Georgia Weidman touches upon the Android rooting issue and describes her experiment with Android permissions to show how apps can get hold of user data.
I figured out why Android apps have so many permissions. Since I’ve done so much Android development lately, and I’ve watched my apps just fall over and die randomly, and I can’t figure out why, and nothing comes up in the debugging settings – why is it falling over? Go to Stack Overflow, they give me their source code that looks just like mine, so it must work, right? It’s Stack Overflow, no problems there. And it just falls over. I figured it out: it’s because I didn’t have the permission, it just dies, because if you don’t have the permission, you can’t use the functionality.
So developers are just asking for all the permissions so that they don’t forget later, and then they forget to take them out, because Facebook doesn’t actually use half of these. I write the source code, I would know.
So, naturally, having seen this I thought: if I put out an application that asks for a lot of permissions (I can assume that users will accept them), how hard would it be for me as not necessarily a very good developer (certainly haven’t had much experience in Android yet) to code ways to abuse this, given that users are willing to accept these permissions – they accept them on Facebook, they accept them on any other app? So, naturally, I wrote an app to see. So we’re going to look at a little demo.
Alright, I’ve got my Android and I’ve got my iPhone here; I wrote an app called ‘Hello Android’, not a very sophisticated name. I’m just going to install it off the SD card and replace what’s already on there.
So, it wants 3 permissions, a lot less than Facebook. It wanted the ability to read your contacts, read that IMEI, and it wants to be able to send SMS. It puts up a screen that says something like: “Hi, I’ve basically just exploited the hell out of you;” but of course a bad developer wouldn’t have to put up this screen at all, they would just put up a game or something, and this would happen in the background.
I go to my Sent folder and I see that I’ve sent no SMS’es, I have no indication that anything has happened here. But if I go to my iPhone, I see that I have sent the IMEI number, my personal identification number, worth about as much to an attacker as a credit card to about 10 cents – so, basically, nothing, but if you have millions of them, you see how this adds up. How malware writers actually make money is a mystery to me; they make a lot more money than I do. It’s probably best that I don’t find out so I don’t turn to the dark side.
But, anyhow, we have just exploited all these permissions: the ability to send SMS – we did it in the background where the user couldn’t see it, it wasn’t in the Sent folder, no indication it happened. The only indication was that screen that I put up that says: “I did it,” which, of course, the user will not see if that was the real evil application, this will just go on in the background.
It stole your IMEI, sent it to someone else, and it also put up the last person you talked to based on your contacts, so it could tell who the last person you talked to was. It can also read all of them and send them off. If I had asked for network communication, I could send this up to a server.
So the moral of the story is that it’s really, really easy to write Android malware without exploiting it at all. Just given the amount of permissions that users are willing to accept, you’re able to completely exploit them in any way you want.
I’ve basically just undermined the whole rest of the presentation; this research never needed to be done because you can just ask for the permissions and exploit them that way. So there is no reason you have to steal permissions, there are no reasons you have to root their phone, you can just do this. But now we’re going to talk about it anyways.Alright, so basically what happened here, as a run-down, is I asked for 3 permissions. First, read the IMEI, which comes up a lot – a lot of apps ask for this, they should not; no apps should ever ask for this because the only reason to ask for it is to uniquely identify you on their server based on your IMEI, which is like uniquely identifying you based on your credit card number. We don’t stand for that in secure coding, that’s bad, but we allow it on Android. Other permissions – read you contacts and send SMS. And we exploited every single one of these: we stole your IMEI, we saw the last person you talked to, and we SMS’ed the IMEI to ourselves, all in the background, which brings us to the next topic.
A lot of the malware in the world roots your Android. A lot of the not-malware in the world roots your Android too. We wanted to root it, we want complete control over our phones. We buy the device, we get control over it – not so much necessary with Android as it is with iPhone. Basically, if you want to do anything with your iPhone, you have to root it, but you’ll probably be over there, in the other room, if you were interested in that, because they’re showing Absinthe1 right now at the same time as my talk, so thank you all for coming.Here are the two of the prevalent rooting programs (see image). SuperOneClick still goes on, they update regularly, it does, like, the most recent versions of Android. Well, back in the day and still for a lot of phones, because you’re not getting updates, because Google doesn’t update you or your carriers do not, Z4Mod was the rooting solution for up to, like, Android 2.2, which, sadly, still works for a lot of Android users.
I’ve looked at the source code of both of these, I’m going to talk about evil exploitation for rooting. Neither one of these exploit you evilly; they give you your super user permissions and then they’re done and they go away. So do not come out of this thinking that these 2 apps are evil; they’re not, and I use them regularly.
1 Absinthe – jailbreak solution for iPhone.
Read previous: Bypassing the Android Permission Model
Read next: Bypassing the Android Permission Model 3: Evil Rooting with DroidDream