Stuff

Just random blogs with no meaning.

How 950 Million Android Devices became vulnerable (Stagefright Vulnerability)

Imagine remotely executing code on someone’s phone just by sending them an MMS. Crazy, right? It is not so crazy any more: researcher Joshua J. Drake has discovered a serious vulnerability in the Android operating system, estimated to expose 95% of all Android devices.

Stagefright is the Android library responsible for media processing. It provides a playback engine and the codecs needed to play a variety of media formats. Media processing is resource intensive and needs to run as efficiently as possible, so the library is implemented in C and C++ (native code). In contrast with Java, these are memory-unsafe languages: the developer is responsible for managing the memory regions the code uses, so insufficient bounds checks on input handled by a native routine can turn into memory-corruption bugs. The Stagefright vulnerability is exactly such a bug, and it allows an attacker to achieve remote code execution with a crafted media file.

The Stagefright vulnerability

Not many technical details are public yet, probably because the vulnerability will be presented at Black Hat USA on August 5 and DEF CON 23 on August 7. What is known is that the exploitable bugs are of the kind researchers call a buffer overflow. CyanogenMod has already merged patches; the figure accompanying this post shows the patch for the MPEG-4 parsing module of Stagefright, and its commit message describes part of the vulnerability in some technical detail:

When the ‘chunk_data_size’ variable is less than ‘kSkipBytesOfDataBox’, an integer underflow can occur. This causes an extraordinarily large value to be passed to MetaData::setData, leading to a buffer overflow.
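The pattern that commit message describes, illustrated in C as an added example (this is not the Stagefright source, which the post does not reproduce): the value of kSkipBytesOfDataBox, the META_CAPACITY buffer and the set_data stand-in for MetaData::setData are all assumptions made for illustration. The vulnerable function shows the unsigned subtraction wrapping when chunk_data_size is smaller than the number of bytes to skip; the checked variant rejects that case before subtracting, which is the shape of the fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed value: number of header bytes the parser skips before the
 * payload of a "data" box. Illustrative only, not the real constant. */
#define kSkipBytesOfDataBox 16u

/* Capacity of the simulated metadata buffer (assumed). */
#define META_CAPACITY 64

/* Vulnerable pattern: chunk_data_size is unsigned and is used in the
 * subtraction without checking that it is at least kSkipBytesOfDataBox.
 * For a chunk smaller than that, the result wraps to a value near 4 GiB,
 * which is then handed to the copy routine as the payload length. */
uint32_t vulnerable_payload_len(uint32_t chunk_data_size) {
    return chunk_data_size - kSkipBytesOfDataBox;
}

/* Hardened pattern: bound-check first, subtract second. Returns -1 for a
 * chunk that cannot contain a payload, so the caller never sees a wrapped
 * length. */
int64_t checked_payload_len(uint32_t chunk_data_size) {
    if (chunk_data_size < kSkipBytesOfDataBox) {
        return -1;
    }
    return (int64_t)(chunk_data_size - kSkipBytesOfDataBox);
}

/* Stand-in for MetaData::setData. A defensive copy routine refuses a length
 * larger than the destination instead of trusting its caller. */
static bool set_data(uint8_t *dst, size_t dst_cap,
                     const uint8_t *src, size_t n) {
    if (n > dst_cap) {
        return false;
    }
    memcpy(dst, src, n);
    return true;
}

/* Parse one data box of chunk_data_size bytes at `chunk` into `out`.
 * Returns the number of payload bytes copied, or -1 on any bound failure. */
int64_t parse_data_box(const uint8_t *chunk, uint32_t chunk_data_size,
                       uint8_t *out, size_t out_cap) {
    int64_t n = checked_payload_len(chunk_data_size);
    if (n < 0) {
        return -1;
    }
    if (!set_data(out, out_cap, chunk + kSkipBytesOfDataBox, (size_t)n)) {
        return -1;
    }
    return n;
}
```

A 4-byte chunk makes the vulnerable computation return 4294967284, which is what a trusting copy routine would then use as its length; the checked version returns -1 and parse_data_box never reaches the copy at all.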

Should I be scared?

No. It is a serious issue, but there is no need to panic, and some precautions reduce the chance of a successful attack. To trigger the bug, the device has to parse attacker-controlled media first. For SMS/MMS the important point is that many messaging apps fetch and parse MMS attachments automatically, before you open anything, so disable automatic MMS retrieval (or MMS altogether; why even use it?). Don’t play content you don’t trust, which includes but is not limited to MMS, URLs or attachments from spam e-mails, and strange-looking URLs that load in the browser. Common sense goes a long way.

That is the common-sense part. The technical part is somewhat more reassuring. Android has several built-in mitigations to contain memory-corruption exploits; without going into a lot of detail, the main ones are ASLR and DEP (non-executable memory), which make a reliable memory-corruption exploit considerably harder to write. One caveat: devices running versions older than Android 4.1 (Jelly Bean) lack full ASLR and are much easier to exploit. For the real technical part I refer to a previous article I wrote on another Android vulnerability. All of this shows that it is a serious vulnerability, but not one that should keep you awake at night 😉

Who is to blame?

Collin Mulliner, senior research scientist at Northeastern University, said in an interview, “In this case Google is not the actual one to blame. It’s ultimately the manufacturer of your phone, in combination possibly with your carrier…If you can save money by not producing updates, you’re not going to do that. Since the market is moving that fast, it sometimes doesn’t make sense for the manufacturer to provide an update.”

Sources:

http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text

http://www.extremetech.com/mobile/210906-950m-phones-at-risk-for-stagefright-text-hack-thanks-to-android-fragmentation

DroidSec – New Android Reverse Engineering Tool

I often find myself reverse engineering Android applications when reviewing their security. A good reverse engineering tool is critical for a good security assessment. DroidSec is a reverse engineering tool built specifically for Android applications, with features that in my experience have proven useful. DroidSec is not a silver bullet, though; it is more like a Swiss army knife.

How to get DroidSec

DroidSec is hosted at my GitHub account, which can be found here: https://github.com/DarioI/DroidSec

The GitHub page displays a README.md, or it can be viewed at the homepage: https://darioi.github.io/DroidSec/

 

Under the hood

DroidSec is written in Python and built on the AndroGuard codebase. It uses AndroGuard’s DAD decompiler to turn Dalvik bytecode back into .java sources.

If you are a security researcher in need of assistance, or would like to see additional features added, please contact me at dario.incalza@gmail.com and we’ll discuss it further. Please keep in mind that the project is just being bootstrapped: the code is far from optimal and a lot of refactoring will be done as I work towards a first release candidate. I’ll try to keep the master branch in a buildable state, so everyone can experiment with nightly builds.

This tool is built for educational purposes only. Keep in mind that reverse engineering an application may be prohibited by law or by its license terms in many jurisdictions; use this tool at your own risk.

Privacy: The Nothing to Hide Argument

When I discuss mass surveillance and privacy, far too often the discussion gets stuck on the argument: if you have nothing to hide, you have nothing to fear. A lot of people seem convinced that the promise of more security for less privacy is a valid reason to give up on privacy. Not only is this a destructive argument (it makes further discussion impossible), it also rests on a faulty premise. Its popularity suggests that many people see privacy as hiding something bad or illegal. Why is that? If that were what privacy is for, why would it be a human right (see Article 12 of the Universal Declaration of Human Rights)?

What is privacy?

Understanding privacy is a crucial step before you can have any valuable or non-destructive discussion. It should be clear that privacy comes in different forms: it is defined by the culture in which you try to define it, and the concept has changed over the years with the introduction of new technologies (the Internet, smartphones, and so on).

For this discussion I define privacy as follows. Privacy, in our Western culture, is the ability to control your information when you share it over some medium and, using common sense, expect implied privacy. The concept of implied privacy: if I say something to my friend X in a private chat, I expect that message to stay between us and not to end up in some mass surveillance program. If I walk through a public space and my face is recorded by a CCTV camera, I don’t expect that recording to be linked with my online messages. Why? Because it is my choice whether I disclose the link between my location (where the camera recorded me) and my online conversations, or even my search history.

Problems with mass surveillance

The privacy problem I want to touch on here is the set of problems that arise with mass surveillance. Data gathering on this scale is an attack on the fundamentals of free speech and personal privacy. Data is collected from the biggest social media sites and search engines, wires are tapped, and even routers are backdoored to get at your data.

The problem with mass surveillance on this scale is that the data is stored in central data centers, and pieces of it are linked together behind the user’s back. Aleksandr Solzhenitsyn wrote:

Everyone is guilty of something or has something to conceal. All one has to do is look hard enough to find what it is.

This is a cynical observation on the fact that if you piece data together in a specific way, you can make a case against anybody. The context of the data is lost when it is tapped or gathered, and the intention or purpose behind it is not recorded; together with a non-transparent data-gathering program, this is a recipe for privacy-breaching measures or for wrongfully incriminating an individual. It is best captured by a scene in Friedrich Dürrenmatt’s novella “Traps”, in which a seemingly innocent man is put on trial by a group of retired lawyers in a mock-trial game and asks what his crime shall be. “An altogether minor matter,” replies the prosecutor. “A crime can always be found.”

Although this article used examples and facts about the spying programs of the NSA, it should be noted that all big governments have such programs. As ordinary people we should demand privacy and take this right into our own hands. We should not give up privacy in exchange for a promise of more security. The perfect end to this blog post is a quote from Mikko Hyppönen, which I also used in a previous blog post:

Privacy is implied, privacy is not up for discussion. This is not a question between privacy against security. It’s a question of freedom against control.

h4oxer


Application Security Engineering Analyst @ LSEC

Some of you may know that I work part-time for a security firm called LSEC (Leaders in Security); if you didn’t know, now you know. Some ask me what I do and what keeps me busy, and the upcoming conference is a good chance to explain. I have the opportunity to attend the Cloud Security Alliance EMEA conference in Rome. This is quite an opportunity, as a lot of great speakers are scheduled to talk (Google, Dropbox, Microsoft, LinkedIn, Atos, etc.).

The Cloud Security Alliance is an organization that focuses on the security issues of transitioning to the cloud, or more generally the security issues you should consider when running applications in the cloud. My official title at the firm is Application Security Engineering Analyst; quite a mouthful, I know. Basically I do research on migration to the cloud: I try to pinpoint the security issues and bundle best practices for companies that want to move their systems to the cloud.

Moving to the cloud has a lot of benefits and is therefore becoming increasingly popular. Employees can work from anywhere and the company no longer has to manage the underlying resources; the provider does that for you. Scaling is no issue: if you need more resources, you simply update your agreement with the cloud service provider. But as you might sense, these advantages do not come without risks.

When migrating traditional software to the cloud, you need to review both your code and your architecture. If your software uses shared resources (company data, for example), you have to decide whether or not to move those to the cloud, and that decision affects every other system that shares them. From a security point of view, additional questions arise:

  • Does the CSP provide sufficient data encryption, and who holds the keys?
  • Does the CSP provide strong authentication (TPMs, smartcards, card readers, ...)?
  • Does the CSP support multi-factor authentication?
  • What if your software uses LDAP? That is typically deployed inside the company network. Does it need to be made reachable from the programs running in the cloud, or do you replicate LDAP in the cloud?
  • Does the CSP’s emergency response team respond quickly to vulnerabilities (e.g. Heartbleed)?
  • ...

It should be clear that there is a lot to cover when a company decides to migrate its applications to the cloud: a lot of security issues need to be taken care of and thought through well. So the main part of my job consists of researching state-of-the-art security mechanisms for cloud platforms and looking for possible security issues. Which is a fun job to do.

Everybody who wants to follow me on the CSA EMEA 2014 conference can check my twitter or the blog on http://www.saasificationsecurity.com!

Cheers,

H4

First conference talk. Exciting!

So tomorrow starts an exciting and stressful three days: I will be speaking at xda:devcon, which is a pretty big deal for me. I have never done anything like this, but because of the topic I have a strangely relaxed feeling. Strange in the sense that I would expect to be far more stressed, but that will probably come tomorrow or Saturday. *knocks on wood*

I like my topic (Android security) because it combines my two big passions in computer science: an awesome mobile platform (Android) and computer security. My talk will be an introduction to Android and its attack surface, and I will end with the security of web-based Android applications. The full abstract of the talk:

Android Security Overview and Safe Practices for Web-Based Android Applications

The talk will start with a brief overview of the different layers of the Android platform, highlighting the parts that are interesting to attackers. Layers covered: Android apps, the Android framework, the Dalvik virtual machine, user-space native code, and the kernel.

Next, the talk will cover the attack surface of Android: remote attacks, physical access, local attacks, and so on.

Last, and the bigger part of the presentation, web-based apps. These are apps built with web technology and packaged as native apps using, for example, Apache Cordova. Web applications have different security issues than native applications. I will try to inspire developers to take better care of security when building their own web-based apps on the WebView component, which has been a big source of application vulnerabilities, along with the JavaScript bridge exposed through addJavascriptInterface.

Another thing I like about giving the talk is that it is scheduled at an awesome conference. xda:devcon is a conference for and by developers, a community that helps each other and keeps raising the bar in Android development. When I joined the community several years ago, I never thought I would one day be giving a presentation at a conference organized by XDA-Developers. Really looking forward to meeting new talented people. If you want to stay tuned you can follow me on Twitter or Facebook, where I will probably be spamming the living shit out of it.

For those interested: there will be no livestream, but the presentation is likely to be filmed and put on YouTube.

Well, wish me luck!

h4

PS: BIG BIG UP for my sister, she graduated today and received her second diploma! Proud brother here!

Interviewing at Google

Yesterday I had two technical interviews for a software engineering internship at Google. This article is an attempt to motivate people to apply and to tell them what to expect. So, here we go.

The first Google engineer called me around 14:30. The connection was not optimal on the interviewer’s side, so instead of a phone interview we had a Google Hangout interview. We shared a Google Doc in which I had to write all my code (yes, a plain and simple Google Doc).

The interviewer was nice to talk to. His first question was: “What made you apply at Google?” Well, everybody knows that I am an Android geek/enthusiast/dreamer, so that was my answer. Also, interning at Google gives you experience in the field which you cannot possibly get in school: scaling of systems, coping with huge datasets, an extremely large codebase, and so on. After that we proceeded to the first question, which went something like this:

Question 1: Assume you have a sentence represented by a String object. Write a function (in Java) that reverses the order of the vowels in the sentence, swapping each vowel with one from the other end. For example: “United States” => “Enated Stitus”.

Basically the approach here is to work with an array of characters and walk the sentence with two pointers, one looking for vowels from the left, the other from the right, swapping each pair they find. Once the right pointer crosses the left pointer the work is done and you can return the string.

I did OK on this question; I had a little bug with my pointers being incremented in the wrong place, but the interviewer pointed it out and I resolved it rather quickly.
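One way to implement the two-pointer approach, added here as an example in C rather than the Java the interview asked for, and not the author’s interview code: the two indices walk inwards, each stopping at the next vowel on its side, and the swap keeps the letter case of each position so that “United States” becomes “Enated Stitus” exactly as in the example above. The case handling is a choice of this example, not part of the question as stated.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Vowel test that ignores case. */
static bool is_vowel(char c) {
    switch (tolower((unsigned char)c)) {
    case 'a': case 'e': case 'i': case 'o': case 'u':
        return true;
    default:
        return false;
    }
}

/* Return c with the letter case of `like`. */
static char with_case_of(char c, char like) {
    return isupper((unsigned char)like) ? (char)toupper((unsigned char)c)
                                        : (char)tolower((unsigned char)c);
}

/* Reverse the order of the vowels in s, in place, using two indices that
 * walk inwards from both ends. Each vowel takes the case of the position
 * it lands in, so "United States" becomes "Enated Stitus". Returns s. */
char *reverse_vowels(char *s) {
    size_t len = strlen(s);
    if (len < 2) {
        return s;
    }
    size_t left = 0;
    size_t right = len - 1;
    while (left < right) {
        /* Advance each index to the next vowel on its side. */
        while (left < right && !is_vowel(s[left])) {
            left++;
        }
        while (left < right && !is_vowel(s[right])) {
            right--;
        }
        if (left >= right) {
            break;              /* indices met or crossed: done */
        }
        char a = s[left];
        char b = s[right];
        s[left] = with_case_of(b, a);
        s[right] = with_case_of(a, b);
        left++;                 /* step past the swapped pair only */
        right--;
    }
    return s;
}
```

The bug the interview turned up, incrementing a pointer in the wrong place, is exactly what the two inner loops guard against: an index only moves past a character after that character has been examined (skipped as a consonant or swapped as a vowel), never before.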

Question 2: Write a class called CollectionsIterator that is capable of iterating over a set of iterators. Make sure this class can hold iterators of any type.

The interviewer thought this was the difficult question, but I found it easier than the string traversal. The approach is again rather easy: create a class that implements the Iterator<E> interface, with a field for the current iterator and a field for the main iterator. The main iterator loops over all the iterators, and the current iterator is the one providing the elements of one collection in the set. Sounds easy, but it is tricky to get hasNext() right, since it has to skip past exhausted iterators. In the end my first solution was perfect, and that concluded the first interview.

After a 15-minute break I got the second interview. This one was by phone, again with a shared Google Doc. This interview did not go as well as the first one, and the question was also more difficult.

Question 3: Write a function that takes a list of strings as input and prints to stdout the strings that are rotationally equivalent, one group per line, so that all strings on a line are rotations of each other over the alphabet.

I struggled the most with this question, because the interviewer started with: “Do you have any experience with rotation ciphers?” Sure, I knew what they were, but I had never implemented one, so I didn’t know all the details. This threw me off a bit, but in the end you didn’t need to know exactly how they work, just the notion that a string can be rotated over the alphabet.

So the approach I took was to loop over the strings and compute a fingerprint for each. The fingerprint(String s) function should return the same string for every rotationally equivalent input. This can be achieved with the convention that the first character of every fingerprint is ‘a’: calculate the distance from the current first character to ‘a’ (only taking the characters a to z into account) and rotate the whole string by that distance. We then use a HashMap to store the mapping “fingerprint -> Set<rotationally equivalent strings>”. Finally, a prettyPrint() method iterates over the map and prints one set of rotationally equivalent strings per line.

I needed some help; the interviewer for example pointed me towards using a fingerprint method. After that I came up with the whole solution. A last question was what I thought was good or bad about my approach. At this point I polished my code and explained why I used certain data structures (the HashMap and the Sets).
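The fingerprint approach described above, written out in C as an added example (not the author’s interview solution, which was in Java): rotation_fingerprint normalizes a word so that its first letter becomes ‘a’, rotation_equivalent compares fingerprints, and print_rotation_groups prints one equivalence class per line. The MAX_WORD limit and the pairwise grouping used in place of a HashMap are choices of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WORD 64

/* Canonical form of a word under alphabet rotation: shift every letter by
 * the distance from the word's first letter to 'a', so every rotationally
 * equivalent word gets the same fingerprint. Only a-z are rotated; other
 * bytes are copied unchanged. Returns false when the word is empty, too
 * long, or does not start with a lowercase letter. */
bool rotation_fingerprint(const char *word, char out[MAX_WORD]) {
    size_t len = strlen(word);
    if (len == 0 || len >= MAX_WORD || word[0] < 'a' || word[0] > 'z') {
        return false;
    }
    int shift = word[0] - 'a';
    for (size_t i = 0; i < len; i++) {
        char c = word[i];
        if (c >= 'a' && c <= 'z') {
            out[i] = (char)('a' + (c - 'a' - shift + 26) % 26);
        } else {
            out[i] = c;
        }
    }
    out[len] = '\0';
    return true;
}

/* Two words are rotationally equivalent when their fingerprints match. */
bool rotation_equivalent(const char *a, const char *b) {
    char fa[MAX_WORD];
    char fb[MAX_WORD];
    if (strlen(a) != strlen(b)) {
        return false;
    }
    if (!rotation_fingerprint(a, fa) || !rotation_fingerprint(b, fb)) {
        return false;
    }
    return strcmp(fa, fb) == 0;
}

/* Print one line per equivalence class (words separated by spaces) and
 * return the number of classes. Pairwise comparison is O(n^2) in the
 * number of words; a hash map keyed by fingerprint would make it linear. */
size_t print_rotation_groups(const char *const *words, size_t n, FILE *out) {
    bool *done = calloc(n, sizeof *done);
    size_t groups = 0;
    if (done == NULL) {
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        if (done[i]) {
            continue;
        }
        groups++;
        done[i] = true;
        fputs(words[i], out);
        for (size_t j = i + 1; j < n; j++) {
            if (!done[j] && rotation_equivalent(words[i], words[j])) {
                done[j] = true;
                fputc(' ', out);
                fputs(words[j], out);
            }
        }
        fputc('\n', out);
    }
    free(done);
    return groups;
}
```

For the list “abc hello bcd ifmmp xyz a” this prints three lines: “abc bcd xyz”, “hello ifmmp” and “a”, because “bcd” and “xyz” both normalize to “abc” and “ifmmp” is “hello” shifted by one.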

In the end it was a pleasant experience, much better than interviewing at Facebook. I have a good feeling, but if I don’t make it now I can’t really be sad, as I couldn’t have done much more. At least I’m chasing dreams, as everybody should!

Cheers,

H4

Why I didn’t get the Internship at Facebook

So last Friday I had a big opportunity to get an internship at Facebook. I made it to the final round and had to do one last technical interview.
Those are not the most fun to do, but hey, I took a shot. It was pretty clear that the data structures I learned about in my first bachelor year needed some dusting off.

I had my first exam on Friday morning and was stressed to the max; afterwards I tried to prepare for the interview by doing some exercises from “Cracking the Coding Interview”. Excellent book, I would really recommend it. In the evening, at 21:16, an American landline number showed up on my cell screen. Yup, there it was.

The interview started rather chilled, and the engineer (awesome guy, by the way) at the other end of the line asked what drives me to become a software engineer and what I considered the less fun parts of being one (CLASS DIAGRAMS!). We continued on to the technical part, and oh boy, the stress was building up.

So the question was :

Consider a professor who wants to check two paper assignments from two different students for cheating. Design a function hasCheated(String s1, String s2, int N) that returns true if the two papers, represented by the strings, share a common substring of at least length N.

I think I went into limbo. For the first 5 minutes I had visualized what I wanted to do, but it felt like I had forgotten how to code. The engineer calmed me down and told me to just start with a naive approach. So I started and came up with an O(n^3) approach, the worst algorithm I had ever written. But now I started to feel confident again, and I improved the code to average linear complexity. The engineer then told me to imagine that String.contains() and String.substring() do not exist in Java and you only have an array of characters: implement those functions and reflect again on your complexity.
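Both stages of the answer described above, as an added example in C (not the author’s interview code, which was in Java): has_cheated_naive is the brute-force version, and has_cheated_hashed is one way to reach average linear time with a rolling hash of every length-N window of the first paper, each candidate being confirmed with memcmp so that a hash collision can never produce a false positive. The hash base, the table sizing and the mixing function are choices of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Naive version: compare every length-n window of s1 against every
 * length-n window of s2. O(|s1| * |s2| * n). */
bool has_cheated_naive(const char *s1, const char *s2, size_t n) {
    size_t l1 = strlen(s1);
    size_t l2 = strlen(s2);
    if (n == 0 || l1 < n || l2 < n) {
        return false;
    }
    for (size_t i = 0; i + n <= l1; i++) {
        for (size_t j = 0; j + n <= l2; j++) {
            if (memcmp(s1 + i, s2 + j, n) == 0) {
                return true;
            }
        }
    }
    return false;
}

#define HASH_BASE 257ULL

struct window {
    uint64_t hash;
    size_t offset;
    bool used;
};

/* Scramble a rolling hash before using it as a table index. */
static size_t slot_for(uint64_t h, size_t mask) {
    h ^= h >> 33;
    h *= 0xff51afd7ed558ccdULL;
    h ^= h >> 33;
    return (size_t)h & mask;
}

/* Hashed version: a polynomial rolling hash (arithmetic wraps mod 2^64) of
 * every length-n window of s1 goes into an open-addressing table; each
 * window of s2 is looked up and confirmed with memcmp, so a collision can
 * cost time but never a wrong answer. Average O(|s1| + |s2|) hash work plus
 * an n-byte comparison per candidate. */
bool has_cheated_hashed(const char *s1, const char *s2, size_t n) {
    size_t l1 = strlen(s1);
    size_t l2 = strlen(s2);
    if (n == 0 || l1 < n || l2 < n) {
        return false;
    }
    size_t windows = l1 - n + 1;
    size_t cap = 16;
    while (cap < windows * 2) {          /* keep the table at most half full */
        cap <<= 1;
    }
    struct window *table = calloc(cap, sizeof *table);
    if (table == NULL) {
        return has_cheated_naive(s1, s2, n);   /* degrade, do not fail */
    }
    size_t mask = cap - 1;

    /* base^n is needed to drop the outgoing byte when the window slides. */
    uint64_t pow_n = 1;
    uint64_t h = 0;
    for (size_t i = 0; i < n; i++) {
        pow_n *= HASH_BASE;
        h = h * HASH_BASE + (unsigned char)s1[i];
    }
    for (size_t i = 0;; i++) {
        size_t k = slot_for(h, mask);
        while (table[k].used) {
            k = (k + 1) & mask;
        }
        table[k].hash = h;
        table[k].offset = i;
        table[k].used = true;
        if (i + n >= l1) {
            break;
        }
        h = h * HASH_BASE - pow_n * (unsigned char)s1[i] + (unsigned char)s1[i + n];
    }

    bool found = false;
    h = 0;
    for (size_t j = 0; j < n; j++) {
        h = h * HASH_BASE + (unsigned char)s2[j];
    }
    for (size_t j = 0; !found; j++) {
        size_t k = slot_for(h, mask);
        while (table[k].used) {
            if (table[k].hash == h &&
                memcmp(s1 + table[k].offset, s2 + j, n) == 0) {
                found = true;
                break;
            }
            k = (k + 1) & mask;
        }
        if (j + n >= l2) {
            break;
        }
        h = h * HASH_BASE - pow_n * (unsigned char)s2[j] + (unsigned char)s2[j + n];
    }
    free(table);
    return found;
}
```

Neither version uses String.contains() or String.substring(): both work directly on the character arrays, which is the follow-up the interviewer asked for.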

After 30 minutes of coding we stopped and he asked if I had any questions for him about his work, life, ...

Hell yeah! How often do you get a chance to speak with a Facebook engineer? So I asked him how they handle the massive scaling issues at Facebook (he is on the memcache team) and what a typical day at the office looks like. After that my time was up; I had been on the phone for about 50 minutes. Pretty exhausted and glad the day ended.

And about half an hour ago I got a message that my technical skills were not quite at the level they expect from their interns. But the engineer said he would certainly recommend that I re-apply next year, when I finish my master’s degree. (I can go straight to the last round, yay!) I don’t feel I could have done more; maybe on a day when I didn’t have an exam and only had the interview to stress about, the conditions would have been better. Looking back now, I could implement this without a problem and choose better data structures than the ones I used during the call. But things went how they went, and I’m already glad I had this huge experience!

Prior to Facebook, I already had an awesome offer in Switzerland which is more security related than what I would have been doing at Facebook. So I’ll spend my summer in Switzerland, which is also very cool, especially for an internship that covers all aspects of my (cyber) passions: Android and security!

Cheers,

H4

Why dreams are worth chasing in 2014.

Exams, exams, exams. Still, writing a blog post is ideal for taking a break from the books. What follows may be something people did not expect to read from me, as it is a rather personal blog post.

Over the last couple of weeks a lot has changed and a lot is happening in my life. Some things are changing for the better, others I wish I had seen change differently. But what became apparent is that we should build our own happiness.

Sure, you can wish somebody a happy 2014. But in the end, what are you really wishing them? You’re wishing that they can do the things that make them happy. For me the ideal way to be happy is to work towards achieving dreams. You make your own opportunities for achieving your dreams; don’t wait and think “I wish I could do that” or “In order to achieve my dreams, X has to happen”. Yes, you’ll fail once, twice, maybe even a hundred times. But in the end, isn’t that better than not trying at all?

For me, one thing is sure. The coming week is one big step towards a personal dream and I’ll take every chance; I worked hard for it and sacrificed a lot of things and moments for it. Yes, the odds are not really in my favor, but hell, at least I can say I tried.

Work on your dreams and make yourself happy. Nobody else will do it for you. Now back to my books!

Cheers,

H4

BBJam 10 : Day 1

Hi guys, what’s up!? First blog post in a long time, though it will be a short one. Here’s what happened today:

First up, we took the Eurolines bus to Amsterdam, a 3.5-hour bus ride. After that we arrived at the Sarphati hostel and dropped our bags. (I get a free room next time I come if I mention them in my blog 😉)

The BlackBerry Jam 10 reception and TweetUp started around 5 p.m. Here we talked with several BlackBerry partners over a beer. Some interesting partners were there, with a lot of interesting content. For example:

Marmalade: a framework to port any C++ code to Android, iOS, BlackBerry or Windows, with no overhead or loss of performance, they claim. Hard to believe, but okay.

Application Developer Alliance: a community where you find everything you need to know about building, funding and distributing web apps or mobile apps. Free membership for now, so subscribe!

Also present were Sencha, Unity 3D, Evernote, TenCode and many more.

This took pretty much the whole evening and was interesting. Excited to start the real work tomorrow at 10:30 a.m.; more coverage to come! Keep an eye on Twitter if you want my live thoughts on BlackBerry 10 Jam Europe 2013 in Amsterdam.

Cheers !

@h4oxer

Privacy. My view.

Privacy. The government’s point of view: “If you aren’t doing anything illegal, why bother if we see everything you do online?”

My point of view: “Why check and screen what I do online? I am not doing anything illegal.” Privacy is a fundamental human right. Privacy is the key to finding some rest, away from the eyes of the community. It makes no difference whether we seek privacy on the Internet or elsewhere. If Internet traffic should be screened, why not hang cameras in every home? Put taps on every phone? Privacy is the key to a free opinion, a free mind.

The internet is no one’s property. It doesn’t belong to a private corporation, it doesn’t belong to a government.

The day we lose our privacy, our free will, is the day we stop being human.

Demand your privacy, be anonymous.