CNIT 128
Hacking Mobile Devices
8. Identifying and Exploiting Android Implementation Issues
Part 2 Updated 3-11-2020
Topics
• Part 1
  • Reviewing Pre-installed Applications
  • Exploiting Devices
    • Start through "Explanation of Privilege Levels" (up to p. 402)
Topics
• Part 2
  • Exploiting Devices
    • "Practical Physical Attacks" (p. 375) through "Polaris Viewer Memory Corruption" (up to p. 402)
Topics
• Part 3
  • Exploiting Devices
    • "Injecting Exploits for JavaScript Interfaces" (p. 402) and following
  • Infiltrating User Data
Practical Physical Attacks
Bypassing Lock Screen
• Getting ADB Shell Access: Two Ways
  • USB Debugging
  • Unlocked Bootloaders
USB Debugging
• adb shell
  • Usually turned off by default
  • Exposes data and can be used to install new packages
  • User must approve it
  • Not possible if screen is locked
Bug
• In Android 4.2.2 up to 4.4.2
  • Navigating to emergency dialer or lock screen camera
  • Shows the USB debugging authorization prompt
  • With the screen locked
Privilege Levels
• /default.prop file controls ADB privileges
• By default: ro.secure=1
  • Adb runs as the shell user
• If ro.secure=0
  • adbd runs as root
ALLOW_ADBD_ROOT
• From Android 4.3 onwards
  • ADB won't run as root unless it's compiled with the ALLOW_ADBD_ROOT flag
  • Even if ro.secure=0
• To get root, compile a custom version of adbd and overwrite the binary on the device
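As an added check (example script written for these notes, not code from the slides, the textbook, or drozer), the following reads the properties that govern adbd's privilege level, either from a default.prop file or from `adb shell getprop` output, combines them with the uid reported by `adb shell id`, and reports how exposed the ADB path is. One assumption beyond the slides: it also looks at ro.debuggable, because on a build with ro.debuggable=1 the `adb root` command can restart adbd as root even when ro.secure=1, so a device where either property is in the debug state is treated as a debug build. The sample property text and id lines are constructed, not captured from a device.

```shell
#!/bin/sh
# Added example, not from the slides: classify a device's ADB exposure from
# its build properties and the uid the adb shell runs as.

# prop_value KEY TEXT
# Extracts KEY from either default.prop style text ("key=value") or
# `getprop` style text ("[key]: [value]"). Prints nothing if KEY is absent.
# index() is used instead of a regex so the dots in the key are literal.
prop_value() {
  printf '%s\n' "$2" | awk -v k="$1" '
    index($0, k "=") == 1        { print substr($0, length(k) + 2); exit }
    index($0, "[" k "]: [") == 1 { v = substr($0, length(k) + 6); sub(/\]$/, "", v); print v; exit }
  '
}

# adb_exposure PROPTEXT IDLINE
# PROPTEXT is default.prop or getprop output; IDLINE is the output of
# `adb shell id`. Prints one verdict:
#   ROOT_SHELL   adbd is already running as uid 0
#   DEBUG_BUILD  ro.secure=0 or ro.debuggable=1 (assumption: see lead-in):
#                root over adb is available unless adbd was built without
#                ALLOW_ADBD_ROOT
#   SHELL_ONLY   production settings; adb stays uid 2000 (shell)
adb_exposure() {
  secure=$(prop_value ro.secure "$1")
  debuggable=$(prop_value ro.debuggable "$1")
  case "$2" in
    uid=0\(root\)*) echo ROOT_SHELL; return 0 ;;
  esac
  if [ "$secure" = "0" ] || [ "$debuggable" = "1" ]; then
    echo DEBUG_BUILD
  else
    echo SHELL_ONLY
  fi
}

# Constructed sample inputs (not captured from a real device).
PROD_PROPS='ro.secure=1
ro.debuggable=0'
ENG_PROPS='[ro.secure]: [0]
[ro.debuggable]: [1]'
SHELL_ID='uid=2000(shell) gid=2000(shell)'
ROOT_ID='uid=0(root) gid=0(root)'

# With --device, query a connected device through adb instead of the samples.
if [ "${1:-}" = "--device" ]; then
  adb_exposure "$(adb shell getprop)" "$(adb shell id)"
else
  printf 'production props, shell uid: %s\n' "$(adb_exposure "$PROD_PROPS" "$SHELL_ID")"
  printf 'eng props, shell uid:        %s\n' "$(adb_exposure "$ENG_PROPS" "$SHELL_ID")"
  printf 'eng props, root uid:         %s\n' "$(adb_exposure "$ENG_PROPS" "$ROOT_ID")"
fi
```

Run it with `--device` against a connected phone to get a real verdict; a production handset should report SHELL_ONLY, and anything else means the ADB path alone is enough to reach the data the slides describe.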
Unlocked Bootloaders
• First boot phone into Fastboot mode
  • Hold down power and volume keys while turning on the phone
  • or adb reboot bootloader
• Then flash or boot a custom image
• Not possible with Genymotion, Nox, or Bluestacks
  • They have no recovery partition
Unlock Bootloader
• Forces factory reset
  • Wipes all user data
  • To stop thieves
Unlocked Bootloader
• If user unlocked the bootloader and left it unlocked
  • Boot into ClockworkMod Recovery ROM (not updated since 2014)
  • Get a root ADB shell
Bypassing Lock Screens
• Using the DISABLE_KEYGUARD Permission
  • Allows an app to remove the lock screen
  • App code:

    // Obtain the system keyguard service
    KeyguardManager kgm = (KeyguardManager) getSystemService("keyguard");
    // Create a named lock; the tag only identifies the caller for debugging
    KeyguardManager.KeyguardLock kgl = kgm.newKeyguardLock("mahh");
    // Hide the keyguard (requires android.permission.DISABLE_KEYGUARD)
    kgl.disableKeyguard();

  • Even though the KeyguardManager.KeyguardLock
Custom Drozer Agent
• drozer agent build --permission android.permission.DISABLE_KEYGUARD
• Install agent with adb, launch it, and bypass screen lock
  • Works on Nox (Android 5.1.1)
  • Fails on Genymotion (Android 9.0)
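A defender's counterpart to the custom agent above, added here as an example (not from the slides, the textbook, or drozer): a script that lists which installed packages actually hold android.permission.DISABLE_KEYGUARD, so an unexpected holder like a freshly installed agent stands out. It parses the text of `adb shell dumpsys package`. Assumptions: the section names it understands ("install permissions:" and "runtime permissions:" with `granted=true` on modern builds, the older "grantedPermissions:" list) match your device's output; confirm against a real dump before relying on it. The sample dump and package names are constructed.

```shell
#!/bin/sh
# Added example, not from the slides or from drozer: report packages that
# have been granted android.permission.DISABLE_KEYGUARD.

# keyguard_disablers TEXT
# TEXT is the output of `adb shell dumpsys package`. Prints, one per line,
# each package whose granted-permission sections list DISABLE_KEYGUARD.
# Entries under "requested permissions:" are ignored: a request is not a
# grant, and modern builds show the grant state explicitly as granted=true/false.
keyguard_disablers() {
  printf '%s\n' "$1" | awk '
    # A new package block resets the package name and the current section.
    /^ *Package \[/ {
      pkg = $0; sub(/^ *Package \[/, "", pkg); sub(/\].*/, "", pkg)
      section = ""; next
    }
    # Permission list headers (assumed format, see lead-in).
    /^ *(requested|install|runtime) permissions:/ { section = $1; next }
    /^ *grantedPermissions:/                      { section = "granted"; next }
    # Any other "name:" header at package-field indent ends a permission list.
    /^    [A-Za-z][A-Za-z ]*:$/                    { section = ""; next }
    index($0, "android.permission.DISABLE_KEYGUARD") &&
      section != "" && section != "requested" &&
      !index($0, "granted=false") && !(pkg in seen) {
      seen[pkg] = 1; print pkg
    }
  '
}

# Constructed sample in the shape of `dumpsys package` output (not captured
# from a real device; the package names are made up).
SAMPLE_DUMPSYS='Packages:
  Package [com.example.agent] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.DISABLE_KEYGUARD
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.DISABLE_KEYGUARD: granted=true
  Package [com.example.notes] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.DISABLE_KEYGUARD
    install permissions:
      android.permission.DISABLE_KEYGUARD: granted=false
  Package [com.example.legacy] (7a8b9c):
    userId=10125
    grantedPermissions:
      android.permission.DISABLE_KEYGUARD
      android.permission.INTERNET'

# With --device, read the dump from a connected device; otherwise use the sample.
if [ "${1:-}" = "--device" ]; then
  keyguard_disablers "$(adb shell dumpsys package)"
else
  keyguard_disablers "$SAMPLE_DUMPSYS"
fi
```

On the sample this prints com.example.agent and com.example.legacy but not com.example.notes, whose grant was refused. Platform components may legitimately appear in the list on a real device; the point is to diff the output over time and investigate newcomers.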
Removing Key Files
• Pattern lock screen uses data from
  • /data/system/gesture.key
• PIN or password lock uses data from
  • /data/system/password.key
• Removing these files disables lock screen entirely
Removing Key Files
• But that requires running as system or root
  • Privilege escalation
Abusing Android Application Issues
• On Android 4.3 and earlier, this intent unlocks the phone from an adb shell in any context:

    shell@android:/ $ am start -n com.android.settings/com.android.settings.ChooseLockGeneric \
        --ez confirm_credentials false \
        --ei lockscreen.password_type 0 --activity-clear-task
    Starting: Intent { flg=0x8000 cmp=com.android.settings/.ChooseLockGeneric (has extras) }
CNIT 128 8. Android Implementation Issues (Part 2)
Using Logic Flaws that Don't Require Shell Access
• Some actions are allowed when a phone is locked
  • Make emergency phone calls
  • Receive phone calls
  • Allow third-party apps to temporarily disable the lock screen
  • Or place an activity in front of it
Motorola Droid
• Phone the locked device
• Answer the call
• Press Back button
• Escape the lock screen
Viber
• Messaging and calling app
• Place a Viber call
• Answer it
• Press the back button multiple times
• Escape the lock screen
Using Legitimate Lock Screen Reset Functionality
• You can bypass a lock screen if you have the user's Google credentials
  • Entering the PIN five times incorrectly
  • Connects to a linked Google account
  • But only for Android 4 and earlier
Android Device Manager
• Allows lock screen to be bypassed from a Google account
• Not active by default--user must enable it
• And it erases all your data (link Ch 8b)
Practical Remote Attacks
Remote Exploits
• Launched over the Internet
• Three modes of exploitation:
  • Loading a drozer JAR that loads a limited agent
  • Installing and starting a rogue drozer agent by abusing INSTALL_PACKAGES
  • Loading a drozer JAR that is passed Context
Browser Memory Corruption
• The most technical method
• Reverse shells via buffer overflow, etc.
• Becoming rarer as the browser becomes more secure
Polaris Viewer Memory Corruption
• Office and PDF file viewer
• Pre-installed on some devices
• Exploited in 2012 with a crafted DOCX file
  • Using a stack-based buffer overflow
• App also had INSTALL_PACKAGES permission
Android Browser JavaScript Interface
• All WebViews using JavaScriptInterface
  • And targeting API before 17
  • Are vulnerable to code execution flaws
• Includes all stock Android browsers on Android 4.1.1 and below
• Can get Context and use full permissions of browser
Use Metasploit
• Link Ch 8c
Privilege Escalation
• Exynos driver exploit on some devices
• Drozer has an exploit.mmap_abuse module
  • Tries to get root by abusing the map device operation
  • Similar to the exynos exploit
  • Dangerous: may cause a kernel panic and reboot the device
Maintaining Access
• Must install a special su binary bundled with Drozer, called "minimal su"
  • Allows every app to escalate to root
  • Without alerting the user
Man-in-the-Middle Exploits
• Getting in the middle
  • Host a wireless network
  • ARP Poisoning
  • Use Burp
Man-in-the-Middle Exploits
• Intercepting SSL requires the ability to get a root CA certificate
  • Only nation-states or very rich attackers
• But many apps ignore this defense and allow MITM attacks anyway