Lake Missoula Group’s Director of Research Eric Fulton introduces his Defcon 19 talk about Android privacy risks and security vulnerabilities emanating from smartphone apps.
Hi there! My name is Eric Fulton, I work for a consulting firm called Lake Missoula Group, in beautiful Missoula, Montana. I know you might be thinking: “Do you guys have public transportation in Montana?” Yes, we do. And we also got hackers up there, which is a lot of fun. So we can hack in the morning and hike in the afternoon, as I like to say.
I also help run ForensicsContest.com. We actually run a Network Forensics Contest Puzzle during Defcon, which is pretty sweet.
During this talk, I really would like to say thank you to Sherri Davidoff and Jonathan Ham. They are absolutely amazing ninjas with packets, and they are actually writing a book, and I was able to use in advance a copy of their book to do some of the analyses that I am going to kind of show you guys today.So what I am going to show you today is I am going to start with some definitions and testing methodology, kind of going into how I analyzed the packets, what I was looking for, what I found, some fun findings I found through all of this; and then I’ll come to a conclusion (see preview).
But what I am trying to cover here is some distinct topics, privacy especially; I mean, obviously – it’s in the title. Privacy in our lives is important. I think that our privacy that we have is eroding, and we don’t exactly know what’s happening. Maybe at home you’ve got a smartphone and you don’t realize that every day it’s leaking your location, your apps, and some other interesting facts.
So that’s what I wanted to cover. I also want to touch a little bit on network forensics, because this is what I used to help discover what’s being shared over your Android phone.
So what is network forensics? The Wikipedia article says: “Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.” But basically it’s sniffing packets on the wire.
You’ve got traditional forensics, you know, we take your hard drive, you ‘dd’1 it, you make an image, you analyze it, and then you try and say: “Hey, what’s on this hard drive?”
But there is also network forensics, and that’s where you’re going: “What is going over the wire? What is my computer leaking? What is going on?” I mean, with traditional forensics, unless you pull the memory, you won’t ever realize that there is something loaded in the memory leaking any number of things.
So listening on the wire gives you a definite perspective, and it lets you really understand what your phone, your laptop, your server, etc. is actually sharing with your network and the world. Or network forensics can be called: listening to the wire for fun, ???, profit and lulz.So, how does network forensics affect us? All of us use network devices: we use laptops, phones, etc. And everything is network based. I mean, back in the day before the advent of the Internet, and the beauty that is network communications, people just had a single computer that was not connected to anything else. Everything you did was on that terminal.
But now we send all sorts of things to everyone. We send usernames, passwords, hashes, URLs, lolcat pictures with your Grandma. But we send all of these amazing things over the Internet, and we think to ourselves: “Oh, I am sending my password to this service”. And a lot of people don’t think of all the third parties that affect that.
When you log into Twitter for example, most people think: “Oh, my computer, Twitter – that’s all that’s happening”, but they don’t realize that they are going from most likely their laptop, iPhone, iPad, iDevice etc., to probably a wireless router, which then connects to the ISP, which then is routed over the Internet to Twitter service. And along there, whether or not I have access to your actual computer, I might have access to your network traffic, and through that, I have access to lot of fascinating information.
I mean nobody wants to be handing out their usernames, passwords or anything else. And a lot of companies are really good at protecting that, that’s why they hash your passwords, but the simple fact that I may look at is that it’s a huge not only privacy risk, but security vulnerability.
Some of our applications send: licensing and registration data, update information, demographic data etc. And all this data can be filtered, logged, and analyzed by third party. You don’t know what your ISP is doing. Most people just sign that contract and assume that the ISP has their best interest at heart. And I am not saying the ISPs can be evil, but if they wanted to be, there is a good chance that they can do a lot and a lot of damage.
Or your roommate who is also on your wireless network can do a lot of damage, assuming how close you are with your roommate; or the guy next door if you are using WAP.So essentially, what I am trying to say is that there are a lot of ways our phones could f**ck us (see image). What I am really specifically focusing on is Android application security. A lot of people have done a computer thing, a lot of people have done laptop forensic analysis etc., but something we don’t realize is we’ve got this essentially super computer in our pocket. I mean, when I got my first computer, and though I cannot say what that was, but it was like a tenth of the processing speed of my current phone on my pocket.
And people don’t realize all the fascinating things that they have on their phone, and what their phone knows. Our phones have a lot of things. If you are doing GPG encryption and try to decrypt your emails – that’s assuming you are a naturally secure thinking person – you have to have your private key on your phone to decrypt your emails. If you are not a private thinking individual, or secure thinking individual, you are just sending your emails over your network connection. You have emails, usernames, GPS, etc., and more.
When I first got to this research I thought: “You know what would be really cool, let’s build an evil application”, which I think some of the other presenters at Defcon have done, which is awesome.But when you make that application, it’s ultimately silly because as long as you can get the user to press OK – you’re done. I mean, how many people with smartphones scroll through their phone and they’re like: “I wanna play this game”, scroll, scroll, scroll, OK.
I mean, I don’t know how many of you guys watch South Park, but there was a whole episode on HUMANCENTiPAD, where someone didn’t actually read the EULA. Oh, God forbid someone read 39 pages on a short level of dense legal text. That doesn’t happen.
So anyone can build an evil app, put it on the market and say: “Hey, you should download this”. And anyone could execute it and it could export a lot of bad information. And we know this is bad, right. There are a lot of companies out there that do a lot of great things trying to prevent malware, evil applications etc.
But then I got thinking: “Okay, we know evil applications are evil, but what about regular applications?” I mean, when you get your Android phone you think: “The first thing I wanna do is I wanna stream music through Pandora”. Right? I mean, it’s really awesome having an unlimited Internet radio station on your phone.
And you play with it a little bit longer, then you’re like: “Oh, sweet, I forgot about Angry Birds”. Who of you loves Angry Birds? I am not gonna lie, I use it. You are sitting in the meeting, you are sitting in your office, you are on the phone with your boss, and you are just playing. Not that they know you are playing it, but…
The fact of the matter is, you are thinking: “All of these apps, I’ve paid for and downloaded them from the Android application market, and it’s a game. What I’ve downloaded is a game”. But what you don’t realize is you’ve downloaded a little spy in your pocket.Now, some previous research has been done by the Wall Street Journal and by a man named Aldo Cortesi. And I’d like to meet this man and say a lot of great thanks to him. I was even going to call my original presentation ‘Android – the spy in your pocket’. And the Wall Street Journal has done a great research thing on what these applications are sharing, and how they are sharing it.
To get back to the privacy side of it, in terms of privacy we don’t realize how much we share about our lives. We think: “You know, all these companies have anonymized data”. And one of the best examples is with Apple, where you have UDID2. It’s basically an anonymized number that says: “Oh, I am me, but I am not actually Eric Fulton. The company doesn’t know who I am, they just know my number”.
Well, that’s cool. But there are companies out there in the world, where their whole idea is de-anonymizing who you are, like figuring out: “Oh, this guy that lives in Montana, that loves ‘Dorido’s’ and ‘Mountain Dew’, and also travels to these places – is this number”. And they can easily tag it as Eric Fulton, because I love ‘Mountain Dew’.
And so, as part of this I thought: “Alright, let’s start looking at these applications – these applications that I blindly trust, that I think, well, yes, I totally believe these people”.
1 – dd is a common Unix command whose primary purpose is the low-level copying and conversion of raw data.
2 – UDID (short for Unique Device Identifier) is a 40-character long hex value (20 bytes) which is specific to each Apple device.