
So hello everyone, guten Tag. My name is Alon Boxiner and today with me is Eran Vaknin. We are both security researchers at Check Point, and today we are going to talk about our latest research, ParseDroid. And before we begin, we have a little tradition with every new conference that we come to, so it's selfie time, be ready. All right, it's mine. Okay, so now that we've taken a selfie, let's begin.

So before we begin, let's talk about ourselves a little. So who are we? We're both security researchers at Check Point. Well, we really like German cars and we are also German car collectors, you can take a look. We have linked our LinkedIn accounts and GitHub accounts, so if you have any
questions, feel free to ask, and if you have a nice job offer, we are really ready for you. So what are we going to talk about today? We are going to talk about the research, ParseDroid. We're going to deep dive into it, we have a little demo, and if we have some time, questions and answers.

So, ParseDroid. Well, the main aim of ParseDroid is targeting the Android development and security community. Basically, ParseDroid is a nickname for multiple vulnerabilities found within the development and research tools; with these vulnerabilities we could penetrate every big organization that performs Android development and security. So what products are vulnerable? Well, one of the most interesting ones is apktool.
Well, if you are not familiar with it, it's an open source tool written in Java; I will elaborate on it in a minute. What else? Well, Android Studio, IntelliJ and Eclipse. These are the three most famous IDEs for Java and Android development and we focused on them, and some say that there are more IDEs that are vulnerable too, but we focused on these ones.

So let's begin. Everything began with an internal pentest that we performed on a Check Point product. Well, this product was executing apktool, and we found it interesting to get into apktool, because there are not many vulnerabilities that were found within apktool and we thought that it would be interesting. So, as I said, apktool is an open source tool written in Java.
It has two main functionalities, the building and the decompiling functionalities. Well, basically, it's taking an APK, which is a zip file, and building an APK is taking all the files that need to be inside the file that you install on your Android device for installing an application and packing them into one APK, and decompiling is the opposite: taking an APK and spreading out the files inside it. With the decompiling functionality, well, apktool is decompiling the DEX files so you have readable code. And we have our little contribution to the project, and that is a spoiler alert. Okay, so in the build process, which I will be focusing on, there is a
functionality that is taking all the files that should be in an APK and packing them into the file. And there are many XML files found inside an APK, and as there are some XML files, there is probably an XML parser, and as we all know, XML parsers suffer from many vulnerabilities. One of them is XXE. XXE is found inside the building functionality of apktool, and that exposes the whole victim's operating system to the attacker. One of the most interesting XML files is the AndroidManifest.xml file, and into this file we could inject malicious XML code that looks like this, and that way we could steal any file that we desire from the victim. So that looks like this:
the victim has a super secret password file. Well, the victim is building our malicious APK, and while the victim is building the malicious APK, the attacker has his files, right?

So this was the review of the apktool vulnerabilities, actually performed by Alon, and now we start focusing on some other tools to be exploited. And we started looking at GitHub for some open source projects messing with Java and XML parsers, and we came across the IntelliJ IDEA code, which is an open source tool, and then we found the XML parser configuration, which is also vulnerable to XXE attack. And then we had some questions, some really important questions for the future of the research, and it was: is
Android Studio, Eclipse, IntelliJ, which are the most powerful IDEs in the market today, vulnerable? And the answer was absolutely yes. Actually, the attack payload, the attack vector of exploiting the IDEs, was kind of different, because we had to mess with AARs. AARs, to those who are not familiar with it, are like libraries for building an application. Every Android application developer needs to have some AARs inside his application to leverage the functionality of the project and make his applications bigger and stronger and more beautiful. All right. And so we researched the structure of the AAR, and we found that inside the AAR there is also an AndroidManifest.xml file, and we thought to ourselves, it is possible
to inject our AndroidManifest XXE payload inside an AAR and upload it to some remote repository like a Maven repository. Then we'll need to rank our AAR as some valuable and famous AAR that everybody will download and import into their project, and when this happens, like this line of code, from the Maven repository into the Gradle configuration file, it will be possible to steal from the operating system of any victim, or any developer, that actually performs this kind of action. And stealing files, maybe you can take it to an advantage to steal any file from the operating system, any file from the project itself. And it was very
critical, but we didn't want to finish the research; we wanted to go back to apktool and start thinking if there were maybe some other critical vulnerabilities that could be found there. And there were absolutely some additional critical vulnerabilities. apktool has a configuration file called apktool.yml. This configuration file actually configures the application how to decompile the appropriate sections of the APK, and inside apktool.yml there is a section called unknownFiles that is responsible for telling apktool which files or folders should not be decoded within the decompile process. And we took this to the advantage of our attack and
made a path manipulation attack, or path traversal attack, inside the unknownFiles section, and this would lead to path traversal, which possibly can lead to RCE on some APK analyzers, APK decoders, which are online services. And on the offline side, there are some possibilities to move some necessary files of the operating system, and when the boot loads, or in some other critical area, it will be executed on the operating system itself. And this is actually what we thought about when we saw that this actually happens and works. And now it's time for the demo, so Alon, take it.

Okay, so demo time. Okay, so we have two scenarios to show you. The first one is
attacking through public repositories. As Eran mentioned, an attacker has to upload an AAR into a public repository, for example some sort of Maven repository. We are uploading the malicious AAR, containing the malicious XML code inside, and once we've uploaded it, all the victim has to do is search for an AAR, copy the line of code into his project, sync, and we have his files.
So we stole some files. The second scenario is basically uploading a malicious APK into an online APK analyzer. We have managed to create a malicious APK; now we are building it using apktool, and the attacker uploads the malicious APK, containing a PHP shell inside, into the online analyzer. We approach the shell and execute some commands.

So we reported the vulnerabilities to the vendors last year. They all came across and told us that it was nice. Google had even sent us a nice mail, but no money, because of the bounty program. And they all fixed it pretty quickly: apktool fixed it in, I don't know, like two or three days, Google fixed it in a week, and the others
fixed it a bit later. And that's it, so I think we have time for some questions. Any questions from the crowd? [Applause]
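The two bugs the talk walks through, an external entity declared in the AndroidManifest.xml of an AAR or APK and a traversal path in the unknownFiles map of apktool.yml, can both be pre-screened before an archive reaches a build tool or an online analyzer. The script below is an added example written for this page; it is not code from the talk, from Check Point, or from the apktool project. The AAR, the two manifests and the apktool.yml fragment are constructed inline for the example, and the unknownFiles reader is a deliberately minimal line parser rather than a YAML library, so it runs on a bare interpreter.

```python
import io
import posixpath
import re
import zipfile

# Constructed sample: a minimal AAR whose AndroidManifest.xml carries the kind of XXE
# payload the talk describes, an external entity that a DTD-resolving parser reads at build time.
XXE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE manifest [
  <!ENTITY secret SYSTEM "file:///etc/passwd">
]>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.lib">
    <application android:label="&secret;"/>
</manifest>
"""

CLEAN_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.lib">
    <application/>
</manifest>
"""

# Constructed apktool.yml fragment: two ordinary unknownFiles entries plus a traversal key
# and an absolute key of the kind a malicious APK could carry.
SAMPLE_APKTOOL_YML = """apkFileName: sample.apk
unknownFiles:
  assets/hidden.txt: '8'
  res/raw/data.bin: '0'
  ../../../../var/www/html/shell.php: '8'
  /etc/cron.d/evil: '8'
doNotCompress:
- resources.arsc
"""

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
# <!ENTITY name SYSTEM ...> or a parameter entity <!ENTITY % name PUBLIC ...>
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def build_aar(manifest: bytes) -> bytes:
    """Build an in-memory AAR (a zip) holding the given AndroidManifest.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.jar", b"")
    return buf.getvalue()


def find_xxe_indicators(archive: bytes) -> list:
    """Return (member, indicator) pairs for every XML member of an AAR/APK that declares a
    DTD or an external entity; anything non-empty is grounds to reject the archive before
    a DTD-resolving XML parser ever sees it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            data = zf.read(name)
            if DOCTYPE_RE.search(data):
                findings.append((name, "DOCTYPE"))
            for m in EXTERNAL_ENTITY_RE.finditer(data):
                findings.append((name, "external entity " + m.group(1).decode().upper()))
    return findings


def parse_unknown_files(yml_text: str) -> list:
    """Return the path keys of the unknownFiles block ('path: compression' map).
    Deliberately a minimal line reader, not a YAML library; it understands only this block."""
    paths, in_block = [], False
    for line in yml_text.splitlines():
        if line.startswith("unknownFiles:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith("  "):
                break
            paths.append(line.strip().rsplit(":", 1)[0])
    return paths


def classify_unknown_files(paths: list) -> tuple:
    """Split unknownFiles keys into (safe, rejected). Rejects absolute paths, drive letters,
    NUL bytes and any key that normalises above the output directory, which is the traversal
    primitive the talk describes. Backslashes count as separators so Windows-style keys
    cannot slip past a POSIX-only check."""
    safe, rejected = [], []
    for raw in paths:
        p = raw.replace("\\", "/")
        if "\x00" in p or posixpath.isabs(p) or re.match(r"^[A-Za-z]:", p):
            rejected.append(raw)
            continue
        norm = posixpath.normpath(p)
        if norm == ".." or norm.startswith("../"):
            rejected.append(raw)
        else:
            safe.append(raw)
    return safe, rejected


if __name__ == "__main__":
    print(find_xxe_indicators(build_aar(XXE_MANIFEST)))
    print(classify_unknown_files(parse_unknown_files(SAMPLE_APKTOOL_YML)))
```

The scan is a gate for archives pulled from a repository you do not control; it is not a substitute for fixing the parser. For the Xerces-based parsers used by the Java tools the talk names, the parser-side fix is to refuse DTDs outright by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true, after which an `<!ENTITY ... SYSTEM ...>` declaration is a parse error rather than a file read. The unknownFiles check normalises each key before deciding, so `ok/../fine.txt` is accepted while `a/../../x` is rejected, which is the distinction a plain substring search for `..` gets wrong.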