Android Security: Dangers of hybrid frameworks (XDA:Devcon14 write-up)

At the end of September I gave a presentation at xda:devcon14 that gave an overview of attack surfaces in Android and of security issues in web-based applications. I have put my slides online on SlideShare, and since a lot of people asked questions, I decided to post a write-up.

Attack Surfaces

A big part of the presentation covers attack surfaces in Android. What are they?

Attack surfaces are pieces of code that can be reached by anyone who has access to a system. They are the open flanks of a system: the places that accept input or allow code execution, not necessarily from a malicious user. An attacker will usually look here first, as these are the most interesting places to manipulate.

In order to decide which attack surfaces to try, an attacker considers some properties of each surface, as mentioned in the slides. These properties determine what the attacker gains by compromising the surface entirely, or just the code behind it. The general rule is that an attacker will try to gain as many privileges as possible with the least investment of resources and time.

I will not cover all the attack surfaces, only the one that is interesting for web-based applications. This is the remote attack surface, more specifically the WebView component. This is a class that offers functionality to render web content using the WebKit rendering engine. It is a broad attack surface, as a lot of web technologies and protocols need to be supported. Each of these is an attack surface on its own, with its own vulnerabilities and security model, which can be in conflict with the Android security model. That is exactly the case when we consider hybrid frameworks.

To be on the same page, I define a web-based Android application as an application that uses the WebView class to render web content.

JavaScript-Java Bridges, burn them

Security issues arise when you use a JavaScript-Java bridge in your web-based application. The WebView class allows JavaScript to call Java native code; you register the Java object whose methods can be called by using addJavascriptInterface(). The security issues become apparent when you don’t know which content you are loading.

What happens with JavaScript being loaded in an iframe? Or, more generally, with JavaScript coming from a third-party source?

Basically, there is nothing stopping that JavaScript from calling the Java native code behind your bridge. Android uses a permissions model to allow apps to perform certain actions, yet third-party JavaScript can call the same public methods exposed by the JS bridge, because the Same-Origin Policy is not applied to the bridge. On one side there is native code running under the permissions security model, on the other side web content that is bound to the SOP. These two security models do not interleave perfectly, and that allows attackers to use functionality the user never granted permissions for.

Hybrid Frameworks (Apache Cordova, Sencha Touch, …)

Hybrid frameworks are frameworks that let you develop a web application using, for example, HTML5, CSS and JavaScript. They allow you to package your application to run cross-platform. The benefit of this approach is that you only need to develop your application once and can then package it for the different platforms. This saves time and money if you need to pay the developers.

When packaging your application for Android, the following happens. Your web application is nothing more than web content running in a WebView. These frameworks come by default with a Java-JS bridge that is reachable by any content loaded in that WebView, so the same problems arise as mentioned above for plain WebView applications. There are, however, solutions to these problems.

Domain Whitelisting

Just implement your own origin policy! You decide which third parties you trust. For hybrid frameworks it is fairly easy: just use the domain whitelisting functionality. The funny part is that, by default, this is configured to allow every domain. Yeah, you’re welcome.

In applications using a WebView component, the solution is to intercept page loads and resource-loading requests and implement whitelist logic that denies loading if you don’t trust the origin. The slides give you the two interesting methods you need to override: shouldOverrideUrlLoading() and shouldInterceptRequest().
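The whitelist approach above, written out as an added example (this is not code from the talk or from any hybrid framework). Both callbacks live on WebViewClient, which is what you attach to the WebView; the host name app.example.com, the DeviceBridge class and the Device object name are assumptions made up for the example. The @JavascriptInterface annotation is required on bridge methods since API 17 (without it no methods are exposed on modern Android), so the bridge only ever exposes what you annotate, and the client only lets whitelisted HTTPS origins load at all.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** WebViewClient that only lets whitelisted origins load pages or sub-resources. */
public class WhitelistingWebViewClient extends WebViewClient {
    // Constructed example whitelist: only our own HTTPS host is trusted (assumed name).
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    /** True only for https URLs whose host is on the whitelist. */
    static boolean isTrusted(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();          // may be null for javascript:, data:, about: URLs
        return "https".equals(uri.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    // Top-level navigations: returning true means "we handled it", i.e. the load is blocked.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isTrusted(url);
    }

    // Sub-resources (scripts, iframes, images): hand back an empty response instead of fetching.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isTrusted(url)) {
            return null;                      // null = let the WebView load it normally
        }
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }

    /** Bridge object (assumed name): only @JavascriptInterface methods are callable from JS. */
    public static class DeviceBridge {
        @JavascriptInterface
        public String getAppVersion() {
            return "1.0";
        }
        // Anything without the annotation stays invisible to page content.
        public String secretNotExposed() {
            return "not reachable from JavaScript";
        }
    }

    /** Wires the client and the bridge to a WebView and loads the trusted start page. */
    @SuppressLint("SetJavaScriptEnabled")
    static void install(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WhitelistingWebViewClient());
        webView.addJavascriptInterface(new DeviceBridge(), "Device");
        webView.loadUrl("https://app.example.com/");
    }
}
```

With this in place a third-party script that somehow ends up in an iframe is never fetched, because shouldInterceptRequest() answers with an empty body for any origin not on the list; the check is on scheme and host, so a plain-HTTP copy of your own domain is refused as well.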

When a third-party ad network is used, the same vulnerabilities are present, as ad networks can inject third-party content. A recent study by MWRLabs found the following numbers:

A script was then crafted to automatically download Android applications, decompile them and identify if an ad network was in use, and if so determine if it is vulnerable. Out of the 1,000 top applications 570 were found to be vulnerable.

This means that over 50% of the top 1,000 web-based Android applications are vulnerable. Makes you think: if security is a key aspect and concern, stay away from web-based applications. It is very tricky to get right, and in the end native coding is more fun ;-)


PS: Those who want to see the talk, it was filmed, but is not yet online. Keep an eye on this blog or my twitter feed ;-)

First conference talk. Exciting!

So tomorrow starts an exciting and stressful three days. I will be talking at xda:devcon, which is a pretty big deal for me. I have never done something like this, but because of the topic I have a strangely relaxed feeling. Strange in the sense that I would expect to be far more stressed, but that will probably come tomorrow or Saturday. *knocks on wood*

I like my topic (Android Security) because it combines my two big passions in the field of computer science: an awesome mobile platform (Android) and computer security. Hence my talk will be an introduction to Android and attack surfaces on Android, and I will end my talk with security in web-based Android applications. The full abstract of the talk:

Android Security Overview and Safe Practices for Web-Based Android Applications

The talk will start with a brief overview of the different layers of the Android platform, highlighting interesting parts for attackers. Layers covered will be: Android apps, Android Framework, Dalvik Virtual Machine, User-space native code, The kernel.

Next, the talk will cover the attack surface of Android, covering several attack surfaces, for example: remote attacks, physical, local…

And last, the bigger part of the presentation will cover web-based apps. These are apps made with web technology and compiled into native apps by using for example: Apache Cordova. Web applications have different security issues than native applications. I will try to inspire developers to take better care of security when using and developing their own web-based app using the WebView component. This component has been a big source of application vulnerabilities along with the JavaScriptInterface logic.

Another thing I like about giving the talk is the fact that it is scheduled at an awesome conference. xda:devcon is a community for and by developers, helping each other and always raising the bar in Android development. When I joined the community several years ago, I never thought I would one day be giving a presentation at a conference organized by XDA-Developers. Really looking forward to meeting new talented people. If you want to stay tuned you can follow me on twitter or fb, where I will probably be spamming the living shit out of it.

For the interested, there will be no livestream but the presentation is likely to be filmed and put on YouTube.

Well, wish me luck!


PS: BIG BIG UP for my sister, she graduated today and received her second diploma! Proud brother here!

Internship: Interesting week

Hi there folks! In between washing clothes and studying, I’m having a small break for writing a blog post. Last week has been a good week, a lot of interesting things happened! I worked on a fork of the BouncyCastle crypto library to use in an Android runtime environment. Something similar to SpongyCastle, but to be independent and have our own Java security provider, we prefer to fork the BouncyCastle library and add our own changes. My job was to perform an upgrade to the new BouncyCastle version. This means pulling in the code and fixing the problems that arise with incompatible or new code. I finished the project rather early and have some time left on my hands.

Since I have time left, my boss proposed to teach me how to program Hardware Security Modules (HSMs) and set up Public Key Infrastructures (PKIs), which are core systems in, for example, every security system of a bank. They make sure your transactions are performed in a secure and trusted environment. This will be a very hands-on experience which I don’t think you can learn in school (apparently some dare to discuss that, if you make the right choice of course); the experience of someone in the industry is really big. That’s something I started to realize early on in my internship and now am more than aware of.

Besides work I also did some things, which for the most part consisted of studying for my exams. Other than that I also skyped with my girlfriend, who flew to Peru on Tuesday, where she will be staying till the end of December! Thank God for technology like Skype; imagine if I could only write letters or e-mails to her and not see her pretty face!

We also had colleagues in from a Dutch company called Advanced Encryption Technology (AET Europe). I personally did not have much to do with them, as my project is focused on a whole other part of the business than the one they are conducting. But this meant that we went for dinner in the evenings on Thursday and Friday. Had the best fish in the world on Friday by the way, truly marvelous. Despite the fact that you learn a lot at the internship itself, you learn more from these dinner talks. How things are done on a managing level, as everybody (besides the Spanish intern José and me) sitting at the table had managing positions. Interesting talk with the head manager on how he selects his people and how they do the sales and development of their product. Too much to sum up here.

Signing off for now, got some work to do, groceries and studying => woohoo! This will be my last post originating from a Swiss IP. Although I might use a Swiss VPN in the future, which technically would invalidate my claim that this will be my last post from a Swiss IP address. Oh well, you get my point.

Cheers, folks!


PS: My last project is being open-sourced at

Interning: week 5: Whirlpool of emotions

Long time no see, as they say.. the last weeks were so busy, full of emotions and passed fast, I hardly found the time to write. The internship is going awesomely well. Finished the first part of the project, which was a kind of penetration testing and checking for information leaks. Now busy on the second part of the project, which is updating a BouncyCastle fork for the Android framework. By far the most interesting library project in Android I have done.

Besides work I also had some free time here in Switzerland, I kid you not! =D I mostly worked long days, but that is compensated by starting late in the morning. Anyhow, in my weekends I visited a friend up in the mountains, which was a nice experience! Last weekend was magical, my girlfriend came to visit me, had the best weekend so far here in Switzerland. Miss her every bit of the way. And this coming weekend my sister will visit with her boyfriend! Yeah agreed, I’m spoiled.

Okay, enough with the emotional stuff. Really loving the vibe at work; due to the small size of the team I have very good contact with everyone in the office. Which basically nowadays is my boss, a colleague and the other intern haha :D Learning a lot of stuff which is impossible to learn at school. Going from the JCA/JCE frameworks in Java and concepts and techniques for implementing crypto systems to working with HSMs (Hardware Security Modules) and EJBCA-enabled appliances (for PKIs).

For the interested reader, I will be talking at XDA-DevCon, which runs from the 26th till the 28th of September in Manchester, UK. My talk will be about “Android Security Overview and Safe Practices for Web-Based Android Applications”. Still tickets available!

Looking forward to the last two weeks (tomorrow is a national holiday in Switzerland, yeaaah), signing off for now!



Week 2: Interning, eating veggie and doing laundry

It has been a while since I wrote a blog post about my internship (more than a week, woooah); anyhow, I’ve got half an hour to spare as I’m doing the laundry. Yes, for the second time, no I have not ruined my clothes. Yet.

Made some progress at work, nothing too fancy but nevertheless it was progress. For obvious reasons I won’t go into much detail. Oh, and while compiling some stuff which I needed for a cross-compilation, I managed to wreck my Linux distro. On a Friday. Yeah, not the best way to end your week.

On Thursday my boss Thomas took me to the oldest vegetarian restaurant in the world: Hiltl. I love meat, so needless to say I was a little bit skeptical about eating vegetarian. I must say, that vegetarian burger was quite good. The restaurant was also simply amazing. I would certainly recommend it when going to Zürich, even when you’re not a vegetarian. After Hiltl we went to a panorama bar in the center of Zürich. First you enter a restaurant, and at the end of the restaurant there is an elevator which brings you to the sky bar. It is called Jules Verne, after the famous French writer. The view there was amazing. Not that cheap though ;-)

Whoops, there goes my alarm. Time to fetch the freshly washed clothes. Look at me, doing all the grown-up stuff.



PS: Go Belgium!!! Seriously Messi, just have a bad day today, thaaaaat would be great.


Serious crypto vulnerability in Android

The whole mobile/Android world was shocked when a new vulnerability was disclosed which, to sum it up, weakens the security of the built-in KeyStore. However, the Android fanboy in me couldn’t help but notice that a lot of media failed to cover the story correctly. Bear with me here, it will get a little bit technical.

“The vulnerability resides in the Android KeyStore, a highly sensitive region of the Google-made operating system dedicated to storing cryptographic keys and similar credentials, according to an advisory published this week by IBM security researchers. By exploiting the bug, attackers can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets. The advisory said Google has patched the stack-based buffer overflow only in version 4.4, aka KitKat, of Android. In an update, IBM said the vulnerability affected only version 4.3, which runs on about 10.3 percent of handsets.”

Now, a stack-based overflow itself is not that hard to exploit. However, every self-respecting security team in a big software company knows and implements countermeasures against these overflows. Android, for example, uses two major ones: data execution prevention and address space layout randomization (ASLR). Without going into the technical details, this makes it pretty hard for an attacker to execute their own malicious code. But assume for now that an attacker has the possibility to do this. It’s still pretty difficult to actually exploit. Whenever you inject code into the stack on the Android OS, the code is converted to an ASCII 7-bit representation. So what, you may ask. Well, basically this reduces the set of instructions that can be executed. Because of this 7-bit representation, the most significant bit of every byte is changed to 0 and you can’t encode values less than b’0011000. This restricts you to code words of the form b’0xxxxxxx 0xxxxxxx 0xxxxxxx 0xxxxxxx. Now consider this chart, which represents the instruction set of an ARMv7 CPU, frequently used in Android devices.

Instruction set ARMv7 CPU


If you look at the chart and apply the 7-bit representation explained above, you can see that all condition codes must start with a 0. That immediately throws out “always execute”, so every instruction you encode will be conditional. Furthermore, your Rd register always starts with a 0: a pain in the ass, but not something you can’t bypass. Basically you can only write to half the registers, bummer. Consider the compare instructions: these all require a non-ASCII character. Whoops, no comparisons for you. To finish off, the ADD instruction. The values you can add are constrained by the requirement that they do not include ASCII values below 0x30, so depending on what operand you choose you can only pass in certain values. To sum it up, you can’t use most of the instructions, you can’t write to most of the registers, and your immediate operands are sharply constrained. Nevertheless the exploit is something that should be taken care of, but not something that should keep you awake at night.
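To make the argument above concrete, here is an added example (mine, not from the post or from the IBM advisory) that checks a 32-bit ARM instruction word against the constraint the text describes, every byte a 7-bit ASCII value of at least 0x30, and decodes the two fields the text discusses: the condition code in bits 31..28 and the Rd field in bits 15..12 of a data-processing instruction. It assumes the classic 32-bit ARM encoding, not Thumb, and the two sample words are constructed for illustration.

```java
/** Reasoning helper for the "7-bit ASCII only" constraint on injected ARM code words. */
public final class AsciiArmWord {
    private static final String[] COND = {
        "EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
        "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV" };

    /** The four bytes of the word as they sit in memory (little-endian). */
    static int[] bytesOf(int word) {
        return new int[] {
            word & 0xFF, (word >>> 8) & 0xFF, (word >>> 16) & 0xFF, (word >>> 24) & 0xFF };
    }

    /** True if every byte is 7-bit ASCII and not below 0x30, as the text requires. */
    static boolean isEncodable(int word) {
        for (int b : bytesOf(word)) {
            if (b < 0x30 || b > 0x7F) {
                return false;
            }
        }
        return true;
    }

    /** Condition field, bits 31..28. Bit 31 is the top bit of the highest byte,
     *  so an encodable word can never carry cond = 1110 (AL, "always execute"). */
    static String condOf(int word) {
        return COND[word >>> 28];
    }

    /** Rd field of a data-processing instruction, bits 15..12. Bit 15 is the top bit
     *  of the second byte, so an encodable word can only name r0..r7. */
    static int rdOf(int word) {
        return (word >>> 12) & 0xF;
    }

    public static void main(String[] args) {
        // Constructed sample: ADD r0, r1, #1 with cond = AL encodes as 0xE2810001.
        int addAlways = 0xE2810001;
        // Constructed sample: a word made only of printable ASCII bytes ('0' repeated).
        int allAscii = 0x30303030;
        for (int w : new int[] { addAlways, allAscii }) {
            System.out.printf("%08x encodable=%b cond=%s rd=%d%n",
                    w, isEncodable(w), condOf(w), rdOf(w));
        }
    }
}
```

Running it shows the unconditional ADD rejected because its top byte (0xE2) has the high bit set, while the all-ASCII word passes but decodes to a conditional instruction (cond 0011 = CC) with Rd in the low half of the register file, which is exactly why the text calls the constraint painful but not fatal.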

Cryptography everywhere

Halfway through my first week, I have already learned a lot of new things. Monday was pretty chill: did some touring in the city with the secretary and got to know my boss in person. Everyone was friendly and easygoing. In the afternoon I got introduced to the company’s products and fields of business, which are smart-card systems and Public Key Infrastructures (PKI). Yesterday and today I got extensive workshop sessions from my daily supervisor. We covered A LOT.

We started off with the basic concepts and techniques of the Java Cryptography Architecture (JCA) and Java Cryptography Extension (JCE) APIs, basically the components that put security and crypto into the Java platform. I got drilled in symmetric and asymmetric cryptography algorithms, with all the flavors. Going from CBC to ECB to ECC. Hybrid cryptographic concepts, signing of files and PKIs. It was overwhelming and nice to learn. But needless to say a mild headache got the better of me today. Oh, and to top it off: some of the slides were in German. Yup, German. But my supervisor was very good at explaining it in perfect English. So I had that going for me, which is nice.

Tomorrow I start on the real job, which I cannot really disclose the details of, but basically it’s penetration testing/information extraction in an Android environment. Anyhow, a very interesting start of the internship, and everybody is nice, friendly and, more importantly, they are experts in their respective fields. Simply amazing.



PS: Did you know that intelliCard forked the open-source BouncyCastle library and adapted it for Android! Awesome, I know :D :

PPS: My daily supervisor is a security wizard. The things he knows are, from my perspective, endless. He wrote a lot of useful software: take a look at the FileBrowser, simply the most useful Swiss army knife every IT guy needs. (PUN INTENDED)

Grote avonturen beginnen klein

Before I left, someone special gave me a small card with the text “Grote avonturen beginnen klein”, which in English translates to “Big adventures start small”. It couldn’t be closer to the truth. First Sunday in Switzerland, and I am simply impressed by the nature and the city. You can find photographs on my FB stream.

It started, indeed, very small. Searched for an internship online, applied, did an interview and got the internship. It all flew by so fast, and tomorrow morning it’s my first day on the job.

The surrounding nature is ridiculously beautiful. I can walk from the apartment to the side of the lake in, I think, 2 minutes. Got a flatscreen in the room, got a living room with an even bigger flatscreen. Hell, even a kitchen with a Nespresso machine :D (heaven on earth for computer geeks). Also got fitness machines, no excuses there I guess.

That will be all for now. Swiss greetings,


View of the lake on 2 minutes from the apartment.


Prepping for that internship

Sooooooo. For everybody who does not follow my Facebook-feed or heard me in the last couple of months, I will be doing an internship in Switzerland for two months. I will probably be blogging about my stay in Switzerland a lot, so anybody interested can subscribe or just follow twitter or fb for updates about this blog.

Now that we have those administrative messages out of the way, my first actual blog post about my internship. I am still at home, prepping like a maniac for my first long stay abroad. Luckily my mom is doing the major part of the ‘work’, so my part of the job is reduced to saying: “yes I need that” or “no mom, I have enough of those things already”.

I’ll be driving to Switzerland Saturday morning; my parents are accompanying me and will drop me off safely at the apartment. Yes I am spoiled, no I am not ashamed of having lovely parents ;-).

The internship itself is situated in the field of security engineering, penetration testing and (big surprise) Android development. Not necessarily in that order. I am very excited about my first work experience in these major fields, which are undoubtedly the most interesting ones for me. I have been interested in security since we had a computer with Windows 95 and my dad put a password on it. I wanted to bypass the goddamn thing, which gave birth to my (healthy) interest in cyber security. The Android part of my geek personality started 5 years ago, when I bought my first Android device, which kickstarted my enthusiasm and passion for this mobile piece of art of a platform. I think it’s pretty clear that I am very excited to learn a lot in these fields, things I could never learn in an academic environment.

What can you expect from this blog for the next two months? Probably pictures and stories about my stay, not much about my internship or technical details, since I signed NDAs and I don’t want to risk leaking critical information. Look at me, all acting mature and responsible.

Signing off here for now. The next blog post will probably come from a Swiss IP address.



Interviewing at Google

Yesterday I had two technical interviews for a software engineering internship position at Google. This article is an attempt to motivate people to apply and tell them what to expect. So, here we go.

The first Google engineer called me around 14:30. The connection was not optimal on the interviewer’s side, so instead of a phone interview we had a Google Hangout interview. We shared a Google Docs document where I had to write all my code (yes, a plain and simple Google doc).

The interviewer was nice to talk to; his first question was: “What made you apply at Google?”. Well, everybody knows that I am an Android geek/enthusiast/dreamer. So that was my answer. Also, interning at Google will give you experience in the field which you cannot learn in school. Things like, for example: scaling of systems, coping with huge datasets, an extremely large codebase, etc. After that we proceeded to the first question, which was something like this:

Question 1: Assume you have a sentence represented by a string object. Write a function (in Java) that will swap all vowels with a vowel at the end of the sentence. So for example: “United States” => “Enated Stitus”.

Basically, the approach here is to work with an array of characters and work your way through the sentence using two pointers. One pointer points to a vowel in the left half of the string, the other to a vowel in the right half. If the right pointer is smaller than the left pointer, the work is done and you can return the string.

I did OK on this question, had a little bug with my pointers that were incremented in the wrong place. But the interviewer pointed me to it, and I resolved it rather quickly.
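The two-pointer approach for question 1, written out as an added example (my code, not the interview solution). Vowels are matched case-insensitively and swapped as-is, so the case of each swapped letter travels with it; the sample sentence is the one from the post.

```java
/** Two-pointer vowel swap: first vowel with last, second with second-last, and so on. */
public final class VowelSwap {
    private static boolean isVowel(char c) {
        return "aeiouAEIOU".indexOf(c) >= 0;
    }

    public static String swapVowels(String sentence) {
        char[] chars = sentence.toCharArray();
        int left = 0;
        int right = chars.length - 1;
        while (true) {
            // Advance each pointer to the next vowel on its own side.
            while (left < right && !isVowel(chars[left])) {
                left++;
            }
            while (right > left && !isVowel(chars[right])) {
                right--;
            }
            if (left >= right) {
                break;                // pointers met or crossed: nothing left to swap
            }
            char tmp = chars[left];
            chars[left] = chars[right];
            chars[right] = tmp;
            left++;                   // only move past the pair once it has been swapped
            right--;
        }
        return new String(chars);
    }

    public static void main(String[] args) {
        // Constructed sample taken from the post's example sentence.
        System.out.println(swapVowels("United States"));
    }
}
```

The bug the post mentions, incrementing the pointers in the wrong place, is the classic one here: moving a pointer before checking whether the character under it is a vowel skips the very first vowel on that side, so each pointer is advanced only inside its own scan loop or right after a swap.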

Question 2: Write a class called CollectionsIterator that is capable of iterating over a set of iterators. Make sure this class can hold Iterators of any type.

The interviewer thought this was the difficult question, but I found it easier than the string traversal. The approach is, again, rather easy. Create a class that implements the Iterator<E> interface. Use a field for a current_iterator and a field for the main_iterator. The main_iterator loops over all the iterators, and the current_iterator is the one providing the elements of a certain collection in the set of collections. Sounds easy, but tricky when implementing the hasNext() method. In the end, my first solution was perfect, and that concluded the first interview.
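The CollectionsIterator described above as an added example (my implementation, not the one written in the interview). It uses the same two fields, a main iterator over the inner iterators and a current inner iterator, and puts the tricky part in hasNext(): an inner iterator may be empty or already exhausted, so hasNext() has to keep advancing the main iterator until it finds one with an element left. The sample input is constructed and includes an empty iterator in the middle to exercise exactly that case.

```java
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.NoSuchElementException;

/** Iterates over the elements of several iterators in sequence, for any element type E. */
public final class CollectionsIterator<E> implements Iterator<E> {
    private final Iterator<? extends Iterator<? extends E>> mainIterator;
    private Iterator<? extends E> currentIterator;

    public CollectionsIterator(Iterable<? extends Iterator<? extends E>> iterators) {
        this.mainIterator = iterators.iterator();
    }

    /** Skips over any number of exhausted (or empty) inner iterators before answering. */
    @Override
    public boolean hasNext() {
        while ((currentIterator == null || !currentIterator.hasNext()) && mainIterator.hasNext()) {
            currentIterator = mainIterator.next();
        }
        return currentIterator != null && currentIterator.hasNext();
    }

    @Override
    public E next() {
        if (!hasNext()) {             // also positions currentIterator correctly
            throw new NoSuchElementException();
        }
        return currentIterator.next();
    }

    public static void main(String[] args) {
        // Constructed sample: the empty iterator in the middle must be skipped silently.
        List<Iterator<? extends Integer>> parts = Arrays.asList(
                Arrays.asList(1, 2).iterator(),
                Arrays.<Integer>asList().iterator(),
                Arrays.asList(3).iterator());
        CollectionsIterator<Integer> it = new CollectionsIterator<>(parts);
        StringBuilder sb = new StringBuilder();
        while (it.hasNext()) {
            sb.append(it.next()).append(' ');
        }
        System.out.println(sb.toString().trim());
    }
}
```

Because next() calls hasNext() first, the class stays correct even for callers that call next() repeatedly without checking hasNext() themselves; Iterator.remove() needs no override since Java 8 gives it a default that throws UnsupportedOperationException.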

After a 15-minute break I got the second interview. This one was by phone, and again on a shared Google doc. This interview did not go as well as the first one. The question was also more difficult than the first ones.

Question 3: Write a function that takes a list of strings as input and prints to stdout, line by line, the strings that are rotationally equivalent. So all strings on one line are rotationally equivalent.

I struggled the most with this question, due to the fact that the interviewer started with the question: “Do you have any experience with rotation ciphers?”. Sure, I knew what they were, but I had never really implemented one, so I didn’t know all the details about them. This threw me off a bit, but in the end you didn’t need to know exactly how they work. Just the notion of how a string can be rotated over the alphabet.

So the approach I took for this question was looping over the strings and computing their fingerprint. Basically, the fingerprint(String s) function should return the same string for every rotationally equivalent string. This can be achieved by using the convention that the first character of every string should be ‘a’. So we calculate the distance from the current first char to ‘a’ (only taking into account the chars a->z) and rotate the whole string over this distance. We then use a HashMap to store a mapping “fingerprint -> set<rotationally equivalent strings>”. In the end we write a prettyPrint() method which iterates over the map and prints out one set of rotationally equivalent strings per line.

I needed some help; the interviewer, for example, suggested using a fingerprint method. After this I came up with the whole solution. A last question was what I thought was good/bad about my approach. At this point I perfected my code and explained why I used certain data structures (like hashmaps and sets).
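The fingerprint approach for question 3 as an added example (mine, not the code from the interview). fingerprint() rotates every letter by the distance from the string’s first letter to ‘a’, wrapping around the alphabet, so all rotations of a word collapse to one canonical form; only a-z take part, any other character is copied through unchanged. group() builds the fingerprint-to-set map and prettyPrint() emits one line per group. The sample words are constructed; the insertion-ordered map and set are a choice so that output order follows input order.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Groups strings that are rotations of one another over the alphabet a-z. */
public final class RotationGroups {
    /** Canonical form: rotate so the first a-z letter becomes 'a' (wrapping around z -> a). */
    static String fingerprint(String s) {
        int shift = 0;
        for (char c : s.toCharArray()) {           // distance from the first letter to 'a'
            if (c >= 'a' && c <= 'z') {
                shift = c - 'a';
                break;
            }
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c >= 'a' && c <= 'z') {
                sb.append((char) ('a' + (c - 'a' - shift + 26) % 26));
            } else {
                sb.append(c);                      // non a-z characters are left as they are
            }
        }
        return sb.toString();
    }

    /** fingerprint -> the input strings that share it, in first-seen order. */
    static Map<String, Set<String>> group(List<String> words) {
        Map<String, Set<String>> groups = new LinkedHashMap<>();
        for (String w : words) {
            groups.computeIfAbsent(fingerprint(w), k -> new LinkedHashSet<>()).add(w);
        }
        return groups;
    }

    /** One line per group of rotationally equivalent strings. */
    static void prettyPrint(Map<String, Set<String>> groups) {
        for (Set<String> g : groups.values()) {
            System.out.println(String.join(" ", g));
        }
    }

    public static void main(String[] args) {
        // Constructed sample: "abc", "bcd" and "xyz" are rotations of each other
        // (x -> a wraps around), as are "hello" and "ifmmp".
        List<String> sample = new ArrayList<>();
        sample.add("abc");
        sample.add("bcd");
        sample.add("xyz");
        sample.add("hello");
        sample.add("ifmmp");
        prettyPrint(group(sample));
    }
}
```

The hashmap-plus-set choice the post defends works out to a single pass over the input: each word is fingerprinted once and dropped into its bucket, and the set also removes exact duplicates for free.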

In the end it was a pleasant experience, much better than interviewing at Facebook. I have a good feeling, but if I don’t make it now, I can’t really be sad, as I couldn’t have done much more. At least I’m chasing dreams, as everybody should do!