Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing Android Permissions From All Protection Levels- 994

Nikita Kurtin - DEFCON 30
Posted 3 Years Ago
  • The goal of the talk was to figure out what an application could do with no permissions granted. Android has three types of permissions for actions:
    • Application defined. These are permissions and capabilities declared in the app manifest of an application.
    • Runtime (Dangerous). Things like location and phone calls, which must be confirmed by the user when they are used.
    • System permissions. These require leaving the application, going into the Android settings and explicitly granting the capability to the application.
  • Every Android application receives a set of default permissions. The author dug into what these were in order to analyze the attack surface. Some of them allow interaction with other applications, such as Chrome, which raises the question: if we don't have a permission, can we convince another app to do the work for us?
  • The first bypass was of the INTERNET permission. An application without it cannot make web requests. However, the Chrome deeplink (an implicit intent) allows sending an arbitrary request through Chrome, and the response can name the app to send the data back to. With this, the author was able to make a web request without holding the INTERNET permission!
  • There is a special capability called SYSTEM_ALERT_WINDOW which can only be used from extremely privileged locations. User applications obviously cannot trigger it directly. But can anything mimic its functionality?
  • TOAST is meant for displaying short messages to the user, but it can be used to display almost anything: webviews, pictures, even videos that cover the entire screen. In theory a toast is limited to 4 seconds, but it can simply be shown over and over again to get around that limit.
  • The fake system message can be used for clickjacking and ransomware. The clickjacking is particularly bad since a click can be hijacked to approve the location permission or start a phone call. Overall, interesting research into bypassing the permission boundaries of the Android ecosystem.
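The defensive counterpart to the overlay clickjacking described above, as an added example that is not from the talk or this page: an app protecting its own sensitive button with the framework's obscured-touch filtering, the MotionEvent obscured flags, and (Android 12+) a request to hide other apps' overlay windows. The activity, layout id and button id are hypothetical.

```java
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;

// Hypothetical screen with one sensitive action (e.g. starting a call or confirming
// a permission-like choice). Assumes a layout R.layout.activity_sensitive with a
// Button whose id is R.id.sensitive_action (both names are made up for this example).
public class SensitiveActionActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_sensitive);

        // Android 12+: ask the system to hide other apps' overlay windows while this
        // window is on top. Requires android.permission.HIDE_OVERLAY_WINDOWS (a normal
        // permission) to be declared in the manifest.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        Button action = findViewById(R.id.sensitive_action);

        // Framework-level tapjacking defence: the view discards touches delivered
        // while another window is drawn over it.
        action.setFilterTouchesWhenObscured(true);

        // Check the obscured flags ourselves too, so the user is told why the tap
        // was ignored instead of it silently doing nothing.
        action.setOnTouchListener((v, event) -> {
            if (event.getAction() == MotionEvent.ACTION_DOWN && isObscured(event)) {
                Toast.makeText(this, "Blocked: another app is drawing over this screen",
                        Toast.LENGTH_SHORT).show();
                return true;  // consume the event so the click never fires
            }
            return false;     // normal path: let the Button handle it
        });
        action.setOnClickListener(v -> performSensitiveAction());
    }

    /** True if the touch passed through a window above ours (full or partial overlay). */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        return obscured;
    }

    private void performSensitiveAction() { /* the real privileged operation goes here */ }
}
```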