(Un)protected Broadcasts in Android 9 and 10

Presented at Black Hat Asia 2021 Virtual, May 6, 2021, 1:30 p.m. (30 minutes)

We discovered a systemic vulnerability affecting Android version 9, Android version 10, and Android version 11 Developer Preview that allowed third-party apps to spoof certain protected broadcast Intent messages, that is, to send messages that only the Android system and privileged pre-installed apps should be authorized to send. This (un)protected broadcast vulnerability occurs when an app declares that the system must protect some broadcast Intent message from being sent by other apps, yet, due to a bug in AOSP, the system granted that protection only to apps installed at a specific location on the file system. In other words, unless the app is installed at a certain path on the file system, the system would silently not honor these protection requests, leaving the app's broadcast messages unprotected at runtime.

Specifically, on vulnerable versions of Android, only pre-installed apps that reside in a priv-app directory (e.g., /system/priv-app/SystemUI/SystemUI.apk) can register protected broadcasts with the system. Apps that are not present in a priv-app directory (e.g., other pre-installed apps or third-party apps installed from the market) therefore cannot have their protected broadcast declarations honored: the system applies no access control to those broadcasts, so any app co-located on the device can send them.

The lack of protection of protected broadcast Intent messages enables unauthorized parties to escalate their privileges, since they can send spoofed messages to carry out functionality they lack the capability or authorization to perform. This can be viewed as a confused deputy problem, since the process (deputy) receiving the broadcast Intent message acts upon it as if it came from an authorized source. We identified numerous Android vendors and devices impacted by this vulnerability, where unauthorized apps can exploit vulnerable pre-installed apps to perform highly privileged functionality, including arbitrary command execution with system privileges, access to the logcat log, and access to Personally Identifiable Information (PII).
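As an added illustration of the hardening check a device vendor or app developer would want after reading the above (example code written for this page, not the presenters' tooling or AOSP code): a small audit that parses a decoded AndroidManifest.xml and flags exported receivers whose only protection is a `<protected-broadcast>` declaration, which affected builds ignore unless the APK lives under a priv-app directory. The sample manifest and package name are constructed; the mitigation it checks for is the standard `android:permission` attribute on the receiver (or `android:exported="false"`), which is enforced independently of the protected-broadcast mechanism.

```python
"""Audit a decoded AndroidManifest.xml for receivers that rely solely on
<protected-broadcast>, which affected builds honored only for priv-app APKs."""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real vendor app): the app declares
# its action as protected, but CommandReceiver carries no android:permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor">
  <protected-broadcast android:name="com.example.vendor.RUN_COMMAND"/>
  <application>
    <receiver android:name=".CommandReceiver" android:exported="true">
      <intent-filter><action android:name="com.example.vendor.RUN_COMMAND"/></intent-filter>
    </receiver>
    <receiver android:name=".SafeReceiver" android:exported="true"
              android:permission="com.example.vendor.PRIV">
      <intent-filter><action android:name="com.example.vendor.RUN_COMMAND"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def in_priv_app_dir(apk_path: str) -> bool:
    """True if the APK path has a priv-app directory component (e.g. /system/priv-app/...)."""
    return "priv-app" in PurePosixPath(apk_path).parts


def audit_manifest(xml_text: str, apk_path: str) -> list:
    """Return (receiver, action) pairs whose only protection is a
    <protected-broadcast> declaration that an affected build would not honor."""
    root = ET.fromstring(xml_text)
    protected = {pb.get(ANDROID_NS + "name") for pb in root.iter("protected-broadcast")}
    if in_priv_app_dir(apk_path):
        return []  # declarations are honored for priv-app APKs even on affected builds
    findings = []
    for recv in root.iter("receiver"):
        # A receiver with an intent-filter is exported by default on these releases.
        exported = recv.get(ANDROID_NS + "exported", "true")
        if recv.get(ANDROID_NS + "permission") or exported == "false":
            continue  # sender must hold a permission, or no external sender can reach it
        for action in recv.iter("action"):
            name = action.get(ANDROID_NS + "name")
            if name in protected:
                findings.append((recv.get(ANDROID_NS + "name"), name))
    return findings
```

Run `audit_manifest(SAMPLE_MANIFEST, "/system/app/Vendor/Vendor.apk")` to see CommandReceiver flagged while SafeReceiver passes.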
Presenters:

  • Angelos Stavrou - CEO, Kryptowire
    Dr. Angelos Stavrou is a Professor at the Bradley Department of Electrical & Computer Engineering. Stavrou has served as principal investigator on research awards from NSF, DARPA, IARPA, DHS, AFOSR, ARO, and ONR; he is an active member of NIST's Mobile Security team and has written more than 125 peer-reviewed conference and journal articles. Stavrou received his M.Sc. in Electrical Engineering, M.Phil. and PhD (with distinction) in Computer Science, all from Columbia University. He also holds an M.Sc. in theoretical Computer Science from the University of Athens, and a B.Sc. in Physics with distinction from the University of Patras, Greece. Stavrou is an Associate Editor of IEEE Transactions on Reliability and a co-chair of the IEEE Blockchain initiative. His current research interests include security and reliability for distributed systems, security principles for virtualization, and anonymity with a focus on building and deploying large-scale systems. Stavrou received the GMU Department of Computer Science Outstanding Research Award in 2010, 2016 and 2018 and was awarded the 2012 George Mason Emerging Researcher, Scholar, Creator Award, a university-wide award. In 2013, he received the IEEE Reliability Society Engineer of the Year award. He is a NIST guest researcher, a member of the ACM and USENIX, and a senior IEEE member.
  • Mohamed Elsabagh - Director of Research, Kryptowire
    Dr. Mohamed Elsabagh leads the research and development efforts at Kryptowire. He specializes in automated static/dynamic binary security analysis and reverse engineering for Android, ARM, and x86 platforms. He has created several tools that helped detect and prevent hundreds of zero-day vulnerabilities in the wild. Mohamed holds a PhD in CS, during which he developed automated binary hardening techniques for COTS systems.
  • Ryan Johnson - VP of Research, Kryptowire
    Dr. Ryan Johnson is the VP of Research at Kryptowire LLC in McLean, VA. His research interests are static and dynamic analysis of Android apps and reverse engineering. He is a co-founder of Kryptowire LLC and has presented at Black Hat, DEF CON, and IT-Defense.