ospelt

---------------------------------------------------------------------

10. About modzero

---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with
security analysis in the complex areas of computer technology. The
focus lies on highly detailed technical analysis of concepts,
software and hardware components as well as the development of
individual solutions. Colleagues at modzero AG work exclusively in
practical, highly technical computer-security areas and can draw on
decades of experience in various platforms, system concepts, and
designs.

https://www.modzero.ch

contact@modzero.ch

---------------------------------------------------------------------

11. Disclaimer

---------------------------------------------------------------------

The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
