Sunday 27 April 2014

Wickr account cloning vulnerability

USB backup attacks against Android applications

 Android allows users to make online backups of their application data. This happens silently based on settings created by the applications' developers (http://developer.android.com/google/backup/index.html). According to the documentation, the data is held in "cloud storage" (the exact definition will vary based on the OEM), allowing users to restore their data when they get a new phone.

 But the backup function also allows users to make backups over USB using the "adb backup" command. This command will backup data from all applications that have not explicitly set the allowBackup flag to false in their manifest. The data that is retrieved is taken from the sandbox of the applications, in escence giving users access to the contents of their applications' sandboxes without being root. This is something that the shell user can not normally do. For an excellent writeup as to how to access, edit and restore data using adb backup by Nikolay Elenkov see here: http://nelenkov.blogspot.co.uk/2012/06/unpacking-android-backups.html

 As far as an attack vector it is often contrived and unrealistic. Essentially an attacker would need to have physical access to an unlocked phone. If they have this then they could do all manner of nasty things, like replace applications, install trojans or just ringing their premium rate phone line.

 For a number of applications however, the vector is more reasonable. The value of the assets is high and they can only be accessed from the sandbox. Below are three applications that can be compromised using the ADB backup restore functionality:


MyWicker (com.mywickr.wickr) - 1.9.8.8 Beta
F-Secure Freedome VPN (com.fsecure.freedome.vpn.security.privacy.android) - 1.04
OpenVPN(net.openvpn.openvpn) - 1.1.12


OpenVPN / F-Secure Freedome VPN

Both the OpenVPN and F-Secure Freedome were found to allow backups over ADB

According to Android documentation:
android:allowbackup
Whether to allow the application to participate in the backup and restore infrastructure. If this attribute is set to false, no backup or restore of the application will ever be performed, even by a full-system backup that would otherwise cause all application data to be saved via adb. The default value of this attribute is true.

Performing a backup on the Freedome app we can see the following:

androidvm@androidvm:/tmp$ adb backup com.fsecure.freedome.vpn.security.privacy.android
Now unlock your device and confirm the backup operation.
androidvm@androidvm:/tmp$ dd if=backup.ab bs=1 skip=24| openssl zlib -d > backup.tar
8726+0 records in
8726+0 records out
8726 bytes (8.7 kB) copied, 0.0134311 s, 650 kB/s
androidvm@androidvm:/tmp$ tar -xaf backup.tar
androidvm@androidvm:/tmp$ cd apps/com.fsecure.freedome.vpn.security.privacy.android/
androidvm@androidvm:/tmp/apps/com.fsecure.freedome.vpn.security.privacy.android$ ls -la
total 24
drwxrwxr-x 5 androidvm androidvm 4096 Jan 14 16:15 .
drwxrwxr-x 3 androidvm androidvm 4096 Jan 14 16:15 ..
drwxrwxr-x 2 androidvm androidvm 4096 Jan 14 16:15 f
-rw------- 1 androidvm androidvm 1506 Jan 14 16:15 _manifest
drwxrwxr-x 2 androidvm androidvm 4096 Jan 14 16:15 r
drwxrwxr-x 2 androidvm androidvm 4096 Jan 14 16:15 sp
androidvm@androidvm:/tmp/apps/com.fsecure.freedome.vpn.security.privacy.android$ ls f/
clp-beta-prov.client.crt  clp-beta-prov.client.key  clp-beta-prov.servers.conf  clp-ca-server.pem  pvpn.conf


We can see that there are a number of files available for us either to just read, or to alter and restore.

For Freedome, we are able to overwrite the configuration and key files used by the application. This would mean that every time the user then ran this application, they would connect to our malicious VPN. This would allow us to MITM the user's traffic.

The OpenVPN looked almost identical in terms of what we could access and change. This would give us access to their private VPN keys and configuration, letting us connect to the user's VPN. It would also allow us to overwrite the VPN settings as per Freedome and have them connect to our malicious VPN without them realising.

Wickr

Wickr was found to also allow backups by not explicitly disabling it

MyWickr allows users to select the "remember me" option. If this is selected (the user must accept a warning), then they can log in to the app without entering their password. When they choose this option, two extra files are created in the sandbox (pcc.wic and pcd.wic). These can be accessed using the ADB backup.

androidvm@androidvm:/tmp/com.mywickr.wickr$ ls
db  f  _manifest  r  sp
androidvm@androidvm:/tmp/com.mywickr.wickr$ ls f/
icu  magic.mgc  pcc.wic  pcd.wic


This would allow an attacker to clone an account by performing and ADB backup on the victim device and then an ADB restore on to a different device. A safe guard against this is that Wickr's functionality relies on the Android device ID for decryption. Unfortunately, Wickr store the device ID when the app is first run in a shared preferences file. As this is copied as part of the backup, the security control doesn't work.

It is therefore possible for an attacker to clone a Wickr account on to a different device using the ADB backup/restore functionality. Below is a video demo-ing a wickr account on the device to the left being cloned on to a device on the right.



Communication with Wickr

19-01-2014 - Emailed Wickr with details of vulnerability
12-02-2014 - Wickr replied accepting issue as a valid vulnerability
15-04-2014 - Wickr permitted vulnerability to be disclosed