USB backup attacks against Android applicationsAndroid allows users to make online backups of their application data. This happens silently based on settings created by the applications' developers (http://developer.android.com/google/backup/index.html). According to the documentation, the data is held in "cloud storage" (the exact definition will vary based on the OEM), allowing users to restore their data when they get a new phone.
But the backup function also allows users to make backups over USB using the "adb backup" command. This command will backup data from all applications that have not explicitly set the allowBackup flag to false in their manifest. The data that is retrieved is taken from the sandbox of the applications, in escence giving users access to the contents of their applications' sandboxes without being root. This is something that the shell user can not normally do. For an excellent writeup as to how to access, edit and restore data using adb backup by Nikolay Elenkov see here: http://nelenkov.blogspot.co.uk/2012/06/unpacking-android-backups.html
As far as an attack vector it is often contrived and unrealistic. Essentially an attacker would need to have physical access to an unlocked phone. If they have this then they could do all manner of nasty things, like replace applications, install trojans or just ringing their premium rate phone line.
For a number of applications however, the vector is more reasonable. The value of the assets is high and they can only be accessed from the sandbox. Below are three applications that can be compromised using the ADB backup restore functionality:
MyWicker (com.mywickr.wickr) - 126.96.36.199 Beta
F-Secure Freedome VPN (com.fsecure.freedome.vpn.security.privacy.android) - 1.04
OpenVPN(net.openvpn.openvpn) - 1.1.12
OpenVPN / F-Secure Freedome VPNBoth the OpenVPN and F-Secure Freedome were found to allow backups over ADB
According to Android documentation:
Whether to allow the application to participate in the backup and restore infrastructure. If this attribute is set to false, no backup or restore of the application will ever be performed, even by a full-system backup that would otherwise cause all application data to be saved via adb. The default value of this attribute is true.
Performing a backup on the Freedome app we can see the following:
androidvm@androidvm:/tmp$ adb backup com.fsecure.freedome.vpn.security.privacy.android Now unlock your device and confirm the backup operation. androidvm@androidvm:/tmp$ dd if=backup.ab bs=1 skip=24| openssl zlib -d > backup.tar 8726+0 records in 8726+0 records out 8726 bytes (8.7 kB) copied, 0.0134311 s, 650 kB/s androidvm@androidvm:/tmp$ tar -xaf backup.tar androidvm@androidvm:/tmp$ cd apps/com.fsecure.freedome.vpn.security.privacy.android/ androidvm@androidvm:/tmp/apps/com.fsecure.freedome.vpn.security.privacy.android$ ls -la total 24 drwxrwxr-x 5 androidvm androidvm 4096 Jan 14 16:15 . drwxrwxr-x 3 androidvm androidvm 4096 Jan 14 16:15 .. drwxrwxr-x 2 androidvm androidvm 4096 Jan 14 16:15 f -rw------- 1 androidvm androidvm 1506 Jan 14 16:15 _manifest drwxrwxr-x 2 androidvm androidvm 4096 Jan 14 16:15 r drwxrwxr-x 2 androidvm androidvm 4096 Jan 14 16:15 sp androidvm@androidvm:/tmp/apps/com.fsecure.freedome.vpn.security.privacy.android$ ls f/ clp-beta-prov.client.crt clp-beta-prov.client.key clp-beta-prov.servers.conf clp-ca-server.pem pvpn.conf
We can see that there are a number of files available for us either to just read, or to alter and restore.
For Freedome, we are able to overwrite the configuration and key files used by the application. This would mean that every time the user then ran this application, they would connect to our malicious VPN. This would allow us to MITM the user's traffic.
The OpenVPN looked almost identical in terms of what we could access and change. This would give us access to their private VPN keys and configuration, letting us connect to the user's VPN. It would also allow us to overwrite the VPN settings as per Freedome and have them connect to our malicious VPN without them realising.
WickrWickr was found to also allow backups by not explicitly disabling it
MyWickr allows users to select the "remember me" option. If this is selected (the user must accept a warning), then they can log in to the app without entering their password. When they choose this option, two extra files are created in the sandbox (pcc.wic and pcd.wic). These can be accessed using the ADB backup.
androidvm@androidvm:/tmp/com.mywickr.wickr$ ls db f _manifest r sp androidvm@androidvm:/tmp/com.mywickr.wickr$ ls f/ icu magic.mgc pcc.wic pcd.wic
This would allow an attacker to clone an account by performing and ADB backup on the victim device and then an ADB restore on to a different device. A safe guard against this is that Wickr's functionality relies on the Android device ID for decryption. Unfortunately, Wickr store the device ID when the app is first run in a shared preferences file. As this is copied as part of the backup, the security control doesn't work.
It is therefore possible for an attacker to clone a Wickr account on to a different device using the ADB backup/restore functionality. Below is a video demo-ing a wickr account on the device to the left being cloned on to a device on the right.
Communication with Wickr19-01-2014 - Emailed Wickr with details of vulnerability
12-02-2014 - Wickr replied accepting issue as a valid vulnerability
15-04-2014 - Wickr permitted vulnerability to be disclosed